heraldstack-core currently has two woodpecker config files in .woodpecker/.
the ratified ci rebuild architecture requires one file per tier because woodpecker
publishes one github status per pipeline file, and branch protection needs tier-0 and
tier-1 as separate required checks. main.yml violates this pattern.
task:
- split main.yml into .woodpecker/tier-0.yml (draft + skip-ci + metadata gates),
.woodpecker/tier-2.yml (semgrep + trivy async), and .woodpecker/tier-3.yml (nightly cron)
- delete main.yml
- do not touch tier-1.yml — that file is being rewritten in the current sprint
to use the firecracker plugin
success criteria:
- four files in .woodpecker/ (tier-0.yml, tier-1.yml, tier-2.yml, tier-3.yml)
- main.yml removed
- each tier file gets its own github status check visible in PRs
- branch protection updated to require tier-0 and tier-1 (tier-2/tier-3 advisory)
depends on: current sprint tier-1.yml rewrite landing first
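as an added illustration (not the project's own file, which is not shown here), one shape .woodpecker/tier-2.yml could take under this split. it assumes woodpecker's top-level `when` / `steps` syntax and the public semgrep/semgrep and aquasec/trivy images; both image names and the step names are assumptions:

```yaml
# .woodpecker/tier-2.yml (added example, not heraldstack-core's actual file)
# tier 2: security scanning on every push/PR. it publishes its own github
# status because it is its own pipeline file, but branch protection does NOT
# list it as required, so a red status here is advisory rather than blocking.
when:
  - event: [push, pull_request]

steps:
  - name: semgrep
    image: semgrep/semgrep          # assumed image; pin to a digest in practice
    commands:
      # --error makes the step fail when findings exist, so the advisory
      # status turns red instead of silently passing
      - semgrep scan --config auto --error .

  - name: trivy
    image: aquasec/trivy            # assumed image; pin to a digest in practice
    commands:
      # fail only on HIGH/CRITICAL so the signal stays actionable
      - trivy fs --exit-code 1 --severity HIGH,CRITICAL .
```

the point of the split is visible here: nothing in this file can be made a required check by accident, because the required checks are selected per pipeline file in branch protection, and tier-0/tier-1 live in their own files. tier-3.yml would differ only in its trigger (a `when` condition on the cron event, assuming woodpecker's cron event name), not in this structure.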