From dc00921703ce0a85306702f1631d049b194f954e Mon Sep 17 00:00:00 2001 From: jordan Date: Thu, 5 Feb 2026 19:26:44 -0700 Subject: [PATCH] ci: add Woodpecker CI for self-hosted builds - Add .woodpecker.yml with build steps for api, worker, claudebox - Update K8s manifests to use registry.threesix.ai/rdev/* - Remove ghcr-secret imagePullSecrets (Zot is unauthenticated) Builds will run on Woodpecker using kaniko, pushing to our internal Zot registry. This eliminates the QEMU cross-compilation issues on Apple Silicon. Co-Authored-By: Claude Opus 4.5 --- .woodpecker.yml | 74 +++++++++++++++++++++++++++ deployments/k8s/base/claudebox.yaml | 5 +- deployments/k8s/base/rdev-api.yaml | 4 +- deployments/k8s/base/rdev-worker.yaml | 6 +-- 4 files changed, 78 insertions(+), 11 deletions(-) create mode 100644 .woodpecker.yml diff --git a/.woodpecker.yml b/.woodpecker.yml new file mode 100644 index 0000000..b86cf5d --- /dev/null +++ b/.woodpecker.yml 
@@ -0,0 +1,74 @@
+# Woodpecker CI for rdev platform
+# Builds and deploys rdev-api, rdev-worker, and rdev-claudebox
+
+variables:
+ - ®istry "registry.threesix.ai"
+ - &when_main
+ branch: main
+ event: push
+
+steps:
+ # Run tests first
+ test:
+ image: golang:1.22-alpine
+ commands:
+ - apk add --no-cache git
+ - go test ./...
+
+ # Build rdev-api image
+ build-api:
+ image: gcr.io/kaniko-project/executor:v1.23.2-debug
+ commands:
+ - /kaniko/executor
+ --context=/woodpecker/src
+ --dockerfile=Dockerfile.api
+ --destination=registry.threesix.ai/rdev/api:${CI_COMMIT_SHA:0:8}
+ --destination=registry.threesix.ai/rdev/api:latest
+ --cache=true
+ --skip-tls-verify
+ when:
+ <<: *when_main
+
+ # Build rdev-worker image
+ build-worker:
+ image: gcr.io/kaniko-project/executor:v1.23.2-debug
+ commands:
+ - /kaniko/executor
+ --context=/woodpecker/src
+ --dockerfile=Dockerfile.worker
+ --destination=registry.threesix.ai/rdev/worker:${CI_COMMIT_SHA:0:8}
+ --destination=registry.threesix.ai/rdev/worker:latest
+ --cache=true
+ --skip-tls-verify
+ when:
+ <<: *when_main
+
+ # Build rdev-claudebox image
+ build-claudebox:
+ image: gcr.io/kaniko-project/executor:v1.23.2-debug
+ commands:
+ - /kaniko/executor
+ --context=/woodpecker/src
+ --dockerfile=Dockerfile
+ --destination=registry.threesix.ai/rdev/claudebox:${CI_COMMIT_SHA:0:8}
+ --destination=registry.threesix.ai/rdev/claudebox:latest
+ --cache=true
+ --skip-tls-verify
+ when:
+ <<: *when_main
+
+ # Deploy to k3s cluster
+ deploy:
+ image: bitnami/kubectl:latest
+ commands:
+ - echo "Deploying rdev-api..."
+ - kubectl set image deployment/rdev-api rdev-api=registry.threesix.ai/rdev/api:${CI_COMMIT_SHA:0:8} -n rdev
+ - kubectl rollout status deployment/rdev-api -n rdev --timeout=120s
+ - echo "Deploying rdev-worker..."
+ - kubectl set image deployment/rdev-worker rdev-worker=registry.threesix.ai/rdev/worker:${CI_COMMIT_SHA:0:8} -n rdev + - kubectl rollout status deployment/rdev-worker -n rdev --timeout=120s + - echo "Deploying claudebox..." + - kubectl set image statefulset/claudebox claudebox=registry.threesix.ai/rdev/claudebox:${CI_COMMIT_SHA:0:8} -n rdev + - kubectl rollout status statefulset/claudebox -n rdev --timeout=300s + when: + <<: *when_main diff --git a/deployments/k8s/base/claudebox.yaml b/deployments/k8s/base/claudebox.yaml index d32f947..dae1dd3 100644 --- a/deployments/k8s/base/claudebox.yaml +++ b/deployments/k8s/base/claudebox.yaml @@ -22,7 +22,7 @@ spec: spec: containers: - name: claudebox - image: ghcr.io/orchard9/rdev-claudebox:v0.4.0 + image: registry.threesix.ai/rdev/claudebox:latest imagePullPolicy: Always resources: @@ -70,9 +70,6 @@ spec: persistentVolumeClaim: claimName: claudebox-claude-config - # Pull from GitHub Container Registry - imagePullSecrets: - - name: ghcr-secret --- # Headless service for StatefulSet apiVersion: v1 diff --git a/deployments/k8s/base/rdev-api.yaml b/deployments/k8s/base/rdev-api.yaml index 3bde018..83a3d72 100644 --- a/deployments/k8s/base/rdev-api.yaml +++ b/deployments/k8s/base/rdev-api.yaml @@ -24,7 +24,7 @@ spec: serviceAccountName: rdev-api containers: - name: rdev-api - image: ghcr.io/orchard9/rdev-api:v0.10.56 + image: registry.threesix.ai/rdev/api:latest imagePullPolicy: Always ports: @@ -147,8 +147,6 @@ spec: - name: OTEL_EXPORTER_OTLP_ENDPOINT value: "otel-collector.observability.svc.cluster.local:4317" - imagePullSecrets: - - name: ghcr-secret --- # Service for rdev-api apiVersion: v1 diff --git a/deployments/k8s/base/rdev-worker.yaml b/deployments/k8s/base/rdev-worker.yaml index d05264c..cffeab9 100644 --- a/deployments/k8s/base/rdev-worker.yaml +++ b/deployments/k8s/base/rdev-worker.yaml 
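Review bot: All three kaniko steps in .woodpecker.yml (build-api, build-worker, build-claudebox) push with `--skip-tls-verify`, so the registry's certificate is never checked, and the commit message says the Zot registry is also unauthenticated. Together that leaves nothing to assure the deploy step or the cluster that an image under `registry.threesix.ai/rdev/` is the one this pipeline built. I would drop the flag and give kaniko the registry CA instead, e.g. `--registry-certificate=registry.threesix.ai=<path-to-registry-ca.crt>`, and limit push access on the registry to the CI identity. Separately, the deploy step runs `bitnami/kubectl:latest` with whatever cluster credentials the step receives (not visible in this hunk); pin that image to a version tag or digest, as the kaniko steps already do with `v1.23.2-debug`.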
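Review bot: The first hunk of deployments/k8s/base/claudebox.yaml replaces the pinned `v0.4.0` with `registry.threesix.ai/rdev/claudebox:latest` under `imagePullPolicy: Always`, so every pod restart pulls whatever currently carries that tag, from a registry the commit message describes as unauthenticated. rdev-api.yaml does the same (`v0.10.56` to `latest`), and rdev-worker.yaml keeps `latest` for both of its containers. It also means that re-applying the base would presumably replace the SHA tag that the pipeline's `kubectl set image` puts on the workload. Consider keeping an immutable reference in the manifest, e.g. `image: registry.threesix.ai/rdev/claudebox:<commit-sha-tag>` or an `@sha256:<digest>` pin, and have CI update that value rather than patching the live object.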
@@ -24,7 +24,7 @@ spec: containers: # Main worker container - polls for tasks and orchestrates execution - name: worker - image: ghcr.io/orchard9/rdev-worker:latest + image: registry.threesix.ai/rdev/worker:latest imagePullPolicy: Always env: @@ -69,7 +69,7 @@ spec: # Claudebox sidecar - provides Claude Code execution via HTTP - name: claudebox - image: ghcr.io/orchard9/rdev-claudebox:latest + image: registry.threesix.ai/rdev/claudebox:latest imagePullPolicy: Always env: @@ -132,8 +132,6 @@ spec: persistentVolumeClaim: claimName: claudebox-claude-config - imagePullSecrets: - - name: ghcr-secret --- # Secret for worker credentials apiVersion: v1