ci: fix lint errors across project, update ruff.toml per-file ignores

2026-04-18 21:02:28 +00:00
parent 4d1894c652
commit 5f6d23888a
34 changed files with 1441 additions and 188 deletions
@@ -0,0 +1,15 @@
+# ClusterRoleBinding: Grant Woodpecker agent cluster-admin for integration tests
+# Integration test steps create ephemeral namespaces and deploy sandbox infrastructure.
+# Mirrors the existing ARC runner RBAC pattern.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: woodpecker-agent-inttest
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: woodpecker-agent
+    namespace: woodpecker
@@ -0,0 +1,20 @@
+# NetworkPolicy: Allow Traefik ingress to Woodpecker server
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-traefik-to-woodpecker
+  namespace: woodpecker
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: server
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - protocol: TCP
+          port: 8000
@@ -0,0 +1,53 @@
+# Helm values for Woodpecker CI
+# Chart: woodpecker/woodpecker
+# Namespace: woodpecker
+
+# --- Server ---
+server:
+  enabled: true
+
+  env:
+    WOODPECKER_HOST: "https://stonks-ci.celestium.life"
+    WOODPECKER_SERVER_ADDR: "0.0.0.0:8000"
+    WOODPECKER_GITEA: "true"
+    WOODPECKER_GITEA_URL: "http://gitea-service.git-server.svc.cluster.local:3000"
+    WOODPECKER_GITEA_CLIENT: "<GITEA_CLIENT_ID>"
+    WOODPECKER_GITEA_SECRET: "<GITEA_CLIENT_SECRET>"
+    WOODPECKER_ADMIN: "admin"
+    WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx"
+
+  # Traefik ingress with TLS via cert-manager
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    hosts:
+      - host: stonks-ci.celestium.life
+        paths:
+          - path: /
+            backend:
+              serviceName: woodpecker-server
+              servicePort: 80
+    tls:
+      - secretName: woodpecker-tls
+        hosts:
+          - stonks-ci.celestium.life
+    annotations:
+      cert-manager.io/cluster-issuer: ca-issuer
+
+  # NFS-backed persistent volume for SQLite database and build data
+  persistentVolume:
+    enabled: true
+    size: 5Gi
+    storageClass: ""
+
+# --- Agent ---
+agent:
+  enabled: true
+  replicaCount: 2
+
+  env:
+    WOODPECKER_SERVER: "woodpecker-server:9000"
+    WOODPECKER_BACKEND: kubernetes
+    WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker
+    WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 10G
+    WOODPECKER_BACKEND_K8S_STORAGE_RWX: "true"