veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

ci: pin actions to node20-safe tags + runner sock pass-through
Some checks failed
Lint / Kickstart syntax (pull_request) Failing after 0s
Details
Lint / Shell scripts (pull_request) Failing after 0s
Details
Lint / No personal/onyx leaks (pull_request) Failing after 0s
Details

Browse source 
forgejo-runner v6.4.0 ships a node20 javascript engine. v4.2+ of
actions/checkout and v2.0.5+ of softprops/action-gh-release moved to
node24, which the runner refuses to exec. Pin both to last node20
release.

Pairs with a runner-side config change (separately deployed on
nullstone /home/docker/forgejo-runner/conf/config.yaml) that adds
`-v /var/run/docker.sock:/var/run/docker.sock` to per-job container
options + whitelists the socket via valid_volumes — without that
addnab/docker-run-action@v3 inside the catthehacker/ubuntu job
container can't reach the docker engine.

- actions/checkout v4 -> v4.1.7
- softprops/action-gh-release v2 -> v2.0.4
- addnab/docker-run-action v3 unchanged (composite/docker, no node)
- ludeeus/action-shellcheck@master unchanged (docker-based)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
claude-veilor-bot 2026-05-06 10:50:15 +01:00
parent b40e89a3cb
commit 73c2c68e32
2 changed files with 16 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
.github/workflows/build-iso.yml vendored
View file

@ -30,7 +30,9 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
# Pinned to last v4 tag confirmed to ship on node20. v4.2+ ships
# node24 which forgejo-runner v6.4.0 (node20) cannot exec.
uses: actions/checkout@v4.1.7
- name: Free up disk
run: |
@ -39,6 +41,9 @@ jobs:
df -h
- name: Run build inside Fedora 43 container
# v3 is composite/docker-based — no node runtime in the action
# itself. Safe under node20 forgejo-runner. TODO(infra): consider
# SHA pinning in a follow-up sweep.
uses: addnab/docker-run-action@v3
with:
image: registry.fedoraproject.org/fedora:43
@ -199,7 +204,8 @@ jobs:
- name: Publish to ci-latest rolling prerelease
if: success() && github.ref == 'refs/heads/main'
uses: softprops/action-gh-release@v2
# Pinned to last v2 tag confirmed to ship on node20.
uses: softprops/action-gh-release@v2.0.4
with:
tag_name: ci-latest
name: "ci-latest (auto)"
@ -233,7 +239,8 @@ jobs:
- name: Attach to release on tag
if: github.event_name == 'release'
uses: softprops/action-gh-release@v2
# Pinned to last v2 tag confirmed to ship on node20.
uses: softprops/action-gh-release@v2.0.4
with:
files: |
build/out/*.iso

9
.github/workflows/lint.yml vendored
View file

@ -12,7 +12,8 @@ jobs:
container:
image: registry.fedoraproject.org/fedora:43
steps:
- uses: actions/checkout@v4
# Pinned to last v4 tag confirmed to ship on node20.
- uses: actions/checkout@v4.1.7
- run: dnf -y install pykickstart
- run: ksvalidator kickstart/veilor-os.ks
@ -20,7 +21,8 @@ jobs:
name: Shell scripts
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
# Pinned to last v4 tag confirmed to ship on node20.
- uses: actions/checkout@v4.1.7
- uses: ludeeus/action-shellcheck@master
with:
severity: warning
@ -30,7 +32,8 @@ jobs:
name: No personal/onyx leaks
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
# Pinned to last v4 tag confirmed to ship on node20.
- uses: actions/checkout@v4.1.7
- name: Grep for leaks
run: |
set -e