infra/.woodpecker/default.yml

when:
  event: push
  branch: master

clone:
  git:
    image: woodpeckerci/plugin-git
    settings:
      attempts: 5
      backoff: 10s

steps:
  - name: prepare
    image: alpine
    commands:
      - "apk update && apk add jq curl git git-crypt"
      # git-crypt for secrets/ directory (TLS certs, deploy key)
      - |
        curl -k https://10.0.20.100:6443/api/v1/namespaces/woodpecker/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key
      - "git-crypt unlock /tmp/key && rm /tmp/key"
      # Vault: authenticate via K8s service account JWT
      - |
        SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
        VAULT_TOKEN=$(curl -s -X POST http://vault-active.vault.svc.cluster.local:8200/v1/auth/kubernetes/login \
          -d "{\"role\":\"ci\",\"jwt\":\"$SA_TOKEN\"}" | jq -r .auth.client_token)
        echo "export VAULT_TOKEN=$VAULT_TOKEN" > .vault-env
        echo "export VAULT_ADDR=http://vault-active.vault.svc.cluster.local:8200" >> .vault-env

  - name: terragrunt-apply
    image: alpine
    commands:
      - "apk update && apk add curl unzip git openssh-client"
      # Install Terraform
      - "wget -qO /tmp/terraform.zip https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_linux_amd64.zip"
      - "unzip -o /tmp/terraform.zip -d /usr/local/bin/ && chmod 755 /usr/local/bin/terraform"
      # Install Terragrunt
      - "wget -qO /usr/local/bin/terragrunt https://github.com/gruntwork-io/terragrunt/releases/download/v0.99.4/terragrunt_linux_amd64"
      - "chmod 755 /usr/local/bin/terragrunt"
      # Source Vault token
      - "source .vault-env"
      # Apply platform stack (core infrastructure services)
      - "cd stacks/platform && terragrunt apply --non-interactive -auto-approve"

  - name: cleanup-and-push
    image: alpine
    commands:
      - "rm -f .vault-env"
      - "apk update && apk add openssh-client git git-crypt"
      - "mkdir -p ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts"
      - "chmod 400 secrets/deploy_key"
      # Only add specific paths — never git add .
      - "git add stacks/ state/ .woodpecker/ || true"
      - "git remote set-url origin git@github.com:ViktorBarzin/infra.git"
      - "git commit -m 'Woodpecker CI deploy commit [CI SKIP]' || echo 'No changes'"
      - "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git push origin master"
    when:
      status: [success, failure]

  - name: slack
    image: curlimages/curl
    commands:
      - |
        curl -s -X POST -H 'Content-type: application/json' \
          --data "{\"channel\":\"general\",\"text\":\"Woodpecker CI: infra pipeline ${CI_PIPELINE_STATUS}\"}" \
          "$SLACK_WEBHOOK" || true
    environment:
      SLACK_WEBHOOK:
        from_secret: slack_webhook
    when:
      status: [success, failure]