Keep only test.yaml workflow for now. Container build workflows
and ci-base Dockerfile will be added in a future PR.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

The Docker-based runner with Tailscale sidecar approach was abandoned
in favor of host execution mode. Clean up the unused infrastructure:
- Remove tailscale_ci_gateway role and its reference in indri.yml
- Remove tag:ci-gateway ACL grants and tagOwners from pulumi policy
- Plist already removed from indri
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Docker-based runner had networking issues reaching Forgejo from job
containers. Host execution mode runs the runner daemon directly on indri,
with jobs executing on the host. Actions that need Docker use host
networking to access localhost:3001.
- Runner binary compiled locally at ~/code/3rd/forgejo-runner
- Labels use :host suffix instead of :docker://image
- PATH set in launchd plist for mise-managed tools (node, etc.)
- Container network set to "host" for actions needing Docker
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add --accept-routes to tailscale-ci-gateway for service routing
- Run forgejo-runner as root for docker socket access
- Mount actual docker socket path (not symlink)
- Use gateway network namespace for tailnet connectivity
- Registration uses gateway network for Forgejo access
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Architecture:
- tailscale_ci_gateway role: Runs Tailscale container on tailnet-jobs network
- forgejo_runner role: Runs runner daemon in container on same network
- Job containers also use tailnet-jobs network
This allows the runner and jobs to reach forge.tail8d86e.ts.net via
the Tailscale gateway, avoiding hairpinning issues with localhost.
Changes:
- Add tailscale_ci_gateway role with launchd management
- Refactor forgejo_runner to use containerized daemon
- Runner registers with Tailscale URL instead of localhost
- Job containers run on tailnet-jobs network
- Update playbook role ordering (gateway before runner)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add ci-gateway tag owner (admin and blumeops can assign)
- Grant ci-gateway access to forge:443 for git operations
- Grant ci-gateway access to registry:443 for container push/pull
- Add ACL test for ci-gateway access
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Remove forgejo-runner k8s manifests and ArgoCD app (runner now on indri)
- Remove build-runner workflow (no longer needed)
- Add ci-base image with Ubuntu 22.04 + common CI tools
- Add build-ci-base workflow to build the image
- Update test workflow to check docker instead of buildah
- Document bootstrap vs production mode for runner labels
- Configure host.docker.internal:5050 for zot access from job containers
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Use Docker instead of buildah in composite action
- Build workflows now run on docker-builder label
- Add actionlint config for custom runner labels
- Avoids nested containerization complexity in k8s
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Run forgejo-runner directly on indri using Docker container mode
instead of trying to build containers inside k8s pods. This avoids
nested containerization complexity.
Features:
- Build from source using mise + Go
- Docker container mode for job isolation
- Can build containers via Docker socket
- Labels: docker-builder (distinct from k8s runner)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Buildah needs UID/GID remapping to extract images with files
owned by different users (root, shadow, etc.). Configure
subordinate UID/GID ranges for the runner user.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

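The subordinate-id setup described in the commit above is usually done by appending a `user:start:count` line to /etc/subuid and /etc/subgid. The following POSIX shell helpers are an added example, not code from this repository's Ansible role: they pick the next free range after the existing entries, refuse to create a range that overlaps another user's (two users mapping the same host ids defeats the isolation rootless buildah relies on), and verify that the runner user ends up with at least 65536 ids, the amount buildah needs to map a typical image. The user name `runner`, the 65536 count and the temporary sample file are assumptions for illustration; point the functions at the real /etc/subuid and /etc/subgid on the host.

```shell
#!/bin/sh
# Added example (not the repository's own code): manage "user:start:count"
# entries as used in /etc/subuid and /etc/subgid for rootless buildah.
# The file path and the "runner" user name are assumptions for illustration.
set -eu

SUBID_COUNT=65536   # buildah needs at least 65536 ids to map a typical image

# Print the first id after the highest existing range in FILE (100000 if
# FILE has no valid entries), the conventional starting point for new ranges.
next_subid_start() {
  awk -F: -v floor=100000 '
    NF >= 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
      end = $2 + $3
      if (end > floor) floor = end
    }
    END { print floor }' "$1"
}

# Succeed (exit 0) if START..START+COUNT-1 overlaps any entry in FILE that
# belongs to a user other than USER.
subid_overlaps() {
  file="$1"; user="$2"; start="$3"; count="$4"
  awk -F: -v u="$user" -v s="$start" -v c="$count" '
    NF >= 3 && $1 != u {
      e = $2 + $3
      if (s < e && $2 < s + c) found = 1
    }
    END { exit found ? 0 : 1 }' "$file"
}

# Append "USER:START:COUNT" to FILE unless USER already has an entry.
# Refuses to write a range that overlaps another user's allocation.
add_subid_entry() {
  file="$1"; user="$2"
  if grep -q "^${user}:" "$file"; then
    return 0
  fi
  start=$(next_subid_start "$file")
  if subid_overlaps "$file" "$user" "$start" "$SUBID_COUNT"; then
    echo "refusing to add overlapping range for $user" >&2
    return 1
  fi
  printf '%s:%s:%s\n' "$user" "$start" "$SUBID_COUNT" >> "$file"
}

# Print USER's entry from FILE and succeed only if it provides at least
# NEED ids (default SUBID_COUNT); fail if the entry is missing or too small.
check_subid_entry() {
  file="$1"; user="$2"; need="${3:-$SUBID_COUNT}"
  awk -F: -v u="$user" -v n="$need" '
    $1 == u { if ($3 + 0 >= n) ok = 1; print }
    END { exit ok ? 0 : 1 }' "$file"
}

# Demo on a constructed sample file, not the host's real /etc/subuid.
demo_subuid="$(mktemp)"
printf 'alice:100000:65536\nbob:165536:65536\n' > "$demo_subuid"
add_subid_entry "$demo_subuid" runner
check_subid_entry "$demo_subuid" runner
rm -f "$demo_subuid"
```

Run the same three functions once against /etc/subuid and once against /etc/subgid; after changing either file, `podman system migrate` (or a fresh login of the runner user) is needed before buildah picks up the new mapping.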
- Remove imagePullPolicy: Always (rely on immutable tags)
- Use explicit version tag instead of :latest
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Multi-stage build from mirrored forgejo-runner source
- Create proper runner user with passwd entry (fixes buildah)
- Use named user instead of numeric UID
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Workflows trigger on git tags (e.g. runner-v1.0.0, devpi-v1.0.0)
- Composite action takes explicit version, tags image with version + SHA
- Add mise-tasks/container-list to enumerate containers and recent tags
- Add mise-tasks/container-release to create release tags
- Update CLAUDE.md with container release commands
- TODO: investigate zot tag immutability
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

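The commit above tags images with an explicit version plus the commit SHA from release tags such as `runner-v1.0.0`, and the earlier commit drops `:latest` in favour of explicit version tags. The helpers below are an added example, not the repository's composite action: they parse a `<name>-v<major>.<minor>.<patch>` tag, reject anything that does not match the convention (a mistyped tag or a branch name must not produce an image with an unexpected tag), and emit the two references to push, one immutable version tag and one SHA tag, never a mutable `latest`. The registry host `zot.example.internal` and the sample commit SHA are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the repository's own code): derive container image
# references from a release git tag "<name>-v<major>.<minor>.<patch>".
# REGISTRY defaults to an assumed host name for illustration.
set -eu

REGISTRY="${REGISTRY:-zot.example.internal}"

# Print "<name> <version>" for a valid release tag; fail otherwise so that
# nothing but a properly named tag can drive a release build.
parse_release_tag() {
  tag="$1"
  printf '%s\n' "$tag" | sed -n -E \
    's/^([a-z][a-z0-9-]*)-v([0-9]+\.[0-9]+\.[0-9]+)$/\1 \2/p' | grep . \
    || { echo "not a release tag: $tag" >&2; return 1; }
}

# Print the two references to push for NAME, VERSION and the full commit SHA
# (lowercase hex as git prints it): the immutable version tag and a
# "sha-<12 hex chars>" tag. A mutable "latest" tag is deliberately not emitted.
image_refs() {
  name="$1"; version="$2"; sha="$3"
  case "$sha" in
    *[!0-9a-f]*|"") echo "bad sha: $sha" >&2; return 1 ;;
  esac
  short=$(printf '%s' "$sha" | cut -c1-12)
  printf '%s/%s:%s\n' "$REGISTRY" "$name" "$version"
  printf '%s/%s:sha-%s\n' "$REGISTRY" "$name" "$short"
}

# Go from a git tag plus commit SHA straight to the references.
refs_for_tag() {
  parsed=$(parse_release_tag "$1") || return 1
  sha="$2"
  set -- $parsed
  image_refs "$1" "$2" "$sha"
}

# Demo on constructed input (the SHA is not a real commit).
refs_for_tag runner-v1.0.0 0123456789abcdef0123456789abcdef01234567
```

In a workflow, the tag comes from the ref that triggered the run and the SHA from the checked-out commit; with immutable tags in the registry, re-running a release for the same version should fail at push time rather than silently replace the image, which is the behaviour the commit's TODO about zot tag immutability is asking for.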
- Replace docker-cli with buildah/podman in runner image
- Configure buildah for overlay storage with fuse-overlayfs
- Add registry config for insecure local registry
- Remove Docker socket mount and root security context from deployment
- Update composite action to use buildah bud/push instead of docker
Buildah is daemonless - no Docker socket required, cleaner security model.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Create composite action: .forgejo/actions/build-push-image
- Add build-runner.yaml workflow (triggers on Dockerfile changes)
- Add build-devpi.yaml workflow (triggers on Dockerfile/start.sh changes)
- Mount Docker socket in runner deployment for container builds
- Run runner as root to access Docker socket
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>