add herald + upgrade gitea and woodpecker

.devcontainer/devcontainer.json

@@ -1,8 +1,9 @@
 {
     "workspaceFolder": "/workspace",
     "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,Z",
+    "runArgs": ["--userns=keep-id", "--security-opt", "label=disable"],
     "mounts": [
-        "source=${localEnv:HOME}/.ssh,target=/home/vscode/.ssh,type=bind,readonly"
+        "source=${localEnv:HOME}/.ssh,target=/root/.ssh,type=bind,readonly"
     ],
     "build": {
         "dockerfile": "Dockerfile"

docker-compose.yml

@@ -18,7 +18,7 @@ services:
             - prometheus_network
 
     woodpecker_server:
-    image: woodpeckerci/woodpecker-server:v3.13.0-alpine
+        image: woodpeckerci/woodpecker-server:v3.15-alpine
         volumes:
             - woodpeckerdata:/var/lib/woodpecker/
         entrypoint: /bin/sh -c "export WOODPECKER_GITEA_CLIENT=$$(cat /run/secrets/woodpecker_gitea_client) && export WOODPECKER_GITEA_SECRET=$$(cat /run/secrets/woodpecker_gitea_secret) && export WOODPECKER_AGENT_SECRET=$$(cat /run/secrets/woodpecker_agent_secret) && /bin/woodpecker-server"
@@ -35,7 +35,7 @@ services:
             - woodpecker_gitea_secret
 
     woodpecker_agent:
-    image: woodpeckerci/woodpecker-agent:v3.13.0-alpine
+        image: woodpeckerci/woodpecker-agent:v3.15-alpine
         volumes:
             - /var/run/docker.sock:/var/run/docker.sock
         entrypoint: /bin/sh -c "export WOODPECKER_AGENT_SECRET=$$(cat /run/secrets/woodpecker_agent_secret) && /bin/woodpecker-agent"
@@ -49,7 +49,7 @@ services:
             - woodpecker_agent_secret
 
     gitea:
-    image: docker.gitea.com/gitea:1.25.2
+        image: docker.gitea.com/gitea:1.26.2
         environment:
             - USER_UID=1000
             - USER_GID=1000
@@ -108,6 +108,33 @@ services:
         networks:
             - prometheus_network
 
+    herald:
+        image: tintounn/herald:1.0
+        entrypoint:
+            - /bin/sh
+            - -c
+            - >-
+                export GITEA_TOKEN=$$(cat /run/secrets/herald_gitea_token) &&
+                export OPEN_ROUTER_API_KEY=$$(cat /run/secrets/herald_openrouter_token) &&
+                export WEBHOOK_SIG_HEADER_SECRET=$$(cat /run/secrets/herald_gitea_header_secret) &&
+                export SENTRY_DSN=$$(cat /run/secrets/herald_sentry_dsn) &&
+                /app/herald
+        networks:
+            - reverse_network
+        secrets:
+            - herald_gitea_token
+            - herald_openrouter_token
+            - herald_gitea_header_secret
+            - herald_sentry_dsn
+        environment:
+            HTTP_PORT: 3000
+            BOT_NAME: Herald
+            BOT_MAX_CONCURRENT: 5
+            GITEA_URL: http://gitea:3000
+            GITEA_TIMEOUT: 60
+            OPEN_ROUTER_MODEL: deepseek/deepseek-v4-flash
+            OPEN_ROUTER_TIMEOUT: 600
+
 secrets:
     woodpecker_agent_secret:
         name: woodpecker_agent_secret_${DATETIME}
@@ -118,6 +145,18 @@ secrets:
     woodpecker_gitea_client:
         name: woodpecker_gitea_client_${DATETIME}
         file: ./secrets/woodpecker_gitea_client
+    herald_gitea_token:
+        name: herald_gitea_token_${DATETIME}
+        file: ./secrets/herald/herald_gitea_token
+    herald_openrouter_token:
+        name: herald_openrouter_token_${DATETIME}
+        file: ./secrets/herald/herald_openrouter_token
+    herald_gitea_header_secret:
+        name: herald_gitea_header_secret_${DATETIME}
+        file: ./secrets/herald/herald_gitea_header_secret
+    herald_sentry_dsn:
+        name: herald_sentry_dsn_${DATETIME}
+        file: ./secrets/herald/herald_sentry_dsn
 
 configs:
     caddy_config: