SilverMetal/linux/build/runner/config.yaml
SysAdmin e7a5fdd629
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / builder-image (push) Failing after 2s
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Has been skipped
fix(linux/build): mount /root/.docker into job containers (M1.1 iter17)
Run #4263 cleared the new builder-image job's `docker build` step
cleanly but `docker push` died with:

    no basic auth credentials

The runner host (10.0.0.51) is logged in to docker-registry.silverlabs.uk —
that's how iter1-15 builder images got pushed by hand. But the
silvermetal-builder act_runner only mounts /root/.docker into its own
container, not into the job containers it spawns.
catthehacker/ubuntu:act-latest runs as root and reads
/root/.docker/config.json for auth;
without that file mounted in, docker-cli has no creds to send via the
DooD socket and the registry returns 401 Basic-realm.

Fix: extend the act_runner `container.options` to mount
/root/.docker:/root/.docker:ro into each job container, and add the same
entry to valid_volumes. Update the runner README so first-time deploys
know the host-side `docker login` is what makes the in-CI push work.

This requires a one-time runner redeploy on 10.0.0.51:

    cd /opt/silvermetal-builder-runner
    git pull
    docker compose up -d --build

After that, the builder-image job pushes cleanly and feeds its digest
to build-and-verify as designed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 17:33:35 +01:00

40 lines
1.4 KiB
YAML

# Gitea act_runner config for the silvermetal-builder runner.
#
# Two ISO builds back-to-back at ~60-90 minutes each = workflow runtime
# floor of ~3h. Default 60m timeout would trip mid-build.
log:
  level: info
runner:
  capacity: 1          # one reproducibility-gated build at a time
  timeout: 240m        # 4h ceiling per job — covers two builds + diffoscope
  fetch_timeout: 5s
  fetch_interval: 2s
container:
  network: host
  privileged: true     # required: live-build needs loop devices + chroot
  valid_volumes:
    - "/cache:/cache"
    - "/var/run/docker.sock:/var/run/docker.sock"
    - "/root/.docker:/root/.docker:ro"
  options: >-
    -v /cache:/cache
    -v /var/run/docker.sock:/var/run/docker.sock
    -v /root/.docker:/root/.docker:ro
  # The /root/.docker mount carries the host's docker-registry.silverlabs.uk
  # credentials into the job container, so `docker push` from the
  # builder-image job in build-iso-linux.yaml works without an explicit
  # `docker login` step. catthehacker/ubuntu:act-latest runs as root, so
  # /root/.docker/config.json is what its docker-cli reads. Without this,
  # the push fails with "no basic auth credentials" — even though docker
  # build itself works fine over the DooD socket.
  #
  # Cache the silvermetal-builder image locally after first pull. Bumping
  # the image digest in BUILDER_IMAGE invalidates and re-pulls automatically.
  force_pull: false
host:
  workdir_parent: /data/cache/actions
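
A preflight check for the "no basic auth credentials" failure described in the commit message, as an added example that is not part of this repository: run inside a job container, it reads the mounted `/root/.docker/config.json` and `/proc/self/mounts` and reports whether credentials for the registry are stored inline and whether the mount is read-only, without printing the secret. The function names and the sample inputs are constructed for illustration; a config that defers to a credential helper is flagged because the mounted file then holds no secret.

```python
import json, os, sys
REGISTRY = "docker-registry.silverlabs.uk"  # registry named in the config comments
DOCKER_DIR = "/root/.docker"                # mount target from container.options

# Constructed samples (not real credentials, not real mount output).
SAMPLE_CONFIG = '{"auths": {"docker-registry.silverlabs.uk": {"auth": "Y29uc3RydWN0ZWQ6c2FtcGxl"}}}'
SAMPLE_MOUNTS = "overlay / overlay rw,relatime 0 0\n/dev/sda1 /root/.docker ext4 ro,relatime 0 0\n"

def credential_source(config_text, registry=REGISTRY):
    """Return "helper", "inline" or "missing"; never the secret itself."""
    cfg = json.loads(config_text)
    # docker-cli asks a configured helper first, ignoring inline entries.
    if cfg.get("credsStore") or registry in (cfg.get("credHelpers") or {}):
        return "helper"
    for key, entry in (cfg.get("auths") or {}).items():
        host = key.split("://", 1)[-1].split("/", 1)[0]  # tolerate scheme/path in key
        if host == registry and isinstance(entry, dict) and (
                entry.get("auth") or entry.get("identitytoken")):
            return "inline"
    return "missing"

def mount_is_read_only(mounts_text, target=DOCKER_DIR):
    """True if the last mount at `target` (/proc/self/mounts format) has `ro`."""
    read_only = False  # stays False when target is not a mount point at all
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == target:
            read_only = "ro" in fields[3].split(",")
    return read_only

def preflight(config_text, mounts_text):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    source = credential_source(config_text)
    if source == "missing":
        problems.append(f"no credentials for {REGISTRY} in config.json")
    elif source == "helper":
        problems.append("config.json defers to a credential helper, so the mounted file carries no secret")
    if not mount_is_read_only(mounts_text):
        problems.append(f"{DOCKER_DIR} is not mounted read-only")
    return problems

if __name__ == "__main__":
    path = os.path.join(DOCKER_DIR, "config.json")
    real = os.path.exists(path)  # True inside a job container that has the mount
    cfg = open(path).read() if real else SAMPLE_CONFIG
    mounts = open("/proc/self/mounts").read() if real else SAMPLE_MOUNTS
    found = preflight(cfg, mounts)
    sys.exit("\n".join(found) or 0)  # problems go to stderr with exit status 1
```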