feat: configure Gitea runners

forgejo/config/runners/config.yaml

@@ -0,0 +1,94 @@
+# Example configuration file, it's safe to copy this as the default config file without any modification.
+
+# You don't have to copy this file to your instance,
+# just run `./act_runner generate-config > config.yaml` to generate a config file.
+
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: info
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 1
+  # Extra environment variables to run jobs.
+  envs:
+    DOCKER_HOST: tcp://localhost:2376
+    DOCKER_TLS_VERIFY: "1"
+    DOCKER_CERT_PATH : /certs/client
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 10m
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `deamon`, will use labels in `.runner` file.
+  labels:
+   - "ubuntu-latest:docker://code.icb4dc0.de/infrastructure/images/act_runtime:latest"
+   - "ubuntu-22.04:docker://code.icb4dc0.de/infrastructure/images/act_runtime:latest"
+   - "ubuntu-20.04:docker://code.icb4dc0.de/infrastructure/images/act_runtime:latest"
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: ""
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 0
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: "http://act-runner-cache.forgejo.svc:8080/"
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: "host"
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: true
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options: "--volume=/certs/client/:/certs/client/:ro"
+  # The parent directory of a job's working directory.
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes:
+    - /certs/client/
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: true
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

forgejo/kustomization.yaml

@@ -10,10 +10,18 @@ commonLabels:
 images:
   - name: act_runner
     newName: docker.io/gitea/act_runner
-    newTag: 0.2.6-dind-rootless
+    newTag: nightly
 
 resources:
   - resources/runners/act-runner.yaml
+  - resources/runners/cache-pvc.yaml
+  - resources/runners/act-cache.yaml
+  - resources/runners/act-cache-svc.yaml
+
+configMapGenerator:
+- name: act-runner-config
+  files:
+  - config/runners/config.yaml
 
 helmCharts:
   - name: forgejo

forgejo/resources/runners/act-cache-svc.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: act-runner-cache
+spec:
+  selector:
+    app.kubernetes.io/name: act-runner-cache
+  ports:
+  - port: 8080
+    targetPort: 8080

forgejo/resources/runners/act-cache.yaml

@@ -0,0 +1,39 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: act-runner-cache
+  labels:
+    app.kubernetes.io/name: act-runner-cache
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: act-runner-cache
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: act-runner-cache
+    spec:
+      containers:
+        - name: act-runner-cache
+          image: act_runner
+          command:
+            - /usr/local/bin/act_runner
+          args:
+            - cache-server
+            - --port=8080
+            - --dir=/data
+          resources:
+            limits:
+              memory: "384Mi"
+              cpu: "250m"
+          ports:
+            - containerPort: 8080
+          volumeMounts:
+            - name: cache-data
+              mountPath: /data
+      volumes:
+        - name: cache-data
+          persistentVolumeClaim:
+            claimName: act-runner-cache

forgejo/resources/runners/act-runner.yaml

@@ -31,8 +31,7 @@ spec:
         - name: runner
           image: act_runner
           imagePullPolicy: Always
-          # command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
+          command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
-          workingDir: /data
           env:
           - name: DOCKER_HOST
             value: tcp://localhost:2376
@@ -40,11 +39,27 @@ spec:
             value: /certs/client
           - name: DOCKER_TLS_VERIFY
             value: "1"
+          - name: CONFIG_FILE
+            value: /etc/act/config.yaml
           volumeMounts:
-          - name: runner-data
+            - name: runner-data
-            mountPath: /data
+              mountPath: /data
+            - name: runner-config
+              mountPath: /etc/act
+            - name: docker-certs
+              mountPath: /certs
           securityContext:
             privileged: true
+        - name: daemon
+          image: docker:23.0.6-dind
+          env:
+          - name: DOCKER_TLS_CERTDIR
+            value: /certs
+          securityContext:
+            privileged: true
+          volumeMounts:
+          - name: docker-certs
+            mountPath: /certs
       securityContext:
         fsGroup: 1000
       affinity:
@@ -60,6 +75,12 @@ spec:
         - name: runner-data
           emptyDir:
             sizeLimit: 500Mi
+        - name: docker-certs
+          emptyDir:
+            sizeLimit: 5Mi
+        - name: runner-config
+          configMap:
+            name: act-runner-config
         - name: runner-registrations
           secret:
             secretName: runner-registrations

forgejo/resources/runners/cache-pvc.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: act-runner-cache
+spec:
+  storageClassName: storage-box
+  resources:
+    requests:
+      storage: 50Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteMany

forgejo/resources/runners/runner-registrations.enc.yaml

@@ -4,8 +4,8 @@ metadata:
     name: runner-registrations
 type: Opaque
 stringData:
-    act-runner-arm64-0: ENC[AES256_GCM,data:uyrvGXYwuPExUSQp4WbMkpDuAo6XHMCGGcIbrUF2eGmM8xartGtKQ4QTuFJebQOkKv1fg/BELhbPGWa6S8+k7HKLWiiQFxNnwJam8cGFKoZZWubCAV+iRa7NdotiaZ7scGZW8PiCzejQZOC0L1QhGCDMEBFJ6ZkowBhtpWddIMsGrWmC1gyL5zWV6/wrmF5oJucdWyP7wJDsyOXoc9DyfVL1IfrVESleQRe8FXP/O+UQXV5zNzEP58tXKTjdhsHCaPDDX0sDT4mP3QkM2r5IqKs1GDer/UBTW0PNfsp7Y7dlhlzHAqqhNb+/OtOa+mrScBNXMwrL02cDnLE92rSrzNM76+nnBxBln/c2/4h8DvGO4l/Is6VryaeIwghWFUOKsgNP8OmhvKqpZ/+3q9YxRBL65KyErun6hOhs+3V7y2WqzevN8H2ETDOIF87ybPriaoPs1NeLRGwVZDlx4FlvAH6pz0lhsicxc2T2kAM5yMSFtePlbz2w1TT1NEN6YZF1eugXmYOBAva9JJ4yqbpOE3b2JuT38Lok81CtPM46yJreyQglVgOPvhMNaWxo50f/APlVt0q8J5JfbFQ/WKNeh+niLoJlYiKb1doY1s+tWlVav2qRDqtKaKMRiRi29339plLQtmFMgZmEIgREDiC2ZdvYTRu9QKNZT0AbFvZwttMJI1/Q7zXoESZn/zaWofxSlMsi,iv:xfY7wW8iEudBtLJBnTgfThZWFAg6yTPRq7adLQvVE9c=,tag:XAt1qSBhaXqS6ZGbmZS2qQ==,type:str]
+    act-runner-arm64-0: ENC[AES256_GCM,data:E3N2nSWKyMcSG8POA4pizGkkxCfNc0hJBivUYoa9F2er5uOktokeOHvAIr5G3a8x7mRVFJRDMKutRVOG268UN9KTmJqzuD6GbEPuLVVpDKjCgb5dvtnNjxtESF7+1ukwo8kEoc+79hGbPyKMJOtgS6EL2FQUwuRNmAgT3GMlxahTL6PsNg33VrP/VB0fuUYy/jKo48nQYvBj4n+JOA5uyNKlxlEf0CspVZrhPtLJHx5VpDsJrnvOlruHZdcQuYHZADTfex4LZS7Y8Pa7D4EJv0If1L0lN0/iOecPqt5pQ438jlUZTgEsKxdWa7Rb52X1bmT9DqV0Bx3bLyLMatAMymNJ3m2W/1kS7CJoB1tPAZUmXHfypjV7PVUz2qnpUokN7DNCrIyrbnXRwM1jQUQam2JNlu+AhV8MEqQEbQFrHSTxXZkEC29qMWvCBvjRc2r9b6PsO0S6BtJcu3PgkNg7F6hxfgZYRBhzUR6j8Plnug35AXg7xuj6+pFs57UXILttw7LRkYnInDVk5qhzbp26VIj8Bhzad7CNwbzHsxRfXXXVPIdO3p6NcsfLtMxU96vwmlK/WdyuqD5nO6hdMZqTi4TpC5mjWy0iCFjj0E+Ugn3F4yI=,iv:2DpznFTRUioIgh1uJH3bwf5j3RT6ijcfhpKHWmHKmN8=,tag:ud1SMMurcYUkhee+ptbECw==,type:str]
-    act-runner-arm64-1: ENC[AES256_GCM,data:rB/kGXHssX1q+4OO/VQh2QK3yLcCaYcF6Fz8KjPtI4BtBW+LwvoPHN4yksbchnksdmWY8BJNwuQi6G7m8X6w9Pg4J/Zdz+nbLmpZytg4woDF6eWErZXkBlf8gLwsg0VnBRpUNj8/klL3n23V9lBKDrw3O2VjimPub0lwmyrQk7RdZDWWlKbD0xu818GhDF3ADQclTE7nq6NwgAV9869AWh1+DULYfEk0wXGENVya1jF0DPjUb2U4q/EsrAm3pkyd3pRmIw2ojsVYon1SGl+zcuEUqF3LY4zw9mu9H5Vi/adL/s1m7HxQrzLtz4kZVbmyGLCgkia/1NOrtU5nAHSrAwNxACOWdYP7F9nKV1abAud2/a7l9EyIhi/AnVEGQZEuV1uuHUH1vActDGgFO9HFLnxRGjwTpHNB7cRr8E4JE2dHShOux7rGpiVx5QnI89+bTzvo3gHvoZZA97BAOfxxlbTXn2zWtLIJTn75JDDndOkxniRmhkxyyFi4VnpDda3OpAWWqhdllMob+b/AK0LW7uJL/gdttYKxQLaQ5YLniy8aFXU9wZbEf0/AY2LUI1WDj7OVB4U/m00JiHg0MUDly5QHOA5QYAVF3zMuJ0fHo9itxZnUzb2g4Pds4OyshlB8NQOV+Lrh7fr87TUYFmxK9YYdsYUdqGn1SVzE/UMPyy9mi93jRbtu1qQRmqbF+M6looMq,iv:XRzrky6m/qcfa2YtxJHLbMO/yguNCc8qKGyUDyky8pc=,tag:/crdE1RWYfoCXK2ZcNQhXQ==,type:str]
+    act-runner-arm64-1: ENC[AES256_GCM,data:GoE1+phr6ZEpoPWloHijAhoOEsKV9ny+tJX8IMJjY95Cgs78ZWftvYBvAvuoqw1UfEGo5UXaKGFDZAOcMpDSKiv5uJuZMgHbqwCVGkawv9TzmnKwAsNt7NTMSf8WU6DkTKfEvWjgs4E1LMC4yprfBp0TssmZWWZbtnMYki5szT8MvLPc7H1DNrJ/izrNbshWrt2oiNiQL7XPU88iu1az2qy3t9FzTuJPetg9OM4eaSB9TALQ0oW586jpRctyuJZ8f0OvyflmkQ+DFRHgk506R0qZEXlFHkQLmNxEpMRdbx0+EiWNIHNY50QTvrnMMLHJA0hdZm2R3mHLzBUv78NDFB43x7MVj9pVo/0gZs0j0uSWq4i4GTcXKVryWKExXMjou8lx3MEod6t30lJ19i08meppXgjszBDmlcJnyC20OVO4qb20oap6l7ytcXKcNCZiLhgqXR827Or/PPjWk2eHPYHyJUF48Mqz1znPwltwfBbGjatsyjX4526jNPFs2H4pWHRqaCQwYDGbUiT4zeekT29rahrwXSAdvhQhRwKv1R6RUzNuzIJGpfMDZZobaUsh688z1d6nM43zeyZiFPOre9omEaF4NoJS6R6RQt80O2QFm1s=,iv:Y8d+/uV4Se0WLzYtnB/13QNXYRa6+EgMX9qwPCHGeEU=,tag:XS7MTcCIhGYUk/GCiLfJYA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -30,8 +30,8 @@ sops:
             VnExSnBIcEVCRVNjeFdDbGZNbURLUEkKTZLpcYtYWKgHWISrxkvVeU+x56QHf0lF
             xxG8xPUiesGm/MBidk19TblX14oWy+VYA65KQrHBtgBIJUmohnNLvw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-14T20:55:58Z"
+    lastmodified: "2023-11-16T17:47:39Z"
-    mac: ENC[AES256_GCM,data:wFTn/1rdxGqz8pbckijAGIwwD5o443HpkbiPD0bB4+Dhs3CHz34PL/7cXFZ/hVG8x/0Ux3dmxXAKKm7AC4ozpReToByv3vNtJFqwDwmY6UVXMKviv/dCPCyBRRO0FFhe3g6Or9JYv2kNuAnEBJaza9oqH22Obk7QHYjMzeFNWQA=,iv:PrVAkT9ST9KpibVx82IcV+wvJSPOZZr8IKsKGS86qr8=,tag:ERpvyi7CFmcBXqr0sVmuMQ==,type:str]
+    mac: ENC[AES256_GCM,data:NlTvNsdqVkXQb19xudf4UaGnIfQzMXES90vfH+TEWbto7dxZmjh8DuTfXBpZaFtrsf9EIkVzUDEfQiNsCYDG0D22pTSVcAFxWbr31Alk/DpFTfwOPELnKE+p/PoaXGh1DjJYeGbSTsP7sG4iWX1QNOZ7BeGVAXup2DRoaui3rOs=,iv:LDnFbyP/Wca1He3iCiaIzfZEdqM5Mc1y+eAgQDoRmEg=,tag:0T9tN30plslcuGAE5337Sw==,type:str]
     pgp: []
     unencrypted_regex: ^(apiVersion|metadata|kind|type)$
     version: 3.8.1