From a34f9ff3b8f7dd2a7788fae611fdf33591cfae8c Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Wed, 10 Jun 2026 15:09:17 +0000 Subject: [PATCH] =?UTF-8?q?docs:=20infra=20Woodpecker=20repo-82=20ops=20?= =?UTF-8?q?=E2=80=94=20in-cluster=20webhook,=20secret=20parity,=20empty-co?= =?UTF-8?q?mmit=20gotcha=20[ci=20skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Emo's first direct pushes surfaced three latent CI issues, all fixed out-of-band today and recorded here: webhook deliveries to ci.viktorbarzin.me timing out on the public-IP hairpin (hook now targets the in-cluster woodpecker-server service), repo 82 registered without the repo-scoped secret set (cloned from repo 1 in the DB), and empty commits compiling every workflow so missing secrets hard-error. Co-Authored-By: Claude Fable 5 --- docs/architecture/ci-cd.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/docs/architecture/ci-cd.md b/docs/architecture/ci-cd.md index 8a5990b6..e44df43d 100644 --- a/docs/architecture/ci-cd.md +++ b/docs/architecture/ci-cd.md 
@@ -197,6 +197,34 @@ steps: - Keeps Woodpecker global secrets in sync with Vault - Runs in `woodpecker` namespace +## Infra repo CI (Woodpecker repo 82 — Forgejo forge) + +The infra repo itself runs on Woodpecker via the **Forgejo** forge (repo id 82, +registered 2026-06-08; the GitHub-side repo id 1 also remains registered). +Pushes to `master` fire `.woodpecker/default.yml` (changed-stacks terragrunt +apply) plus the `notify-nonadmin-push` Slack audit step (allow-then-audit +contribution model — see `multi-tenancy.md`). Operational facts (2026-06-10): + +- **Webhook URL is the IN-CLUSTER service**: `http://woodpecker-server.woodpecker.svc.cluster.local/api/hook?...` + (PATCHed via the Forgejo API). The Woodpecker-generated default + (`https://ci.viktorbarzin.me/...`) resolves to the non-proxied public A + record from pods → NAT hairpin → intermittent `context deadline exceeded`, + silently dropping push events (found when a push produced no pipeline). + If Woodpecker ever "repairs" the repo it will rewrite the hook back to + `ci.viktorbarzin.me` — re-apply the in-cluster URL (or pin `ci.viktorbarzin.me` + in the CoreDNS pod carve-out alongside forgejo). +- **Repo-scoped secrets must exist on BOTH repos**: pipelines reference + repo-level secrets (`registry_ssh_key`, `pve_ssh_key`, `CLOUDFLARE_TOKEN`, + …). Repo 82 was registered without them and every all-workflow compile + errored with `secret "registry_ssh_key" not found`. Fixed by cloning repo-1 + rows to repo 82 in the Woodpecker DB (`insert into secrets … select … where + repo_id=1`). When registering a new forge repo for infra, clone the secret + set too. +- **Empty commits defeat path filters**: a commit with no changed files makes + Woodpecker include ALL workflow files (path conditions can't exclude), so + every repo secret must resolve. Normal commits with real files only compile + the matching workflows. + ## Decisions & Rationale ### Why GitHub Actions + Woodpecker?
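Review bot: the two remediations this section documents are elided where a reader most needs them: the in-cluster webhook URL stops at `?...` and the secret-cloning statement is reduced to `insert into secrets … select … where repo_id=1`, so when Woodpecker "repairs" the repo and rewrites the hook (the case the first bullet warns about) or a new forge repo is registered, nobody can re-apply either step from this page alone. Suggest recording the exact Forgejo API call (endpoint and the fields PATCHed) and the full `INSERT ... SELECT` (or the equivalent repo-scoped `woodpecker-cli secret add` commands, which avoid direct DB writes). The second bullet also leaves a drift risk unstated: a secret added to repo 1 later will again be missing on repo 82, so a one-line parity check (compare secret names for repo_id 1 and 82) next to the cloning step would make "clone the secret set too" verifiable.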