forge_ci — add §9 runner environment reference from ops #119

Merged
mik-tf merged 2 commits from development_forge_ci into development 2026-04-26 12:53:43 +00:00

Closes #116

What

Adds §9 Runner Environment Reference to forge_ci/SKILL.md + 5 rows to the existing §6 tables that point to §9. No existing content changed or restructured.

Why

Peter at ops wrote up what our shared Forgejo runners support while helping unblock a freezone CI build ([coopcloud/circle_ops#760](https://forge.ourworld.tf/coopcloud/circle_ops/issues/760), [znzfreezone_code/home#319](https://forge.ourworld.tf/znzfreezone_code/home/issues/319)). Consolidate the generic info so every repo doing container builds in Actions inherits it.

Content added in §9

  • Runner config.yml shape (automounted docker + podman sockets, privileged: false, default seccomp)
  • Supported: docker build/push ✓, podman ✓; not: buildah ✗ (with repro one-liner + why env-var workarounds don't rescue it)
  • ghcr.io/despiegk/builder:latest inventory — preinstalled vs must-install, cargo-not-on-PATH gotcha, apt-lists pre-wipe
  • Alternative image (catthehacker/ubuntu:act-22.04) + scheduling caveat (no host-specific labels, always override container.image:)
  • Secrets pattern: one REGISTRY_PASSWORD token (packages + repo scope); username hardcoded git, no REGISTRY_USER secret needed
  • Minimal working tag-triggered release.yml skeleton — validated end-to-end on znzfreezone_code/znzfreezone_deploy
  • Where to file ops-level asks (coopcloud/circle_ops)

§6 additions

5 rows, each pointing to §9:

  • apt MergeList parse errors on fresh apt-get update
  • SIGPIPE (exit 141) from cmd | head -N under set -o pipefail
  • docker: command not found (builder image doesn't ship the CLI)
  • buildah CLONE_NEWUSER (unsupported, use docker path)
  • docker login username is empty (hardcode -u git)

Stats

One clean commit, +163 lines, zero deletions. File grows ~30%.

Note

Public-safe content only — no IPs, hostnames, provider names, or direct links to private infrastructure repos. Generic runner-config and image-inventory knowledge devs can act on without needing ops-repo access.
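The §6 row on SIGPIPE under `set -o pipefail`, reproduced as an added example that is not from the skill doc or this PR: a producer killed by SIGPIPE when `head -N` closes the pipe early makes the whole pipeline fail, and draining the rest of the output fixes it. The helper names and the `seq` producer are this example's own choices.

```shell
#!/bin/bash
# Added example (not from forge_ci/SKILL.md or the PR): reproduces the
# "SIGPIPE (exit 141) from cmd | head -N under set -o pipefail" row and
# shows the drain-the-pipe fix. Each case runs in a child bash with
# pipefail on, so the outer shell's own options do not matter.

# Run a pipeline snippet under `set -o pipefail` and print its exit status.
pipefail_status() {
  bash -o pipefail -c "$1" >/dev/null 2>&1 && echo 0 || echo "$?"
}

# Broken: `seq` still has far more than a pipe buffer left to write when
# `head` exits after 3 lines, so `seq` is killed by SIGPIPE (128+13 = 141)
# and pipefail turns that into the pipeline's status. Under `set -e` this
# aborts the CI step even though `head` did its job. (If the parent process
# ignores SIGPIPE, `seq` reports EPIPE and exits 1 instead; still non-zero.)
broken_pipeline() {
  pipefail_status 'seq 1 200000 | head -n 3'
}

# Fixed: after `head` takes its lines, `cat >/dev/null` keeps reading until
# the producer finishes, so nobody closes the pipe early and every stage
# exits 0. `|| true` would also silence it but would hide real failures.
fixed_pipeline() {
  pipefail_status 'seq 1 200000 | { head -n 3; cat >/dev/null; }'
}

# The same pattern applied to lines a CI step actually consumes: returns
# the first $1 lines of a long producer without the SIGPIPE status.
first_lines_drained() {
  seq 1 200000 | { head -n "$1"; cat >/dev/null; }
}

# Stand-alone demo: broken is non-zero (normally 141), fixed is 0.
echo "broken: $(broken_pipeline)   fixed: $(fixed_pipeline)"
```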

Captures what ops documented about the shared Forgejo act_runner fleet
while helping unblock a freezone CI build that needed container image
pushes from Actions.

§9 covers:
- Runner config (generic shape — automounted host docker socket,
  podman socket, default seccomp, not privileged)
- Supported: docker build/push via socket, podman
- Not supported: buildah (default seccomp blocks CLONE_NEWUSER;
  env-var workarounds don't rescue this — those fix CRI-O/OpenShift
  runtimes, not docker-backed runners)
- ghcr.io/despiegk/builder:latest inventory: what ships, what's missing,
  cargo-not-on-PATH gotcha, apt lists pre-wipe requirement
- Alternative image (catthehacker/ubuntu:act-22.04) + scheduling caveat
  (no host-specific labels, always set container.image explicitly)
- Secrets pattern: one REGISTRY_PASSWORD token (packages + repo scope);
  username hardcoded to "git" — no REGISTRY_USER secret needed
- Minimal tag-triggered release.yml skeleton, validated end-to-end on
  znzfreezone_code/znzfreezone_deploy
- Where to file ops-level asks (coopcloud/circle_ops)

§6 table additions (5 rows pointing to §9 for common failures):
- apt MergeList parse on fresh update
- SIGPIPE (exit 141) from `cmd | head -N` under `set -o pipefail`
- `docker: command not found` (builder image doesn't ship the CLI)
- `buildah` CLONE_NEWUSER (unsupported, use docker path)
- `docker login` empty-username error (hardcode `-u git`)

No existing content changed or restructured. Growth ~170 lines.

#116
mik-tf changed title from WIP: forge_ci — add §9 runner environment reference from ops to forge_ci — add §9 runner environment reference from ops 2026-04-22 13:32:09 +00:00
Issue/PR citations like freezone CI and circle_ops belong in commit
messages + PR bodies, not in the skill doc itself. Future devs reading
forge_ci shouldn't have to context-switch through a project-specific
trail to understand the generic runner knowledge.

#116
mik-tf merged commit 91e4882f35 into development 2026-04-26 12:53:43 +00:00
mik-tf deleted branch development_forge_ci 2026-04-26 12:53:43 +00:00