Merge pull request 'fix: infra: CI broken on main — missing WOODPECKER_PLUGINS_PRIVILEGED server env + misplaced .woodpecker/ops-filer.yml in project repo (#779)' (#782) from fix/issue-779 into main

2026-04-15 11:07:27 +00:00 · 2026-04-15 11:07:27 +00:00 · c644660bda
commit c644660bda
parent 91f36b2692 a8d393f3bd
4 changed files with 6 additions and 37 deletions
--- a/.env.example
+++ b/.env.example
@ -63,6 +63,10 @@ FORGE_BOT_USERNAMES=dev-bot,review-bot,planner-bot,gardener-bot,vault-bot,superv
 WOODPECKER_TOKEN=                          # [SECRET] Woodpecker API token
 WOODPECKER_SERVER=http://localhost:8000     # [CONFIG] Woodpecker server URL
 WOODPECKER_AGENT_SECRET=                   # [SECRET] shared secret for server↔agent auth (auto-generated)
 # Woodpecker privileged-plugin allowlist — comma-separated image names
 # Add plugins/docker (and others) here to allow privileged execution
 WOODPECKER_PLUGINS_PRIVILEGED=plugins/docker
 # WOODPECKER_REPO_ID — now per-project, set in projects/*.toml [ci] section
 # Woodpecker Postgres (for direct DB queries)
--- a/.woodpecker/ops-filer.yml
+++ b/.woodpecker/ops-filer.yml
@ -1,36 +0,0 @@
 # .woodpecker/ops-filer.yml — Sub-issue filer pipeline (#764)
 #
 # Triggered on push to main of the ops repo after a sprint PR merges.
 # Parses sprints/*.md for ## Sub-issues blocks and files them on the
 # project repo via filer-bot (FORGE_FILER_TOKEN).
 #
 # NOTE: This pipeline runs on the ops repo. It must be registered in the
 # ops repo's Woodpecker project. The filer script (lib/sprint-filer.sh)
 # lives in the code repo and is cloned into the workspace.
 #
 # Idempotency: safe to re-run — each sub-issue carries a decomposed-from
 # marker that the filer checks before creating.
 when:
  branch: main
  event: push
 steps:
  - name: file-subissues
    image: alpine:3
    commands:
      - apk add --no-cache bash curl jq
      # Clone the code repo to get the filer script
      - AUTH_URL=$(printf '%s' "${FORGE_URL}/disinto-admin/disinto.git" | sed "s|://|://token:${FORGE_FILER_TOKEN}@|")
      - git clone --depth 1 "$AUTH_URL" /tmp/code-repo
      # Run filer against all sprint files in the ops repo workspace
      - bash /tmp/code-repo/lib/sprint-filer.sh --all sprints/
    environment:
      FORGE_FILER_TOKEN:
        from_secret: forge_filer_token
      FORGE_URL:
        from_secret: forge_url
      FORGE_API:
        from_secret: forge_api
      FORGE_API_BASE:
        from_secret: forge_api_base
--- a/AGENTS.md
+++ b/AGENTS.md
@ -114,7 +114,7 @@ bash dev/phase-test.sh
 | Planner | `planner/` | Strategic planning | [planner/AGENTS.md](planner/AGENTS.md) |
 | Predictor | `predictor/` | Infrastructure pattern detection | [predictor/AGENTS.md](predictor/AGENTS.md) |
 | Architect | `architect/` | Strategic decomposition (read-only on project repo) | [architect/AGENTS.md](architect/AGENTS.md) |
-| Filer | `lib/sprint-filer.sh` | Sub-issue filing from merged sprint PRs | `.woodpecker/ops-filer.yml` |
+| Filer | `lib/sprint-filer.sh` | Sub-issue filing from merged sprint PRs | ops repo pipeline (deferred, see #779) |
 | Reproduce | `docker/reproduce/` | Bug reproduction using Playwright MCP | `formulas/reproduce.toml` |
 | Triage | `docker/reproduce/` | Deep root cause analysis | `formulas/triage.toml` |
 | Edge dispatcher | `docker/edge/` | Polls ops repo for vault actions, executes via Claude sessions | `docker/edge/dispatcher.sh` |
--- a/lib/generators.sh
+++ b/lib/generators.sh
@ -295,6 +295,7 @@ services:
      WOODPECKER_AGENT_SECRET: ${WOODPECKER_AGENT_SECRET:-}
      WOODPECKER_DATABASE_DRIVER: sqlite3
      WOODPECKER_DATABASE_DATASOURCE: /var/lib/woodpecker/woodpecker.sqlite
      WOODPECKER_PLUGINS_PRIVILEGED: ${WOODPECKER_PLUGINS_PRIVILEGED:-plugins/docker}
      WOODPECKER_ENVIRONMENT: "FORGE_TOKEN:${FORGE_TOKEN}"
    depends_on:
      forgejo: