forgejo-runner/entrypoint.sh

#!/usr/bin/env bash

set -e

run_command() {
  local cmd="$1"

  # Replace any --token <value> or --secret <value> with [REDACTED]
  local safe_cmd=$(echo "$cmd" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g')

  decho "Running command: $safe_cmd"

  if [[ "$ISROOT" == true ]]; then
    decho "Running as forgejo-runner"
    su -c "$cmd" forgejo-runner
  else
    decho "Running as $(whoami)"
    eval "$cmd"
  fi
}

makeUser() {
  adduser -u ${RUNNER_USER} -h /data -s /bin/bash -D forgejo-runner
}
makeGroup() {
  addgroup -g ${RUNNER_USER} forgejo-runner
}

decho() {
  if [[ "${DEBUG}" == "true" ]]; then
    echo "[entrypoint] $@"
  fi
}

# Initial setup
cd /data

decho "RUNNER_USER: ${RUNNER_USER}"
RUNNER_USER="${RUNNER_USER:-1000}"
# Check if the script is running as root
if [[ $(id -u) -eq 0 ]]; then
  ISROOT=true
  decho "Running as root"
fi

if [[ "$ISROOT" == true ]]; then
  # Check if the forgejo-runner user exists, if not, create it
  if ! id -u forgejo-runner >/dev/null 2>&1; then
    decho "Creating user forgejo-runner with UID ${RUNNER_USER}"
    makeUser
  else
      CURRENT_UID=$(id -u forgejo-runner)
      if [[ "${CURRENT_UID}" -ne "${RUNNER_USER}" ]]; then
        decho "Changing UID of forgejo-runner from ${CURRENT_UID} to ${RUNNER_USER}"
        deluser forgejo-runner
        makeUser
      fi
  fi

  # Check if the forgejo-runner group exists, if not, create it
  if ! getent group forgejo-runner >/dev/null 2>&1; then
    decho "Creating group forgejo-runner with GID ${RUNNER_USER}"
    makeGroup
  else
    CURRENT_GID=$(getent group forgejo-runner | cut -d: -f3)
    if [[ "${CURRENT_GID}" -ne "${RUNNER_USER}" ]]; then
      decho "Changing GID of forgejo-runner from ${CURRENT_GID} to ${RUNNER_USER}"
      delgroup forgejo-runner
      makeGroup
    fi
  fi

  # Ensure /data is owned by the runner user
  # yes this can slow things down but is 100% nessecary for the runner to function
  # when running as a root user, because for some reason the runner create files as
  # root and then cant access them
  chown -R forgejo-runner:forgejo-runner /data
fi

# Handle and alter the config file
if [[ -z "${CONFIG_FILE}" ]]; then
  echo "CONFIG_FILE is not set"
  CONFIG_FILE="/data/config.yml"
fi
CONFIG_ARG="--config ${CONFIG_FILE}"
decho "CONFIG: ${CONFIG_ARG}"

DOCKER_HOST=${DOCKER_HOST:-docker}
DOCKER_CERT_PATH=${DOCKER_CERT_PATH:-"/certs/client"}
DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-0}
decho "DOCKER_HOST: ${DOCKER_HOST}"
decho "DOCKER_CERT_PATH: ${DOCKER_CERT_PATH}"
decho "DOCKER_TLS_VERIFY: ${DOCKER_TLS_VERIFY}"
if [[ ! -f "${CONFIG_FILE}" ]]; then
  echo "Creating ${CONFIG_FILE}"
  run_command "forgejo-runner generate-config > ${CONFIG_FILE}"

  # Remove test environment variables if they exist in the config file
  sed -i "/^    A_TEST_ENV_NAME_1:/d" ${CONFIG_FILE}
  sed -i "/^    A_TEST_ENV_NAME_2:/d" ${CONFIG_FILE}

  # Apply default values for docker
  sed -i "/^  labels:/c\  labels: [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE}
  sed -i "/^  network:/c\  network: host" ${CONFIG_FILE}
  sed -i "/^  privileged:/c\  privileged: true" ${CONFIG_FILE}


  if [[ "${DOCKER_TLS_VERIFY}" -ne 1 ]]; then
    decho "Docker TLS diabled"
    sed -i "/^  docker_host:/c\  docker_host: ${DOCKER_HOST}" ${CONFIG_FILE}
  else
    decho "Docker TLS enabled"
    sed -i "/^  docker_host:/c\  docker_host: ${DOCKER_HOST}" ${CONFIG_FILE}
    sed -i "/^  valid_volumes:/c\  valid_volumes:\n    - ${DOCKER_CERT_PATH}" ${CONFIG_FILE}
    sed -i "/^  options:/c\  options: -v ${DOCKER_CERT_PATH}:${DOCKER_CERT_PATH}" ${CONFIG_FILE}
  fi
fi

ENV_FILE=${ENV_FILE:-"/data/.env"}
decho "ENV_FILE: ${ENV_FILE}"
sed -i "/^  env_file:/c\  env_file: ${ENV_FILE}" ${CONFIG_FILE}

if [[ ! -f "${ENV_FILE}" ]]; then
  echo "Creating ${ENV_FILE}"
  touch ${ENV_FILE}
  echo "DOCKER_HOST=${DOCKER_HOST}" >> ${ENV_FILE}
  echo "DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY}" >> ${ENV_FILE}
  echo "DOCKER_CERT_PATH=${DOCKER_CERT_PATH}" >> ${ENV_FILE}
fi

EXTRA_ARGS=""
if [[ ! -z "${RUNNER_LABELS}" ]]; then
  EXTRA_ARGS="${EXTRA_ARGS} --labels ${RUNNER_LABELS}"
fi
decho "EXTRA_ARGS: ${EXTRA_ARGS}"

# Set the runner file
if [[ -z "${RUNNER_FILE}" ]]; then
  RUNNER_FILE="runner.json" # use json so editors know how to highlight
fi
decho "RUNNER_FILE: ${RUNNER_FILE}"
sed -i "/^  file:/c\  file: ${RUNNER_FILE}" ${CONFIG_FILE}

if [[ "${SKIP_WAIT}" != "true" ]]; then
  echo "Waiting 10s to allow other services to start up..."
  sleep 10
fi

if [[ ! -s "${RUNNER_FILE}" ]]; then
  touch ${RUNNER_FILE}
  try=$((try + 1))
  success=0
  decho "try: ${try}, success: ${success}"

  # The point of this loop is to make it simple, when running both forgejo-runner and gitea in docker,
  # for the forgejo-runner to wait a moment for gitea to become available before erroring out.  Within
  # the context of a single docker-compose, something similar could be done via healthchecks, but
  # this is more flexible.
  while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do
  if [[ ! -z "${FORGEJO_SECRET}" ]]; then
    run_command "forgejo-runner create-runner-file --connect \
    --instance \"${FORGEJO_URL:-http://forgejo:3000}\" \
    --name \"${RUNNER_NAME:-$(hostname)}\" \
    --secret \"${FORGEJO_SECRET}\" \
    ${CONFIG_ARG}\
    ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log"
  else
    run_command "forgejo-runner register \
    --instance \"${FORGEJO_URL:-http://forgejo:3000}\" \
    --name \"${RUNNER_NAME:-$(hostname)}\" \
    --token \"${RUNNER_TOKEN}\" \
    --no-interactive \
    ${CONFIG_ARG}\
    ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log"
  fi
    cat /tmp/reg.log | grep -E 'connection successful|registered successfully' >/dev/null
    if [[ $? -eq 0 ]]; then
      echo "SUCCESS"
      success=1
    else
      echo "Waiting to retry ..."
      sleep 5
    fi
    decho "try: ${try}, success: ${success}"
  done
fi

# Prevent reading the token from the forgejo-runner process
unset RUNNER_TOKEN
unset FORGEJO_SECRET

run_command "forgejo-runner daemon ${CONFIG_ARG}"