daniel/furtka
1
1
Fork 0
Code Issues 1 Pull requests Projects 1 Releases 13 Packages Wiki Activity Actions
furtka/.forgejo/workflows/build-iso.yml
Daniel Maksymilian Syrnicki 0f0308bf68
Some checks failed
Build ISO / build-iso (push) Failing after 46s
Details
CI / lint (push) Successful in 25s
Details
CI / test (push) Successful in 32s
Details
CI / validate-json (push) Successful in 24s
Details
CI / markdown-links (push) Successful in 14s
Details
ci: switch build-iso to docker-outside-of-docker 
The DinD setup was the wrong tool here: forgejo-runner runs on host
docker, but it spawned jobs via the DinD sidecar — meaning jobs
were isolated inside DinD's own docker namespace and couldn't reach
`docker-in-docker` by hostname, and couldn't see the
`forgejo-runner_default` network (which only exists on host docker).

Switched the runner (compose.yml + data/config.yml) to talk directly
to host docker via `/var/run/docker.sock` and added it to the host
`docker` group (GID 988) so the non-root runner user can use the
socket. `valid_volumes` now whitelists the socket so job containers
can mount it too.

Workflow now mounts /var/run/docker.sock into the job container and
points DOCKER_HOST at that unix socket. `./iso/build.sh` then runs
its inner `docker run --privileged archlinux:latest` against the
host daemon — no nested docker.

Tradeoff: this is less isolated than DinD (jobs have full host docker
access — they could spawn arbitrary containers), but on a dedicated
single-user build VM the DooD simplification is worth it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 18:45:32 +02:00

47 lines
1.2 KiB
YAML
Raw Blame History

name: Build ISO
# Full ISO build is ~15-20 min. Only run on push-to-main and manual
# dispatch so feature-branch iteration stays fast. See
# memory/project_ci_branching for the rationale.
on:
push:
branches: [main]
workflow_dispatch:
concurrency:
group: build-iso-${{ github.ref }}
cancel-in-progress: true
jobs:
build-iso:
runs-on: ubuntu-latest
timeout-minutes: 30
# The runner is configured for docker-outside-of-docker: it mounts the
# host's /var/run/docker.sock. Jobs get the same socket so the
# `docker run` inside build.sh talks to the host daemon directly,
# no DinD gymnastics.
container:
image: catthehacker/ubuntu:act-latest
volumes:
- /var/run/docker.sock:/var/run/docker.sock
env:
DOCKER_HOST: unix:///var/run/docker.sock
steps:
- uses: actions/checkout@v4
- name: Build ISO
run: ./iso/build.sh
- name: Report ISO hash
run: |
iso=$(ls iso/out/*.iso | head -1)
echo "ISO: $iso"
sha256sum "$iso"
- name: Upload ISO artifact
uses: actions/upload-artifact@v4
with:
name: furtka-iso
path: iso/out/*.iso
retention-days: 14
if-no-files-found: error
Reference in a new issue View git blame Copy permalink