Two changes that ship together so a single CI run lands both:
1) SlackNotifier — support bot-token + channel transport
- Previous version only supported a pinned webhook URL.
- New mode uses chat.postMessage with bot_token + channel.
- Channel can be changed via env var without rotating webhooks.
- bot-token transport wins when both are set.
- Fail-soft: ok=false (e.g. channel_not_found if the user
hasn't created #trading-bot yet) is logged + skipped, not
raised.
- 5 new tests (10 total): bot-token wins, channel_not_found
swallowed, headers/payload shape verified.
2) Image tags — switch from :${CI_PIPELINE_NUMBER} → :0.1.${N}
- 3-part semver so Keel patch policy (cluster-wide default
in inject-keel-annotations) is bounded to patch bumps
within 0.1.x. Prior 1-part tags (:53) were technically
parseable as major-only, which Keel patch wouldn't bump
but could still resolve oddly under digest tracking.
- Memory id=1935 documents Keel patch ≠ bulletproof for
non-semver; semver tags are the safer mode.
- update-deployment + verify-deploy steps updated to match.
- :latest still pushed for cache-from + bootstrap.
Pipeline #47 was the first green build since the infra was simplified
on 2026-05-22 (commit 66ca8b9e in infra), which removed news-fetcher,
sentiment-analyzer, trade-executor and added meet-kevin-watcher; a
later commit added kevin-signal-bridge for Phase 1. The .woodpecker.yml
patch list was never updated, so update-deployment added 3 stale
containers to the running pod (news-fetcher, sentiment-analyzer,
trade-executor) — sentiment + trade-executor crash on port 8000 since
news-fetcher binds it first.
Update the strategic-merge patch to match infra exactly:
- signal-generator
- learning-engine
- market-data
- meet-kevin-watcher (was unmanaged → image stuck on :latest)
- kevin-signal-bridge (was unmanaged → image stuck on :latest)
Strategic merge doesn't remove containers not in the patch, so the 3
stale containers in the live deployment will be cleaned up by a
follow-up terragrunt apply on infra/stacks/trading-bot.
The buildx plugin was not passing NGINX_CONF build arg correctly,
causing the docker-compose nginx config (with hostname api-gateway)
to be used instead of the K8s one (with localhost).
- Replace pip with uv in Dockerfile.service builder stage (~5-10x faster)
- Replace pip with uv in CI test step
- Separate pyproject.toml copy from source copy in Dockerfile for better
Docker layer caching (deps only reinstalled when pyproject.toml changes)
- Add cache_from for buildx to reuse layers from previous builds
- Remove pip cache workaround from test step (not persisted in K8s)
The woodpeckerci/plugin-docker-buildx was not passing the EXTRAS build
arg correctly (commas in the value were likely being parsed as list
separators), causing the image to only install dev dependencies instead
of all service extras (api, news, sentiment, trading, backtester).
Hardcode the pip install extras directly in the Dockerfile rather than
relying on the build arg.
The publish-images step used an alpine container to run skopeo for
re-tagging, but intermittent DNS failures prevent apk from installing
packages. Instead, have the buildx plugin push with both the pipeline
number tag and latest tag directly, eliminating the extra step.
Woodpecker pre-processes ${VAR} syntax as CI variables, replacing
undefined ones with empty strings. Use $$ escaping for shell variables
to prevent Woodpecker from consuming them. The ${REPO} variable in
the skopeo publish step was being replaced with empty string.
plugins/docker does not get privileged: true in K8s pods despite being
in WOODPECKER_PLUGINS_PRIVILEGED. woodpeckerci/plugin-docker-buildx
correctly receives privileged mode. Previous build failure with buildx
was a transient network timeout reaching registry-1.docker.io.
The woodpeckerci/plugin-docker-buildx plugin started dockerd correctly
(privileged mode works) but failed DockerHub authentication. Switch back
to plugins/docker which is proven working in realestate-crawler pipeline.
- Use woodpeckerci/plugin-docker-buildx instead of plugins/docker to fix
Docker daemon connection failures (privileged mode not applied)
- Add pip dependency caching between builds via /woodpecker/pip-cache
- Fix slack plugin image (plugins/slack, not woodpeckerci/plugin-slack)
- Use proper buildx cache_from syntax (type=registry,ref=...)
