chore(ci): switch woodpecker pipelines to plugin-docker-buildx

2026-04-28 14:18:58 +02:00
parent 8fd3e53fe6
commit fbaa598ae7
2 changed files with 83 additions and 76 deletions
--- a/.woodpecker/backend.yaml
+++ b/.woodpecker/backend.yaml
@@ -1,45 +1,45 @@
 when:
-  - event: push
-    branch: main
+  - event: [push, pull_request]
    path:
-      - 'backend/**'
-      - '.woodpecker/backend.yaml'
-
-services:
-  docker:
-    image: docker:29-dind
-    privileged: true
-    environment:
-      DOCKER_TLS_CERTDIR: ''
-    commands:
-      - dockerd-entrypoint.sh --host=tcp://0.0.0.0:2375 --tls=false
+      include:
+        - 'backend/**'
+        - '.woodpecker/backend.yaml'

 steps:
-  build:
-    image: docker:29
-    environment:
-      DOCKER_HOST: tcp://docker:2375
-      REGISTRY_USER:
-        from_secret: registry_user
-      REGISTRY_PASSWORD:
-        from_secret: registry_password
+  test:
+    image: golang:1.26-alpine
    commands:
-      - apk add --no-cache git
-      - until docker info > /dev/null 2>&1; do echo "waiting for dind..."; sleep 1; done
-      - docker login -u "$REGISTRY_USER" -p "$REGISTRY_PASSWORD" registry.itsh.dev
-      - docker buildx create --name ci-builder --driver docker-container --use
-      - export SOURCE_DATE_EPOCH=$(git log -1 --format=%ct)
-      - SHORT_SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8)
-      - |
-        docker buildx build \
-          --output "type=image,push=true,rewrite-timestamp=true" \
-          -f backend/deploy/Dockerfile \
-          -t "registry.itsh.dev/vikingowl/marktvogt.de/backend:$SHORT_SHA" \
-          backend/
+      - apk add --no-cache git gcc musl-dev
+      - cd backend && CGO_ENABLED=1 go test ./... -count=1 -race

+  # Build and push immutable SHA-tagged image on main branch only.
+  # rewrite-timestamp normalizes layer timestamps to SOURCE_DATE_EPOCH for
+  # reproducible builds. CI_COMMIT_TIMESTAMP is expected to be a Unix epoch
+  # in Woodpecker 2.x; if it arrives as RFC3339 on this instance, parse it
+  # in a prep step (see infinity-tales TODO).
+  docker:
+    image: woodpeckerci/plugin-docker-buildx
+    environment:
+      SOURCE_DATE_EPOCH: ${CI_COMMIT_TIMESTAMP}
+    settings:
+      repo: registry.itsh.dev/vikingowl/marktvogt.de/backend
+      tags:
+        - "${CI_COMMIT_SHA:0:8}"
+      dockerfile: backend/deploy/Dockerfile
+      context: backend
+      registry: registry.itsh.dev
+      output: type=image,push=true,rewrite-timestamp=true
+      username:
+        from_secret: registry_user
+      password:
+        from_secret: registry_password
+    when:
+      - event: push
+        branch: main
+
+  # Deploy via Helm using the exact SHA tag just pushed
  deploy:
    image: alpine/helm:4.1
-    depends_on: [build]
    environment:
      KUBECONFIG_DATA:
        from_secret: kubeconfig_data
@@ -63,11 +63,10 @@ steps:
      - mkdir -p ~/.kube
      - echo "$KUBECONFIG_DATA" > ~/.kube/config
      - chmod 600 ~/.kube/config
-      - SHORT_SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8)
      - |
        helm upgrade --install marktvogt-backend ./backend/deploy/helm/ \
          --namespace tenant-2 \
-          --set image.tag="$SHORT_SHA" \
+          --set image.tag="${CI_COMMIT_SHA:0:8}" \
          --set smtp.host="$SMTP_HOST" \
          --set smtp.user="$SMTP_USER" \
          --set smtp.password="$SMTP_PASSWORD" \
@@ -76,4 +75,9 @@ steps:
          --set ai.agentDiscovery="$AI_AGENT_DISCOVERY" \
          --set discovery.token="$DISCOVERY_TOKEN" \
          --set turnstile.secretKey="$TURNSTILE_SECRET_KEY" \
-          --rollback-on-failure --wait=watcher --timeout 5m
+          --rollback-on-failure \
+          --wait=watcher \
+          --timeout 5m
+    when:
+      - event: push
+        branch: main
--- a/.woodpecker/web.yaml
+++ b/.woodpecker/web.yaml
@@ -1,47 +1,46 @@
 when:
-  - event: push
-    branch: main
+  - event: [push, pull_request]
    path:
-      - 'web/**'
-      - '.woodpecker/web.yaml'
-
-services:
-  docker:
-    image: docker:29-dind
-    privileged: true
-    environment:
-      DOCKER_TLS_CERTDIR: ''
-    commands:
-      - dockerd-entrypoint.sh --host=tcp://0.0.0.0:2375 --tls=false
+      include:
+        - 'web/**'
+        - '.woodpecker/web.yaml'

 steps:
-  build:
-    image: docker:29
-    environment:
-      DOCKER_HOST: tcp://docker:2375
-      REGISTRY_USER:
-        from_secret: registry_user
-      REGISTRY_PASSWORD:
-        from_secret: registry_password
+  check:
+    image: node:25-alpine
    commands:
-      - apk add --no-cache git
-      - until docker info > /dev/null 2>&1; do echo "waiting for dind..."; sleep 1; done
-      - docker login -u "$REGISTRY_USER" -p "$REGISTRY_PASSWORD" registry.itsh.dev
-      - docker buildx create --name ci-builder --driver docker-container --use
-      - export SOURCE_DATE_EPOCH=$(git log -1 --format=%ct)
-      - SHORT_SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8)
-      - |
-        docker buildx build \
-          --output "type=image,push=true,rewrite-timestamp=true" \
-          -f web/Dockerfile \
-          --build-arg PUBLIC_API_BASE_URL=https://api.marktvogt.de \
-          --build-arg PUBLIC_TURNSTILE_SITE_KEY=0x4AAAAAACjLCV-78Ql1oTPz \
-          -t "registry.itsh.dev/vikingowl/marktvogt.de/web:$SHORT_SHA" \
-          web/
+      - npm install -g pnpm@10
+      - cd web && pnpm install --frozen-lockfile
+      - cd web && pnpm check

+  # Build and push immutable SHA-tagged image on main branch only.
+  # See backend.yaml for SOURCE_DATE_EPOCH / rewrite-timestamp notes.
+  docker:
+    image: woodpeckerci/plugin-docker-buildx
+    environment:
+      SOURCE_DATE_EPOCH: ${CI_COMMIT_TIMESTAMP}
+    settings:
+      repo: registry.itsh.dev/vikingowl/marktvogt.de/web
+      tags:
+        - "${CI_COMMIT_SHA:0:8}"
+      dockerfile: web/Dockerfile
+      context: web
+      registry: registry.itsh.dev
+      output: type=image,push=true,rewrite-timestamp=true
+      username:
+        from_secret: registry_user
+      password:
+        from_secret: registry_password
+      build_args:
+        - PUBLIC_API_BASE_URL=https://api.marktvogt.de
+        - PUBLIC_TURNSTILE_SITE_KEY=0x4AAAAAACjLCV-78Ql1oTPz
+    when:
+      - event: push
+        branch: main
+
+  # Deploy via Helm using the exact SHA tag just pushed
  deploy:
    image: alpine/helm:4.1
-    depends_on: [build]
    environment:
      KUBECONFIG_DATA:
        from_secret: kubeconfig_data
@@ -49,9 +48,13 @@ steps:
      - mkdir -p ~/.kube
      - echo "$KUBECONFIG_DATA" > ~/.kube/config
      - chmod 600 ~/.kube/config
-      - SHORT_SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8)
      - |
        helm upgrade --install marktvogt-web ./web/deploy/helm/ \
          --namespace tenant-2 \
-          --set image.tag="$SHORT_SHA" \
-          --rollback-on-failure --wait=watcher --timeout 5m
+          --set image.tag="${CI_COMMIT_SHA:0:8}" \
+          --rollback-on-failure \
+          --wait=watcher \
+          --timeout 5m
+    when:
+      - event: push
+        branch: main