monotux.tech

I was experimenting with the buildah plugin for Woodpecker CI and had a hard time figuring out how to inject my local certificate authority into the mix…until I realized I had missed something fundamental about Woodpecker CI.

I was experimenting with the mermaid parser from xai-grok-markdown that Simon Willison discovered and transformed into a WASM application, but I wanted to build and package it as an OCI container (due to reasons). I decided to do this with the buildah plugin for Woodpecker CI, also due to reasons.

This worked fine1 but ran into issues with my registries internally issued certificate. Luckily, I finally understood that I can use volumes even with plugins – I could just bind mount my internal CA into the container!

when:
  - event: pull_request

steps:
  - name: buildah
    image: registry.example.com/ghcr/plugin-buildah:v1.1.1
    privileged: true
    volumes:
      - /usr/local/share/ca-certificates/internalCA.crt:/etc/containers/certs.d/registry.example.com/ca.crt:ro
    settings:
      mirror: registry.example.com/dockerhub
      repo: mermaid-grok/mermaid-grok
      cache_repo: mermaid-grok/build-cache
      tags: devbuild
      registry: registry.example.com
      username:
        from_secret: harbor-username
      password:
        from_secret: harbor-password

I think I can simplify a few other woodpecker workflows now, previously I have used an ‘init container’ to install the CA…


  1. Running it as a privileged container? Ew… ↩︎