nixos/forgejo.runner: initialize module #496325
0dfb0ed to 5a287d9
This is very exciting, I'll attempt to replace my manual implementation with this tonight.
Ok I've moved my config to this module in https://frodux.dev/Frodux/nixos/pulls/772, it has properly registered, picked up a job, and is working on it. First test with
615d282 to 41f14ec
a0b1988 to dc3b027
This is looking pretty good to me here in nixpkgs. I still need to test this with my local exec runner to see if the hardening is ok.
tebriel left a comment
I'm still only running it in docker mode but the update to use LoadCredential is working as expected.
6d5d3c2 to a7175bc
Initial port from services.gitea-actions-runner, switching to systemd template services and applying aggressive hardening. Assisted-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
a7175bc to 4c4eb93
I ended up dropping the systemd escaping. It's problematic for a few of the options and I'm not convinced it's worth the problems and ugliness. Open to feedback if you disagree.
4c4eb93 to 4c73d06
47d36b7 to f7767d0
If it's a large lift migrating off the static runner token, I'm willing to assist with this PR. Forgejo is deprecating it, no? It seems strange to initialize this module using deprecated functionality.
This PR supports both registration token (yes, deprecated) and the newer pre-registered Upstream does not have a timeline for removal of registration token, but it won't be while v15 LTS is supported.
Nobody willing to approve this? A number of people have weighed in and reviewed.
tebriel left a comment
This feels 1.0-complete and ready to go. Users will need to opt-in to it so I'm not worried about breaking someone's existing configuration. Let's do this and fix any sharp edges we find along the way. I've been running this branch for quite some time so it's at least very ready based on my use cases.
The reason I did not approve is that this feels too much stuck in the past. A fresh take would be fully config file driven.
Does this not also provide that capability?
I'll open a new PR with a different take on this in an hour or two.
Fair enough, I'll close this then and defer to your PR.
#529621 is ready for review now.
I couldn't remember exactly where we left the discussion, and couldn't find the context looking at github/matrix, so I went ahead with an initial implementation. This is based off the gitea-actions-runner, but using a template service and applying maximum hardening. It's possible this is too much hardening and will need to be tuned back, but the basic tests at least are passing.