feat: adopt declarative forgejo-runner config

argocd/manifests/forgejo-runner/config.yaml

@@ -1,9 +1,8 @@
-# Reviewed against v12.7.3 defaults (2026-03-30)
+# Reviewed against v12.8.2 defaults (2026-04-20)
 log:
   level: info
 
 runner:
-  file: /data/.runner
   capacity: 2
   timeout: 3h
   shutdown_timeout: 3h
@@ -13,7 +12,15 @@ runner:
     TZ: America/Los_Angeles
 
 container:
-  # Job execution image is set via RUNNER_LABELS in deployment.yaml
   network: "host"
   # Connect to DinD sidecar via TCP (not socket)
   docker_host: tcp://127.0.0.1:2375
+
+server:
+  connections:
+    forgejo:
+      url: https://forge.ops.eblu.me/
+      uuid: ${FORGEJO_RUNNER_UUID}
+      token: ${FORGEJO_RUNNER_TOKEN}
+      labels:
+        - k8s:docker://registry.ops.eblu.me/blumeops/runner-job-image:v0.20.1-24f7512

argocd/manifests/forgejo-runner/deployment.yaml

@@ -25,14 +25,6 @@ spec:
           env:
             - name: TZ
               value: America/Los_Angeles
-            - name: DOCKER_HOST
-              value: tcp://localhost:2375
-            - name: FORGEJO_URL
-              value: "https://forge.ops.eblu.me"
-            - name: RUNNER_NAME
-              value: "k8s-runner"
-            - name: RUNNER_LABELS
-              value: "k8s:docker://registry.ops.eblu.me/blumeops/runner-job-image:v0.20.1-24f7512"
           command:
             - /bin/sh
             - -c
@@ -44,19 +36,11 @@ spec:
               done
               echo "Docker daemon ready"
 
-              # Register if not already registered
-              if [ ! -f /data/.runner ]; then
-                echo "Registering runner..."
-                forgejo-runner register \
-                  --instance "$FORGEJO_URL" \
-                  --token "$RUNNER_TOKEN" \
-                  --name "$RUNNER_NAME" \
-                  --labels "$RUNNER_LABELS" \
-                  --no-interactive
-              fi
+              # Render config with credentials from ExternalSecret.
+              envsubst < /config/config.yaml > /tmp/config.yaml
 
               # Start daemon
-              exec forgejo-runner daemon --config /config/config.yaml
+              exec forgejo-runner daemon --config /tmp/config.yaml
           envFrom:
             - secretRef:
                 name: forgejo-runner-env

argocd/manifests/forgejo-runner/external-secret.yaml

@@ -1,11 +1,7 @@
-# ExternalSecret for Forgejo Runner token
+# ExternalSecret for Forgejo Runner credentials
 #
 # 1Password item: "Forgejo Secrets" in blumeops vault
-# Field: runner_reg (runner registration token)
-#
-# Non-secret env vars (FORGEJO_URL, RUNNER_NAME, RUNNER_LABELS) live in the
-# deployment spec so that changes (e.g. image version bumps) trigger a rollout
-# automatically.
+# Fields: runner_k8s_uuid, runner_k8s_token
 #
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -21,7 +17,11 @@ spec:
     name: forgejo-runner-env
     creationPolicy: Owner
   data:
-  - secretKey: RUNNER_TOKEN
+  - secretKey: FORGEJO_RUNNER_UUID
     remoteRef:
       key: Forgejo Secrets
-      property: runner_reg
+      property: runner_k8s_uuid
+  - secretKey: FORGEJO_RUNNER_TOKEN
+    remoteRef:
+      key: Forgejo Secrets
+      property: runner_k8s_token

containers/forgejo-runner/container.py

@@ -13,7 +13,7 @@ from blumeops.containers import (
     oci_labels,
 )
 
-VERSION = "12.7.3"
+VERSION = "12.8.2"
 
 
 async def build(src: dagger.Directory) -> dagger.Container:
@@ -34,7 +34,7 @@ async def build(src: dagger.Directory) -> dagger.Container:
 
     # Stage 2: Runtime
     runtime = alpine_runtime(
-        extra_apk=["git", "bash", "ca-certificates"],
+        extra_apk=["git", "bash", "ca-certificates", "gettext-envsubst"],
         uid=1000,
         gid=1000,
         username="runner",

docs/changelog.d/forgejo-runner-v12-8-server-connections.infra.md

@@ -1 +1 @@
-Consolidated Forgejo runner how-to documentation into two cards covering declarative `server.connections` configuration and workflow validation, removing stale one-off upgrade notes.
+Upgraded the k8s Forgejo runner to the v12.8 line, switched it from first-boot registration to declarative `server.connections` credentials from 1Password, and consolidated the supporting runner how-to documentation.

docs/reference/services/forgejo-runner.md

@@ -1,7 +1,7 @@
 ---
 title: Forgejo Runner
-modified: 2026-03-30
-last-reviewed: 2026-03-30
+modified: 2026-04-20
+last-reviewed: 2026-04-20
 tags:
   - service
   - ci-cd
@@ -22,21 +22,21 @@ Forgejo Actions runner daemon for CI/CD job execution. Runs as a Kubernetes pod
 | **Capacity** | 2 concurrent jobs |
 | **Timeout** | 3h |
 | **Forgejo Instance** | https://forge.ops.eblu.me |
-| **Image** | `code.forgejo.org/forgejo/runner` (see `argocd/manifests/forgejo-runner/kustomization.yaml` for current tag) |
+| **Image** | `registry.ops.eblu.me/blumeops/forgejo-runner` (see `argocd/manifests/forgejo-runner/kustomization.yaml` for current tag) |
 | **DinD Sidecar** | `docker:27-dind` |
 
 ## Architecture
 
 The pod runs two containers:
 
-1. **runner** - The Forgejo runner daemon. Registers with the forge on first start, then polls for jobs. Talks to DinD via `tcp://localhost:2375`.
+1. **runner** - The Forgejo runner daemon. Loads a rendered `server.connections` config at startup, then polls for jobs. Talks to DinD via `tcp://localhost:2375`.
 2. **dind** - Docker-in-Docker sidecar (privileged). Provides the Docker daemon for job container execution. Uses a registry mirror at `host.minikube.internal:5050` ([[zot]]).
 
-Runner state (`/data/.runner`) is stored in an `emptyDir` volume, so re-registration happens on pod restart. The registration token comes from 1Password via [[external-secrets]].
+The runner daemon image is built from `containers/forgejo-runner/container.py`, not pulled directly from upstream. Credentials come from 1Password via [[external-secrets]], and the startup script renders the final config before launching the daemon. The `/data` volume remains for the runner home directory and job scratch space, not for `.runner` registration state.
 
 ## Job Execution Image
 
-The actual container image used to run workflow steps is set via `RUNNER_LABELS` in the deployment, not in the runner config. This image is tracked separately as `runner-job-image` in `service-versions.yaml`. See [[build-container-image]] for how it's built.
+The actual container image used to run workflow steps is declared in `server.connections.labels` in the runner config. This image is tracked separately as `runner-job-image` in `service-versions.yaml`. See [[build-container-image]] for how it's built.
 
 ## Network
 
@@ -46,7 +46,8 @@ Jobs run with `network: "host"` to share the DinD network namespace. This gives
 
 | Secret | Source | Purpose |
 |--------|--------|---------|
-| `RUNNER_TOKEN` | 1Password ("Forgejo Secrets" → `runner_reg`) | Runner registration with forge |
+| `FORGEJO_RUNNER_UUID` | 1Password ("Forgejo Secrets" → `runner_k8s_uuid`) | Static runner identity for `server.connections` |
+| `FORGEJO_RUNNER_TOKEN` | 1Password ("Forgejo Secrets" → `runner_k8s_token`) | Static runner credential for `server.connections` |
 
 ## Related
 

docs/reference/services/forgejo.md

@@ -85,6 +85,7 @@ Both container workflows trigger on the same tag pattern (`*-v[0-9]*`). Each che
 Server configuration secrets managed via 1Password → Ansible:
 - `lfs-jwt-secret`, `internal-token`, `oauth2-jwt-secret` - Forgejo server tokens
 - `runner_reg` - Runner registration token (also in k8s via [[external-secrets]])
+- `runner_k8s_uuid`, `runner_k8s_token` - Static credentials for the k8s runner `server.connections` flow
 
 ## Forgejo Actions Secrets
 

service-versions.yaml

@@ -236,7 +236,7 @@ services:
   - name: forgejo-runner
     type: argocd
     last-reviewed: 2026-03-30
-    current-version: "12.7.3"
+    current-version: "12.8.2"
     upstream-source: https://code.forgejo.org/forgejo/runner/releases
     notes: >-
       Runner daemon version (code.forgejo.org/forgejo/runner). Job execution