infra-ci now builds on GHA → ghcr and the ghcr-based apply is PROVEN (pipeline 165 ran terragrunt apply in the ghcr image). Removing the Woodpecker build-ci-image.yml (clean cut). The breakglass tarball is preserved as a MANUAL Woodpecker job pulling ghcr (public) → registry VM; infra-ci on ghcr is external + node-cached, so the Forgejo-down rationale for the old auto-tarball is moot — this is belt-and-braces DR. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
31 lines
1.3 KiB
YAML
# Break-glass: save the ghcr infra-ci image to a tarball on the registry VM
# (10.0.20.10) so it can be `docker load`-ed onto a node if ghcr is ever
# unreachable during a recovery. infra-ci now builds on GHA → ghcr (ADR-0002),
# which is external + node-cached, so this is a belt-and-braces DR artifact —
# run MANUALLY after an infra-ci rebuild (or periodically). Pulls from ghcr
# (public, no login). Recovery: docs/runbooks/forgejo-registry-breakglass.md.
when:
  - event: manual

steps:
  - name: breakglass-tarball
    image: alpine:3.20
    failure: ignore
    environment:
      REGISTRY_SSH_KEY:
        from_secret: registry_ssh_key
    commands:
      - apk add --no-cache openssh-client
      - mkdir -p ~/.ssh && chmod 700 ~/.ssh
      - printf '%s\n' "$REGISTRY_SSH_KEY" > ~/.ssh/id_ed25519
      - chmod 600 ~/.ssh/id_ed25519
      # ssh-keyscan accepts whatever host key the network returns on this run
      # (trust on first use); the key is not compared against a pinned value.
      - ssh-keyscan -t ed25519 10.0.20.10 >> ~/.ssh/known_hosts 2>/dev/null
      # `set -e` sees only gzip's exit status in the `docker save | gzip`
      # pipeline, so a failed save is not caught; the closing `ls -lh` prints
      # the tarball size so a truncated file is visible in the job log.
      - |
        ssh -n -o BatchMode=yes root@10.0.20.10 "
          set -e
          mkdir -p /opt/registry/data/private/_breakglass
          IMAGE=ghcr.io/viktorbarzin/infra-ci:latest
          docker pull \$IMAGE
          docker save \$IMAGE | gzip > /opt/registry/data/private/_breakglass/infra-ci-latest.tar.gz
          ls -lh /opt/registry/data/private/_breakglass/infra-ci-latest.tar.gz
        "