ci: add GitOps update step to Woodpecker pipeline

- After building gateway/users images, update GitOps with new SHA tag - Update apps/nxtgauge-backend-rust/overlays/prod/kustomization.yaml - Requires secrets: GITOPS_REPO_URL, GITOPS_BRANCH, GITOPS_TOKEN
2026-04-14 14:18:00 +02:00 · 2026-04-14 14:18:00 +02:00 · d4c7fdcddd
commit d4c7fdcddd
parent 30d8eeb279
1 changed files with 52 additions and 4 deletions
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@ -1,11 +1,13 @@
-# Woodpecker CI - All 21 services + migrate run in parallel via matrix
-# Woodpecker executes each matrix entry as a separate pipeline concurrently
+# Woodpecker CI - Build all services + update GitOps with image digests
+#
+# Secrets required in Woodpecker:
+# - REGISTRY_HOSTPORT, REGISTRY_USERNAME, REGISTRY_PASSWORD (existing)
+# - GITOPS_REPO_URL, GITOPS_BRANCH, GITOPS_TOKEN, GITOPS_USERNAME, GITOPS_EMAIL

 when:
  branch: [main, high-performance]
  event: push

-# Limit concurrent pipelines to avoid overwhelming resources
 concurrency:
  limit: 4

@ -56,8 +58,54 @@ steps:
      platforms: linux/amd64
      cache: false

+  - name: update-gitops
+    image: alpine:latest
+    environment:
+      GITOPS_REPO_URL:
+        from_secret: GITOPS_REPO_URL
+      GITOPS_BRANCH:
+        from_secret: GITOPS_BRANCH
+      GITOPS_TOKEN:
+        from_secret: GITOPS_TOKEN
+    commands:
+      - |
+        set -e
+        apk add --no-cache git bash sed
+
+        SERVICE_IMAGE="registry.nxtgauge.com:5000/nxtgauge-rust-${SERVICE}:${CI_COMMIT_SHA}"
+        echo "Service: ${SERVICE}, Image: ${SERVICE_IMAGE}"
+
+        # Clone gitops repo
+        GIT_REPO=$(echo "${GITOPS_REPO_URL}" | sed 's|https://||')
+        git clone "https://x-access-token:${GITOPS_TOKEN}@${GIT_REPO}" /tmp/gitops
+        cd /tmp/gitops
+        git checkout ${GITOPS_BRANCH:-main}
+
+        # Find and update the image in backend overlay
+        BACKEND_OVERLAY="apps/nxtgauge-backend-rust/overlays/prod"
+        if [ -f "${BACKEND_OVERLAY}/kustomization.yaml" ]; then
+          # Update to use SHA tag
+          sed -i "s|image: registry.nxtgauge.com:5000/nxtgauge-rust-${SERVICE}:.*|image: registry.nxtgauge.com:5000/nxtgauge-rust-${SERVICE}:${CI_COMMIT_SHA}|" \
+            ${BACKEND_OVERLAY}/kustomization.yaml
+          echo "Updated ${SERVICE} in ${BACKEND_OVERLAY}/kustomization.yaml"
+        fi
+
+        # Commit if changed
+        if ! git diff --quiet; then
+          git add -A
+          git commit -m "ci: update ${SERVICE} to ${CI_COMMIT_SHA:0:8}"
+          git push origin ${GITOPS_BRANCH:-main}
+          echo "Pushed GitOps update"
+        else
+          echo "No changes to push"
+        fi
+    when:
+      status: success
+      matrix:
+        SERVICE: [gateway, users]
+
 ---
-# Separate pipeline for database migrations (runs independently)
+# Database migrations pipeline
 when:
  branch: [main, high-performance]
  event: push