blumeops/docs/reference/services/forgejo-runner.md

---
title: Forgejo Runner
modified: 2026-04-20
last-reviewed: 2026-04-20
tags:
  - service
  - ci-cd
---

# Forgejo Runner

Forgejo Actions runner daemon for CI/CD job execution. Runs as a Kubernetes pod on [[indri]] (minikube) with a Docker-in-Docker sidecar.

## Quick Reference

| Property | Value |
|----------|-------|
| **Namespace** | `forgejo-runner` |
| **ArgoCD App** | `forgejo-runner` |
| **Runner Name** | `k8s-runner` |
| **Labels** | `k8s` |
| **Capacity** | 2 concurrent jobs |
| **Timeout** | 3h |
| **Forgejo Instance** | https://forge.ops.eblu.me |
| **Image** | `registry.ops.eblu.me/blumeops/forgejo-runner` (see `argocd/manifests/forgejo-runner/kustomization.yaml` for current tag) |
| **DinD Sidecar** | `docker:27-dind` |

## Architecture

The pod runs two containers:

1. **runner** - The Forgejo runner daemon. Loads a rendered `server.connections` config at startup, then polls for jobs. Talks to DinD via `tcp://localhost:2375`.
2. **dind** - Docker-in-Docker sidecar (privileged). Provides the Docker daemon for job container execution. Uses a registry mirror at `host.minikube.internal:5050` ([[zot]]).

The runner daemon image is built from `containers/forgejo-runner/container.py`, not pulled directly from upstream. Credentials come from 1Password via [[external-secrets]], and the startup script renders the final config before launching the daemon. The `/data` volume remains for the runner home directory and job scratch space, not for `.runner` registration state.

## Job Execution Image

The actual container image used to run workflow steps is declared in `server.connections.labels` in the runner config. This image is tracked separately as `runner-job-image` in `service-versions.yaml`. See [[build-container-image]] for how it's built.

## Network

Jobs run with `network: "host"` to share the DinD network namespace. This gives job containers access to the same DNS and network as the pod, including cluster-internal services.

## Credentials

| Secret | Source | Purpose |
|--------|--------|---------|
| `FORGEJO_RUNNER_UUID` | 1Password ("Forgejo Secrets" → `runner_k8s_uuid`) | Static runner identity for `server.connections` |
| `FORGEJO_RUNNER_TOKEN` | 1Password ("Forgejo Secrets" → `runner_k8s_token`) | Static runner credential for `server.connections` |

## Related

- [[forgejo]] - The forge this runner connects to
- [[argocd]] - Deployment mechanism
- [[zot]] - Registry mirror for job image pulls
- [[build-container-image]] - How container images are built via this runner
Upgrade forgejo-runner 12.7.0 → 12.7.3, add service card Patch upgrade picks up idempotent FetchTask API, offline registration fix, cloudflare/circl security dep update, and custom gRPC user-agent. No config defaults changed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-30 16:31:06 -07:00			`---`
			`title: Forgejo Runner`
Upgrade forgejo-runner to v12.8, adopt server.connections, and clean up docs (#338) ## Summary - consolidate forgejo-runner how-to docs into current cards - upgrade the k8s forgejo-runner deployment to the latest v12.8.x runner image - switch the k8s runner from first-boot register flow to declarative server.connections config - keep the runner image on the native Dagger build path and update the surrounding manifests/secrets ## Notes - PR opened early for C1 review - implementation and deployment verification will follow in subsequent commits Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/338 2026-04-20 09:03:54 -07:00			`modified: 2026-04-20`
			`last-reviewed: 2026-04-20`
Upgrade forgejo-runner 12.7.0 → 12.7.3, add service card Patch upgrade picks up idempotent FetchTask API, offline registration fix, cloudflare/circl security dep update, and custom gRPC user-agent. No config defaults changed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-30 16:31:06 -07:00			`tags:`
			`- service`
			`- ci-cd`
			`---`

			`# Forgejo Runner`

			`Forgejo Actions runner daemon for CI/CD job execution. Runs as a Kubernetes pod on [[indri]] (minikube) with a Docker-in-Docker sidecar.`

			`## Quick Reference`

			`\| Property \| Value \|`
			`\|----------\|-------\|`
			\| Namespace \| `forgejo-runner` \|
			\| ArgoCD App \| `forgejo-runner` \|
			\| Runner Name \| `k8s-runner` \|
			\| Labels \| `k8s` \|
			`\| Capacity \| 2 concurrent jobs \|`
			`\| Timeout \| 3h \|`
			`\| Forgejo Instance \| https://forge.ops.eblu.me \|`
Upgrade forgejo-runner to v12.8, adopt server.connections, and clean up docs (#338) ## Summary - consolidate forgejo-runner how-to docs into current cards - upgrade the k8s forgejo-runner deployment to the latest v12.8.x runner image - switch the k8s runner from first-boot register flow to declarative server.connections config - keep the runner image on the native Dagger build path and update the surrounding manifests/secrets ## Notes - PR opened early for C1 review - implementation and deployment verification will follow in subsequent commits Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/338 2026-04-20 09:03:54 -07:00			\| Image \| `registry.ops.eblu.me/blumeops/forgejo-runner` (see `argocd/manifests/forgejo-runner/kustomization.yaml` for current tag) \|
Upgrade forgejo-runner 12.7.0 → 12.7.3, add service card Patch upgrade picks up idempotent FetchTask API, offline registration fix, cloudflare/circl security dep update, and custom gRPC user-agent. No config defaults changed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-30 16:31:06 -07:00			\| DinD Sidecar \| `docker:27-dind` \|

			`## Architecture`

			`The pod runs two containers:`

Upgrade forgejo-runner to v12.8, adopt server.connections, and clean up docs (#338) ## Summary - consolidate forgejo-runner how-to docs into current cards - upgrade the k8s forgejo-runner deployment to the latest v12.8.x runner image - switch the k8s runner from first-boot register flow to declarative server.connections config - keep the runner image on the native Dagger build path and update the surrounding manifests/secrets ## Notes - PR opened early for C1 review - implementation and deployment verification will follow in subsequent commits Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/338 2026-04-20 09:03:54 -07:00			1. runner - The Forgejo runner daemon. Loads a rendered `server.connections` config at startup, then polls for jobs. Talks to DinD via `tcp://localhost:2375`.
Upgrade forgejo-runner 12.7.0 → 12.7.3, add service card Patch upgrade picks up idempotent FetchTask API, offline registration fix, cloudflare/circl security dep update, and custom gRPC user-agent. No config defaults changed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-30 16:31:06 -07:00			2. dind - Docker-in-Docker sidecar (privileged). Provides the Docker daemon for job container execution. Uses a registry mirror at `host.minikube.internal:5050` ([[zot]]).

Upgrade forgejo-runner to v12.8, adopt server.connections, and clean up docs (#338) ## Summary - consolidate forgejo-runner how-to docs into current cards - upgrade the k8s forgejo-runner deployment to the latest v12.8.x runner image - switch the k8s runner from first-boot register flow to declarative server.connections config - keep the runner image on the native Dagger build path and update the surrounding manifests/secrets ## Notes - PR opened early for C1 review - implementation and deployment verification will follow in subsequent commits Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/338 2026-04-20 09:03:54 -07:00			The runner daemon image is built from `containers/forgejo-runner/container.py`, not pulled directly from upstream. Credentials come from 1Password via [[external-secrets]], and the startup script renders the final config before launching the daemon. The `/data` volume remains for the runner home directory and job scratch space, not for `.runner` registration state.
Upgrade forgejo-runner 12.7.0 → 12.7.3, add service card Patch upgrade picks up idempotent FetchTask API, offline registration fix, cloudflare/circl security dep update, and custom gRPC user-agent. No config defaults changed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-30 16:31:06 -07:00
			`## Job Execution Image`

Upgrade forgejo-runner to v12.8, adopt server.connections, and clean up docs (#338) ## Summary - consolidate forgejo-runner how-to docs into current cards - upgrade the k8s forgejo-runner deployment to the latest v12.8.x runner image - switch the k8s runner from first-boot register flow to declarative server.connections config - keep the runner image on the native Dagger build path and update the surrounding manifests/secrets ## Notes - PR opened early for C1 review - implementation and deployment verification will follow in subsequent commits Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/338 2026-04-20 09:03:54 -07:00			The actual container image used to run workflow steps is declared in `server.connections.labels` in the runner config. This image is tracked separately as `runner-job-image` in `service-versions.yaml`. See [[build-container-image]] for how it's built.
Upgrade forgejo-runner 12.7.0 → 12.7.3, add service card Patch upgrade picks up idempotent FetchTask API, offline registration fix, cloudflare/circl security dep update, and custom gRPC user-agent. No config defaults changed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-30 16:31:06 -07:00
			`## Network`

			Jobs run with `network: "host"` to share the DinD network namespace. This gives job containers access to the same DNS and network as the pod, including cluster-internal services.

			`## Credentials`

			`\| Secret \| Source \| Purpose \|`
			`\|--------\|--------\|---------\|`
Upgrade forgejo-runner to v12.8, adopt server.connections, and clean up docs (#338) ## Summary - consolidate forgejo-runner how-to docs into current cards - upgrade the k8s forgejo-runner deployment to the latest v12.8.x runner image - switch the k8s runner from first-boot register flow to declarative server.connections config - keep the runner image on the native Dagger build path and update the surrounding manifests/secrets ## Notes - PR opened early for C1 review - implementation and deployment verification will follow in subsequent commits Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/338 2026-04-20 09:03:54 -07:00			\| `FORGEJO_RUNNER_UUID` \| 1Password ("Forgejo Secrets" → `runner_k8s_uuid`) \| Static runner identity for `server.connections` \|
			\| `FORGEJO_RUNNER_TOKEN` \| 1Password ("Forgejo Secrets" → `runner_k8s_token`) \| Static runner credential for `server.connections` \|
Upgrade forgejo-runner 12.7.0 → 12.7.3, add service card Patch upgrade picks up idempotent FetchTask API, offline registration fix, cloudflare/circl security dep update, and custom gRPC user-agent. No config defaults changed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-30 16:31:06 -07:00
			`## Related`

			`- [[forgejo]] - The forge this runner connects to`
			`- [[argocd]] - Deployment mechanism`
			`- [[zot]] - Registry mirror for job image pulls`
			`- [[build-container-image]] - How container images are built via this runner`