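---
# act_runner (Gitea Actions runner) configuration for one runner instance,
# rendered by Ansible (Jinja2). Jobs execute in per-job containers on the
# gitea-runner user's rootless podman socket; see the `container:` stanza.
# Templated path values are quoted so an empty or odd-looking variable can
# never change the YAML type of the rendered scalar.

log:
  level: info

runner:
  # Runner registration/state file maintained by act_runner, kept under this
  # runner's own work dir.
  file: "{{ act_runner_work_dir }}/{{ runner_name }}/.runner"
  # Concurrent jobs this runner accepts. Must render as an integer, so this
  # value is deliberately left unquoted.
  capacity: {{ runner_capacity | default(gitea_runner_capacity) | default(4) }}
  # Hard cap on a single job's runtime.
  timeout: 3h
  # Keep TLS verification of the Gitea instance enabled.
  insecure: false
  fetch_timeout: 5s
  fetch_interval: 2s
  # Runner labels (e.g. `name:docker://image`); per-host override first, then
  # the group default.
  labels:
{% for label in runner_labels | default(gitea_runner_labels) %}
    - "{{ label }}"
{% endfor %}

cache:
  # act_runner's built-in actions-cache server.
  # NOTE(review): this cache is per runner, not per repository, so it is
  # shared by every repo this runner serves — confirm that is acceptable.
  enabled: true
  dir: "{{ act_runner_work_dir }}/{{ runner_name }}/cache"

container:
  # Each job runs in its own ephemeral container (docker:// labels) backed by
  # the gitea-runner user's rootless podman socket — this is what isolates the
  # per-job Go module/build caches and fixes cross-repo cache poisoning.
  #
  # Job containers share the runner host's network namespace: any service bound
  # to the host's loopback (the cache server above included) is reachable from
  # workflow steps. Presumably set so rootless-podman jobs can reach the cache
  # server — TODO confirm, and prefer a bridge network if one works.
  network: host
  # Never hand job containers host-level capabilities.
  privileged: false
  # Bind-mount the runner's SSH material (key + known_hosts) read-only into
  # every job container at /root/.ssh (CI image runs as root) so git submodule
  # clones over ssh://git@git.skudak.com:2222 succeed. ci-ssh is a dedicated
  # container_file_t-labelled copy staged in tasks/user.yml.
  #
  # `:ro` prevents tampering, not disclosure: any workflow that can run on this
  # runner can read and exfiltrate the private key, so the key staged in ci-ssh
  # must be scoped to read-only clone access and nothing else.
  options: "-v {{ gitea_runner_home }}/ci-ssh:/root/.ssh:ro"
  # Empty string = act_runner's default job workspace path inside the container
  # (an explicit "" avoids the bare-key-means-null ambiguity).
  workdir_parent: ""
  # act_runner gates host bind-mounts against this allowlist; the ci-ssh source
  # path must be listed or the -v above is silently stripped from the job
  # container. Keep it to this exact path (no glob) so workflow-supplied
  # volumes cannot mount arbitrary host paths.
  valid_volumes:
    - "{{ gitea_runner_home }}/ci-ssh"
  # Point act at the real rootless socket so it mounts the correct path into
  # job containers (the documented rootless-podman gotcha).
  docker_host: "unix:///run/user/{{ gitea_runner_uid }}/podman/podman.sock"
  # Reuse already-present images; a tag that moves upstream is not refreshed
  # until the local image is removed, so base-image fixes arrive only on
  # explicit re-pull.
  force_pull: false

host:
  # Parent directory for jobs that run directly on the host (non-docker labels).
  workdir_parent: "{{ act_runner_work_dir }}/{{ runner_name }}/workdir"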