ci: add Woodpecker CI for self-hosted builds

- Add .woodpecker.yml with build steps for api, worker, claudebox - Update K8s manifests to use registry.threesix.ai/rdev/* - Remove ghcr-secret imagePullSecrets (Zot is unauthenticated) Builds will run on Woodpecker using kaniko, pushing to our internal Zot registry. This eliminates the QEMU cross-compilation issues on Apple Silicon. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 19:26:44 -07:00 · 2026-02-05 19:26:44 -07:00 · dc00921703
commit dc00921703
parent 3b35900a2d
4 changed files with 78 additions and 11 deletions
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@ -0,0 +1,74 @@
+# Woodpecker CI for rdev platform
+# Builds and deploys rdev-api, rdev-worker, and rdev-claudebox
+
+variables:
+  - &registry "registry.threesix.ai"
+  - &when_main
+    branch: main
+    event: push
+
+steps:
+  # Run tests first
+  test:
+    image: golang:1.22-alpine
+    commands:
+      - apk add --no-cache git
+      - go test ./...
+
+  # Build rdev-api image
+  build-api:
+    image: gcr.io/kaniko-project/executor:v1.23.2-debug
+    commands:
+      - /kaniko/executor
+        --context=/woodpecker/src
+        --dockerfile=Dockerfile.api
+        --destination=registry.threesix.ai/rdev/api:${CI_COMMIT_SHA:0:8}
+        --destination=registry.threesix.ai/rdev/api:latest
+        --cache=true
+        --skip-tls-verify
+    when:
+      <<: *when_main
+
+  # Build rdev-worker image
+  build-worker:
+    image: gcr.io/kaniko-project/executor:v1.23.2-debug
+    commands:
+      - /kaniko/executor
+        --context=/woodpecker/src
+        --dockerfile=Dockerfile.worker
+        --destination=registry.threesix.ai/rdev/worker:${CI_COMMIT_SHA:0:8}
+        --destination=registry.threesix.ai/rdev/worker:latest
+        --cache=true
+        --skip-tls-verify
+    when:
+      <<: *when_main
+
+  # Build rdev-claudebox image
+  build-claudebox:
+    image: gcr.io/kaniko-project/executor:v1.23.2-debug
+    commands:
+      - /kaniko/executor
+        --context=/woodpecker/src
+        --dockerfile=Dockerfile
+        --destination=registry.threesix.ai/rdev/claudebox:${CI_COMMIT_SHA:0:8}
+        --destination=registry.threesix.ai/rdev/claudebox:latest
+        --cache=true
+        --skip-tls-verify
+    when:
+      <<: *when_main
+
+  # Deploy to k3s cluster
+  deploy:
+    image: bitnami/kubectl:latest
+    commands:
+      - echo "Deploying rdev-api..."
+      - kubectl set image deployment/rdev-api rdev-api=registry.threesix.ai/rdev/api:${CI_COMMIT_SHA:0:8} -n rdev
+      - kubectl rollout status deployment/rdev-api -n rdev --timeout=120s
+      - echo "Deploying rdev-worker..."
+      - kubectl set image deployment/rdev-worker rdev-worker=registry.threesix.ai/rdev/worker:${CI_COMMIT_SHA:0:8} -n rdev
+      - kubectl rollout status deployment/rdev-worker -n rdev --timeout=120s
+      - echo "Deploying claudebox..."
+      - kubectl set image statefulset/claudebox claudebox=registry.threesix.ai/rdev/claudebox:${CI_COMMIT_SHA:0:8} -n rdev
+      - kubectl rollout status statefulset/claudebox -n rdev --timeout=300s
+    when:
+      <<: *when_main
--- a/deployments/k8s/base/claudebox.yaml
+++ b/deployments/k8s/base/claudebox.yaml
@ -22,7 +22,7 @@ spec:
    spec:
      containers:
        - name: claudebox
-          image: ghcr.io/orchard9/rdev-claudebox:v0.4.0
+          image: registry.threesix.ai/rdev/claudebox:latest
          imagePullPolicy: Always

          resources:
@ -70,9 +70,6 @@ spec:
          persistentVolumeClaim:
            claimName: claudebox-claude-config

-      # Pull from GitHub Container Registry
-      imagePullSecrets:
-        - name: ghcr-secret
 ---
 # Headless service for StatefulSet
 apiVersion: v1
--- a/deployments/k8s/base/rdev-api.yaml
+++ b/deployments/k8s/base/rdev-api.yaml
@ -24,7 +24,7 @@ spec:
      serviceAccountName: rdev-api
      containers:
        - name: rdev-api
-          image: ghcr.io/orchard9/rdev-api:v0.10.56
+          image: registry.threesix.ai/rdev/api:latest
          imagePullPolicy: Always

          ports:
@ -147,8 +147,6 @@ spec:
            - name: OTEL_EXPORTER_OTLP_ENDPOINT
              value: "otel-collector.observability.svc.cluster.local:4317"

-      imagePullSecrets:
-        - name: ghcr-secret
 ---
 # Service for rdev-api
 apiVersion: v1
--- a/deployments/k8s/base/rdev-worker.yaml
+++ b/deployments/k8s/base/rdev-worker.yaml
@ -24,7 +24,7 @@ spec:
      containers:
        # Main worker container - polls for tasks and orchestrates execution
        - name: worker
-          image: ghcr.io/orchard9/rdev-worker:latest
+          image: registry.threesix.ai/rdev/worker:latest
          imagePullPolicy: Always

          env:
@ -69,7 +69,7 @@ spec:

        # Claudebox sidecar - provides Claude Code execution via HTTP
        - name: claudebox
-          image: ghcr.io/orchard9/rdev-claudebox:latest
+          image: registry.threesix.ai/rdev/claudebox:latest
          imagePullPolicy: Always

          env:
@ -132,8 +132,6 @@ spec:
          persistentVolumeClaim:
            claimName: claudebox-claude-config

-      imagePullSecrets:
-        - name: ghcr-secret
 ---
 # Secret for worker credentials
 apiVersion: v1