Merge pull request 'fix: infra: CI broken on main — missing WOODPECKER_PLUGINS_PRIVILEGED server env + misplaced .woodpecker/ops-filer.yml in project repo (#779)' (#782) from fix/issue-779 into main

2026-04-15 11:07:27 +00:00 · 2026-04-15 11:07:27 +00:00 · c644660bda
commit c644660bda
parent 91f36b2692 a8d393f3bd
4 changed files with 6 additions and 37 deletions
--- a/.env.example
+++ b/.env.example
@ -63,6 +63,10 @@ FORGE_BOT_USERNAMES=dev-bot,review-bot,planner-bot,gardener-bot,vault-bot,superv
 WOODPECKER_TOKEN=                          # [SECRET] Woodpecker API token
 WOODPECKER_SERVER=http://localhost:8000     # [CONFIG] Woodpecker server URL
 WOODPECKER_AGENT_SECRET=                   # [SECRET] shared secret for server↔agent auth (auto-generated)
+# Woodpecker privileged-plugin allowlist — comma-separated image names
+# Add plugins/docker (and others) here to allow privileged execution
+WOODPECKER_PLUGINS_PRIVILEGED=plugins/docker
+
 # WOODPECKER_REPO_ID — now per-project, set in projects/*.toml [ci] section

 # Woodpecker Postgres (for direct DB queries)
--- a/.woodpecker/ops-filer.yml
+++ b/.woodpecker/ops-filer.yml
@ -1,36 +0,0 @@
-# .woodpecker/ops-filer.yml — Sub-issue filer pipeline (#764)
-#
-# Triggered on push to main of the ops repo after a sprint PR merges.
-# Parses sprints/*.md for ## Sub-issues blocks and files them on the
-# project repo via filer-bot (FORGE_FILER_TOKEN).
-#
-# NOTE: This pipeline runs on the ops repo. It must be registered in the
-# ops repo's Woodpecker project. The filer script (lib/sprint-filer.sh)
-# lives in the code repo and is cloned into the workspace.
-#
-# Idempotency: safe to re-run — each sub-issue carries a decomposed-from
-# marker that the filer checks before creating.
-
-when:
-  branch: main
-  event: push
-
-steps:
-  - name: file-subissues
-    image: alpine:3
-    commands:
-      - apk add --no-cache bash curl jq
-      # Clone the code repo to get the filer script
-      - AUTH_URL=$(printf '%s' "${FORGE_URL}/disinto-admin/disinto.git" | sed "s|://|://token:${FORGE_FILER_TOKEN}@|")
-      - git clone --depth 1 "$AUTH_URL" /tmp/code-repo
-      # Run filer against all sprint files in the ops repo workspace
-      - bash /tmp/code-repo/lib/sprint-filer.sh --all sprints/
-    environment:
-      FORGE_FILER_TOKEN:
-        from_secret: forge_filer_token
-      FORGE_URL:
-        from_secret: forge_url
-      FORGE_API:
-        from_secret: forge_api
-      FORGE_API_BASE:
-        from_secret: forge_api_base
--- a/AGENTS.md
+++ b/AGENTS.md
@ -114,7 +114,7 @@ bash dev/phase-test.sh
 | Planner | `planner/` | Strategic planning | [planner/AGENTS.md](planner/AGENTS.md) |
 | Predictor | `predictor/` | Infrastructure pattern detection | [predictor/AGENTS.md](predictor/AGENTS.md) |
 | Architect | `architect/` | Strategic decomposition (read-only on project repo) | [architect/AGENTS.md](architect/AGENTS.md) |
-| Filer | `lib/sprint-filer.sh` | Sub-issue filing from merged sprint PRs | `.woodpecker/ops-filer.yml` |
+| Filer | `lib/sprint-filer.sh` | Sub-issue filing from merged sprint PRs | ops repo pipeline (deferred, see #779) |
 | Reproduce | `docker/reproduce/` | Bug reproduction using Playwright MCP | `formulas/reproduce.toml` |
 | Triage | `docker/reproduce/` | Deep root cause analysis | `formulas/triage.toml` |
 | Edge dispatcher | `docker/edge/` | Polls ops repo for vault actions, executes via Claude sessions | `docker/edge/dispatcher.sh` |
--- a/lib/generators.sh
+++ b/lib/generators.sh
@ -295,6 +295,7 @@ services:
      WOODPECKER_AGENT_SECRET: ${WOODPECKER_AGENT_SECRET:-}
      WOODPECKER_DATABASE_DRIVER: sqlite3
      WOODPECKER_DATABASE_DATASOURCE: /var/lib/woodpecker/woodpecker.sqlite
+      WOODPECKER_PLUGINS_PRIVILEGED: ${WOODPECKER_PLUGINS_PRIVILEGED:-plugins/docker}
      WOODPECKER_ENVIRONMENT: "FORGE_TOKEN:${FORGE_TOKEN}"
    depends_on:
      forgejo: