bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

gitea-actions: run CI jobs in rootless-podman containers

Browse Source 
Switch the act_runners from :host execution to docker:// images backed by
a rootless podman socket under the gitea-runner user, so each job runs in
its own ephemeral container with per-job Go caches. This eliminates the
cross-repo GOMODCACHE/go-build poisoning that forced the debyl runner to
capacity:1.

- deps.yml: enable the rootless --user podman.socket, ensure subuid/subgid,
  register gitea_runner_uid; drop the rootful system socket override,
  podman-docker and host golang
- images.yml + Containerfile.ci/.espidf: build localhost/gitea-ci and
  localhost/gitea-ci-espidf into the runner's rootless image store
- config.yaml.j2: docker:// labels (per-runner overridable), docker_host
  -> rootless socket, force_pull false
- act_runner.service.j2: XDG_RUNTIME_DIR + DOCKER_HOST -> user socket
- defaults: uniform capacity:4 (drop the debyl capacity:1 workaround);
  esp_idf_version now tags the espressif/idf-based image
- main.yml: import images.yml, drop the host esp-idf install (firmware jobs
  use the espressif/idf job container instead)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Bastian de Byl
2026-06-06 00:16:54 -04:00
parent 72ecc63e17
commit 2640d09cb5
11 changed files with 179 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ansible/roles/gitea-actions/templates/config.yaml.j2
+10 -5
View File
@@ -3,27 +3,32 @@ log:
runner:
file: {{ act_runner_work_dir }}/{{ runner_name }}/.runner
capacity: {{ gitea_runner_capacity | default(4) }}
capacity: {{ runner_capacity | default(gitea_runner_capacity) | default(4) }}
timeout: 3h
insecure: false
fetch_timeout: 5s
fetch_interval: 2s
labels:
- ubuntu-latest:host
- ubuntu-22.04:host
- fedora:host
{% for label in runner_labels | default(gitea_runner_labels) %}
- {{ label }}
{% endfor %}
cache:
enabled: true
dir: {{ act_runner_work_dir }}/{{ runner_name }}/cache
container:
# Each job runs in its own ephemeral container (docker:// labels) backed by
# the gitea-runner user's rootless podman socket — this is what isolates the
# per-job Go module/build caches and fixes cross-repo cache poisoning.
network: host
privileged: false
options:
workdir_parent:
valid_volumes: []
docker_host: ""
# Point act at the real rootless socket so it mounts the correct path into
# job containers (the documented rootless-podman gotcha).
docker_host: "unix:///run/user/{{ gitea_runner_uid }}/podman/podman.sock"
force_pull: false
host: