blumeops/containers/forgejo-runner/Dockerfile

# Forgejo Actions Job Execution Image
#
# This image is used as the job execution environment for Forgejo Actions.
# The host runner daemon creates containers from this image to run workflow steps.
#
# Includes: Node.js (for GitHub Actions), Docker CLI, git, and common CI tools.
#
# Usage: Configure runner with label like:
#   docker:docker://registry.ops.eblu.me/blumeops/forgejo-runner:latest

FROM debian:bookworm-slim

ARG TARGETARCH

# Install base dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    curl \
    git \
    jq \
    gnupg \
    lsb-release \
    xz-utils \
    && rm -rf /var/lib/apt/lists/*

# Install Node.js 24.x LTS (required for actions/checkout@v4 and Quartz builds)
RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
    && apt-get install -y --no-install-recommends nodejs \
    && rm -rf /var/lib/apt/lists/*

# Install Docker CLI (for container builds - daemon accessed via socket mount)
# and skopeo (for pushing images to zot registry - Docker 27 manifest compat issues)
RUN install -m 0755 -d /etc/apt/keyrings \
    && curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \
    && chmod a+r /etc/apt/keyrings/docker.asc \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list \
    && apt-get update \
    && apt-get install -y --no-install-recommends docker-ce-cli skopeo \
    && rm -rf /var/lib/apt/lists/*

# Install uv (Python package runner for towncrier)
RUN curl -LsSf https://astral.sh/uv/install.sh | sh \
    && mv /root/.local/bin/uv /usr/local/bin/uv \
    && mv /root/.local/bin/uvx /usr/local/bin/uvx

# Install argocd CLI (for syncing apps from workflows)
# Use dpkg --print-architecture as fallback since TARGETARCH may be empty in single-platform builds
RUN ARCH="${TARGETARCH:-$(dpkg --print-architecture)}" \
    && curl -fsSL -o /usr/local/bin/argocd \
    "https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-${ARCH}" \
    && chmod +x /usr/local/bin/argocd \
    && argocd version --client

# Default to bash
CMD ["/bin/bash"]
Migrate Forgejo runner to Kubernetes with DinD (#60) ## Summary - Deploy Forgejo runner to k8s with Docker-in-Docker sidecar - Add job execution image with Node.js and Docker CLI - Retire host-mode runner on indri - All CI jobs now run containerized in k8s ## Components Added - `containers/forgejo-runner/Dockerfile` - Job execution image - `argocd/apps/forgejo-runner.yaml` - ArgoCD Application - `argocd/manifests/forgejo-runner/` - Kubernetes manifests ## Components Removed - `ansible/roles/forgejo_runner/` - No longer needed ## Changes to Existing Files - `.forgejo/workflows/build-container.yaml` - Use `k8s` runner with `DOCKER_HOST` env - `.github/actionlint.yaml` - Only `k8s` label now valid ## Deployment 1. Apply secret: `op inject -i argocd/manifests/forgejo-runner/secret.yaml.tpl \| kubectl --context=minikube-indri apply -f -` 2. Sync ArgoCD: `argocd app sync forgejo-runner` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/60 2026-01-25 19:56:17 -08:00			`# Forgejo Actions Job Execution Image`
			`#`
			`# This image is used as the job execution environment for Forgejo Actions.`
			`# The host runner daemon creates containers from this image to run workflow steps.`
			`#`
			`# Includes: Node.js (for GitHub Actions), Docker CLI, git, and common CI tools.`
			`#`
			`# Usage: Configure runner with label like:`
			`# docker:docker://registry.ops.eblu.me/blumeops/forgejo-runner:latest`

			`FROM debian:bookworm-slim`

			`ARG TARGETARCH`

			`# Install base dependencies`
			`RUN apt-get update && apt-get install -y --no-install-recommends \`
			`ca-certificates \`
			`curl \`
			`git \`
			`jq \`
			`gnupg \`
			`lsb-release \`
			`xz-utils \`
			`&& rm -rf /var/lib/apt/lists/*`

Upgrade forgejo-runner to Node.js 24.x LTS Quartz now requires Node.js >= 22. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-03 09:19:58 -08:00			`# Install Node.js 24.x LTS (required for actions/checkout@v4 and Quartz builds)`
			`RUN curl -fsSL https://deb.nodesource.com/setup_24.x \| bash - \`
Migrate Forgejo runner to Kubernetes with DinD (#60) ## Summary - Deploy Forgejo runner to k8s with Docker-in-Docker sidecar - Add job execution image with Node.js and Docker CLI - Retire host-mode runner on indri - All CI jobs now run containerized in k8s ## Components Added - `containers/forgejo-runner/Dockerfile` - Job execution image - `argocd/apps/forgejo-runner.yaml` - ArgoCD Application - `argocd/manifests/forgejo-runner/` - Kubernetes manifests ## Components Removed - `ansible/roles/forgejo_runner/` - No longer needed ## Changes to Existing Files - `.forgejo/workflows/build-container.yaml` - Use `k8s` runner with `DOCKER_HOST` env - `.github/actionlint.yaml` - Only `k8s` label now valid ## Deployment 1. Apply secret: `op inject -i argocd/manifests/forgejo-runner/secret.yaml.tpl \| kubectl --context=minikube-indri apply -f -` 2. Sync ArgoCD: `argocd app sync forgejo-runner` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/60 2026-01-25 19:56:17 -08:00			`&& apt-get install -y --no-install-recommends nodejs \`
			`&& rm -rf /var/lib/apt/lists/*`

			`# Install Docker CLI (for container builds - daemon accessed via socket mount)`
Add skopeo to forgejo-runner image Pre-install skopeo for pushing images to zot registry. Docker 27's manifest format has compatibility issues with zot, so we use skopeo for the push step. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 11:11:19 -08:00			`# and skopeo (for pushing images to zot registry - Docker 27 manifest compat issues)`
Migrate Forgejo runner to Kubernetes with DinD (#60) ## Summary - Deploy Forgejo runner to k8s with Docker-in-Docker sidecar - Add job execution image with Node.js and Docker CLI - Retire host-mode runner on indri - All CI jobs now run containerized in k8s ## Components Added - `containers/forgejo-runner/Dockerfile` - Job execution image - `argocd/apps/forgejo-runner.yaml` - ArgoCD Application - `argocd/manifests/forgejo-runner/` - Kubernetes manifests ## Components Removed - `ansible/roles/forgejo_runner/` - No longer needed ## Changes to Existing Files - `.forgejo/workflows/build-container.yaml` - Use `k8s` runner with `DOCKER_HOST` env - `.github/actionlint.yaml` - Only `k8s` label now valid ## Deployment 1. Apply secret: `op inject -i argocd/manifests/forgejo-runner/secret.yaml.tpl \| kubectl --context=minikube-indri apply -f -` 2. Sync ArgoCD: `argocd app sync forgejo-runner` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/60 2026-01-25 19:56:17 -08:00			`RUN install -m 0755 -d /etc/apt/keyrings \`
			`&& curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \`
			`&& chmod a+r /etc/apt/keyrings/docker.asc \`
			`&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list \`
			`&& apt-get update \`
Add skopeo to forgejo-runner image Pre-install skopeo for pushing images to zot registry. Docker 27's manifest format has compatibility issues with zot, so we use skopeo for the push step. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 11:11:19 -08:00			`&& apt-get install -y --no-install-recommends docker-ce-cli skopeo \`
Migrate Forgejo runner to Kubernetes with DinD (#60) ## Summary - Deploy Forgejo runner to k8s with Docker-in-Docker sidecar - Add job execution image with Node.js and Docker CLI - Retire host-mode runner on indri - All CI jobs now run containerized in k8s ## Components Added - `containers/forgejo-runner/Dockerfile` - Job execution image - `argocd/apps/forgejo-runner.yaml` - ArgoCD Application - `argocd/manifests/forgejo-runner/` - Kubernetes manifests ## Components Removed - `ansible/roles/forgejo_runner/` - No longer needed ## Changes to Existing Files - `.forgejo/workflows/build-container.yaml` - Use `k8s` runner with `DOCKER_HOST` env - `.github/actionlint.yaml` - Only `k8s` label now valid ## Deployment 1. Apply secret: `op inject -i argocd/manifests/forgejo-runner/secret.yaml.tpl \| kubectl --context=minikube-indri apply -f -` 2. Sync ArgoCD: `argocd app sync forgejo-runner` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/60 2026-01-25 19:56:17 -08:00			`&& rm -rf /var/lib/apt/lists/*`

Auto-deploy docs from build workflow (#93) ## Summary - Add `uv` and `argocd` CLI to forgejo-runner container image - Add `workflow-bot` ArgoCD account with sync permissions (declarative via kustomize patches) - Add `ARGOCD_AUTH_TOKEN` to forgejo-runner external secret for workflow auth - Update build workflow to auto-deploy docs after release: - Update configmap with new release URL - Commit changelog and configmap changes - Sync docs app via ArgoCD ## Deployment and Testing Manual steps required before this can work: 1. [ ] Build and push new forgejo-runner image (v2.4.0) 2. [ ] Sync argocd app to create workflow-bot account 3. [ ] Generate token: `argocd account generate-token --account workflow-bot` 4. [ ] Store token in 1Password under "Forgejo Secrets" with field `argocd_token` 5. [ ] Sync forgejo-runner app to pick up new external secret 6. [ ] Update forgejo-runner deployment to use new image version 7. [ ] Test by running workflow manually 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/93 2026-02-03 16:58:03 -08:00			`# Install uv (Python package runner for towncrier)`
			`RUN curl -LsSf https://astral.sh/uv/install.sh \| sh \`
			`&& mv /root/.local/bin/uv /usr/local/bin/uv \`
			`&& mv /root/.local/bin/uvx /usr/local/bin/uvx`

			`# Install argocd CLI (for syncing apps from workflows)`
Fix argocd CLI download in forgejo-runner image - Add -L flag to follow redirects - Add -f flag to fail on HTTP errors - Use dpkg --print-architecture as fallback for TARGETARCH - Verify binary works after download Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-03 17:11:25 -08:00			`# Use dpkg --print-architecture as fallback since TARGETARCH may be empty in single-platform builds`
			`RUN ARCH="${TARGETARCH:-$(dpkg --print-architecture)}" \`
			`&& curl -fsSL -o /usr/local/bin/argocd \`
			`"https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-${ARCH}" \`
			`&& chmod +x /usr/local/bin/argocd \`
			`&& argocd version --client`
Auto-deploy docs from build workflow (#93) ## Summary - Add `uv` and `argocd` CLI to forgejo-runner container image - Add `workflow-bot` ArgoCD account with sync permissions (declarative via kustomize patches) - Add `ARGOCD_AUTH_TOKEN` to forgejo-runner external secret for workflow auth - Update build workflow to auto-deploy docs after release: - Update configmap with new release URL - Commit changelog and configmap changes - Sync docs app via ArgoCD ## Deployment and Testing Manual steps required before this can work: 1. [ ] Build and push new forgejo-runner image (v2.4.0) 2. [ ] Sync argocd app to create workflow-bot account 3. [ ] Generate token: `argocd account generate-token --account workflow-bot` 4. [ ] Store token in 1Password under "Forgejo Secrets" with field `argocd_token` 5. [ ] Sync forgejo-runner app to pick up new external secret 6. [ ] Update forgejo-runner deployment to use new image version 7. [ ] Test by running workflow manually 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/93 2026-02-03 16:58:03 -08:00
Migrate Forgejo runner to Kubernetes with DinD (#60) ## Summary - Deploy Forgejo runner to k8s with Docker-in-Docker sidecar - Add job execution image with Node.js and Docker CLI - Retire host-mode runner on indri - All CI jobs now run containerized in k8s ## Components Added - `containers/forgejo-runner/Dockerfile` - Job execution image - `argocd/apps/forgejo-runner.yaml` - ArgoCD Application - `argocd/manifests/forgejo-runner/` - Kubernetes manifests ## Components Removed - `ansible/roles/forgejo_runner/` - No longer needed ## Changes to Existing Files - `.forgejo/workflows/build-container.yaml` - Use `k8s` runner with `DOCKER_HOST` env - `.github/actionlint.yaml` - Only `k8s` label now valid ## Deployment 1. Apply secret: `op inject -i argocd/manifests/forgejo-runner/secret.yaml.tpl \| kubectl --context=minikube-indri apply -f -` 2. Sync ArgoCD: `argocd app sync forgejo-runner` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/60 2026-01-25 19:56:17 -08:00			`# Default to bash`
			`CMD ["/bin/bash"]`