gitea-actions: add ARM/Python CI deps and SSH bind-mount for submodule clones

- Containerfile.ci: add python3-yaml + python3-jinja2 and the
  gcc-arm-none-eabi / binutils / libnewlib toolchain for embedded builds
- bind-mount the runner's SSH key + known_hosts read-only into each job
  container at /root/.ssh so submodule clones over
  ssh://git@git.skudak.com:2222 succeed; staged as a dedicated
  container_file_t-labelled ci-ssh copy (tasks/user.yml) and allowlisted
  via valid_volumes (config.yaml.j2)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Bastian de Byl
2026-06-13 22:14:08 -04:00
parent 7d4a398bba
commit a30ff9b165
3 changed files with 58 additions and 3 deletions
@@ -7,7 +7,8 @@ ARG DOCKER_CLI_VERSION=27.3.1
RUN apt-get update && apt-get install -y --no-install-recommends \
ca-certificates curl git openssh-client make build-essential \
python3 python3-pip jq zip unzip \
python3 python3-pip python3-yaml python3-jinja2 jq zip unzip \
gcc-arm-none-eabi binutils-arm-none-eabi libnewlib-arm-none-eabi \
&& rm -rf /var/lib/apt/lists/*
# Static docker client (no daemon) for jobs that run `docker build` against the
@@ -23,9 +23,16 @@ container:
# per-job Go module/build caches and fixes cross-repo cache poisoning.
network: host
privileged: false
options:
# Bind-mount the runner's SSH material (key + known_hosts) read-only into
# every job container at /root/.ssh (CI image runs as root) so git submodule
# clones over ssh://git@git.skudak.com:2222 succeed. ci-ssh is a dedicated
# container_file_t-labelled copy staged in tasks/user.yml.
options: -v {{ gitea_runner_home }}/ci-ssh:/root/.ssh:ro
workdir_parent:
valid_volumes: []
# act_runner gates host bind-mounts against this allowlist; the ci-ssh source
# path must be listed or the -v above is silently stripped from the job container.
valid_volumes:
- {{ gitea_runner_home }}/ci-ssh
# Point act at the real rootless socket so it mounts the correct path into
# job containers (the documented rootless-podman gotcha).
docker_host: "unix:///run/user/{{ gitea_runner_uid }}/podman/podman.sock"
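Review bot: The `-v {{ gitea_runner_home }}/ci-ssh:/root/.ssh:ro` value added under `options:` exposes the runner's private key to every workflow step executed on this runner, because `:ro` only prevents writes and the job can still read and copy the key out; the new comment block should state that trust boundary rather than only the submodule-clone motivation. If the key staged in ci-ssh is the runner's own user key with write access to repositories (not visible in this hunk), a job from an untrusted branch could push with it, so it should be a read-only deploy key scoped to the submodule repositories, and mounting an ssh-agent socket instead of the key file would keep the key material out of the container altogether. I would extend the comment with `# NOTE: every job on this runner can read the key in /root/.ssh; keep it a read-only deploy key limited to the submodule repos`. A smaller style point: the templated path in `- {{ gitea_runner_home }}/ci-ssh` under `valid_volumes:` renders unquoted, so writing it as `- "{{ gitea_runner_home }}/ci-ssh"` guards against an expansion that begins with a YAML indicator.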