feat(linux/build): silvermetal-builder Gitea Actions runner deployment

act_runner-based deployment that handles `runs-on: silvermetal-builder` jobs. Adapted from the stinky-roger-tv flutter-builder pattern with three changes: - privileged: true (live-build needs loop devices + chroot) - 4h job timeout (covers two reproducibility-gated ISO builds + diffoscope) - silvermetal-builder label maps to catthehacker/ubuntu:act-latest, not the silvermetal-builder image — the builder image stays minimal (no docker-cli), and build.sh invokes it via `docker run` from the catthehacker job shell Deployed at /opt/silvermetal-builder-runner/ on the SLAB docker host (10.0.0.51); registered with git.silverlabs.uk and reporting healthy. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 11:59:44 +01:00
parent f9e606d22d
commit 7b99516232
5 changed files with 148 additions and 0 deletions
--- a/linux/build/runner/.env.example
+++ b/linux/build/runner/.env.example
@@ -0,0 +1,7 @@
+# Copy to .env on the deployment host. NEVER commit the real token.
+#
+# Get a registration token:
+#   curl -H "Authorization: token $GITEA_TOKEN" \
+#        https://git.silverlabs.uk/api/v1/admin/runners/registration-token
+#
+RUNNER_TOKEN=replace-with-registration-token
--- a/linux/build/runner/Dockerfile.runner
+++ b/linux/build/runner/Dockerfile.runner
@@ -0,0 +1,6 @@
+# act_runner with docker-cli, so the runner can `docker run` the
+# silvermetal-builder image inside the job. Pattern matches the
+# stinky-roger-tv flutter-builder runner.
+FROM gitea/act_runner:latest
+
+RUN apk add --no-cache docker-cli git
--- a/linux/build/runner/README.md
+++ b/linux/build/runner/README.md
@@ -0,0 +1,61 @@
+# silvermetal-builder runner deployment
+
+The Gitea Actions runner that handles `runs-on: silvermetal-builder` jobs from `.gitea/workflows/build-iso-linux.yaml`.
+
+## Layout
+
+| File                 | Purpose                                                                |
+|----------------------|------------------------------------------------------------------------|
+| `docker-compose.yml` | act_runner service definition, deployed on SLAB docker host.           |
+| `Dockerfile.runner`  | Adds `docker-cli` to the upstream `gitea/act_runner` image.            |
+| `config.yaml`        | act_runner runtime config — privileged, 4h timeout, host network.      |
+| `.env.example`       | Template for the registration-token env file (real `.env` not commit). |
+
+## Why privileged
+
+`live-build` needs loop devices and chroot inside the build container. Without `privileged: true`, `mksquashfs` and `debootstrap` fail. This is the only Gitea runner in the SilverLABS fleet that runs privileged — keep its scope narrow (one repo, one job class).
+
+## Deploy
+
+On the SLAB docker host (`10.0.0.51`):
+
+```bash
+sudo mkdir -p /opt/silvermetal-builder-runner
+cd /opt/silvermetal-builder-runner
+
+# Copy this directory's contents in (e.g. via scp or rsync from a checkout
+# of SilverLABS/SilverMetal at linux/build/runner/).
+# Then create the .env with a fresh registration token:
+
+GITEA_TOKEN=<admin-token> \
+  curl -H "Authorization: token $GITEA_TOKEN" \
+       https://git.silverlabs.uk/api/v1/admin/runners/registration-token
+
+cp .env.example .env
+$EDITOR .env  # paste the token
+
+# Pre-pull the builder image so the first job isn't a cold start:
+docker login docker-registry.silverlabs.uk
+docker pull docker-registry.silverlabs.uk/silvermetal-builder:latest
+
+docker compose up -d
+docker compose logs -f --tail 50   # watch for "Runner registered"
+```
+
+Check the runner shows up under `git.silverlabs.uk/-/admin/actions/runners` with label `silvermetal-builder`.
+
+## Bump the runner image / config
+
+```bash
+cd /opt/silvermetal-builder-runner
+git pull   # if you keep this dir as a checkout
+docker compose up -d --build
+```
+
+## Tear down
+
+```bash
+docker compose down -v   # -v drops runner-data volume; runner has to re-register
+```
+
+The runner-data volume holds the registered runner identity — keep it across image bumps so we don't pollute the Gitea runners list with dead entries.
--- a/linux/build/runner/config.yaml
+++ b/linux/build/runner/config.yaml
@@ -0,0 +1,29 @@
+# Gitea act_runner config for the silvermetal-builder runner.
+#
+# Two ISO builds back-to-back at ~60-90 minutes each = workflow runtime
+# floor of ~3h. Default 60m timeout would trip mid-build.
+
+log:
+  level: info
+
+runner:
+  capacity: 1            # one reproducibility-gated build at a time
+  timeout: 240m          # 4h ceiling per job — covers two builds + diffoscope
+  fetch_timeout: 5s
+  fetch_interval: 2s
+
+container:
+  network: host
+  privileged: true       # required: live-build needs loop devices + chroot
+  valid_volumes:
+    - "/cache:/cache"
+    - "/var/run/docker.sock:/var/run/docker.sock"
+  options: >-
+    -v /cache:/cache
+    -v /var/run/docker.sock:/var/run/docker.sock
+  # Cache the silvermetal-builder image locally after first pull. Bumping
+  # the image digest in BUILDER_IMAGE invalidates and re-pulls automatically.
+  force_pull: false
+
+host:
+  workdir_parent: /data/cache/actions
--- a/linux/build/runner/docker-compose.yml
+++ b/linux/build/runner/docker-compose.yml
@@ -0,0 +1,45 @@
+# silvermetal-builder Gitea Actions runner.
+#
+# Deployment target: SLAB docker host (10.0.0.51) at /opt/silvermetal-builder-runner/
+# Setup:
+#   1. Ensure docker-registry.silverlabs.uk/silvermetal-builder:latest is pushed.
+#   2. Get a registration token: Gitea Admin -> Actions -> Runners
+#      (or `curl -H "Authorization: token $GITEA_TOKEN" \
+#            https://git.silverlabs.uk/api/v1/admin/runners/registration-token`)
+#   3. Set RUNNER_TOKEN in .env
+#   4. docker compose up -d
+#
+# Why privileged: live-build mounts loop devices and chroots inside the build
+# container. Without privileged, mksquashfs and debootstrap fail.
+
+services:
+  silvermetal-runner:
+    build:
+      context: .
+      dockerfile: Dockerfile.runner
+    container_name: silvermetal-builder-runner
+    restart: unless-stopped
+    privileged: true
+    environment:
+      GITEA_INSTANCE_URL: https://git.silverlabs.uk
+      GITEA_RUNNER_REGISTRATION_TOKEN: ${RUNNER_TOKEN}
+      GITEA_RUNNER_NAME: silvermetal-builder
+      # Label routing. Both labels map to the standard catthehacker image
+      # (has bash + git + docker-cli, everything build.sh needs to run).
+      # The actual silvermetal-builder build environment (live-build, etc.)
+      # is invoked by build.sh via `docker run`, not as the job container —
+      # that keeps the silvermetal-builder image minimal and avoids nesting
+      # docker-cli inside our own pinned image.
+      GITEA_RUNNER_LABELS: "silvermetal-builder:docker://catthehacker/ubuntu:act-latest,ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
+    volumes:
+      - runner-data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /root/.docker:/root/.docker:ro
+      # Cache for snapshot.debian.org and apt downloads — survives container
+      # recreate, avoids repeated mirror traffic and the rate-limit risk.
+      - /opt/silvermetal-builder-runner/cache:/cache
+    labels:
+      - "com.silverlabs.service=gitea-silvermetal-builder-runner"
+
+volumes:
+  runner-data: