90c944a265
All checks were successful
ci/woodpecker/push/default Pipeline was successful
Infra pipelines were failing intermittently across all authors (e.g. #241-244, #247) with the git clone step exiting 128: git fetch --depth=1 --filter=tree:0 ... (partial/treeless clone) git reset --hard <sha> fatal: could not fetch <tree-sha> from promisor remote remote: 404 page not found The plugin-git clone defaulted to a partial (treeless) clone. The initial ref fetch carries credentials, but the lazy *promisor* object fetch triggered by `git reset --hard` hits the PRIVATE Forgejo repo without creds -> 404 -> exit 128. Whether it fired was luck-of-the-draw, hence the ~50% intermittent failures fleet-wide (not specific to any commit). Fix: set `partial: false` on every clone block so all objects for the (still shallow) commit are fetched upfront with creds — no fragile lazy promisor fetch. Diagnosed against the woodpecker Postgres DB (steps/log_entries) since the Woodpecker HTTP API was itself flapping. Earlier "permission for ViktorBarzin" log lines were an unrelated cross-forge red herring. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
64 lines
2.3 KiB
YAML
64 lines
2.3 KiB
YAML
# Sync infra/scripts/pve-nfs-exports → PVE host /etc/exports on change.
|
|
#
|
|
# Wave 6b of the state-drift consolidation plan: move the "scp + exportfs -ra"
|
|
# deploy step out of runbook-human-hands and into CI so the Proxmox NFS export
|
|
# table tracks git.
|
|
#
|
|
# Trigger: push to master that touches `scripts/pve-nfs-exports`. The file
|
|
# header documents the deploy invocation; this pipeline codifies it.
|
|
#
|
|
# Credentials:
|
|
# - pve_ssh_key: Woodpecker repo-secret (ed25519 keypair provisioned
|
|
# 2026-04-18 as `woodpecker-pve-nfs-exports-sync`). Public key lives in
|
|
# /root/.ssh/authorized_keys on the PVE host. Private key mirrored in
|
|
# Vault `secret/woodpecker/pve_ssh_key` for recovery.
|
|
|
|
when:
|
|
- event: push
|
|
branch: master
|
|
path: scripts/pve-nfs-exports
|
|
- event: manual
|
|
|
|
clone:
|
|
git:
|
|
image: woodpeckerci/plugin-git
|
|
settings:
|
|
partial: false
|
|
depth: 1
|
|
attempts: 3
|
|
|
|
steps:
|
|
- name: deploy
|
|
image: alpine:3.20
|
|
environment:
|
|
PVE_SSH_KEY:
|
|
from_secret: pve_ssh_key
|
|
SLACK_WEBHOOK:
|
|
from_secret: slack_webhook
|
|
commands:
|
|
- apk add --no-cache openssh-client curl
|
|
- mkdir -p ~/.ssh && chmod 700 ~/.ssh
|
|
- printf '%s\n' "$PVE_SSH_KEY" > ~/.ssh/id_ed25519
|
|
- chmod 600 ~/.ssh/id_ed25519
|
|
# Pin host key — CI's ~/.ssh/known_hosts is ephemeral, so accept-new on first pull.
|
|
- ssh-keyscan -t ed25519 192.168.1.127 >> ~/.ssh/known_hosts 2>/dev/null
|
|
# Diff what we'd ship, so pipeline logs show the intended change.
|
|
- echo '---diff---' && ssh -o BatchMode=yes root@192.168.1.127 "cat /etc/exports" > /tmp/remote.exports || true
|
|
- diff -u /tmp/remote.exports scripts/pve-nfs-exports || true
|
|
- echo '---applying---'
|
|
- scp -o BatchMode=yes scripts/pve-nfs-exports root@192.168.1.127:/etc/exports
|
|
- ssh -o BatchMode=yes root@192.168.1.127 "exportfs -ra && exportfs -s | head -5"
|
|
- echo '---done---'
|
|
|
|
- name: slack
|
|
image: curlimages/curl:8.11.0
|
|
environment:
|
|
SLACK_WEBHOOK:
|
|
from_secret: slack_webhook
|
|
commands:
|
|
- |
|
|
curl -s -X POST -H 'Content-type: application/json' \
|
|
--data "{\"channel\":\"general\",\"text\":\"PVE /etc/exports sync: ${CI_PIPELINE_STATUS}\"}" \
|
|
"$SLACK_WEBHOOK" || true
|
|
when:
|
|
status: [success, failure]
|