Enable Forgejo Actions (Phase 1) (#48)

## Summary - Refactor Forgejo app.ini to be managed by ansible with secrets from 1Password - Enable Forgejo Actions in config (`[actions] ENABLED = true`) - Add `repo.actions` to DEFAULT_REPO_UNITS - Clean up unused MySQL database fields (we use SQLite) ## Phase 1 Progress This PR covers the first part of Phase 1 (ci-cd-bootstrap plan): - [x] Refactor app.ini to ansible template - [x] Store secrets in 1Password - [x] Enable Actions in config - [ ] Deploy config changes (pending review) - [ ] Create runner registration token - [ ] Deploy runner to k8s - [ ] Test with simple workflow ## Deployment and Testing - [ ] Run `mise run provision-indri -- --tags forgejo` to deploy - [ ] Verify Forgejo restarts correctly - [ ] Verify Actions tab appears in repo settings 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/48
2026-01-23 17:00:12 -08:00 · 2026-01-23 17:00:12 -08:00 · 7893c41020
commit 7893c41020
parent 016f1043c8
15 changed files with 426 additions and 15 deletions
--- a/argocd/apps/forgejo-runner.yaml
+++ b/argocd/apps/forgejo-runner.yaml
@ -0,0 +1,23 @@
+# Forgejo Actions Runner
+# Runs in k8s, polls Forgejo for workflow jobs
+#
+# Before syncing, create the runner token secret:
+#   kubectl create namespace forgejo-runner
+#   op inject -i argocd/manifests/forgejo-runner/secret-token.yaml.tpl | kubectl apply -f -
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: forgejo-runner
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/blumeops.git
+    targetRevision: main
+    path: argocd/manifests/forgejo-runner
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: forgejo-runner
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/manifests/forgejo-runner/configmap.yaml
+++ b/argocd/manifests/forgejo-runner/configmap.yaml
@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: forgejo-runner-config
+  namespace: forgejo-runner
+data:
+  config.yaml: |
+    log:
+      level: info
+    runner:
+      file: /data/.runner
+      capacity: 1
+      timeout: 3h
--- a/argocd/manifests/forgejo-runner/deployment.yaml
+++ b/argocd/manifests/forgejo-runner/deployment.yaml
@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: forgejo-runner
+  namespace: forgejo-runner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: forgejo-runner
+  template:
+    metadata:
+      labels:
+        app: forgejo-runner
+    spec:
+      serviceAccountName: forgejo-runner
+      containers:
+        - name: runner
+          image: code.forgejo.org/forgejo/runner:3.5.1
+          env:
+            # Use internal k8s service via Tailscale operator egress
+            - name: FORGEJO_INSTANCE_URL
+              value: "http://forge.tailscale.svc.cluster.local:3001"
+            - name: RUNNER_NAME
+              value: "k8s-runner-1"
+            - name: RUNNER_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: forgejo-runner-token
+                  key: token
+          command:
+            - /bin/sh
+            - -c
+            - |
+              # Register runner if not already registered
+              if [ ! -f /data/.runner ]; then
+                forgejo-runner register \
+                  --instance "$FORGEJO_INSTANCE_URL" \
+                  --token "$RUNNER_TOKEN" \
+                  --name "$RUNNER_NAME" \
+                  --labels "ubuntu-latest:host,ubuntu-22.04:host" \
+                  --no-interactive
+              fi
+              # Start the runner daemon with config
+              forgejo-runner daemon --config /config/config.yaml
+          volumeMounts:
+            - name: runner-data
+              mountPath: /data
+            - name: runner-config
+              mountPath: /config
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "100m"
+            limits:
+              memory: "1Gi"
+              cpu: "1000m"
+      volumes:
+        - name: runner-data
+          emptyDir: {}
+        - name: runner-config
+          configMap:
+            name: forgejo-runner-config
--- a/argocd/manifests/forgejo-runner/kustomization.yaml
+++ b/argocd/manifests/forgejo-runner/kustomization.yaml
@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: forgejo-runner
+resources:
+  - namespace.yaml
+  - serviceaccount.yaml
+  - configmap.yaml
+  - deployment.yaml
--- a/argocd/manifests/forgejo-runner/namespace.yaml
+++ b/argocd/manifests/forgejo-runner/namespace.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: forgejo-runner
--- a/argocd/manifests/forgejo-runner/secret-token.yaml.tpl
+++ b/argocd/manifests/forgejo-runner/secret-token.yaml.tpl
@ -0,0 +1,10 @@
+# Template for op inject
+# Usage: op inject -i secret-token.yaml.tpl | kubectl apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+  name: forgejo-runner-token
+  namespace: forgejo-runner
+type: Opaque
+stringData:
+  token: "op://blumeops/w3663ffnvkewbftncqxtcpeavy/runner_reg"
--- a/argocd/manifests/forgejo-runner/serviceaccount.yaml
+++ b/argocd/manifests/forgejo-runner/serviceaccount.yaml
@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: forgejo-runner
+  namespace: forgejo-runner