wrongmove/.woodpecker/frontend.yml
Viktor Barzin 25458fd2a2 wrongmove: bake VITE_MAPBOX_TOKEN into the frontend build
Adds a build-arg path so the Mapbox public token is injected at
`vite build` time instead of being hardcoded in the bundle:

- `frontend/Dockerfile` declares `ARG VITE_MAPBOX_TOKEN` in the
  builder stage and re-exports it via `ENV` so Vite picks it up.
- `.woodpecker/frontend.yml` maps the global `wrongmove-mapbox-token`
  Woodpecker secret into a step-level `VITE_MAPBOX_TOKEN` env var,
  then forwards it via `build_args_from_env`.

Token is a domain-restricted `pk.*` public token (Mapbox), so bundle
exposure is the intended threat model. Vault-stored at
`secret/ci/global/wrongmove-mapbox-token`; synced to Woodpecker by
the existing vault-woodpecker-sync CronJob every 6h.

Replaces the post-Fix-4 "Map unavailable — set VITE_MAPBOX_TOKEN"
banner with a working basemap.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-15 21:42:40 +00:00


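# Woodpecker pipeline for the wrongmove frontend: install dependencies, run the
# vitest suite in four parallel shards, build and push the production image
# (with the Mapbox public token passed in as a build arg), then roll the
# Kubernetes Deployment and wait until a ready pod runs the new image.
when:
  - event: push
    branch: master

clone:
  git:
    image: woodpeckerci/plugin-git
    settings:
      # Retry a flaky clone before failing the whole pipeline.
      attempts: 5
      backoff: 10s

steps:
  - name: install-frontend-deps
    image: node:24-alpine
    backend_options:
      kubernetes:
        resources:
          requests:
            memory: 1Gi
          limits:
            memory: 2Gi
    environment:
      # Keep Node's heap comfortably under the 2Gi pod memory limit.
      NODE_OPTIONS: "--max-old-space-size=1536"
    commands:
      - cd frontend && npm ci

  # The four shard steps are deliberately identical apart from the --shard
  # index so they run in parallel once node_modules exists in the workspace.
  - name: test-shard-1
    image: node:24-alpine
    depends_on:
      - install-frontend-deps
    backend_options:
      kubernetes:
        resources:
          requests:
            memory: 1Gi
          limits:
            memory: 2Gi
    environment:
      NODE_OPTIONS: "--max-old-space-size=1536"
    commands:
      - cd frontend && npx vitest run --reporter=verbose --shard=1/4

  - name: test-shard-2
    image: node:24-alpine
    depends_on:
      - install-frontend-deps
    backend_options:
      kubernetes:
        resources:
          requests:
            memory: 1Gi
          limits:
            memory: 2Gi
    environment:
      NODE_OPTIONS: "--max-old-space-size=1536"
    commands:
      - cd frontend && npx vitest run --reporter=verbose --shard=2/4

  - name: test-shard-3
    image: node:24-alpine
    depends_on:
      - install-frontend-deps
    backend_options:
      kubernetes:
        resources:
          requests:
            memory: 1Gi
          limits:
            memory: 2Gi
    environment:
      NODE_OPTIONS: "--max-old-space-size=1536"
    commands:
      - cd frontend && npx vitest run --reporter=verbose --shard=3/4

  - name: test-shard-4
    image: node:24-alpine
    depends_on:
      - install-frontend-deps
    backend_options:
      kubernetes:
        resources:
          requests:
            memory: 1Gi
          limits:
            memory: 2Gi
    environment:
      NODE_OPTIONS: "--max-old-space-size=1536"
    commands:
      - cd frontend && npx vitest run --reporter=verbose --shard=4/4

  - name: build-and-push-frontend
    image: woodpeckerci/plugin-docker-buildx
    depends_on:
      - test-shard-1
      - test-shard-2
      - test-shard-3
      - test-shard-4
    environment:
      # Mapbox public (pk.*) token. It is forwarded as a build arg below and
      # ends up in the shipped bundle by design; the token is restricted on
      # the Mapbox side to the site's domains, so keep that restriction in
      # place rather than relying on the bundle to hide it.
      VITE_MAPBOX_TOKEN:
        from_secret: wrongmove-mapbox-token
    settings:
      username: viktorbarzin
      password:
        from_secret: dockerhub-token
      repo: viktorbarzin/immoweb
      dockerfile: frontend/Dockerfile
      context: frontend
      target: production
      platforms:
        - linux/amd64
      tag: ["${CI_PIPELINE_NUMBER}", "latest"]
      cache_from: "viktorbarzin/immoweb:latest"
      cache_to: "type=inline"
      # Passes the step-level VITE_MAPBOX_TOKEN through as --build-arg so the
      # Dockerfile's ARG/ENV pair makes it visible to `vite build`.
      build_args_from_env:
        - VITE_MAPBOX_TOKEN

  - name: update-deployment
    image: alpine
    depends_on:
      - build-and-push-frontend
    commands:
      - apk add --no-cache curl jq
      - |
        set -eu -o pipefail
        # Uses the step pod's service account. Its RBAC should be scoped to
        # get/patch on this Deployment in this namespace only.
        SA=/var/run/secrets/kubernetes.io/serviceaccount
        TOKEN=$(cat "$SA/token")
        CA="$SA/ca.crt"
        IMAGE="viktorbarzin/immoweb:${CI_PIPELINE_NUMBER}"
        RESTART_AT=$(date -u +%Y-%m-%dT%H:%M:%SZ)
        API="https://kubernetes:6443/apis/apps/v1/namespaces/realestate-crawler/deployments"
        DEPLOY="realestate-crawler-ui"
        # Verify the API server against the cluster CA from the SA mount
        # instead of -k: the bearer token travels on this connection. The
        # apiserver cert lists "kubernetes" as a SAN on a standard cluster;
        # confirm that if this request starts failing TLS verification.
        CONTAINER=$(curl -sf --cacert "$CA" "$API/$DEPLOY" \
          -H "Authorization: Bearer $TOKEN" \
          -H "Accept: application/json" | jq -r '.spec.template.spec.containers[0].name')
        if [ -z "$CONTAINER" ] || [ "$CONTAINER" = null ]; then
          echo "ERROR: could not resolve the container name for deployment $DEPLOY"
          exit 1
        fi
        # Build the strategic-merge patch with jq so every value is JSON-encoded
        # rather than hand-escaped in a shell string.
        PATCH=$(jq -nc --arg c "$CONTAINER" --arg img "$IMAGE" --arg at "$RESTART_AT" \
          '{spec: {template: {metadata: {annotations: {"kubectl.kubernetes.io/restartedAt": $at}},
                              spec: {containers: [{name: $c, image: $img}]}}}}')
        echo "Patching $DEPLOY (container=$CONTAINER) to image $IMAGE with restartedAt=$RESTART_AT..."
        curl -sf --cacert "$CA" -X PATCH "$API/$DEPLOY" \
          -H "Authorization: Bearer $TOKEN" \
          -H "Content-Type: application/strategic-merge-patch+json" \
          -d "$PATCH" \
          | jq '{name: .metadata.name, generation: .metadata.generation, image: .spec.template.spec.containers[0].image}'

  - name: verify-deploy
    image: alpine
    depends_on:
      - update-deployment
    commands:
      - apk add --no-cache curl jq
      - |
        set -eu -o pipefail
        SA=/var/run/secrets/kubernetes.io/serviceaccount
        TOKEN=$(cat "$SA/token")
        CA="$SA/ca.crt"
        EXPECTED_IMAGE="viktorbarzin/immoweb:${CI_PIPELINE_NUMBER}"
        PODS_API="https://kubernetes:6443/api/v1/namespaces/realestate-crawler/pods?labelSelector=app%3Drealestate-crawler-ui"
        # 60 attempts x 5s gives the rollout a 5 minute budget.
        ATTEMPTS=60
        INTERVAL=5
        for i in $(seq 1 "$ATTEMPTS"); do
          # A transient API error is retried instead of aborting the check.
          if ! RAW=$(curl -sf --cacert "$CA" "$PODS_API" \
              -H "Authorization: Bearer $TOKEN" \
              -H "Accept: application/json"); then
            echo "Attempt $i/$ATTEMPTS: pod list request failed, retrying in ${INTERVAL}s"
            sleep "$INTERVAL"
            continue
          fi
          if [ "$i" -eq 1 ]; then
            echo "DEBUG: All pods for realestate-crawler-ui:"
            echo "$RAW" | jq -r '[.items[] | {name: .metadata.name, image: .spec.containers[0].image, ready: (.status.containerStatuses[]? | .ready), phase: .status.phase}] | .[] | " \(.name) image=\(.image) ready=\(.ready) phase=\(.phase)"' 2>/dev/null || echo " (no pods found)"
          fi
          # A pod counts as live only when it has container statuses, every
          # container is ready, and one of its containers runs the expected tag.
          RESULT=$(echo "$RAW" | \
            jq --arg img "$EXPECTED_IMAGE" '[.items[] | select(
              ((.status.containerStatuses // []) | length > 0) and
              all(.status.containerStatuses[]?; .ready == true) and
              any(.spec.containers[]?; .image | endswith($img))
            ) | {name: .metadata.name, image: .spec.containers[0].image, started: .status.startTime}]')
          COUNT=$(echo "$RESULT" | jq 'length')
          echo "Attempt $i/$ATTEMPTS: $COUNT pod(s) ready with image matching $EXPECTED_IMAGE"
          if [ "$COUNT" -gt 0 ]; then
            echo "$RESULT" | jq -r '.[] | " \(.name) image=\(.image) started=\(.started)"'
            echo "New pod is live!"
            exit 0
          fi
          sleep "$INTERVAL"
        done
        echo "ERROR: No new ready pod with image $EXPECTED_IMAGE appeared within 5 minutes"
        exit 1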