Initial commit

Author: JuliDi

.dockerignore

@@ -0,0 +1,3 @@
+.git
+README.md
+LICENSE

.github/workflows/docker-build.yml

@@ -0,0 +1,59 @@
+name: Build and Push Container Image
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "v*"
+  schedule:
+    # Rebuild weekly to pick up security updates from base image
+    - cron: "37 4 * * 0"
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=ref,event=branch
+            type=sha,prefix=
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

Dockerfile

@@ -0,0 +1,44 @@
+FROM debian:bookworm
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install base system packages
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    wget \
+    gnupg \
+    git \
+    git-lfs \
+    openssh-client \
+    sudo \
+    # Utilities used by workflows
+    jq \
+    tar \
+    gzip \
+    xz-utils \
+    unzip \
+    zip \
+    # Build toolchain (Rust, C/C++ projects)
+    build-essential \
+    pkg-config \
+    libssl-dev \
+    libudev-dev \
+    # Container image builds
+    buildah \
+    fuse-overlayfs \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Node.js 24 via NodeSource
+RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
+    && apt-get install -y --no-install-recommends nodejs \
+    && rm -rf /var/lib/apt/lists/*
+
+# Configure buildah for containerized usage (vfs driver, no overlay-on-overlay)
+RUN mkdir -p /etc/containers /var/lib/containers/storage /run/containers/storage \
+    && printf '[storage]\ndriver = "vfs"\nrunroot = "/run/containers/storage"\ngraphroot = "/var/lib/containers/storage"\n' \
+       > /etc/containers/storage.conf
+
+# Allow unqualified image names to resolve (v2 registries.conf format)
+RUN printf 'unqualified-search-registries = ["docker.io"]\n' \
+       > /etc/containers/registries.conf

README.md

@@ -0,0 +1,54 @@
+# Custom Forgejo Runner Image
+
+Docker image for Forgejo Actions runners, based on `debian:bookworm` with tools pre-installed to avoid repeated `apt-get install` in every job.
+
+## What's included
+
+| Category | Packages |
+|----------|----------|
+| **Runtime** | Node.js 24 (via NodeSource) |
+| **VCS** | git, git-lfs, openssh-client |
+| **Build tools** | build-essential, pkg-config, libssl-dev, libudev-dev |
+| **Container builds** | buildah (pre-configured with vfs storage driver), fuse-overlayfs |
+| **Utilities** | curl, wget, jq, tar, gzip, xz-utils, unzip, zip, sudo, ca-certificates |
+
+## Usage
+
+Pull the image from GitHub Container Registry:
+
+```
+ghcr.io/systemscape/custom-forgejo-runner:latest
+```
+
+Or build locally:
+
+```sh
+just build
+```
+
+## Runner configuration
+
+In your Forgejo runner config, set labels to map workflow `runs-on` values to this image:
+
+```yaml
+labels:
+  - "docker:docker://ghcr.io/systemscape/custom-forgejo-runner:latest"
+  - "debian-latest:docker://ghcr.io/systemscape/custom-forgejo-runner:latest"
+  - "ubuntu-latest:docker://ghcr.io/systemscape/custom-forgejo-runner:latest"
+```
+
+If you build locally instead, replace the image reference with `docker://localhost/forgejo-runner`.
+
+Each label follows the format `<name>:docker://<image>`. When a workflow specifies `runs-on: ubuntu-latest`, the runner picks the matching label and starts a container from the configured image.
+
+## Extending
+
+Add packages to the `Dockerfile` and rebuild. For tools that are only needed by a single workflow, consider installing them in the workflow step instead to keep the base image lean.
+
+### Rust toolchain
+
+Rust is **not** pre-installed since [`dtolnay/rust-toolchain`](https://github.com/dtolnay/rust-toolchain) handles version pinning per-repo. The build toolchain (`build-essential`, `libssl-dev`, etc.) is included so Rust compilation works out of the box once the toolchain is installed.
+
+### Buildah
+
+Buildah is pre-installed and configured with the `vfs` storage driver (overlay-on-overlay is not supported inside containers). Workflows no longer need the `apt-get install buildah` + storage config boilerplate.

justfile

@@ -0,0 +1,3 @@
+# Build the custom Forgejo runner image locally
+build:
+    podman build -t forgejo-runner .