fix: deply

Author: hey-intent

CONTRIBUTING.md

@@ -188,8 +188,8 @@ L'orchestrateur est dans `app/app.py` (FastAPI).
 python -c "import ast; ast.parse(open('app/app.py').read())"
 
 # Rebuild + deploiement
-docker build -f images/orchestrator/Dockerfile -t ghcr.io/<your-org>/orchestrator:latest .
-docker save ghcr.io/<your-org>/orchestrator:latest | sudo k3s ctr images import -
+docker build -f images/orchestrator/Dockerfile -t ghcr.io/hey-intent/orchestrator:latest .
+docker save ghcr.io/hey-intent/orchestrator:latest | sudo k3s ctr images import -
 kubectl -n ai-bot rollout restart deployment/orchestrator
 
 # Verifier les logs

README.md

@@ -8,20 +8,17 @@ This project automates the **Issue -> Label -> Pull Request** flow: an `ai-pr-*`
 
 It avoids vendor lock-in with 3 built-in providers:
 
-| Label | Provider | Backend |
-|-------|----------|---------|
-| `ai-pr-claude` | Claude Code | Anthropic |
-| `ai-pr-codex` | Codex | OpenAI |
-| `ai-pr-aider` | Aider | OpenRouter (extensible) |
+| Label          | Provider    | Backend                 |
+| -------------- | ----------- | ----------------------- |
+| `ai-pr-claude` | Claude Code | Anthropic               |
+| `ai-pr-codex`  | Codex       | OpenAI                  |
+| `ai-pr-aider`  | Aider       | OpenRouter (extensible) |
 
 The architecture is designed to easily add more providers (see `CONTRIBUTING.md`).
 
 Tested on: VPS / 8 GB RAM / 4 vCPU / k3s single-node.
 
-> [!IMPORTANT]
-> **This repo is a POC and a serious working base.**
-> It demonstrates a fully functional flow, but is not production-ready without hardening.
-> See the [Security](#security) section and `SECURITY.md` for details.
+> [!IMPORTANT] **This repo is a POC and a serious working base.** It demonstrates a fully functional flow, but is not production-ready without hardening. See the [Security](#security) section and `SECURITY.md` for details.
 
 ---
 
@@ -151,8 +148,8 @@ Add a label `ai-pr-claude`, `ai-pr-codex`, or `ai-pr-aider` to a GitHub issue. T
 ### Kubernetes Secrets
 
 | Secret | Keys | Used by |
-|--------|------|---------|
-| `github-app` | `GITHUB_APP_ID`, `GITHUB_PRIVATE_KEY`  | orchestrator |
+| --- | --- | --- |
+| `github-app` | `GITHUB_APP_ID`, `GITHUB_PRIVATE_KEY` | orchestrator |
 | `github-webhook-secret` | `WEBHOOK_SECRET` | orchestrator |
 | `orchestrator-config` | `JOB_TTL_SECONDS`, `ADMIN_TOKEN` | orchestrator |
 | `anthropic-api-key` | `ANTHROPIC_API_KEY` | worker-claude |
@@ -175,12 +172,12 @@ kubectl -n ai-bot get secret anthropic-api-key -o jsonpath='{.data.ANTHROPIC_API
 
 ### Docker Images
 
-| Image | Dockerfile |
-|-------|-----------|
-| `ghcr.io/<your-org>/orchestrator:latest` | `images/orchestrator/Dockerfile` |
-| `worker-claude:latest` | `images/worker-claude/Dockerfile` |
-| `worker-codex:latest` | `images/worker-codex/Dockerfile` |
-| `worker-aider:latest` | `images/worker-aider/Dockerfile` |
+| Image                                    | Dockerfile                        |
+| ---------------------------------------- | --------------------------------- |
+| `ghcr.io/hey-intent/orchestrator:latest` | `images/orchestrator/Dockerfile`  |
+| `worker-claude:latest`                   | `images/worker-claude/Dockerfile` |
+| `worker-codex:latest`                    | `images/worker-codex/Dockerfile`  |
+| `worker-aider:latest`                    | `images/worker-aider/Dockerfile`  |
 
 Rebuild and reimport after changes:
 
@@ -249,7 +246,7 @@ curl -s -X POST http://127.0.0.1:8080/jobs/run -H "Authorization: Bearer <ADMIN_
 ### Threat Model
 
 | Surface | Risk | Mitigation |
-|---------|------|------------|
+| --- | --- | --- |
 | **Incoming webhook** | Fake webhook to trigger a job | HMAC-SHA256 signature (`WEBHOOK_SECRET`) verified on every request |
 | **Admin endpoints** | Unauthorized access | Bearer token (`ADMIN_TOKEN`), not exposed via Ingress |
 | **GitHub App private key** | Theft = full access | PEM in orchestrator pod only, workers receive an ephemeral token (1h) |
@@ -272,7 +269,7 @@ curl -s -X POST http://127.0.0.1:8080/jobs/run -H "Authorization: Bearer <ADMIN_
 ## Troubleshooting
 
 | Symptom | Diagnostic |
-|---------|-----------|
+| --- | --- |
 | `ErrImageNeverPull` | Image not imported into k3s (`docker save ... \| sudo k3s ctr images import -`) |
 | `CrashLoopBackOff` | `kubectl logs pod/<pod> --previous` |
 | `Not logged in` | Missing API secret (depends on provider) |

ansible/group_vars/vps.yml

@@ -1,14 +1,14 @@
 # --- Cluster ---
-k3s_version: "v1.31.4+k3s1"          # pin a stable version
+k3s_version: "v1.31.4+k3s1" # pin a stable version
 kubeconfig_path: /etc/rancher/k3s/k3s.yaml
 
 # --- Project ---
 project_dir: /opt/patchwork-agent
-repo_url: "https://github.com/<your-org>/k3-github-pr.git"
+repo_url: "https://github.com/hey-intent/patchwork-agents.git"
 repo_branch: main
 
 # --- Images ---
-orchestrator_image: "ghcr.io/<your-org>/orchestrator:latest"
+orchestrator_image: "ghcr.io/hey-intent/orchestrator:latest"
 worker_images:
   - name: worker-claude
     dockerfile: images/worker-claude/Dockerfile

ansible/playbook.yml

@@ -19,10 +19,29 @@
         name:
           - git
           - curl
-          - docker.io
           - jq
         state: present
         update_cache: true
+    - name: Add Docker GPG key
+      shell: |
+        install -m 0755 -d /etc/apt/keyrings
+        curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
+        chmod a+r /etc/apt/keyrings/docker.asc
+      args:
+        creates: /etc/apt/keyrings/docker.asc
+
+    - name: Add Docker repository
+      shell: |
+        echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo $VERSION_CODENAME) stable" > /etc/apt/sources.list.d/docker.list
+      args:
+        creates: /etc/apt/sources.list.d/docker.list
+
+    - name: Install Docker CE
+      apt:
+        name: [docker-ce, docker-ce-cli, containerd.io, docker-buildx-plugin]
+        state: present
+        update_cache: true
+      notify: Restart docker
 
     - name: Enable and start Docker
       ansible.builtin.systemd_service:
@@ -86,10 +105,9 @@
     - name: Build orchestrator image
       ansible.builtin.command:
         cmd: >
-          docker build
-          -f {{ project_dir }}/images/orchestrator/Dockerfile
-          -t {{ orchestrator_image }}
-          {{ project_dir }}
+          docker build -f {{ project_dir }}/images/orchestrator/Dockerfile -t {{ orchestrator_image }} {{ project_dir }}
+
+
       changed_when: true
 
     - name: Import orchestrator image into k3s
@@ -103,10 +121,9 @@
     - name: Build worker images
       ansible.builtin.command:
         cmd: >
-          docker build
-          -f {{ project_dir }}/{{ item.dockerfile }}
-          -t {{ item.name }}:latest
-          {{ project_dir }}
+          docker build -f {{ project_dir }}/{{ item.dockerfile }} -t {{ item.name }}:latest {{ project_dir }}
+
+
       loop: "{{ worker_images }}"
       changed_when: true
 
@@ -144,10 +161,10 @@
           stringData:
             GITHUB_APP_ID: "{{ github_app_id }}"
             GITHUB_PRIVATE_KEY: |
-              {{ lookup('ansible.builtin.file', github_private_key_path) | indent(14, true) }}
+              {{ lookup('ansible.builtin.file', github_private_key_path) | indent(14, false) }}
       register: apply_secret_github_app
       changed_when: "'created' in apply_secret_github_app.stdout or 'configured' in apply_secret_github_app.stdout"
-      no_log: true
+      # no_log: true
 
     - name: Apply github-webhook-secret
       ansible.builtin.command:
@@ -163,7 +180,7 @@
             WEBHOOK_SECRET: "{{ webhook_secret }}"
       register: apply_secret_webhook
       changed_when: "'created' in apply_secret_webhook.stdout or 'configured' in apply_secret_webhook.stdout"
-      no_log: true
+      # no_log: true
 
     - name: Apply orchestrator-config secret
       ansible.builtin.command:
@@ -180,7 +197,7 @@
             ADMIN_TOKEN: "{{ admin_token }}"
       register: apply_secret_orchestrator_cfg
       changed_when: "'created' in apply_secret_orchestrator_cfg.stdout or 'configured' in apply_secret_orchestrator_cfg.stdout"
-      no_log: true
+      # no_log: true
 
     - name: Apply anthropic-api-key secret
       ansible.builtin.command:
@@ -197,7 +214,7 @@
       register: apply_secret_anthropic
       changed_when: "'created' in apply_secret_anthropic.stdout or 'configured' in apply_secret_anthropic.stdout"
       when: anthropic_api_key | length > 0
-      no_log: true
+      # no_log: true
 
     - name: Apply openai-api-key secret
       ansible.builtin.command:
@@ -214,7 +231,7 @@
       register: apply_secret_openai
       changed_when: "'created' in apply_secret_openai.stdout or 'configured' in apply_secret_openai.stdout"
       when: openai_api_key | length > 0
-      no_log: true
+      # no_log: true
 
     - name: Apply openrouter-api-key secret
       ansible.builtin.command:
@@ -231,7 +248,7 @@
       register: apply_secret_openrouter
       changed_when: "'created' in apply_secret_openrouter.stdout or 'configured' in apply_secret_openrouter.stdout"
       when: openrouter_api_key | length > 0
-      no_log: true
+      # no_log: true
 
     - name: Copy orchestrator manifest to temporary file
       ansible.builtin.copy:
@@ -276,3 +293,8 @@
     - name: Print status
       ansible.builtin.debug:
         var: status.stdout_lines
+  handlers:
+    - name: Restart docker
+      ansible.builtin.systemd_service:
+        name: docker
+        state: restarted