feat(tfroot-runner): rebase onto ghcr.io/actions/actions-runner #6

Merged
xnoto merged 1 commit into main from feat/runner-agent-tfroot-runner on Apr 30, 2026

Conversation

xnoto (Contributor) commented Apr 30, 2026

Summary

Rebase the tfroot-runner image onto `ghcr.io/actions/actions-runner:latest` (Ubuntu 22.04, glibc-native) following the multi-stage layout in `hatch1fy/infra-images/terraform-runner`. The runner agent is already inside the base, so jobs labeled `runs-on: tfroot-runner` will execute directly in the pod with no nested `container:` block and no glibc-shim wrangling.

Stage 1 — `ubuntu:24.04` builder

  • Python 3.14 venv with `pre-commit` + `checkov`
  • Binary downloads: tofu (with `terraform` symlink), kubectl, kustomize, sops, terraform-docs, tfupdate, hcledit, tflint, infracost
  • All stripped at the end

Stage 2 — `ghcr.io/actions/actions-runner:latest`

  • apt: python3.14 (runtime only), ansible-core, openssh-client, jq, genisoimage, gnupg, make, shellcheck, libatomic1
  • yq via direct binary download (the `yq` apt package is the wrong tool)
  • COPY of all builder binaries + the venv
  • Pre-cache pre-commit hooks as `runner` user
  • USER `runner` — required by ARC

Test plan

  • After image build: `docker run --rm --entrypoint sh ghcr.io/makeitworkcloud/tfroot-runner:latest -c 'id; tofu version; kubectl version --client; sops --version; pre-commit --version'` — uid=1000(runner), all tools present
  • After image build: `docker run --rm --entrypoint /home/runner/run.sh ghcr.io/makeitworkcloud/tfroot-runner:latest --version` — actions/runner banner
  • After kustomize-cluster runner-set lands: GitHub UI shows `tfroot-runner` runner set; ephemeral runner pods spawn for jobs labeled `runs-on: tfroot-runner`

Pairs with

  • kustomize-cluster (incoming): `workloads/arc/tfroot-runner-application.yaml` deploying the runner-set against this image.
  • shared-workflows (incoming): make `container:` optional, default `runs-on: tfroot-runner`.
  • tfroot-libvirt (incoming): caller switches to `runs-on: tfroot-runner`.

🤖 Generated with Claude Code
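As an added illustration of the two-stage layout the description lists (this is not the repository's Dockerfile and not code from the PR), the sketch below uses a throw-away builder that creates the venv and fetches one checksum-verified binary, then a runtime stage on the actions-runner base that copies the results in and drops to the `runner` user before caching hooks. The version, download URL, checksum and base-image digest are placeholders, and the example pins the base by digest where the PR uses `:latest`; the Python package name is assumed to resolve to the same interpreter version in both stages, which the PR achieves with python3.14 (the package source for that is not shown here).

```dockerfile
# syntax=docker/dockerfile:1
# Added illustration of the two-stage layout; not the repository's Dockerfile.
# Every version, URL, checksum and digest below is a placeholder.

############ Stage 1: builder (ubuntu:24.04) ############
FROM ubuntu:24.04 AS builder

# Must resolve to the same interpreter version the runtime stage installs,
# otherwise the copied venv breaks (the PR uses python3.14 in both stages).
ARG PYTHON=python3
ARG TOFU_VERSION=0.0.0
# Release URL pattern is assumed from upstream naming; verify before use.
ARG TOFU_URL=https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_linux_amd64.tar.gz
ARG TOFU_SHA256=0000000000000000000000000000000000000000000000000000000000000000

RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates curl binutils ${PYTHON} ${PYTHON}-venv \
    && rm -rf /var/lib/apt/lists/*

# Venv with the two Python tools the runtime image needs.
RUN ${PYTHON} -m venv /opt/venv \
    && /opt/venv/bin/pip install --no-cache-dir pre-commit checkov

# One binary download shown; kubectl, kustomize, sops, etc. follow the same
# fetch -> verify checksum -> install pattern into /opt/bin.
RUN mkdir -p /opt/bin \
    && curl -fsSL -o /tmp/tofu.tgz "${TOFU_URL}" \
    && echo "${TOFU_SHA256}  /tmp/tofu.tgz" | sha256sum -c - \
    && tar -xzf /tmp/tofu.tgz -C /opt/bin tofu \
    && ln -s tofu /opt/bin/terraform \
    && rm /tmp/tofu.tgz

# Strip every ELF binary; files strip cannot handle are skipped.
RUN find /opt/bin -type f -exec sh -c 'strip "$1" 2>/dev/null || true' _ {} \;

############ Stage 2: runtime (actions-runner base) ############
# Pinned by digest (placeholder) instead of the :latest tag the PR uses.
FROM ghcr.io/actions/actions-runner@sha256:0000000000000000000000000000000000000000000000000000000000000000

ARG PYTHON=python3
# The base already runs as runner; apt needs root.
USER root
RUN apt-get update && apt-get install -y --no-install-recommends \
        ${PYTHON} openssh-client jq gnupg make shellcheck libatomic1 git \
    && rm -rf /var/lib/apt/lists/*

COPY --from=builder /opt/bin/ /usr/local/bin/
COPY --from=builder /opt/venv /opt/venv
ENV PATH=/opt/venv/bin:$PATH

# ARC expects the container to run as runner (UID 1000 in the base), so switch
# before anything that writes under $HOME.
USER runner
WORKDIR /home/runner

# Pre-cache hooks as the runtime user so the cache lands in /home/runner.
COPY --chown=runner:runner .pre-commit-config.yaml /tmp/precache/
RUN cd /tmp/precache && git init -q && pre-commit install-hooks && rm -rf /tmp/precache

# ENTRYPOINT is inherited from the base image, which launches /home/runner/run.sh.
```

The checksum check in the builder is the part worth keeping even if the rest is adapted: a bare `curl | tar` of a release artifact is the step a compromised mirror or redirect would land on, and the stripped, copied-in binary carries no record of where it came from once it is in the runtime layer.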

…ale-set

Stay on Alpine + the existing toolchain layer; add the GitHub Actions
runner agent and the glibc-compat shims it needs (gcompat / icu / krb5 /
lttng-ust). The image now self-registers with a gha-runner-scale-set
listener and runs jobs natively, so callers stop nesting tfroot-runner
inside a `container:` block.

- Add `runner` user (UID 1000), download the runner agent tarball into
  /home/runner, chown.
- Drop ENV HOME=/root; switch USER to `runner` before pre-commit caching
  so the cache lands under the runtime user's HOME.
- Replace CMD with ENTRYPOINT /home/runner/run.sh.
xnoto force-pushed the feat/runner-agent-tfroot-runner branch from b8115d3 to 3e731e7 on April 30, 2026 04:39
xnoto changed the title from "feat(tfroot-runner): layer the actions/runner agent for gha-runner-scale-set" to "feat(tfroot-runner): rebase onto ghcr.io/actions/actions-runner" on Apr 30, 2026
xnoto self-assigned this Apr 30, 2026
xnoto merged commit d1e6e1f into main Apr 30, 2026
2 checks passed
xnoto deleted the feat/runner-agent-tfroot-runner branch April 30, 2026 04:43