viktor/wrongmove
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
wrongmove/.woodpecker/frontend.yml
Viktor Barzin d03a9a0fe2 wrongmove: inline VITE_MAPBOX_TOKEN as a build_arg (drop secret indirection) 
The previous attempt used a step-level `environment:` block with
`from_secret:`, which the Woodpecker linter rejected on plugin steps
("Should not configure both `environment` and `settings`"). Net effect
was build-and-push-frontend reverted to a commands step and the
docker daemon never started.

The Mapbox `pk.*` token ends up baked into the public bundle anyway —
its security model is domain restrictions in the Mapbox dashboard, not
build-time secrecy. Inlining the value in `build_args` is the simplest
working path and avoids the secret-indirection footgun. The token also
still lives in Vault at `secret/ci/global/wrongmove-mapbox-token` for
the day we adopt a private style URL or replace this with a different
provider.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-15 21:54:40 +00:00

180 lines
5.7 KiB
YAML
Raw Blame History

when:
- event: push
branch: master
clone:
git:
image: woodpeckerci/plugin-git
settings:
attempts: 5
backoff: 10s
steps:
- name: install-frontend-deps
image: node:24-alpine
backend_options:
kubernetes:
resources:
requests:
memory: 1Gi
limits:
memory: 2Gi
environment:
NODE_OPTIONS: "--max-old-space-size=1536"
commands:
- cd frontend && npm ci
- name: test-shard-1
image: node:24-alpine
depends_on:
- install-frontend-deps
backend_options:
kubernetes:
resources:
requests:
memory: 1Gi
limits:
memory: 2Gi
environment:
NODE_OPTIONS: "--max-old-space-size=1536"
commands:
- cd frontend && npx vitest run --reporter=verbose --shard=1/4
- name: test-shard-2
image: node:24-alpine
depends_on:
- install-frontend-deps
backend_options:
kubernetes:
resources:
requests:
memory: 1Gi
limits:
memory: 2Gi
environment:
NODE_OPTIONS: "--max-old-space-size=1536"
commands:
- cd frontend && npx vitest run --reporter=verbose --shard=2/4
- name: test-shard-3
image: node:24-alpine
depends_on:
- install-frontend-deps
backend_options:
kubernetes:
resources:
requests:
memory: 1Gi
limits:
memory: 2Gi
environment:
NODE_OPTIONS: "--max-old-space-size=1536"
commands:
- cd frontend && npx vitest run --reporter=verbose --shard=3/4
- name: test-shard-4
image: node:24-alpine
depends_on:
- install-frontend-deps
backend_options:
kubernetes:
resources:
requests:
memory: 1Gi
limits:
memory: 2Gi
environment:
NODE_OPTIONS: "--max-old-space-size=1536"
commands:
- cd frontend && npx vitest run --reporter=verbose --shard=4/4
- name: build-and-push-frontend
image: woodpeckerci/plugin-docker-buildx
depends_on:
- test-shard-1
- test-shard-2
- test-shard-3
- test-shard-4
settings:
username: viktorbarzin
password:
from_secret: dockerhub-token
repo: viktorbarzin/immoweb
dockerfile: frontend/Dockerfile
context: frontend
target: production
platforms:
- linux/amd64
tag: ["${CI_PIPELINE_NUMBER}", "latest"]
cache_from: "viktorbarzin/immoweb:latest"
cache_to: "type=inline"
# Mapbox pk.* token — public by design (baked into the bundle, gated
# by Mapbox dashboard domain restrictions, not build-time secrecy).
build_args:
- VITE_MAPBOX_TOKEN=pk.eyJ1IjoidmJhcnppbiIsImEiOiJjbWJ4aXhuM3ExNTdnMmtzMGRsaDNnY29lIn0.WLpUHqpbWKzHjKo1_vTWEQ
- name: update-deployment
image: alpine
depends_on:
- build-and-push-frontend
commands:
- apk add --no-cache curl jq
- |
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
IMAGE="viktorbarzin/immoweb:${CI_PIPELINE_NUMBER}"
RESTART_AT=$(date -u +%Y-%m-%dT%H:%M:%SZ)
API="https://kubernetes:6443/apis/apps/v1/namespaces/realestate-crawler/deployments"
DEPLOY="realestate-crawler-ui"
CONTAINER=$(curl -sfk "$API/$DEPLOY" \
-H "Authorization: Bearer $TOKEN" \
-H "Accept: application/json" | jq -r '.spec.template.spec.containers[0].name')
echo "Patching $DEPLOY (container=$CONTAINER) to image $IMAGE with restartedAt=$RESTART_AT..."
curl -sf -X PATCH "$API/$DEPLOY" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/strategic-merge-patch+json" \
-k -d "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"kubectl.kubernetes.io/restartedAt\":\"$RESTART_AT\"}},\"spec\":{\"containers\":[{\"name\":\"$CONTAINER\",\"image\":\"$IMAGE\"}]}}}}" \
| jq '{name: .metadata.name, generation: .metadata.generation, image: .spec.template.spec.containers[0].image}'
- name: verify-deploy
image: alpine
depends_on:
- update-deployment
commands:
- apk add --no-cache curl jq
- |
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
EXPECTED_IMAGE="viktorbarzin/immoweb:${CI_PIPELINE_NUMBER}"
PODS_API="https://kubernetes:6443/api/v1/namespaces/realestate-crawler/pods?labelSelector=app%3Drealestate-crawler-ui"
for i in $(seq 1 60); do
RAW=$(curl -sfk "$PODS_API" \
-H "Authorization: Bearer $TOKEN" \
-H "Accept: application/json")
if [ "$i" -eq 1 ]; then
echo "DEBUG: All pods for realestate-crawler-ui:"
echo "$RAW" | jq -r '[.items[] | {name: .metadata.name, image: .spec.containers[0].image, ready: (.status.containerStatuses[]? | .ready), phase: .status.phase}] | .[] | " \(.name) image=\(.image) ready=\(.ready) phase=\(.phase)"' 2>/dev/null || echo " (no pods found)"
fi
RESULT=$(echo "$RAW" | \
jq --arg img "$EXPECTED_IMAGE" '[.items[] | select(
(.status.containerStatuses[]? | .ready == true) and
(.spec.containers[]? | .image | endswith($img))
) | {name: .metadata.name, image: .spec.containers[0].image, started: .status.startTime}]')
COUNT=$(echo "$RESULT" | jq 'length')
echo "Attempt $i/60: $COUNT pod(s) ready with image matching $EXPECTED_IMAGE"
if [ "$COUNT" -gt 0 ]; then
echo "$RESULT" | jq -r '.[] | " \(.name) image=\(.image) started=\(.started)"'
echo "New pod is live!"
exit 0
fi
sleep 5
done
echo "ERROR: No new ready pod with image $EXPECTED_IMAGE appeared within 5 minutes"
exit 1
Reference in a new issue View git blame Copy permalink