diff --git a/linux/build/runner/.env.example b/linux/build/runner/.env.example
new file mode 100644
index 0000000..3379575
--- /dev/null
+++ b/linux/build/runner/.env.example
@@ -0,0 +1,7 @@
+# Copy to .env on the deployment host. NEVER commit the real token.
+#
+# Get a registration token:
+# curl -H "Authorization: token $GITEA_TOKEN" \
+# https://git.silverlabs.uk/api/v1/admin/runners/registration-token
+#
+RUNNER_TOKEN=replace-with-registration-token
diff --git a/linux/build/runner/Dockerfile.runner b/linux/build/runner/Dockerfile.runner
new file mode 100644
index 0000000..b3062c9
--- /dev/null
+++ b/linux/build/runner/Dockerfile.runner
@@ -0,0 +1,6 @@
+# act_runner with docker-cli, so the runner can `docker run` the
+# silvermetal-builder image inside the job. Pattern matches the
+# stinky-roger-tv flutter-builder runner.
+FROM gitea/act_runner:latest
+
+RUN apk add --no-cache docker-cli git
diff --git a/linux/build/runner/README.md b/linux/build/runner/README.md
new file mode 100644
index 0000000..0969c36
--- /dev/null
+++ b/linux/build/runner/README.md
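Review bot: `FROM gitea/act_runner:latest` pins nothing, so every `docker compose up -d --build` (the README's bump procedure in this commit) pulls whatever upstream currently tags `latest` straight into a privileged container that holds the host docker socket, with no point at which the new base is reviewed. Pin it to a release tag and digest, `FROM gitea/act_runner:<version>@sha256:<digest>` (placeholders — take the values from the image you have actually tested), and bump it deliberately. The same applies to `RUN apk add --no-cache docker-cli git`, which installs whatever the Alpine repos serve at build time; the compose comments describe the builder as "our own pinned image", and the runner image that drives it should meet the same bar.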
@@ -0,0 +1,61 @@
+# silvermetal-builder runner deployment
+
+The Gitea Actions runner that handles `runs-on: silvermetal-builder` jobs from `.gitea/workflows/build-iso-linux.yaml`.
+
+## Layout
+
+| File | Purpose |
+|----------------------|------------------------------------------------------------------------|
+| `docker-compose.yml` | act_runner service definition, deployed on SLAB docker host. |
+| `Dockerfile.runner` | Adds `docker-cli` to the upstream `gitea/act_runner` image. |
+| `config.yaml` | act_runner runtime config — privileged, 4h timeout, host network. |
+| `.env.example` | Template for the registration-token env file (real `.env` not commit). |
+
+## Why privileged
+
+`live-build` needs loop devices and chroot inside the build container. Without `privileged: true`, `mksquashfs` and `debootstrap` fail. This is the only Gitea runner in the SilverLABS fleet that runs privileged — keep its scope narrow (one repo, one job class).
+
+## Deploy
+
+On the SLAB docker host (`10.0.0.51`):
+
+```bash
+sudo mkdir -p /opt/silvermetal-builder-runner
+cd /opt/silvermetal-builder-runner
+
+# Copy this directory's contents in (e.g. via scp or rsync from a checkout
+# of SilverLABS/SilverMetal at linux/build/runner/).
+# Then create the .env with a fresh registration token:
+
+GITEA_TOKEN= \
+ curl -H "Authorization: token $GITEA_TOKEN" \
+ https://git.silverlabs.uk/api/v1/admin/runners/registration-token
+
+cp .env.example .env
+$EDITOR .env # paste the token
+
+# Pre-pull the builder image so the first job isn't a cold start:
+docker login docker-registry.silverlabs.uk
+docker pull docker-registry.silverlabs.uk/silvermetal-builder:latest
+
+docker compose up -d
+docker compose logs -f --tail 50 # watch for "Runner registered"
+```
+
+Check the runner shows up under `git.silverlabs.uk/-/admin/actions/runners` with label `silvermetal-builder`.
+
+## Bump the runner image / config
+
+```bash
+cd /opt/silvermetal-builder-runner
+git pull # if you keep this dir as a checkout
+docker compose up -d --build
+```
+
+## Tear down
+
+```bash
+docker compose down -v # -v drops runner-data volume; runner has to re-register
+```
+
+The runner-data volume holds the registered runner identity — keep it across image bumps so we don't pollute the Gitea runners list with dead entries.
diff --git a/linux/build/runner/config.yaml b/linux/build/runner/config.yaml
new file mode 100644
index 0000000..703c670
--- /dev/null
+++ b/linux/build/runner/config.yaml
@@ -0,0 +1,29 @@
+# Gitea act_runner config for the silvermetal-builder runner.
+#
+# Two ISO builds back-to-back at ~60-90 minutes each = workflow runtime
+# floor of ~3h. Default 60m timeout would trip mid-build.
+
+log:
+ level: info
+
+runner:
+ capacity: 1 # one reproducibility-gated build at a time
+ timeout: 240m # 4h ceiling per job — covers two builds + diffoscope
+ fetch_timeout: 5s
+ fetch_interval: 2s
+
+container:
+ network: host
+ privileged: true # required: live-build needs loop devices + chroot
+ valid_volumes:
+ - "/cache:/cache"
+ - "/var/run/docker.sock:/var/run/docker.sock"
+ options: >-
+ -v /cache:/cache
+ -v /var/run/docker.sock:/var/run/docker.sock
+ # Cache the silvermetal-builder image locally after first pull. Bumping
+ # the image digest in BUILDER_IMAGE invalidates and re-pulls automatically.
+ force_pull: false
+
+host:
+ workdir_parent: /data/cache/actions
diff --git a/linux/build/runner/docker-compose.yml b/linux/build/runner/docker-compose.yml
new file mode 100644
index 0000000..1dc6d29
--- /dev/null
+++ b/linux/build/runner/docker-compose.yml
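Review bot: The `options: >-` block under `container:` mounts the host's docker socket into every job container this runner starts, and together with `privileged: true` and `network: host` that means any job scheduled here is effectively root on the SLAB host; the comments explain why privileged is needed but not that the socket is a second, independent path to the host, nor that nothing in this file limits which repos can land here. Add that to the comment block, e.g. `# Every job container gets the host docker socket AND privileged mode: a job on this runner is host-root on 10.0.0.51. Which repos may schedule here is decided only by registration scope and labels in docker-compose.yml.` The `force_pull: false` comment says bumping the image digest re-pulls automatically, which is true only for references that carry a digest; a mutable tag such as `:latest` stays at whatever was first pulled, so either state that BUILDER_IMAGE must be digest-pinned or drop that sentence. `valid_volumes` already allowlists both mounts, so if the intent was for jobs to opt in to the socket rather than always receive it, the unconditional `-v /var/run/docker.sock:/var/run/docker.sock` in `options` is the line to remove — confirm against the act_runner version in use.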
@@ -0,0 +1,45 @@
+# silvermetal-builder Gitea Actions runner.
+#
+# Deployment target: SLAB docker host (10.0.0.51) at /opt/silvermetal-builder-runner/
+# Setup:
+# 1. Ensure docker-registry.silverlabs.uk/silvermetal-builder:latest is pushed.
+# 2. Get a registration token: Gitea Admin -> Actions -> Runners
+# (or `curl -H "Authorization: token $GITEA_TOKEN" \
+# https://git.silverlabs.uk/api/v1/admin/runners/registration-token`)
+# 3. Set RUNNER_TOKEN in .env
+# 4. docker compose up -d
+#
+# Why privileged: live-build mounts loop devices and chroots inside the build
+# container. Without privileged, mksquashfs and debootstrap fail.
+
+services:
+ silvermetal-runner:
+ build:
+ context: .
+ dockerfile: Dockerfile.runner
+ container_name: silvermetal-builder-runner
+ restart: unless-stopped
+ privileged: true
+ environment:
+ GITEA_INSTANCE_URL: https://git.silverlabs.uk
+ GITEA_RUNNER_REGISTRATION_TOKEN: ${RUNNER_TOKEN}
+ GITEA_RUNNER_NAME: silvermetal-builder
+ # Label routing. Both labels map to the standard catthehacker image
+ # (has bash + git + docker-cli, everything build.sh needs to run).
+ # The actual silvermetal-builder build environment (live-build, etc.)
+ # is invoked by build.sh via `docker run`, not as the job container —
+ # that keeps the silvermetal-builder image minimal and avoids nesting
+ # docker-cli inside our own pinned image.
+ GITEA_RUNNER_LABELS: "silvermetal-builder:docker://catthehacker/ubuntu:act-latest,ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
+ volumes:
+ - runner-data:/data
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /root/.docker:/root/.docker:ro
+ # Cache for snapshot.debian.org and apt downloads — survives container
+ # recreate, avoids repeated mirror traffic and the rate-limit risk.
+ - /opt/silvermetal-builder-runner/cache:/cache
+ labels:
+ - "com.silverlabs.service=gitea-silvermetal-builder-runner"
+
+volumes:
+ runner-data:
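Review bot: `GITEA_RUNNER_LABELS` advertises `ubuntu-latest` as well as `silvermetal-builder`, so any workflow on the instance that uses the default `runs-on: ubuntu-latest` becomes eligible for this privileged runner whose job containers get the host docker socket (config.yaml in the same commit), while the README in this commit says the runner exists only for the `silvermetal-builder` jobs of one repo. The setup comment also takes the registration token from the instance-wide `/api/v1/admin/runners/registration-token` endpoint, which registers the runner for every repo rather than one. Drop the second label, `GITEA_RUNNER_LABELS: "silvermetal-builder:docker://catthehacker/ubuntu:act-latest"`, and register with a repo-scoped token instead (recent Gitea versions expose a per-repo `actions/runners/registration-token` endpoint — confirm against the instance version) so the "one repo, one job class" scope is enforced by Gitea rather than by convention. The job image `catthehacker/ubuntu:act-latest` is a floating tag for a privileged job container; pin it by digest for the same reason the comments give for keeping the builder image pinned.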