Bump Dagger to 0.20.6 and migrate runner-job-image to Alpine container.py

Bumps the Dagger engine/CLI from v0.20.1 to v0.20.6 (mise pin, dagger.json
engineVersion, SDK regen) and rewrites the runner-job-image container as a
native Dagger pipeline on Alpine 3.23 using the shared alpine_runtime helper,
replacing the Debian-based Dockerfile. All Forgejo Actions in this repo use
actions/checkout (a JS action), so musl is not a compatibility concern.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -12,3 +12,5 @@ __pycache__/
 
 # OS
 .DS_Store
+/**/__pycache__
+/.env

containers/runner-job-image/Dockerfile

@@ -1,84 +0,0 @@
-# Forgejo Actions Job Execution Image
-#
-# This image is used as the job execution environment for Forgejo Actions.
-# The host runner daemon creates containers from this image to run workflow steps.
-#
-# Build logic (container images, docs site) runs inside Dagger containers,
-# so this image only needs: git, Docker CLI, Dagger CLI, ArgoCD CLI, uv, yq, and basic tools.
-#
-# Usage: Configure runner with label like:
-#   docker:docker://registry.ops.eblu.me/blumeops/runner-job-image:latest
-
-ARG CONTAINER_APP_VERSION=0.20.1
-
-FROM debian:bookworm-slim
-
-ARG TARGETARCH
-ARG CONTAINER_APP_VERSION
-ARG DAGGER_VERSION=${CONTAINER_APP_VERSION}
-
-LABEL org.opencontainers.image.title="Runner Job Image"
-LABEL org.opencontainers.image.description="Forgejo Actions job execution environment"
-LABEL org.opencontainers.image.version="${CONTAINER_APP_VERSION}"
-LABEL org.opencontainers.image.source="https://forge.eblu.me/eblume/blumeops"
-LABEL org.opencontainers.image.vendor="blumeops"
-
-# Install base dependencies
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    ca-certificates \
-    curl \
-    git \
-    gnupg \
-    jq \
-    tzdata \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install Node.js (required by actions/checkout and other JavaScript Actions)
-RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
-    && apt-get install -y --no-install-recommends nodejs \
-    && rm -rf /var/lib/apt/lists/* \
-    && node --version
-
-# Install Docker CLI (Dagger shells out to `docker` to provision its engine)
-RUN install -m 0755 -d /etc/apt/keyrings \
-    && curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \
-    && chmod a+r /etc/apt/keyrings/docker.asc \
-    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bookworm stable" > /etc/apt/sources.list.d/docker.list \
-    && apt-get update \
-    && apt-get install -y --no-install-recommends docker-ce-cli \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install uv (Python package runner for towncrier)
-RUN curl -LsSf https://astral.sh/uv/install.sh | sh \
-    && mv /root/.local/bin/uv /usr/local/bin/uv \
-    && mv /root/.local/bin/uvx /usr/local/bin/uvx
-
-# Install argocd CLI (for syncing apps from workflows)
-RUN ARCH="${TARGETARCH:-$(dpkg --print-architecture)}" \
-    && curl -fsSL -o /usr/local/bin/argocd \
-    "https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-${ARCH}" \
-    && chmod +x /usr/local/bin/argocd \
-    && argocd version --client
-
-# Install Dagger CLI (for running Dagger CI pipelines)
-RUN ARCH="${TARGETARCH:-$(dpkg --print-architecture)}" \
-    && curl -fsSL -o /tmp/dagger.tar.gz \
-    "https://dl.dagger.io/dagger/releases/${DAGGER_VERSION}/dagger_v${DAGGER_VERSION}_linux_${ARCH}.tar.gz" \
-    && tar -xzf /tmp/dagger.tar.gz -C /usr/local/bin dagger \
-    && rm /tmp/dagger.tar.gz \
-    && dagger version
-
-# Install yq (for editing YAML files in workflows)
-RUN ARCH="${TARGETARCH:-$(dpkg --print-architecture)}" \
-    && curl -fsSL -o /usr/local/bin/yq \
-    "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}" \
-    && chmod +x /usr/local/bin/yq \
-    && yq --version
-
-# Install flyctl (for Fly.io cache purge after docs deploy)
-RUN curl -L https://fly.io/install.sh | sh \
-    && mv /root/.fly/bin/flyctl /usr/local/bin/fly \
-    && rm -rf /root/.fly
-
-# Default to bash
-CMD ["/bin/bash"]

containers/runner-job-image/container.py

@@ -0,0 +1,79 @@
+"""Forgejo Actions job execution image — native Dagger build.
+
+The forgejo-runner daemon creates containers from this image to run
+workflow steps. Contains the tools workflows reach for: git, Docker CLI,
+Node.js (for JavaScript Actions), Dagger CLI, ArgoCD CLI, uv, yq, flyctl.
+
+VERSION tracks the Dagger CLI version, the primary build tool.
+"""
+
+import dagger
+
+from blumeops.containers import alpine_runtime, oci_labels
+
+VERSION = "0.20.6"
+
+
+async def build(src: dagger.Directory) -> dagger.Container:
+    # Map `uname -m` to the arch suffix each upstream uses.
+    arch_setup = (
+        'ARCH_UNAME="$(uname -m)"; '
+        'case "$ARCH_UNAME" in '
+        "  x86_64) ARCH=amd64 ;; "
+        "  aarch64) ARCH=arm64 ;; "
+        '  *) echo "unsupported arch: $ARCH_UNAME" >&2; exit 1 ;; '
+        "esac; "
+    )
+
+    runtime = alpine_runtime(
+        extra_apk=[
+            "bash",
+            "ca-certificates",
+            "curl",
+            "docker-cli",
+            "git",
+            "gnupg",
+            "jq",
+            "nodejs",
+            "npm",
+            "tzdata",
+        ],
+        create_user=False,
+    )
+    runtime = oci_labels(
+        runtime,
+        title="Runner Job Image",
+        description="Forgejo Actions job execution environment",
+        version=VERSION,
+    )
+
+    install_tools = (
+        arch_setup
+        + "set -eux; "
+        # Dagger CLI (pinned)
+        + f'curl -fsSL -o /tmp/dagger.tar.gz "https://dl.dagger.io/dagger/releases/{VERSION}/dagger_v{VERSION}_linux_${{ARCH}}.tar.gz"; '
+        + "tar -xzf /tmp/dagger.tar.gz -C /usr/local/bin dagger; "
+        + "rm /tmp/dagger.tar.gz; "
+        + "dagger version; "
+        # ArgoCD CLI (latest — matches cluster server version over time)
+        + 'curl -fsSL -o /usr/local/bin/argocd "https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-${ARCH}"; '
+        + "chmod +x /usr/local/bin/argocd; "
+        + "argocd version --client; "
+        # yq (latest)
+        + 'curl -fsSL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}"; '
+        + "chmod +x /usr/local/bin/yq; "
+        + "yq --version; "
+        # uv / uvx (latest; musl target auto-selected by installer)
+        + "curl -LsSf https://astral.sh/uv/install.sh "
+        + '| env UV_INSTALL_DIR=/usr/local/bin UV_UNMANAGED_INSTALL="/usr/local/bin" sh; '
+        + "uv --version; "
+        # flyctl (latest)
+        + "curl -L https://fly.io/install.sh | sh; "
+        + "mv /root/.fly/bin/flyctl /usr/local/bin/fly; "
+        + "rm -rf /root/.fly; "
+        + "fly version"
+    )
+
+    return runtime.with_exec(["sh", "-c", install_tools]).with_default_args(
+        args=["/bin/bash"]
+    )

dagger.json

@@ -1,8 +1,7 @@
 {
   "name": "blumeops",
-  "engineVersion": "v0.20.1",
+  "engineVersion": "v0.20.6",
   "sdk": {
     "source": "python"
-  },
+  }
-  "source": "."
 }

docs/changelog.d/dagger-0-20-6-runner-image-alpine.infra.md

@@ -0,0 +1 @@
+Upgraded Dagger from v0.20.1 to v0.20.6 (engine, CLI pin, and SDK regen) and migrated `runner-job-image` from a Debian-based Dockerfile to a native Dagger `container.py` on Alpine 3.23, reusing the shared `alpine_runtime` helper.

docs/reference/tools/dagger.md

@@ -16,7 +16,7 @@ Build engine for BlumeOps CI/CD pipelines. Replaces shell-based build scripts wi
 | Property | Value |
 |----------|-------|
 | **Module** | `blumeops` |
-| **Engine Version** | v0.20.1 |
+| **Engine Version** | v0.20.6 |
 | **SDK** | Python |
 | **Source** | `src/blumeops/main.py` |
 | **Config** | `dagger.json` (source: `.`) |

mise.toml

@@ -8,5 +8,5 @@
 "pipx:borgmatic" = "2.1.4"
 prek = "0.3.4"
 pulumi = "3.215.0"
-dagger = "0.20.1"
+dagger = "0.20.6"
 "pipx:ty" = "0.0.29"

service-versions.yaml

@@ -244,8 +244,8 @@ services:
 
   - name: runner-job-image
     type: argocd
-    last-reviewed: 2026-03-06
+    last-reviewed: 2026-04-21
-    current-version: "0.20.1"
+    current-version: "0.20.6"
     upstream-source: https://github.com/dagger/dagger/releases
     notes: >-
       Forgejo Actions job execution image. CONTAINER_APP_VERSION tracks the
@@ -396,8 +396,8 @@ services:
 
   - name: dagger
     type: mise
-    last-reviewed: 2026-04-12
+    last-reviewed: 2026-04-21
-    current-version: "0.20.1"
+    current-version: "0.20.6"
     upstream-source: https://github.com/dagger/dagger/releases
     notes: Dagger CI/CD engine; pinned in mise.toml