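# Gitea act_runner config for the silvermetal-builder runner.
#
# Two ISO builds back-to-back at ~60-90 minutes each = workflow runtime
# floor of ~3h. Default 60m timeout would trip mid-build.

log:
  level: info

runner:
  capacity: 1  # one reproducibility-gated build at a time
  timeout: 240m  # 4h ceiling per job — covers two builds + diffoscope
  fetch_timeout: 5s
  fetch_interval: 2s

container:
  # NOTE(review): host networking + privileged mode + an allowlisted Docker
  # socket mean the job container is not an isolation boundary: a workflow
  # scheduled on this runner effectively has root-level control of the host.
  # Register this runner only for trusted repositories and keep it away from
  # jobs triggered by untrusted pull requests.
  network: host
  privileged: true  # required: live-build needs loop devices + chroot

  # `valid_volumes` is an allowlist of **source paths** (globs), not full
  # bind specs. Listing "/root/.docker:/root/.docker:ro" here makes the
  # runner silently drop the bind from container.options with
  # "[/root/.docker] is not a valid volume, will be ignored" — because
  # the literal pattern "/root/.docker:/root/.docker:ro" doesn't match
  # the bind source "/root/.docker". Source paths only:
  valid_volumes:
    - /cache
    - /var/run/docker.sock
    - /root/.docker/config.json

  # `options` is applied on top of act_runner's default per-job-container
  # docker run args. /var/run/docker.sock is auto-mounted by act_runner
  # already; listing it here a second time triggers
  # "Duplicate mount point" on container create. So options carries ONLY
  # what act_runner doesn't provide: the host's docker-registry.silverlabs.uk
  # credentials, which catthehacker/ubuntu:act-latest's docker-cli reads
  # from /root/.docker/config.json for `docker push`. Without it the push
  # fails with "no basic auth credentials" even though `docker build`
  # over the DooD socket works fine.
  #
  # We mount the FILE (not the directory) read-only:
  #   - ro is essential — config.json is the host's actual creds file.
  #   - file-only (not /root/.docker:ro) keeps /root/.docker writable on the
  #     container's own overlay so buildx can write its activity tracking
  #     to /root/.docker/buildx/. Mounting the whole dir :ro broke run #4267
  #     with "failed to update builder last activity time: …read-only
  #     file system".
  #
  # NOTE(review): ro stops a job from modifying the file, not from reading
  # it — every job on this runner can read these registry credentials.
  # Prefer a dedicated registry token scoped to what this runner pushes, and
  # rotate it if a workflow you do not trust has ever run here.
  #
  # Quoted so the leading "-" and the embedded colons always stay one string.
  options: '-v /root/.docker/config.json:/root/.docker/config.json:ro'

  # Cache the silvermetal-builder image locally after first pull. Bumping
  # the image digest in BUILDER_IMAGE invalidates and re-pulls automatically.
  # NOTE(review): that only holds while the image is referenced by digest;
  # a mutable tag would keep resolving to the cached local copy — confirm
  # BUILDER_IMAGE is digest-pinned.
  force_pull: false

host:
  workdir_parent: /data/cache/actions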