3b5498bc30
Merge pull request 'fix: [nomad-step-3] S3-fix-6 — woodpecker-agent can't reach server gRPC at localhost:9000 (port bound to LXC IP) (#964)' (#966) from fix/issue-964 into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
2026-04-17 15:01:59 +00:00
Agent
ab0a6be41f
fix: use Nomad interpolation syntax for WOODPECKER_SERVER
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
2026-04-17 14:58:13 +00:00
Agent
3d62b52e36
fix: [nomad-step-3] S3-fix-6 — woodpecker-agent can't reach server gRPC at localhost:9000 (port bound to LXC IP) (#964)
2026-04-17 14:58:13 +00:00
82a712bac3
Merge pull request 'fix: [nomad-step-4] S4-fix-1 — vault-seed-agents.sh must seed kv/disinto/bots/dev (missing from .env import) (#963)' (#965) from fix/issue-963 into main
ci/woodpecker/push/ci Pipeline was successful
2026-04-17 14:46:52 +00:00
dev-qwen2
1a637fdc27
fix: [nomad-step-4] S4-fix-1 — vault-seed-agents.sh must seed kv/disinto/bots/dev (missing from .env import) (#963)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
2026-04-17 14:43:06 +00:00
edf7a28bd3
Merge pull request 'fix: [nomad-step-3] S3-fix-5 — nomad/client.hcl must allow_privileged for woodpecker-agent (#961)' (#962) from fix/issue-961 into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
2026-04-17 12:53:42 +00:00
dev-qwen2
fbcc6c5e43
fix: [nomad-step-3] S3-fix-5 — nomad/client.hcl must allow_privileged for woodpecker-agent (#961)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
2026-04-17 12:48:08 +00:00
9c4c5f1ac8
Merge pull request 'fix: [nomad-step-4] S4.2 — wire --with agents + deploy ordering (#956)' (#960) from fix/issue-956 into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
2026-04-17 11:06:39 +00:00
dev-qwen2
155ec85a3e
fix: [nomad-step-4] S4.2 — wire --with agents + deploy ordering (#956)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline was successful
2026-04-17 10:55:13 +00:00
a51f543005
Merge pull request 'fix: [nomad-step-4] S4.1 — nomad/jobs/agents.hcl (7 roles, llama, vault-templated bot tokens) (#955)' (#959) from fix/issue-955 into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
2026-04-17 10:49:36 +00:00
2ef77f4aa3
Merge pull request 'fix: [nomad-step-3] S3-fix-3 — host-volume dirs need 0777 for non-root containers (#953)' (#957) from fix/issue-953 into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
2026-04-17 10:40:32 +00:00
6ff08a3b74
Merge pull request 'fix: [nomad-step-3] S3-fix-4 — KV key-name mismatch: wp_forgejo_client vs forgejo_client (#954)' (#958) from fix/issue-954 into main
ci/woodpecker/push/ci Pipeline was successful
2026-04-17 10:37:50 +00:00
Claude
eadefcd30a
fix: replace script check with checkless service registration
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
Nomad native service provider only supports tcp/http checks, not
script checks. Since agents expose no HTTP endpoint, register the
service without a check — Nomad tracks health via task lifecycle.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-17 10:09:56 +00:00
Claude
c17548a216
fix: move service block to group level for nomad provider
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline failed
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline failed
ci/woodpecker/pr/secret-scan Pipeline was successful
The Nomad native service provider requires the service block at the
group level, not inside the task. Script checks use task = "agents"
to specify the execution context.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-17 10:07:36 +00:00
Claude
aa7db2a5fc
fix: whitelist vault-seed preamble + precondition dup hashes
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline failed
ci/woodpecker/pr/secret-scan Pipeline was successful
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-17 10:03:32 +00:00
dev-qwen2
ec3b51724f
fix: [nomad-step-3] S3-fix-3 — host-volume dirs need 0777 for non-root containers (#953)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
2026-04-17 10:00:16 +00:00
Claude
93a2a7bd3d
fix: [nomad-step-4] S4.1 — nomad/jobs/agents.hcl (7 roles, llama, vault-templated bot tokens) (#955)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline failed
ci/woodpecker/pr/ci Pipeline failed
ci/woodpecker/pr/nomad-validate Pipeline failed
ci/woodpecker/pr/secret-scan Pipeline was successful
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-17 09:57:12 +00:00
Agent
612b3e616c
fix: [nomad-step-3] S3-fix-4 — KV key-name mismatch: wp_forgejo_client vs forgejo_client (#954)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline was successful
2026-04-17 09:53:23 +00:00
c20b0a8bd2
Merge pull request 'fix: [nomad-step-2] S2-fix-G — strip trailing /* from all vault policy paths (systemic 403) (#951)' (#952) from fix/issue-951 into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
2026-04-17 09:17:08 +00:00
Agent
8f5652864d
fix: [nomad-step-2] S2-fix-G — strip trailing /* from all vault policy paths (systemic 403) (#951)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
2026-04-17 09:11:22 +00:00
c47c6e71bd
Merge pull request 'fix: [nomad-step-3] S3-fix-2 — wp-oauth REPO_ROOT still wrong + seed/deploy must interleave (#948)' (#949) from fix/issue-948 into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
2026-04-17 08:38:56 +00:00
dev-qwen2
8fb173763c
fix: [nomad-step-3] S3-fix-2 — wp-oauth REPO_ROOT still wrong + seed/deploy must interleave (#948)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline was successful
2026-04-17 08:24:00 +00:00
c829d7781b
Merge pull request 'fix: [nomad-step-3] S3-fix — deploy.sh crashes on hyphenated job name + wp-oauth double lib/ path (#944)' (#945) from fix/issue-944 into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
2026-04-17 07:57:08 +00:00
dev-qwen2
7fd9a457c3
fix: [nomad-step-3] S3-fix — deploy.sh crashes on hyphenated job name + wp-oauth double lib/ path (#944)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
2026-04-17 07:49:40 +00:00
83f02cbb85
Merge pull request 'chore: gardener housekeeping' (#946) from chore/gardener-20260417-0738 into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
2026-04-17 07:42:25 +00:00
Claude
c604efd368
chore: gardener housekeeping 2026-04-17
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
2026-04-17 07:38:11 +00:00
a7a046b81a
Merge pull request 'fix: [nomad-step-3] S3.4 — wire --with woodpecker + deploy ordering + OAuth seed (#937)' (#943) from fix/issue-937-2 into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
2026-04-17 07:05:34 +00:00
Claude
64cadf8a7d
fix: [nomad-step-3] S3.4 — wire --with woodpecker + deploy ordering + OAuth seed (#937)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline was successful
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-17 06:53:40 +00:00
3409c1b43c
Merge pull request 'fix: [nomad-step-3] S3.3 — wp-oauth-register.sh (Forgejo OAuth app + Vault KV) (#936)' (#940) from fix/issue-936 into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
2026-04-17 06:08:09 +00:00
dev-qwen2
13088f4eb2
fix: propagate DRY_RUN env var to wp-oauth-register.sh
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
2026-04-17 06:03:41 +00:00
dev-qwen2
442d24b76d
fix: resolve CI blockers for wp-oauth-register.sh
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
2026-04-17 05:54:30 +00:00
dev-qwen2
11566c2757
fix: add allowed hashes for vault-seed duplicate patterns
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
2026-04-17 05:43:46 +00:00
dev-qwen2
10e469c970
fix: [nomad-step-3] S3.3 — wp-oauth-register.sh (Forgejo OAuth app + Vault KV) (#936)
2026-04-17 05:43:46 +00:00
71671d868d
Merge pull request 'fix: [nomad-step-3] S3.2 — nomad/jobs/woodpecker-agent.hcl (host-net, docker.sock) (#935)' (#939) from fix/issue-935 into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
2026-04-17 05:42:19 +00:00
Agent
5d76cc96fb
fix: [nomad-step-3] S3.2 — nomad/jobs/woodpecker-agent.hcl (host-net, docker.sock) (#935)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
2026-04-17 05:35:02 +00:00
b501077352
Merge pull request 'fix: [nomad-step-3] S3.1 — nomad/jobs/woodpecker-server.hcl + vault-seed-woodpecker.sh (#934)' (#938) from fix/issue-934 into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
2026-04-17 05:29:10 +00:00
Claude
28ed3dd751
fix: extract KV mount check into hvault_ensure_kv_v2 to deduplicate seed scripts
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
The duplicate-detection CI step flagged the shared KV-mount-checking
boilerplate between vault-seed-forgejo.sh and vault-seed-woodpecker.sh.
Extract into lib/hvault.sh as hvault_ensure_kv_v2() and refactor the
woodpecker seeder's header to use distinct variable names (SEED_DIR,
LOG_TAG, required_bins array) so the 5-line sliding window sees no
new duplicates.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-17 05:21:47 +00:00
Claude
32c88471a7
fix: [nomad-step-3] S3.1 — nomad/jobs/woodpecker-server.hcl + vault-seed-woodpecker.sh (#934)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline failed
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-17 05:15:58 +00:00
40ffffed73
Merge pull request 'fix: incident: WP gRPC flake burned dev-qwen CI retry budget on #842 (2026-04-16) (#867)' (#933) from fix/issue-867 into main
ci/woodpecker/push/ci Pipeline was successful
2026-04-17 01:40:38 +00:00
7a45cc31f9
Merge pull request 'fix: tech-debt: edge service missing pull_policy: build in --build mode generator (#914)' (#931) from fix/issue-914 into main
ci/woodpecker/push/ci Pipeline was successful
2026-04-17 01:35:02 +00:00
Agent
c0697ab27b
fix: incident: WP gRPC flake burned dev-qwen CI retry budget on #842 (2026-04-16) (#867)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
2026-04-17 01:34:41 +00:00
Agent
04ead1fbdc
fix: incident: WP gRPC flake burned dev-qwen CI retry budget on #842 (2026-04-16) (#867)
2026-04-17 01:34:41 +00:00
c3e58e88ed
Merge pull request 'fix: tech-debt: tools/vault-import.sh uses hardcoded secret/ KV mount (#910)' (#932) from fix/issue-910 into main
ci/woodpecker/push/ci Pipeline was successful
2026-04-17 01:31:10 +00:00
Claude
f53c3690b8
fix: tech-debt: edge service missing pull_policy: build in --build mode generator (#914)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline was successful
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-17 01:18:13 +00:00
dev-qwen2
99d3cb4c8f
fix: tech-debt: tools/vault-import.sh uses hardcoded secret/ KV mount (#910)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
2026-04-17 01:18:03 +00:00
f93600a1cf
Merge pull request 'chore: gardener housekeeping 2026-04-17' (#930) from chore/gardener-20260417-0107 into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
2026-04-17 01:11:55 +00:00
Claude
caf937f295
chore: gardener housekeeping 2026-04-17
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
- Promote #910, #914, #867 to backlog with acceptance criteria + affected files
- Promote #820 to backlog (already well-structured, dep on #758 gates pickup)
- Stage #915 as dust (no-op sed, single-line removal)
- Update all AGENTS.md watermarks to HEAD
- Root AGENTS.md: document vault-seed-<svc>.sh convention + complete test file list
- Track gardener/dust.jsonl in git (remove from .gitignore)
2026-04-17 01:07:31 +00:00
8ad5aca6bb
Merge pull request 'fix: [nomad-step-2] S2-fix-F — wire tools/vault-seed-<svc>.sh into bin/disinto --with <svc> (#928)' (#929) from fix/issue-928 into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
2026-04-16 22:23:55 +00:00
Claude
f214080280
fix: [review-r1] seed loop sudo invocation bypasses sudoers env_reset (#929)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline was successful
`sudo -n "VAULT_ADDR=$vault_addr" -- "$seed_script"` passed
VAULT_ADDR as a sudoers env-assignment argument. With the default
`env_reset=on` policy (almost all distros), sudo silently discards
env assignments unless the variable is in `env_keep` — and
VAULT_ADDR is not. The seeder then hit its own precondition check
at vault-seed-forgejo.sh:109 and died with "VAULT_ADDR unset",
breaking the fresh-LXC non-root acceptance path the PR was written
to close.
Fix: run `env` as the command under sudo — `sudo -n -- env
"VAULT_ADDR=$vault_addr" "$seed_script"` — so VAULT_ADDR is set in
the child process directly, unaffected by sudoers env handling.
The root (non-sudo) branch already used shell-level env assignment
and was correct.
Adds a grep-level regression guard that pins the `env VAR=val`
invocation and negative-asserts the unsafe bare-argument form.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 22:14:05 +00:00
Claude
5e83ecc2ef
fix: [nomad-step-2] S2-fix-F — wire tools/vault-seed-<svc>.sh into bin/disinto --with <svc> (#928)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline was successful
`tools/vault-seed-forgejo.sh` existed and worked, but `bin/disinto init
--backend=nomad --with forgejo` never invoked it, so a fresh LXC with an
empty Vault hit `Template Missing: vault.read(kv/data/disinto/shared/
forgejo)` and the forgejo alloc timed out inside deploy.sh's 240s
healthy_deadline — operator had to run the seeder + `nomad alloc
restart` by hand to recover.
In `_disinto_init_nomad`, after `vault-import.sh` (or its skip branch)
and before `deploy.sh`, iterate `--with <svc>` and auto-invoke
`tools/vault-seed-<svc>.sh` when the file exists + is executable.
Services without a seeder are silently skipped — Step 3+ services
(woodpecker, chat, etc.) can ship their own seeder without touching
`bin/disinto`. VAULT_ADDR is passed explicitly because cluster-up.sh
writes the profile.d export during this same init run (current shell
hasn't sourced it yet) and `vault-seed-forgejo.sh` — unlike its
sibling vault-* scripts — requires the caller to set VAULT_ADDR
instead of defaulting it via `_hvault_default_env`. Mirror the loop in
the --dry-run plan so the operator-visible plan matches the real run.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 22:00:13 +00:00