ci: pin actions to node20-safe tags + runner sock pass-through #8

Merged
s8n merged 1 commit from feat/runner-fix-docker-sock-and-node20 into main 2026-05-06 13:47:20 +01:00
Owner

Summary

Fixes two forgejo-runner blockers that broke A1's build attempts:

  1. docker.sock not propagated to job containers. Runner had the host socket bind-mounted into ITS container, but per-job containers (catthehacker/ubuntu) didn't. addnab/docker-run-action@v3 inside the job was unable to reach the docker engine.

    Fix landed on nullstone (out-of-band — not in this PR):

    • /home/docker/forgejo-runner/conf/config.yaml — sets container.options: -v /var/run/docker.sock:/var/run/docker.sock, whitelists socket via valid_volumes, sets docker_host: unix:///var/run/docker.sock.
    • /opt/docker/forgejo-runner/docker-compose.yml — bind-mounts the new conf dir at /conf:ro and runs daemon --config /conf/config.yaml.
    • docker compose up -d recreated the container; logs show runner: nullstone, with version: v6.4.0, with labels: [ubuntu-24.04 nullstone], declared successfully with the new config in effect.
  2. node20 vs node24 mismatch. actions/checkout@v4 floats forward and v4.2+ ships a node24 binary that forgejo-runner v6.4.0 (node20) refuses to exec. softprops/action-gh-release@v2 likewise.

    This PR pins:

    • actions/checkout → v4.1.7 (build-iso.yml + lint.yml)
    • softprops/action-gh-release → v2.0.4 (both publish + release-attach steps)
    • addnab/docker-run-action left at @v3 (composite/docker, no node) with explanatory comment
    • ludeeus/action-shellcheck@master left untouched (docker-based)

Test plan

  • Operator triggers build-iso.yml on this branch via Forgejo workflow_dispatch.
  • Confirm the per-job act-24.04 container can reach /var/run/docker.sock.
  • Confirm checkout step exits 0 (no Cannot find module ... node24 error).

Out of scope

  • SHA pinning (separate hardening pass).
  • Re-enabling runs-on: ubuntu-24.04 for cross-platform validation.
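As an added example (not code from this PR or the veilor-os repo), a small Python audit that applies the pinning rules the description lays out: it walks a constructed workflow snippet, classifies each `uses:` ref as a commit SHA, an exact tag, a floating major tag or a branch, and lists the refs that can still drift forward, which is how `actions/checkout@v4` picked up a node24 binary and what the out-of-scope SHA-pinning pass would close. The workflow text and the 40-hex SHA in it are constructed, not taken from the repository.

```python
import re

# Constructed sample modelled on the pins described in this PR; not the repo's real workflow.
# The SHA on the last line is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4.1.7
      - uses: softprops/action-gh-release@v2
      - uses: addnab/docker-run-action@v3   # composite/docker, no node
      - uses: ludeeus/action-shellcheck@master
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # value up to whitespace or comment
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                  # full commit id: immutable
EXACT_RE = re.compile(r"^v?\d+\.\d+\.\d+$")             # e.g. v4.1.7: tag can still be moved, but rarely is
MAJOR_RE = re.compile(r"^v?\d+$")                       # e.g. v4: floats to every new minor/patch


def classify_ref(ref):
    """Return 'sha', 'exact', 'floating-major' or 'branch' for the part after '@'."""
    if SHA_RE.match(ref):
        return "sha"
    if EXACT_RE.match(ref):
        return "exact"
    if MAJOR_RE.match(ref):
        return "floating-major"
    return "branch"  # master, main, release/* and similar moving refs


def audit_workflow(text):
    """Return (action, ref, kind) for every `uses:` step; local paths and docker:// images are skipped."""
    rows = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1).strip("\"'")
        if spec.startswith(("./", "docker://")) or "@" not in spec:
            continue
        action, ref = spec.rsplit("@", 1)
        rows.append((action, ref, classify_ref(ref)))
    return rows


def floating_actions(text):
    """Actions whose ref can change under the workflow: the ones a pinning pass should revisit."""
    return [action for action, _, kind in audit_workflow(text) if kind in ("floating-major", "branch")]
```

Running `floating_actions(SAMPLE_WORKFLOW)` on the constructed snippet reports the `@v2` and `@v3` majors and the `@master` branch, while the `v4.1.7` tag and the SHA pass.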
s8n added 1 commit 2026-05-06 10:51:01 +01:00
ci: pin actions to node20-safe tags + runner sock pass-through
Some checks failed
Lint / Kickstart syntax (pull_request) Failing after 0s
Lint / Shell scripts (pull_request) Failing after 0s
Lint / No personal/onyx leaks (pull_request) Failing after 0s
73c2c68e32
forgejo-runner v6.4.0 ships a node20 javascript engine. v4.2+ of
actions/checkout and v2.0.5+ of softprops/action-gh-release moved to
node24, which the runner refuses to exec. Pin both to last node20
release.

Pairs with a runner-side config change (separately deployed on
nullstone /home/docker/forgejo-runner/conf/config.yaml) that adds
`-v /var/run/docker.sock:/var/run/docker.sock` to per-job container
options + whitelists the socket via valid_volumes — without that
addnab/docker-run-action@v3 inside the catthehacker/ubuntu job
container can't reach the docker engine.

- actions/checkout v4 -> v4.1.7
- softprops/action-gh-release v2 -> v2.0.4
- addnab/docker-run-action v3 unchanged (composite/docker, no node)
- ludeeus/action-shellcheck@master unchanged (docker-based)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
s8n merged commit 1db860c557 into main 2026-05-06 13:47:20 +01:00
Reference: veilor-org/veilor-os#8