oss/forgejo-runner
oss/forgejo-runner
1
0
Fork 0
mirror of https://code.forgejo.org/forgejo/runner.git synced 2025-09-30 19:22:09 +00:00
Code Wiki Activity
forgejo-runner/examples/lxc-systemd
History
Renovate Bot 877749a730
Update dependency forgejo/runner to v10 (#928) 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [forgejo/runner](https://code.forgejo.org/forgejo/runner) | major | `9.1.1` -> `10.0.1` |

---

### Release Notes

<details>
<summary>forgejo/runner (forgejo/runner)</summary>

### [`v10.0.1`](https://code.forgejo.org/forgejo/runner/releases/tag/v10.0.1)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v10.0.0...v10.0.1)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

***

### [`v10.0.0`](https://code.forgejo.org/forgejo/runner/releases/tag/v10.0.0)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v9.1.1...v10.0.0)

> **Warning** Upgrade to v10.0.1 instead. A regression was found on `pull_request_target` events and is fixed in the [v10.0.1 release](https://code.forgejo.org/forgejo/runner/releases/tag/v10.0.1).

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

- [PR](https://code.forgejo.org/forgejo/runner/pulls/925): <!--number 925 --><!--line 0 --><!--description Zml4KHNlY3VyaXR5KTogcHJldmVudCBvbjogcHVsbF9yZXF1ZXN0IGFjdGlvbnMgZnJvbSBtdXRhdGluZyBjYWNoZXMgb2Ygb3RoZXIgd29ya2Zsb3cgZXZlbnRz-->fix(security): prevent on: pull\_request actions from mutating caches of other workflow events<!--description-->
  forgej-runner currently creates a safer execution environment for workflows triggered by pull requests by denying those workflows access to the repository's secrets, preventing pull requests from compromising the confidentiality of the secrets.

  Workflows do have access to write to the action cache, which is shared with future workflow executions, including executions that may have access to repository secrets.  This was assumed safe as the cache is a "write-once" operation based upon the cache key; if an execution writes to that cache, it will be read by other workflows only if a matching key parameter is provided, and it can not be modified again.  These assumptions were identified as weak security practices with known workarounds.

  It is possible for a malicious pull request to mutate the shared cache and embed untrusted artifacts, which may later be executed in workflow executions with access to secrets, risking the confidentiality of those secrets.

  In order to eliminate this risk, workflows executing with the `pull_request` and `pull_request_target` events have their write operations to the cache isolated to future workflow executions from the same pull request.  They can continue to read from the shared cache if applicable.

  If using an external cache server configuration, both the cache server and other instances of the runner must be running the same software version.  The recommended upgrade procedure in this configuration is to bring all runners offline, upgrade the cache server to the latest release and bring it online, and then bring all other runners online.
- [PR](https://code.forgejo.org/forgejo/runner/pulls/924): <!--number 924 --><!--line 0 --><!--description Zml4KHNlY3VyaXR5KTogZW5zdXJlIHVuaXF1ZSBuYW1lcyBmb3IgY29udGFpbmVyIGltYWdlcyBjcmVhdGVkIGJ5IGFjdGlvbnM=-->fix(security): ensure unique names for container images created by actions<!--description-->
  Without this fix, when a workflow ran a local [docker action](https://forgejo.org/docs/next/user/actions/actions/#docker-actions) (e.g. the [example in the end-to-end tests](8f920b4b7a/actions/example-force-rebuild/.forgejo/workflows/test.yml)), it used an image tag that could collide with other workflows that happen to use the same name. The workaround for older runner versions is to set [`[container].force_rebuild: true`](https://forgejo.org/docs/next/admin/actions/runner-installation/#configuration) in the runner configuration file.

***

<!--URL:https://code.forgejo.org/forgejo/runner-->

- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/925): <!--number 925 --><!--line 0 --><!--description Zml4KHNlY3VyaXR5KTogcHJldmVudCBvbjogcHVsbF9yZXF1ZXN0IGFjdGlvbnMgZnJvbSBtdXRhdGluZyBjYWNoZXMgb2Ygb3RoZXIgd29ya2Zsb3cgZXZlbnRz-->fix(security): prevent on: pull\_request actions from mutating caches of other workflow events<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/924): <!--number 924 --><!--line 0 --><!--description Zml4KHNlY3VyaXR5KTogZW5zdXJlIHVuaXF1ZSBuYW1lcyBmb3IgY29udGFpbmVyIGltYWdlcyBjcmVhdGVkIGJ5IGFjdGlvbnM=-->fix(security): ensure unique names for container images created by actions<!--description-->
- other
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/921): <!--number 921 --><!--line 0 --><!--description VXBkYXRlIGNvZGUuZm9yZ2Vqby5vcmcvZm9yZ2Vqby9mb3JnZWpvIERvY2tlciB0YWcgdG8gdjExLjAuNA==-->Update code.forgejo.org/forgejo/forgejo Docker tag to v11.0.4<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/922): <!--number 922 --><!--line 0 --><!--description Y2hvcmU6IGV4cGxhaW4gdGhlIGRpZmZlcmVuY2UgYmV0d2VlbiBgam9iX2xldmVsYCBhbmQgYGxldmVsYA==-->chore: explain the difference between `job_level` and `level`<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/917): <!--number 917 --><!--line 0 --><!--description Y2hvcmU6IGFkZCByZW1pbmRlciBvZiBob3cgdG8gcnVuIGEgbG9jYWwgdGVzdA==-->chore: add reminder of how to run a local test<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/919): <!--number 919 --><!--line 0 --><!--description Y2hvcmU6IHVuaWZ5IGNhc2NhZGUtc2V0dXAtZm9yZ2VqbyB3aXRoIGNhc2NhZGUtZm9yZ2Vqbw==-->chore: unify cascade-setup-forgejo with cascade-forgejo<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/873): <!--number 873 --><!--line 0 --><!--description Y2hvcmU6IHJlbW92ZSBgZ2l0aHViLmNvbS9wa2cvZXJyb3JzYA==-->chore: remove `github.com/pkg/errors`<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/915): <!--number 915 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL3N0cmV0Y2hyL3Rlc3RpZnkgdG8gdjEuMTEuMQ==-->Update module github.com/stretchr/testify to v1.11.1<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/914): <!--number 914 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb29nbGUuZ29sYW5nLm9yZy9wcm90b2J1ZiB0byB2MS4zNi44-->Update module google.golang.org/protobuf to v1.36.8<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/907): <!--number 907 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnby5ldGNkLmlvL2Jib2x0IHRvIHYxLjQuMw==-->Update module go.etcd.io/bbolt to v1.4.3<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/906): <!--number 906 --><!--line 0 --><!--description dGVzdDogcmVtb3ZlIGludGVybmFsIHRpbWVvdXQgaW4gVGVzdFJ1bm5lckNhY2hlQ29uZmlndXJhdGlvbg==-->test: remove internal timeout in TestRunnerCacheConfiguration<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/902): <!--number 902 --><!--line 0 --><!--description Y2hvcmU6IHNraXAgdGVzdHMgdGhhdCByZXF1aXJlIEZvcmdlam8gaWYgaXQgaXMgbm90IGF2YWlsYWJsZQ==-->chore: skip tests that require Forgejo if it is not available<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/903): <!--number 903 --><!--line 0 --><!--description Y2hvcmU6IHJld29yayB0aGUgUkVBRE1F-->chore: rework the README<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/904): <!--number 904 --><!--line 0 --><!--description VXBkYXRlIGdpdGh1Yi5jb20vZ28tdmlwZXIvbWFwc3RydWN0dXJlL3YyIChpbmRpcmVjdCkgdG8gdjIuNC4wIFtTRUNVUklUWV0=-->Update github.com/go-viper/mapstructure/v2 (indirect) to v2.4.0 \[SECURITY]<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/900): <!--number 900 --><!--line 0 --><!--description Y2hvcmU6IHJlbW92ZSBUZXN0UnVuQ29udGV4dF9HZXRHaXRIdWJDb250ZXh0-->chore: remove TestRunContext\_GetGitHubContext<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/899): <!--number 899 --><!--line 0 --><!--description Y2hvcmU6IGRvIG5vdCBmb3JjZSBHT1BST1hZ-->chore: do not force GOPROXY<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/890): <!--number 890 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL3Zla3RyYS9tb2NrZXJ5L3YyIHRvIHYyLjUzLjU=-->Update module github.com/vektra/mockery/v2 to v2.53.5<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/893): <!--number 893 --><!--line 0 --><!--description Y2hvcmU6IGZpeCAuUEhPTlkgbGludCB0YXJnZXRz-->chore: fix .PHONY lint targets<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/898): <!--number 898 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZm9yZ2Vqby9ydW5uZXIgdG8gdjkuMS4x-->Update dependency forgejo/runner to v9.1.1<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/897): <!--number 897 --><!--line 0 --><!--description VXBkYXRlIGNvZGUuZm9yZ2Vqby5vcmcvZm9yZ2Vqby9ydW5uZXIgRG9ja2VyIHRhZyB0byB2OS4xLjE=-->Update code.forgejo.org/forgejo/runner Docker tag to v9.1.1<!--description-->

<!--end release-notes-assistant-->

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS45MS4yIiwidXBkYXRlZEluVmVyIjoiNDEuOTEuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiS2luZC9DaG9yZSIsInJ1bi1lbmQtdG8tZW5kLXRlc3RzIl19-->

<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/928): <!--number 928 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZm9yZ2Vqby9ydW5uZXIgdG8gdjEw-->Update dependency forgejo/runner to v10<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/928
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
2025-09-01 14:24:38 +00:00
..
forgejo-runner-service.sh Update dependency forgejo/runner to v10 (#928) 2025-09-01 14:24:38 +00:00
README.md feat: lxc-systemd defaults to using Forgejo runner 9.0.2 (#804) 2025-08-03 09:57:24 +00:00

README.md

forgejo-runner-service.sh installs a Forgejo runner within an LXC container and runs it from a systemd service.

Quickstart

  • Install: sudo wget -O /usr/local/bin/forgejo-runner-service.sh https://code.forgejo.org/forgejo/runner/raw/branch/main/examples/lxc-systemd/forgejo-runner-service.sh && sudo chmod +x /usr/local/bin/forgejo-runner-service.sh
  • Obtain a runner registration token ($TOKEN)
  • Choose a serial number that is not already in use in /etc/forgejo-runner
  • Create a runner INPUTS_SERIAL=30 INPUTS_TOKEN=$TOKEN INPUTS_FORGEJO=https://code.forgejo.org forgejo-runner-service.sh
  • Start systemctl enable --now forgejo-runner@$INPUTS_SERIAL
  • Monitor with:
    • systemctl status forgejo-runner@$INPUTS_SERIAL
    • tail --follow=name /var/log/forgejo-runner/$INPUTS_SERIAL.log

Installation or upgrade

Installation

  • sudo wget -O /usr/local/bin/forgejo-runner-service.sh https://code.forgejo.org/forgejo/runner/raw/branch/main/examples/lxc-systemd/forgejo-runner-service.sh && sudo chmod +x /usr/local/bin/forgejo-runner-service.sh

Upgrade

Warning

runners will not be upgraded immediately, the upgrade will happen when they restart (at $INPUTS_LIFETIME intervals).

The following will be upgraded:

  • forgejo-runner-service.sh will replace itself with the script found at the provided URL (e.g. https://code.forgejo.org/forgejo/runner/src/tag/v6.3.1/examples/lxc-systemd/forgejo-runner-service.sh)
  • lxc-helpers*.sh will be replaced with the version pinned in forgejo-runner-service.sh
  • forgejo-runner-X.Y.Z will default to the version hardcoded in forgejo-runner-service.sh

Example:

  • forgejo-runner-service.sh upgrade https://code.forgejo.org/forgejo/runner/src/tag/v6.3.1/examples/lxc-systemd/forgejo-runner-service.sh

Description

  • Each runner is assigned a unique serial number ($INPUTS_SERIAL)
  • The configuration is in /etc/forgejo-runner/$INPUTS_SERIAL
  • The environment variables are in /etc/forgejo-runner/$INPUTS_SERIAL/env
  • The cache is in /var/lib/forgejo-runner/runner-$INPUTS_SERIAL
  • The systemd service unit is forgejo-runner@$INPUTS_SERIAL
  • The logs of the runner daemon are in /var/log/forgejo-runner/$INPUTS_SERIAL.log

How it works

  • Creating a runner (for instance with INPUTS_SERIAL=30 INPUTS_TOKEN=$TOKEN INPUTS_FORGEJO=https://code.forgejo.org forgejo-runner-service.sh) will:
    • use $INPUTS_TOKEN to register on $INPUTS_FORGEJO and save the result in the /etc/forgejo-runner/$INPUTS_SERIAL/.runner file
    • generate a default configuration file in the /etc/forgejo-runner/$INPUTS_SERIAL/config.yml file which can then be manually edited
  • Each runner is launched in a dedicated LXC container named runner-$INPUTS_SERIAL-lxc with the following bind mounts:
    • /etc/forgejo-runner/$INPUTS_SERIAL
    • /var/lib/forgejo-runner/runner-$INPUTS_SERIAL/.cache/actcache
  • systemctl start forgejo-runner@$INPUTS_SERIAL will do the following when it starts and every $INPUTS_LIFETIME interval after that:
    • attempt to gracefully stop (SIGTERM) the runner, waiting for all jobs to complete
    • forcibly kill the runner if it does not stop within 6h
    • shutdown the LXC container and delete it (the volumes bind mounted are preserved)
    • create a brand new LXC container (with the specified $INPUTS_LXC_CONFIG)
    • install and run a Forgejo runner daemon in the LXC container using /etc/forgejo-runner/$INPUTS_SERIAL/config.yml
    • redirect the output of the runner to /var/log/forgejo-runner/$INPUTS_SERIAL.log
  • systemctl stop forgejo-runner@$INPUTS_SERIAL will stop the runner but keep the LXC container running

Creation

The creation of a new runner is driven by the following environment variables:

  • INPUTS_SERIAL: unique number in the range [10-100] (check /etc/forgejo-runner)
  • INPUTS_TOKEN: a runner registration token obtained from the web UI
  • INPUTS_FORGEJO: the Forgejo instance from which INPUTS_TOKEN was obtained (e.g. https://code.forgejo.org)
  • INPUTS_RUNNER_VERSION: the version of the Forgejo runner as found in https://code.forgejo.org/forgejo/runner/releases (e.g. 9.0.2)
  • INPUTS_LXC_CONFIG: the value of the --config argument of lxc-helpers used when creating the LXC container for the runner (e.g. docker)
  • INPUTS_LIFETIME: the LXC container is re-created when its lifetime expires (e.g. 7d)

Hacking

  • An existing LXC configuration will not be modified. If lxc-ls exists, it is assumed that LXC is configured and ready to be used.
  • Migrating an existing runner: 
    serial=10
mkdir /etc/forgejo-runner/$serial
cp .runner config.yml /etc/forgejo-runner/$serial
INPUTS_SERIAL=$serial INPUTS_FORGEJO=https://code.forgejo.org forgejo-runner-service.sh
systemctl status forgejo-runner@$serial
  • Set debug by adding VERBOSE=true in /etc/forgejo-runner/$INPUTS_SERIAL/env

Use a specific version of the Forgejo runner

The goal is that a LXC container uses a version of the Forgejo runner that is different from the default. It needs to be installed and pinned.

  • Install: INPUTS_RUNNER_VERSION=9.0.2 forgejo-runner-service.sh install_runner
  • Pin the version in /etc/forgejo-runner/N/env (e.g. INPUTS_RUNNER_VERSION=9.0.2)