chore(release): drop Woodpecker CI; release-image.sh is now canonical

Removes .woodpecker.yml and replaces the tag-triggered image publish flow
with a local-build-and-push script (release-image.sh).

Why: the CI added two indirections (Woodpecker dashboard, Codeberg secrets
config) that aren't worth the cost for a single-developer release flow.
When the previous release didn't show up in the package registry, "did
the release happen?" required checking three places (the git tag, the
CI dashboard, the registry); with local builds, success or failure is
visible in the developer's terminal immediately.

The cascade behavior is preserved: `sh release-image.sh 0.0.3` publishes
:0.0.3 :stable :beta :alpha just like the .woodpecker.yml job did. Beta
and alpha channels work identically (`sh release-image.sh 0.0.3-beta.1
beta` → :0.0.3-beta.1 :beta :alpha).

The git-tag convention stays (`zddc-server-vX.Y.Z`); now you tag *and*
run the script as two coordinated steps. AGENTS.md "Release tagging" and
zddc/README.md "Release Tagging" / "Container image" updated to reflect
the new flow. No code change in the binary.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.woodpecker.yml

@@ -1,79 +0,0 @@
-# Woodpecker CI for ZDDC.
-#
-# Triggers on `zddc-server-v*` tag pushes. Builds the runtime container
-# image and publishes it to Codeberg's container registry with channel
-# tags that cascade downward, so that pinning to `:stable` always gets
-# the most recent stable, `:beta` always tracks the most recent beta-or-
-# stable, and `:alpha` always tracks the most recent alpha-or-newer.
-#
-# Tag conventions
-# ---------------
-#   zddc-server-vX.Y.Z              → stable release
-#   zddc-server-vX.Y.Z-beta.N       → beta release
-#   zddc-server-vX.Y.Z-alpha.N      → alpha release
-#
-# Image tags applied (cascading)
-# ------------------------------
-#   stable release:   :X.Y.Z         + :stable, :beta, :alpha
-#   beta release:     :X.Y.Z-beta.N  + :beta, :alpha
-#   alpha release:    :X.Y.Z-alpha.N + :alpha
-#
-# `:latest` is intentionally NOT published. The project uses
-# `stable / beta / alpha` channel terminology consistently; see
-# AGENTS.md "Channel discipline".
-#
-# To enable: in the Woodpecker dashboard at https://ci.codeberg.org →
-# repo → Settings → Secrets, add codeberg_user (your Codeberg username)
-# and codeberg_token (a personal token with package:write scope from
-# https://codeberg.org/user/settings/applications). Restrict both
-# secrets to the `tag` event for safety.
-
-when:
-  - event: tag
-    ref: refs/tags/zddc-server-v*
-
-steps:
-  prepare-bundle:
-    image: docker.io/alpine:3.20
-    commands:
-      # 1. Assemble zddc/dist/web/ from the landing + archive built outputs.
-      #    build.sh now skips the (host-side) podman binary build when
-      #    podman is absent, which is the case in CI — the runtime
-      #    container image's own builder stage produces linux/amd64.
-      - sh build.sh
-      # 2. Compute the image tags. Grammar:
-      #    zddc-server-vX.Y.Z              → stable
-      #    zddc-server-vX.Y.Z-alpha.N      → alpha (cascade: alpha)
-      #    zddc-server-vX.Y.Z-beta.N       → beta  (cascade: beta, alpha)
-      #    Anything else is rejected by the `when:` filter; nothing to
-      #    handle here.
-      - |
-        VERSION="${CI_COMMIT_TAG#zddc-server-v}"
-        case "$VERSION" in
-          *-alpha.*) CHANNEL=alpha ;;
-          *-beta.*)  CHANNEL=beta  ;;
-          *)         CHANNEL=stable ;;
-        esac
-        case "$CHANNEL" in
-          stable) TAGS="$VERSION stable beta alpha" ;;
-          beta)   TAGS="$VERSION beta alpha" ;;
-          alpha)  TAGS="$VERSION alpha" ;;
-        esac
-        printf '%s\n' $TAGS > .image-tags
-        echo "Channel: $CHANNEL"
-        echo "Tags:    $TAGS"
-
-  publish-image:
-    image: woodpeckerci/plugin-docker-buildx
-    settings:
-      registry: codeberg.org
-      repo: codeberg.org/varasys/zddc-server
-      dockerfile: zddc/Containerfile
-      context: zddc
-      target: server
-      tags_file: .image-tags
-      auto_tag: false
-      username:
-        from_secret: codeberg_user
-      password:
-        from_secret: codeberg_token

AGENTS.md

@@ -275,11 +275,25 @@ ZDDC_DATA_DIR=/path/to/your/archive podman-compose -f zddc/podman-compose.yaml u
 
 ### Release tagging
 
+Two coordinated steps — git tag for auditability, then local image build:
+
 ```sh
 git tag zddc-server-v1.0.0
-git push --tags
+git push origin zddc-server-v1.0.0
+sh release-image.sh 1.0.0                # → :1.0.0 :stable :beta :alpha
 ```
 
+The cascade matches the channel rules elsewhere in the repo: stable bumps
+all four tags; `beta` bumps `:1.0.0-beta.N :beta :alpha`; `alpha` bumps
+`:1.0.0-alpha.N :alpha`. See `release-image.sh` for the full mapping.
+
+Prerequisite: `podman login codeberg.org` (one-time, with a Codeberg
+personal token scoped `package:write`).
+
+There is no CI for this — `.woodpecker.yml` was removed in favor of
+local-build-and-push because solo workflow benefits from one canonical
+path that fails loudly and visibly on the developer's terminal.
+
 ### Notes
 
 - No external test framework yet — Go unit tests run with `go test ./...` inside `zddc/` (requires Go 1.24+)

release-image.sh

@@ -0,0 +1,94 @@
+#!/bin/sh
+# release-image.sh — build the zddc-server runtime image locally and push it
+# to codeberg.org/varasys/zddc-server with cascading channel tags.
+#
+# Usage:
+#   sh release-image.sh <version> [stable|beta|alpha]
+#
+#   stable → :<version> :stable :beta :alpha   (default)
+#   beta   → :<version> :beta :alpha
+#   alpha  → :<version> :alpha
+#
+# Examples:
+#   sh release-image.sh 0.0.3                    # → :0.0.3 :stable :beta :alpha
+#   sh release-image.sh 0.0.3-beta.1 beta        # → :0.0.3-beta.1 :beta :alpha
+#   sh release-image.sh 0.0.3-alpha.2 alpha      # → :0.0.3-alpha.2 :alpha
+#
+# Convention: cut a git tag first (`git tag zddc-server-v0.0.3 && git push
+# origin zddc-server-v0.0.3`) so version history is auditable, then run this
+# to publish the image. The two are coordinated by hand, deliberately —
+# `.woodpecker.yml` is gone; this script is the canonical path.
+#
+# Prerequisites:
+#   - podman (or substitute docker — the commands below are identical)
+#   - logged in to codeberg.org: `podman login codeberg.org`
+#     (your Codeberg username + a personal token with `package:write` scope,
+#      generated at https://codeberg.org/user/settings/applications)
+#
+# What it does:
+#   1. Runs `sh build.sh` so zddc/dist/web/{index.html,archive.html} reflect
+#      current source — those get COPYd into the runtime image.
+#   2. Builds zddc/Containerfile's `server` stage as a single local image.
+#   3. Tags that image with each cascade tag and pushes them in turn.
+
+set -eu
+
+usage() {
+    echo "usage: $0 <version> [stable|beta|alpha]" >&2
+    echo "  version: e.g. 0.0.3, 0.0.3-beta.1, 0.0.3-alpha.2" >&2
+    exit 1
+}
+
+[ $# -ge 1 ] || usage
+VERSION="$1"
+CHANNEL="${2:-stable}"
+
+case "$CHANNEL" in
+    stable) TAGS="$VERSION stable beta alpha" ;;
+    beta)   TAGS="$VERSION beta alpha" ;;
+    alpha)  TAGS="$VERSION alpha" ;;
+    *) echo "error: unknown channel: $CHANNEL (expected stable|beta|alpha)" >&2; exit 1 ;;
+esac
+
+REPO="codeberg.org/varasys/zddc-server"
+SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
+
+# Pick podman or docker, whichever is on PATH.
+if command -v podman >/dev/null 2>&1; then
+    OCI=podman
+elif command -v docker >/dev/null 2>&1; then
+    OCI=docker
+else
+    echo "error: neither podman nor docker found on PATH" >&2
+    exit 1
+fi
+
+echo "=== Building $REPO ==="
+echo "Version: $VERSION"
+echo "Channel: $CHANNEL"
+echo "Tags:    $TAGS"
+echo "OCI CLI: $OCI"
+echo
+
+# Refresh dist/web — the Containerfile's server stage COPYs them in.
+sh "$SCRIPT_DIR/build.sh"
+
+# Build the runtime image as a single local tag, then re-tag for each cascade
+# entry so the build runs once and the pushes are cheap layer reuses.
+"$OCI" build --target server -t zddc-server:build "$SCRIPT_DIR/zddc/"
+
+echo
+echo "=== Pushing tags ==="
+for tag in $TAGS; do
+    "$OCI" tag zddc-server:build "$REPO:$tag"
+    "$OCI" push "$REPO:$tag"
+    echo "pushed $REPO:$tag"
+done
+
+echo
+echo "=== Done ==="
+echo "Image is live at $REPO:$VERSION"
+echo "Tags published: $TAGS"
+echo
+echo "Next: bump tnd-zddc-chart (push to develop) so the chart's CI rebuilds"
+echo "the dev-shell image against the new :beta and helm-rolls the cluster."

zddc/README.md

@@ -358,9 +358,9 @@ tree.
 
 ## Container image
 
-Each `zddc-server-vX.Y.Z` git tag publishes a runtime image to Codeberg's
+The runtime image is published to Codeberg's container registry via a
-container registry via the Woodpecker CI pipeline at `.woodpecker.yml`,
+local-build-and-push script (`release-image.sh` at the repo root). Each
-with cascading channel tags:
+release publishes cascading channel tags:
 
 ```
 codeberg.org/varasys/zddc-server:X.Y.Z      # immutable, exact version
@@ -456,25 +456,29 @@ $env:ZDDC_ROOT="C:\archive"; $env:ZDDC_TLS_CERT="none"; $env:ZDDC_ADDR=":8080"
 
 ## Release Tagging
 
-Follow the repository convention: `zddc-server-vX.Y.Z`
+Follow the repository convention: `zddc-server-vX.Y.Z`. Two coordinated
+steps — git tag for auditability, then local image build and push:
 
 ```sh
+# 1. Tag the source.
 git tag zddc-server-v1.0.0
-git push --tags
+git push origin zddc-server-v1.0.0
+
+# 2. Build and push the runtime image with cascading channel tags.
+sh release-image.sh 1.0.0          # → :1.0.0 :stable :beta :alpha
+sh release-image.sh 1.0.0-beta.1 beta   # beta-channel release
+sh release-image.sh 1.0.0-alpha.2 alpha # alpha-channel release
 ```
 
-The `zddc-server-v*` tag triggers the `.woodpecker.yml` pipeline which
+Prerequisite: `podman login codeberg.org` (or `docker login`) once,
-builds and publishes the container image. See "Container image" above
+authenticating with your Codeberg username and a personal token with
-for the resulting image URLs.
+`package:write` scope, generated at
+<https://codeberg.org/user/settings/applications>. The token is your
+local credential — it never lives in the repo.
 
-The first time the pipeline runs you must configure two Woodpecker
+Single-developer / solo-release flow by design — no CI babysitting,
-secrets in repo Settings → Woodpecker:
+no separate dashboard to debug when the registry doesn't show what
-
+you expected. See `release-image.sh` for what each tag publishes.
-- `codeberg_user` — your Codeberg username (e.g. `VARASYS`)
-- `codeberg_token` — a personal token with `package:write` scope, generated at <https://codeberg.org/user/settings/applications>
-
-These never live in the repo; they are referenced from the pipeline via
-`from_secret:`.
 
 ---