From 1e391f96bbc4a814d6e55e247ac2c634a69009da Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Mon, 30 Mar 2026 16:31:06 -0700 Subject: [PATCH] =?UTF-8?q?Upgrade=20forgejo-runner=2012.7.0=20=E2=86=92?= =?UTF-8?q?=2012.7.3,=20add=20service=20card?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch upgrade picks up idempotent FetchTask API, offline registration fix, cloudflare/circl security dep update, and custom gRPC user-agent. No config defaults changed. Co-Authored-By: Claude Opus 4.6 (1M context) --- argocd/manifests/forgejo-runner/config.yaml | 2 +- .../forgejo-runner/kustomization.yaml | 2 +- .../+forgejo-runner-12.7.3.infra.md | 1 + docs/reference/services/forgejo-runner.md | 56 +++++++++++++++++++ docs/reference/services/forgejo.md | 1 + service-versions.yaml | 4 +- 6 files changed, 62 insertions(+), 4 deletions(-) create mode 100644 docs/changelog.d/+forgejo-runner-12.7.3.infra.md create mode 100644 docs/reference/services/forgejo-runner.md
diff --git a/argocd/manifests/forgejo-runner/config.yaml b/argocd/manifests/forgejo-runner/config.yaml
index c92d616..4894825 100644
--- a/argocd/manifests/forgejo-runner/config.yaml
+++ b/argocd/manifests/forgejo-runner/config.yaml
@@ -1,4 +1,4 @@ -# Reviewed against v12.7.0 defaults (2026-02-22) +# Reviewed against v12.7.3 defaults (2026-03-30) log: level: info
diff --git a/argocd/manifests/forgejo-runner/kustomization.yaml b/argocd/manifests/forgejo-runner/kustomization.yaml
index 67527de..2c845ee 100644
--- a/argocd/manifests/forgejo-runner/kustomization.yaml
+++ b/argocd/manifests/forgejo-runner/kustomization.yaml
@@ -10,7 +10,7 @@ resources: images: - name: code.forgejo.org/forgejo/runner - newTag: "12.7.0" + newTag: "12.7.3" - name: docker newTag: 27-dind
diff --git a/docs/changelog.d/+forgejo-runner-12.7.3.infra.md b/docs/changelog.d/+forgejo-runner-12.7.3.infra.md
new file mode 100644
index 0000000..379ca3e
--- /dev/null
+++ b/docs/changelog.d/+forgejo-runner-12.7.3.infra.md
@@ -0,0 +1 @@
+Upgrade forgejo-runner from 12.7.0 to 12.7.3 (bug fixes, security dep update). Add service reference card.
diff --git a/docs/reference/services/forgejo-runner.md b/docs/reference/services/forgejo-runner.md
new file mode 100644
index 0000000..d61f378
--- /dev/null
+++ b/docs/reference/services/forgejo-runner.md
@@ -0,0 +1,56 @@
+---
+title: Forgejo Runner
+modified: 2026-03-30
+last-reviewed: 2026-03-30
+tags:
+ - service
+ - ci-cd
+---
+
+# Forgejo Runner
+
+Forgejo Actions runner daemon for CI/CD job execution. Runs as a Kubernetes pod on [[indri]] (minikube) with a Docker-in-Docker sidecar.
+
+## Quick Reference
+
+| Property | Value |
+|----------|-------|
+| **Namespace** | `forgejo-runner` |
+| **ArgoCD App** | `forgejo-runner` |
+| **Runner Name** | `k8s-runner` |
+| **Labels** | `k8s` |
+| **Capacity** | 2 concurrent jobs |
+| **Timeout** | 3h |
+| **Forgejo Instance** | https://forge.ops.eblu.me |
+| **Image** | `code.forgejo.org/forgejo/runner` (see `argocd/manifests/forgejo-runner/kustomization.yaml` for current tag) |
+| **DinD Sidecar** | `docker:27-dind` |
+
+## Architecture
+
+The pod runs two containers:
+
+1. **runner** - The Forgejo runner daemon. Registers with the forge on first start, then polls for jobs. Talks to DinD via `tcp://localhost:2375`.
+2. **dind** - Docker-in-Docker sidecar (privileged). Provides the Docker daemon for job container execution. Uses a registry mirror at `host.minikube.internal:5050` ([[zot]]).
+
+Runner state (`/data/.runner`) is stored in an `emptyDir` volume, so re-registration happens on pod restart. The registration token comes from 1Password via [[external-secrets]].
+
+## Job Execution Image
+
+The actual container image used to run workflow steps is set via `RUNNER_LABELS` in the deployment, not in the runner config. This image is tracked separately as `runner-job-image` in `service-versions.yaml`. See [[build-container-image]] for how it's built.
+
+## Network
+
+Jobs run with `network: "host"` to share the DinD network namespace. This gives job containers access to the same DNS and network as the pod, including cluster-internal services.
+
+## Credentials
+
+| Secret | Source | Purpose |
+|--------|--------|---------|
+| `RUNNER_TOKEN` | 1Password ("Forgejo Secrets" → `runner_reg`) | Runner registration with forge |
+
+## Related
+
+- [[forgejo]] - The forge this runner connects to
+- [[argocd]] - Deployment mechanism
+- [[zot]] - Registry mirror for job image pulls
+- [[build-container-image]] - How container images are built via this runner
diff --git a/docs/reference/services/forgejo.md b/docs/reference/services/forgejo.md
index fbbc506..635f479 100644
--- a/docs/reference/services/forgejo.md
+++ b/docs/reference/services/forgejo.md
@@ -161,6 +161,7 @@ Forgejo hosts pull mirrors of external repositories (GitHub, etc.) for supply ch ## Related +- [[forgejo-runner]] - k8s CI/CD runner (minikube on indri) - [[argocd]] - Uses Forgejo as git source - [[authentik]] - OIDC identity provider - [[zot]] - Container registry for built images
diff --git a/service-versions.yaml b/service-versions.yaml
index 6e67b24..adb0974 100644
--- a/service-versions.yaml
+++ b/service-versions.yaml
@@ -234,8 +234,8 @@ services: - name: forgejo-runner type: argocd - last-reviewed: 2026-02-22 - current-version: "12.7.0" + last-reviewed: 2026-03-30 + current-version: "12.7.3" upstream-source: https://code.forgejo.org/forgejo/runner/releases notes: >- Runner daemon version (code.forgejo.org/forgejo/runner). Job execution