viktor/wrongmove
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

CI: migrate Docker build/push from Woodpecker to GitHub Actions

Browse source 
Was: Woodpecker built+pushed to DockerHub, then `kubectl set image` patched
the four Deployments to a pinned numeric tag. With Deployments pinned to
:51 (immutable tag), Keel polled forever and never saw a digest bump — and
no DockerHub pull-secret meant Keel hit 401 on the private repo at every
poll. The 4-Deployment setup also had a latent ImagePullBackOff risk: if a
node was replaced, fresh pulls would fail.

Now: GHA builds+pushes (.github/workflows/build-{api,frontend}.yml) on push
to master. Cluster Deployments reference :latest with an imagePullSecret
sourced from Vault via ESO (codified in infra/stacks/real-estate-crawler/
main.tf, separate commit). Keel polls :latest, sees the new digest after
each GHA build, and rolls all four Deployments.

- .github/workflows/build-api.yml: pytest (unit + integration/regression/
  e2e/test_listing_geojson) + buildx push viktorbarzin/realestatecrawler
  to {<8-char-sha>, latest}.
- .github/workflows/build-frontend.yml: vitest (all 4 ex-shards in one
  run) + Vite build with VITE_MAPBOX_TOKEN from GHA secret + buildx push
  viktorbarzin/immoweb to {<8-char-sha>, latest}.
- .woodpecker/{api,frontend}.yml renamed to
  .woodpecker/build-fallback-{api,frontend}.yml with `event: deployment`
  so they no longer fire on push — kept as manual-only fallback if GHA
  is down (CLAUDE.md convention from the 10 already-migrated projects).
- .claude/CLAUDE.md: Git Workflow section updated to reflect GHA as
  primary + the dockerhub-pull-secret wiring.

GHA repo secrets DOCKERHUB_TOKEN and MAPBOX_TOKEN populated from Vault
fields viktor.dockerhub_registry_password and ci/global.wrongmove-mapbox-token
respectively (DOCKERHUB_USERNAME=viktorbarzin was already set).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-05-18 19:11:31 +00:00
parent 01a940b9b6
commit c2acbf5d2e
5 changed files with 176 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

192
.woodpecker/frontend.yml
View file

@ -1,192 +0,0 @@
when:
- event: push
branch: master
clone:
git:
image: woodpeckerci/plugin-git
settings:
attempts: 5
backoff: 10s
steps:
- name: install-frontend-deps
image: node:24-alpine
backend_options:
kubernetes:
resources:
requests:
memory: 1Gi
limits:
memory: 2Gi
environment:
NODE_OPTIONS: "--max-old-space-size=1536"
commands:
- cd frontend && npm ci
- name: test-shard-1
image: node:24-alpine
depends_on:
- install-frontend-deps
backend_options:
kubernetes:
resources:
requests:
memory: 1Gi
limits:
memory: 2Gi
environment:
NODE_OPTIONS: "--max-old-space-size=1536"
commands:
- cd frontend && npx vitest run --reporter=verbose --shard=1/4
- name: test-shard-2
image: node:24-alpine
depends_on:
- install-frontend-deps
backend_options:
kubernetes:
resources:
requests:
memory: 1Gi
limits:
memory: 2Gi
environment:
NODE_OPTIONS: "--max-old-space-size=1536"
commands:
- cd frontend && npx vitest run --reporter=verbose --shard=2/4
- name: test-shard-3
image: node:24-alpine
depends_on:
- install-frontend-deps
backend_options:
kubernetes:
resources:
requests:
memory: 1Gi
limits:
memory: 2Gi
environment:
NODE_OPTIONS: "--max-old-space-size=1536"
commands:
- cd frontend && npx vitest run --reporter=verbose --shard=3/4
- name: test-shard-4
image: node:24-alpine
depends_on:
- install-frontend-deps
backend_options:
kubernetes:
resources:
requests:
memory: 1Gi
limits:
memory: 2Gi
environment:
NODE_OPTIONS: "--max-old-space-size=1536"
commands:
- cd frontend && npx vitest run --reporter=verbose --shard=4/4
# Writes frontend/.env.production from the Woodpecker secret. Vite auto-loads
# this file during `npx vite build` (the plugin step below picks it up via
# the build context). Cleaner than --build-arg because docker-buildx's
# build_args list-parser mangled the KEY=VALUE form when the value contained
# `=` separators (see pipeline 2207 — bundle came out without the token).
- name: prepare-frontend-env
image: alpine
depends_on:
- test-shard-1
- test-shard-2
- test-shard-3
- test-shard-4
environment:
MAPBOX_TOKEN:
from_secret: wrongmove-mapbox-token
commands:
- 'printf "VITE_MAPBOX_TOKEN=%s\n" "$MAPBOX_TOKEN" > frontend/.env.production'
- 'wc -c frontend/.env.production'
- name: build-and-push-frontend
image: woodpeckerci/plugin-docker-buildx
depends_on:
- prepare-frontend-env
settings:
username: viktorbarzin
password:
from_secret: dockerhub-token
repo: viktorbarzin/immoweb
dockerfile: frontend/Dockerfile
context: frontend
target: production
platforms:
- linux/amd64
tag: ["${CI_PIPELINE_NUMBER}", "latest"]
cache_from: "viktorbarzin/immoweb:latest"
cache_to: "type=inline"
- name: update-deployment
image: alpine
depends_on:
- build-and-push-frontend
commands:
- apk add --no-cache curl jq
- |
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
IMAGE="viktorbarzin/immoweb:${CI_PIPELINE_NUMBER}"
RESTART_AT=$(date -u +%Y-%m-%dT%H:%M:%SZ)
API="https://kubernetes:6443/apis/apps/v1/namespaces/realestate-crawler/deployments"
DEPLOY="realestate-crawler-ui"
CONTAINER=$(curl -sfk "$API/$DEPLOY" \
-H "Authorization: Bearer $TOKEN" \
-H "Accept: application/json" | jq -r '.spec.template.spec.containers[0].name')
echo "Patching $DEPLOY (container=$CONTAINER) to image $IMAGE with restartedAt=$RESTART_AT..."
curl -sf -X PATCH "$API/$DEPLOY" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/strategic-merge-patch+json" \
-k -d "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"kubectl.kubernetes.io/restartedAt\":\"$RESTART_AT\"}},\"spec\":{\"containers\":[{\"name\":\"$CONTAINER\",\"image\":\"$IMAGE\"}]}}}}" \
| jq '{name: .metadata.name, generation: .metadata.generation, image: .spec.template.spec.containers[0].image}'
- name: verify-deploy
image: alpine
depends_on:
- update-deployment
commands:
- apk add --no-cache curl jq
- |
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
EXPECTED_IMAGE="viktorbarzin/immoweb:${CI_PIPELINE_NUMBER}"
PODS_API="https://kubernetes:6443/api/v1/namespaces/realestate-crawler/pods?labelSelector=app%3Drealestate-crawler-ui"
for i in $(seq 1 60); do
RAW=$(curl -sfk "$PODS_API" \
-H "Authorization: Bearer $TOKEN" \
-H "Accept: application/json")
if [ "$i" -eq 1 ]; then
echo "DEBUG: All pods for realestate-crawler-ui:"
echo "$RAW" | jq -r '[.items[] | {name: .metadata.name, image: .spec.containers[0].image, ready: (.status.containerStatuses[]? | .ready), phase: .status.phase}] | .[] | " \(.name) image=\(.image) ready=\(.ready) phase=\(.phase)"' 2>/dev/null || echo " (no pods found)"
fi
RESULT=$(echo "$RAW" | \
jq --arg img "$EXPECTED_IMAGE" '[.items[] | select(
(.status.containerStatuses[]? | .ready == true) and
(.spec.containers[]? | .image | endswith($img))
) | {name: .metadata.name, image: .spec.containers[0].image, started: .status.startTime}]')
COUNT=$(echo "$RESULT" | jq 'length')
echo "Attempt $i/60: $COUNT pod(s) ready with image matching $EXPECTED_IMAGE"
if [ "$COUNT" -gt 0 ]; then
echo "$RESULT" | jq -r '.[] | " \(.name) image=\(.image) started=\(.started)"'
echo "New pod is live!"
exit 0
fi
sleep 5
done
echo "ERROR: No new ready pod with image $EXPECTED_IMAGE appeared within 5 minutes"
exit 1