generated from coulomb/repo-seed
Records successful forgejo-actions-probe image-build workflow and the static docker-cli + git-clone pattern for non-root host runners.
2.8 KiB
# Forgejo Actions Runner Substrate
Last reviewed: 2026-07-03
Status: in-cluster runner on railiance01 (ADR-004). Supersedes interim coulombcore host runner.
## Purpose
Forge-owned Actions runner for https://forgejo.coulomb.social so coulomb
organization repos build and publish without workstation or legacy-host Docker.
Label contract aligns with docs/gitea-actions-runner-substrate.md and
docs/ci-runner-actions-gitops-ownership.md.
## Production Runner (ADR-004)
| Field | Value |
|---|---|
| Runner name | railiance01-build-01 |
| Scope | coulomb organization |
| Placement | forgejo namespace, railiance01 k3s |
| Manifest | railiance-apps/manifests/forgejo-runner.yaml |
| Images | code.forgejo.org/forgejo/runner:6.3.1, docker:27-dind |
| Job runtime | DinD sidecar (DOCKER_HOST=tcp://127.0.0.1:2375) |
| State PVC | forgejo-runner-data |
| Cluster deploy authority | Not included |
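The table above describes a runner pod with a DinD sidecar. As an added illustration of that layout (this is not `railiance-apps/manifests/forgejo-runner.yaml`, and the `forgejo-runner register`/`daemon` invocations, the Secret key name `token`, and the `DOCKER_TLS_CERTDIR=""` setting are assumptions, not values taken from this page), the security-relevant fields are the ones worth checking in the real manifest: the dind container is the only privileged container, the plain-text daemon socket on 2375 is reachable only inside the pod's network namespace, and no service-account token is mounted into the runner pod.

```yaml
# Added example: ADR-004 pod layout, NOT the project's own manifest.
# Values from the page: images, namespace, DOCKER_HOST, PVC, Secret name.
# Assumed: container commands/flags, Secret key "token", DOCKER_TLS_CERTDIR.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: forgejo-runner
  namespace: forgejo
spec:
  replicas: 1
  selector:
    matchLabels: { app: forgejo-runner }
  template:
    metadata:
      labels: { app: forgejo-runner }
    spec:
      # Secret Boundaries: no kubeconfig / API token on the runner pod.
      automountServiceAccountToken: false
      initContainers:
        - name: register
          image: code.forgejo.org/forgejo/runner:6.3.1
          # Registration token is read from the Secret; never echoed into logs.
          command: ["sh", "-c"]
          args:
            - >-
              test -f /data/.runner ||
              forgejo-runner register --no-interactive
              --instance https://forgejo.coulomb.social
              --name railiance01-build-01
              --token "$REGISTRATION_TOKEN"
              --labels "self-hosted:host,linux:host,linux_amd64:host,container-build:host,registry-publish:host,railiance01:host,ubuntu-latest:docker://node:20-bookworm,docker:docker://node:20-bookworm"
          env:
            - name: REGISTRATION_TOKEN
              valueFrom:
                secretKeyRef:
                  name: forgejo-runner-registration
                  key: token          # assumed key name
          workingDir: /data
          volumeMounts:
            - { name: data, mountPath: /data }
      containers:
        - name: runner
          image: code.forgejo.org/forgejo/runner:6.3.1
          command: ["forgejo-runner", "daemon"]
          workingDir: /data
          env:
            # Job runtime: DinD sidecar over the pod's loopback interface.
            - name: DOCKER_HOST
              value: tcp://127.0.0.1:2375
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - { name: data, mountPath: /data }
        - name: dind
          image: docker:27-dind
          env:
            # Empty cert dir = plain-text socket on 2375; acceptable only because
            # it is bound inside the pod network namespace, not on a cluster IP.
            - name: DOCKER_TLS_CERTDIR
              value: ""
          securityContext:
            privileged: true   # required by dockerd; this container is the pod's trust boundary
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: forgejo-runner-data
```

When reviewing the real manifest, confirm that no Service or hostPort exposes 2375 beyond the pod, that only the `dind` container carries `privileged: true`, and that `automountServiceAccountToken` is false (or the pod's ServiceAccount has no bindings), since any job scheduled on a `:host` label runs with the runner container's identity.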
## Labels

```
self-hosted:host,linux:host,linux_amd64:host,container-build:host,registry-publish:host,railiance01:host,ubuntu-latest:docker://node:20-bookworm,docker:docker://node:20-bookworm
```
## Operator Commands

```sh
# S5 deploy (railiance-apps)
cd ~/railiance-apps
make forgejo-runner-registration-deploy # after SOPS encrypt
make forgejo-runner-deploy
make forgejo-runner-status

# Endpoint smoke
make forgejo-smoke

# Generate registration token (in cluster; do not log token)
KUBECONFIG=~/.kube/config-hosteurope kubectl exec -n forgejo deploy/forgejo-gitea -- \
  forgejo actions generate-runner-token --scope coulomb
```
## Secret Boundaries

- `forgejo-runner-registration` Kubernetes Secret — registration token only.
- Repo/org registry credentials — Forgejo Actions secrets, not in Git.
- No kubeconfig or OpenBao tokens on the runner pod by default.
## Retired: Interim coulombcore Host Runner

`railiance-coulombcore-build-01` on coulombcore was a scheduling proof only.
Disable after in-cluster runner is healthy:

```sh
ssh coulombcore 'sudo systemctl disable --now forgejo-runner'
```
## Evidence

- Host probe (2026-07-03): `coulomb/forgejo-actions-probe` workflow success.
- In-cluster (2026-07-03): `railiance01-build-01` 2/2 Ready; `container-probe` and `image-build` workflows success. Image-build uses static docker-cli on the non-root runner host + `DOCKER_HOST=tcp://127.0.0.1:2375` (DinD); org secrets `REGISTRY_USER`/`REGISTRY_TOKEN`; pushes to `forgejo.coulomb.social/coulomb/forgejo-actions-probe`. `actions/checkout@v4` failed on the host runner — use `git clone` in job steps until checkout action compatibility is confirmed.
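The image-build pattern recorded above (label from the Labels contract, `git clone` instead of `actions/checkout@v4`, DinD via `DOCKER_HOST`, registry credentials from org secrets) as an added example workflow. This is not the `coulomb/forgejo-actions-probe` repo's own workflow; the job and step names, the `main` branch trigger, and the use of the `GITHUB_*` variables that the Forgejo runner populates are assumptions. The point it adds is credential handling: the token is passed to `docker login` on stdin, so it never appears in a process list or a log line, and the session is logged out even when the build fails.

```yaml
# Added example (not the probe repo's own workflow): image-build on the
# in-cluster runner. Assumed: trigger branch, step names, GITHUB_* variables.
name: image-build
on:
  push:
    branches: [main]

jobs:
  image-build:
    # Host-scoped label from the runner's label contract; the job runs in the
    # runner container itself, with the static docker CLI.
    runs-on: container-build
    env:
      # DinD sidecar over the pod's loopback interface (Production Runner table).
      DOCKER_HOST: tcp://127.0.0.1:2375
      REGISTRY: forgejo.coulomb.social
      IMAGE: forgejo.coulomb.social/coulomb/forgejo-actions-probe
    steps:
      - name: Clone source (actions/checkout@v4 failed on the host runner)
        run: |
          git clone --depth=1 --branch "${GITHUB_REF_NAME}" \
            "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" src

      - name: Registry login (token on stdin, never on the command line)
        env:
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          printf '%s' "${REGISTRY_TOKEN}" | docker login "${REGISTRY}" \
            --username "${REGISTRY_USER}" --password-stdin

      - name: Build and push
        run: |
          docker build --pull -t "${IMAGE}:${GITHUB_SHA}" src
          docker push "${IMAGE}:${GITHUB_SHA}"

      - name: Logout
        if: always()
        run: docker logout "${REGISTRY}"
```

The clone step as written only works for a repository the runner can read anonymously; for a private repo, supply the job token through a git credential helper rather than embedding it in the clone URL, where it would be persisted in `.git/config`. Tagging with `${GITHUB_SHA}` rather than `latest` keeps each pushed image traceable to the commit that produced it.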
## References

- `railiance-infra/docs/adr/ADR-004-forgejo-in-cluster-actions-runner.md`
- Forgejo runner installation