eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Switch to Buildah for container builds #51

Merged
eblume merged 30 commits from feature/p5-container-builds into main 2026-01-24 13:30:26 -08:00
Conversation 0 Commits 30 Files changed 23 +37 -21
1 changed files with 37 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 4e0767b4d9 - Show all commits

Build forgejo-runner from source with proper user setup
Some checks failed
Test CI / test (pull_request) Successful in 3s
Details
Build forgejo-runner / build (push) Failing after 2s
Details

Prev Next 
- Multi-stage build from mirrored forgejo-runner source
- Create proper runner user with passwd entry (fixes buildah)
- Use named user instead of numeric UID

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Erich Blume 2026-01-23 22:00:19 -08:00
commit 4e0767b4d9

58
argocd/manifests/forgejo-runner/Dockerfile
View file

@ -1,19 +1,37 @@
FROM code.forgejo.org/forgejo/runner:3.5.1
# Build forgejo-runner from source
# Source: https://forge.tail8d86e.ts.net/eblume/forgejo-runner (mirror of code.forgejo.org/forgejo/runner)
# Switch to root to install packages
USER root
FROM golang:1.24-alpine AS builder
# The base image is Alpine Linux
# Install tools needed for GitHub Actions and builds
ARG FORGEJO_RUNNER_VERSION=v3.5.1
RUN apk add --no-cache git make build-base
WORKDIR /src
RUN git clone --depth 1 --branch ${FORGEJO_RUNNER_VERSION} \
https://forge.tail8d86e.ts.net/eblume/forgejo-runner.git .
RUN make clean && make build
# Runtime image
FROM alpine:3.21
# Create runner user with proper passwd entry (required by buildah)
RUN addgroup -g 1000 runner && \
adduser -D -u 1000 -G runner -h /data runner
# Install runtime dependencies
RUN apk add --no-cache \
# Required for actions/checkout and other Node-based actions
nodejs \
npm \
# Build essentials
# Core tools
git \
bash \
curl \
wget \
jq \
# Build essentials
make \
gcc \
g++ \
@ -22,27 +40,25 @@ RUN apk add --no-cache \
buildah \
podman \
fuse-overlayfs \
shadow \
ca-certificates
# Copy runner binary from builder
COPY --from=builder /src/forgejo-runner /bin/forgejo-runner
# Configure buildah for rootless operation
RUN mkdir -p /etc/containers && \
echo '[storage]' > /etc/containers/storage.conf && \
echo 'driver = "overlay"' >> /etc/containers/storage.conf && \
echo 'runroot = "/tmp/containers-run"' >> /etc/containers/storage.conf && \
echo 'graphroot = "/tmp/containers-storage"' >> /etc/containers/storage.conf && \
echo '[storage.options.overlay]' >> /etc/containers/storage.conf && \
echo 'mount_program = "/usr/bin/fuse-overlayfs"' >> /etc/containers/storage.conf
printf '[storage]\ndriver = "overlay"\nrunroot = "/tmp/containers-run"\ngraphroot = "/tmp/containers-storage"\n[storage.options.overlay]\nmount_program = "/usr/bin/fuse-overlayfs"\n' \
> /etc/containers/storage.conf
# Configure registries (allow insecure for local registry)
RUN mkdir -p /etc/containers && \
echo 'unqualified-search-registries = ["docker.io"]' > /etc/containers/registries.conf && \
echo '[[registry]]' >> /etc/containers/registries.conf && \
echo 'location = "registry.tail8d86e.ts.net"' >> /etc/containers/registries.conf && \
echo 'insecure = true' >> /etc/containers/registries.conf
RUN printf 'unqualified-search-registries = ["docker.io"]\n[[registry]]\nlocation = "registry.tail8d86e.ts.net"\ninsecure = true\n' \
> /etc/containers/registries.conf
# Verify tools are available
RUN node --version && npm --version && buildah --version
RUN node --version && npm --version && buildah --version && /bin/forgejo-runner --version
# Switch back to non-root user
USER 1000
ENV HOME=/data
WORKDIR /data
USER runner
CMD ["/bin/forgejo-runner"]