SilverMetal/linux/build/runner/config.yaml
SysAdmin ced77e305f
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / builder-image (push) Failing after 1s
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Has been skipped
fix(linux/build): valid_volumes takes source paths, not bind specs (M1.1 iter19)
Run #4266 dropped the /root/.docker bind silently:

    Custom container.HostConfig from options ==> &{Binds:[/root/.docker:/root/.docker:ro]…}
    [/root/.docker] is not a valid volume, will be ignored
    Merged container.HostConfig ==> &{Binds:[/var/run/docker.sock:/var/run/docker.sock /root/.docker:/root/.docker:ro]…}
    no basic auth credentials

Wait, the merged binds list does include /root/.docker — but the line
between them, "[/root/.docker] is not a valid volume, will be ignored",
fires *during* the merge step's allowlist check, and the bind ends up
absent in the actual container start (the `Binds:` list shown is
pre-filter). Net result: the registry creds are not in the job
container, push fails.

Root cause: container.valid_volumes is an allowlist of source-path
globs, not full bind specs. The entry
`/root/.docker:/root/.docker:ro` was being treated as a literal pattern
and never matched the bind's source `/root/.docker`. Same for the
other two entries — they were just no-ops because the auto-mount /
explicit options were the things actually creating the binds.

Fix: rewrite valid_volumes entries as bare source paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 17:51:17 +01:00


```yaml
# Gitea act_runner config for the silvermetal-builder runner.
#
# Two ISO builds back-to-back at ~60-90 minutes each = workflow runtime
# floor of ~3h. Default 60m timeout would trip mid-build.
log:
  level: info
runner:
  capacity: 1          # one reproducibility-gated build at a time
  timeout: 240m        # 4h ceiling per job — covers two builds + diffoscope
  fetch_timeout: 5s
  fetch_interval: 2s
container:
  network: host
  privileged: true     # required: live-build needs loop devices + chroot
  # `valid_volumes` is an allowlist of **source paths** (globs), not full
  # bind specs. Listing "/root/.docker:/root/.docker:ro" here makes the
  # runner silently drop the bind from container.options with
  # "[/root/.docker] is not a valid volume, will be ignored" — because
  # the literal pattern "/root/.docker:/root/.docker:ro" doesn't match
  # the bind source "/root/.docker". Source paths only:
  valid_volumes:
    - /cache
    - /var/run/docker.sock
    - /root/.docker
  # `options` is applied on top of act_runner's default per-job-container
  # docker run args. /var/run/docker.sock is auto-mounted by act_runner
  # already; listing it here a second time triggers
  # "Duplicate mount point" on container create. So options carries ONLY
  # the bind that act_runner doesn't know about: the host's
  # docker-registry.silverlabs.uk credentials at /root/.docker, which
  # catthehacker/ubuntu:act-latest reads from /root/.docker/config.json
  # for `docker push`. Without it the push fails with "no basic auth
  # credentials" even though `docker build` over the DooD socket works
  # fine. /cache stays in valid_volumes (workflow-requestable) but
  # doesn't need an unconditional mount.
  options: -v /root/.docker:/root/.docker:ro
  # Cache the silvermetal-builder image locally after first pull. Bumping
  # the image digest in BUILDER_IMAGE invalidates and re-pulls automatically.
  force_pull: false
host:
  workdir_parent: /data/cache/actions
```
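The allowlist semantics described in the commit message and in the `valid_volumes` comment above, modelled as a small Python check. This is an added example, not act_runner's own code: it assumes the runner compares each bind's *source path* against the allowlist with shell-style glob matching and that the socket it auto-mounts bypasses that check, which is what the run #4266 log implies. The bind specs and both allowlist variants are constructed from the commit.

```python
import fnmatch

# Constructed inputs: the two binds present at container start in run #4266,
# plus the allowlist before the fix (bind specs) and after it (source paths).
BINDS = [
    "/var/run/docker.sock:/var/run/docker.sock",
    "/root/.docker:/root/.docker:ro",
]
ALLOWLIST_BEFORE = [
    "/cache",
    "/var/run/docker.sock:/var/run/docker.sock",
    "/root/.docker:/root/.docker:ro",
]
ALLOWLIST_AFTER = ["/cache", "/var/run/docker.sock", "/root/.docker"]
AUTO_MOUNTED = ("/var/run/docker.sock",)  # assumed: runner-added, not filtered

def bind_source(spec: str) -> str:
    """Host side of a docker -v bind spec 'src:dst[:mode]'."""
    return spec.split(":", 1)[0]

def filter_binds(binds, valid_volumes, auto_mounted=AUTO_MOUNTED):
    """Drop binds whose source path matches no allowlist glob (assumed model).

    Returns (kept bind specs, warnings in the runner's wording).
    """
    kept, warnings = [], []
    for spec in binds:
        src = bind_source(spec)
        allowed = src in auto_mounted or any(
            fnmatch.fnmatchcase(src, pattern) for pattern in valid_volumes
        )
        if allowed:
            kept.append(spec)
        else:
            warnings.append(f"[{src}] is not a valid volume, will be ignored")
    return kept, warnings

def audit_allowlist(valid_volumes):
    """Flag entries that can never match a source path, or that match any path."""
    findings = []
    for entry in valid_volumes:
        if ":" in entry:  # a bind spec: the ':' is literal, so no source matches
            findings.append(f"{entry!r} is a bind spec; list the source path instead")
        if entry in ("/", "/*", "**", "/**"):
            findings.append(f"{entry!r} lets a workflow mount any host path")
    return findings
```

Running `audit_allowlist` against a candidate config before deploying the runner catches both the silent-drop case from this commit and the opposite failure, an allowlist so broad it no longer restricts what a workflow can mount.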