From b7409cea4e34f3ea197334e615ef065fe50270be Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Mon, 23 Mar 2026 22:28:37 +0200
Subject: [PATCH] fix(renew-tls): use alpine+curl for kubectl step to avoid permission denied
bitnami/kubectl runs as non-root UID 1001, cannot read git-crypt decrypted secrets owned by root. Switch to alpine (runs as root) with kubectl downloaded directly.
---
 .woodpecker/renew-tls.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.woodpecker/renew-tls.yml b/.woodpecker/renew-tls.yml
index 6787bc00..72577ccd 100644
--- a/.woodpecker/renew-tls.yml
+++ b/.woodpecker/renew-tls.yml
@@ -52,8 +52,10 @@ steps:
 - "echo 'Certificate is valid for at least 7 more days'"
 - name: update-tls-source-secret
- image: bitnami/kubectl:latest
+ image: alpine
 commands:
+ - "apk update && apk add curl"
+ - "curl -LO https://dl.k8s.io/release/v1.31.0/bin/linux/amd64/kubectl && chmod +x kubectl && mv kubectl /usr/local/bin/"
 - |
 kubectl create secret tls tls-secret \
 --cert=secrets/fullchain.pem --key=secrets/privkey.pem \
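Review bot: The added `curl -LO https://dl.k8s.io/release/v1.31.0/bin/linux/amd64/kubectl` line installs a binary with no integrity check, and per the commit message that binary then runs as root in the step that reads `secrets/privkey.pem`. Without `-f`, an HTTP error body would also be saved as `kubectl`, marked executable and moved into `/usr/local/bin/`. I would fetch with `curl -fsSLO`, also fetch the published `kubectl.sha256`, and gate the install on `echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c -`; a digest committed to this pipeline file would be stronger, since a checksum served from the same host only catches corruption. `image: alpine` is an unpinned tag just as `bitnami/kubectl:latest` was, so pinning it to a version or digest would make the step reproducible. The `kubectl create secret` command continues past the end of the hunk.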