5 changed files with 62 additions and 200 deletions
--- a/.forgejo/workflows/example-docker-compose.yml
+++ b/.forgejo/workflows/example-docker-compose.yml
@ -14,22 +14,19 @@ jobs:
      - name: Install docker
        run: |
          apt-get update -qq
          export DOCKER_TLS_VERIFY=""
          export DOCKER_HOST="unix:///var/run/docker.sock"
          export DEBIAN_FRONTEND=noninteractive
          apt-get install -qq -y ca-certificates curl gnupg
          install -m 0755 -d /etc/apt/keyrings
-          curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+          curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
-          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
          apt-get update -qq
          apt-get install -qq -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin=2.20.2-1~debian.11~bullseye
          docker version
          #
          # docker compose is prone to non backward compatible changes, pin it
          #
          apt-get install -qq -y docker-compose-plugin=2.20.2-1~debian.11~bullseye
-
+          docker compose version
      - name: Start Docker Daemon in the Background
        run: |
          nohup dockerd > /dev/null 2>&1 &
          sleep 10  # Wait for Docker to initialize
          docker info  # Verify Docker is running
      - name: run the example
        run: |
@ -38,7 +35,6 @@ jobs:
          secret=$(openssl rand -hex 20)
          sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml
          cli="docker compose --progress quiet -f compose-forgejo-and-runner.yml"
          chown -R 1000:1000 /srv
          #
          # Launch Forgejo & the runner
          #
--- a/6
+++ b/6
@ -1,6 +1,6 @@
 FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/tonistiigi/xx AS xx
-FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 AS build-env
+FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 as build-env
 #
 # Transparently cross compile for the target platform
@ -40,10 +40,8 @@ ENV HOME=/data
 USER 1000:1000
 COPY --chmod=555 entrypoint.sh /entrypoint.sh
 WORKDIR /data
 VOLUME ["/data"]
-ENTRYPOINT ["/entrypoint.sh"]
+CMD ["/bin/forgejo-runner"]
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -1,132 +0,0 @@
 #!/usr/bin/env bash
 set -e
 # Technically not nessecary but it cleans up the logs from having token/secret values
 run_command() {
  local cmd="$@"
  # Replace any --token <value> or --secret <value> with [REDACTED]
  local safe_cmd=$(echo "$cmd" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g')
  decho "Running command: $safe_cmd"
  eval $cmd
 }
 decho() {
  if [[ "${DEBUG}" == "true" ]]; then
    echo "[entrypoint] $@"
  fi
 }
 decho $PWD
 # Check if the script is running as root
 if [[ $(id -u) -eq 0 ]]; then
  ISROOT=true
  decho "[WARNING] Running as root user"
 fi
 # Handle if `command` is passed, as command appends arguments to the entrypoint
 if [ "$#" -gt 0 ]; then
    run_command $@
    exit
 fi
 # Handle and alter the config file
 if [[ -z "${CONFIG_FILE}" ]]; then
  echo "CONFIG_FILE is not set"
  CONFIG_FILE="/data/config.yml"
 fi
 CONFIG_ARG="--config ${CONFIG_FILE}"
 decho "CONFIG: ${CONFIG_ARG}"
 DOCKER_HOST=${DOCKER_HOST:-"tcp://docker:2367"}
 DOCKER_CERT_PATH=${DOCKER_CERT_PATH:-"/certs/client"}
 DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-1}
 decho "DOCKER_HOST: ${DOCKER_HOST}"
 decho "DOCKER_CERT_PATH: ${DOCKER_CERT_PATH}"
 decho "DOCKER_TLS_VERIFY: ${DOCKER_TLS_VERIFY}"
 if [[ ! -f "${CONFIG_FILE}" ]]; then
  echo "Creating ${CONFIG_FILE}"
  run_command "forgejo-runner generate-config > ${CONFIG_FILE}"
  # Remove test environment variables if they exist in the config file
  sed -i "/^    A_TEST_ENV_NAME_1:/d" ${CONFIG_FILE}
  sed -i "/^    A_TEST_ENV_NAME_2:/d" ${CONFIG_FILE}
  # Apply default values for docker
  sed -i "/^  labels:/c\  labels: [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE}
  sed -i "/^  network:/c\  network: host" ${CONFIG_FILE}
 fi
 ENV_FILE=${ENV_FILE:-"/data/.env"}
 decho "ENV_FILE: ${ENV_FILE}"
 sed -i "/^  env_file:/c\  env_file: ${ENV_FILE}" ${CONFIG_FILE}
 if [[ ! -f "${ENV_FILE}" ]]; then
  echo "Creating ${ENV_FILE}"
  touch ${ENV_FILE}
  echo "DOCKER_HOST=${DOCKER_HOST}" >> ${ENV_FILE}
  echo "DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY}" >> ${ENV_FILE}
  echo "DOCKER_CERT_PATH=${DOCKER_CERT_PATH}" >> ${ENV_FILE}
 fi
 EXTRA_ARGS=""
 if [[ ! -z "${RUNNER_LABELS}" ]]; then
  EXTRA_ARGS="${EXTRA_ARGS} --labels ${RUNNER_LABELS}"
 fi
 decho "EXTRA_ARGS: ${EXTRA_ARGS}"
 # Set the runner file
 RUNNER_FILE=${RUNNER_FILE:-"runner.json"} # use json so editors know how to highlight
 decho "RUNNER_FILE: ${RUNNER_FILE}"
 sed -i "/^  file:/c\  file: ${RUNNER_FILE}" ${CONFIG_FILE}
 if [[ "${SKIP_WAIT}" != "true" ]]; then
  echo "Waiting 10s to allow other services to start up..."
  sleep 10
 fi
 if [[ ! -s "${RUNNER_FILE}" ]]; then
  touch ${RUNNER_FILE}
  try=$((try + 1))
  success=0
  decho "try: ${try}, success: ${success}"
  # The point of this loop is to make it simple, when running both forgejo-runner and gitea in docker,
  # for the forgejo-runner to wait a moment for gitea to become available before erroring out.  Within
  # the context of a single docker-compose, something similar could be done via healthchecks, but
  # this is more flexible.
  while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do
    if [[ ! -z "${FORGEJO_SECRET}" ]]; then
      run_command forgejo-runner create-runner-file --connect \
    --instance "${FORGEJO_URL:-http://forgejo:3000}" \
    --name "${RUNNER_NAME:-$(hostname)}" \
    --secret "${FORGEJO_SECRET}" \
    ${CONFIG_ARG}\
    ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log
    else
      run_command forgejo-runner register \
    --instance "${FORGEJO_URL:-http://forgejo:3000}" \
    --name "${RUNNER_NAME:-$(hostname)}" \
    --token "${RUNNER_TOKEN}" \
    --no-interactive \
    ${CONFIG_ARG}\
    ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log
    fi
    cat /tmp/reg.log | grep -E 'connection successful|registered successfully' >/dev/null
    if [[ $? -eq 0 ]]; then
      echo "SUCCESS"
      success=1
    else
      echo "Waiting to retry ..."
      sleep 5
    fi
    decho "try: ${try}, success: ${success}"
  done
 fi
 # Prevent reading the token from the forgejo-runner process
 unset RUNNER_TOKEN
 unset FORGEJO_SECRET
 run_command forgejo-runner daemon ${CONFIG_ARG}
--- a/examples/docker-compose/.gitignore
+++ b/examples/docker-compose/.gitignore
@ -1 +0,0 @@
 srv
--- a/examples/docker-compose/compose-forgejo-and-runner.yml
+++ b/examples/docker-compose/compose-forgejo-and-runner.yml
@ -11,82 +11,83 @@
 # NOTE: a token obtained from the Forgejo web interface cannot be used
 #       as a shared secret.
 #
-# Replace ${RUNNER_TOKEN} with the token obtained from the Forgejo web interface.
+# Replace {ROOT_PASSWORD} with a secure password
 #
 # Replace ROOT_PASSWORD with a secure password.
 #
 networks:
  forgejo:
 volumes:
  docker_certs:
 services:
  docker-in-docker:
    image: code.forgejo.org/oci/docker:dind
-    hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost
+    hostname: docker  # Must set hostname as TLS certificates are only valid for docker or localhost
    restart: unless-stopped
    privileged: true
    networks:
      - forgejo
    environment:
-      DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375
+      DOCKER_TLS_CERTDIR: /certs
-      DOCKER_HOST: "docker" # remove aswell to disable TLS
+      DOCKER_HOST: docker-in-docker
    volumes:
      - docker_certs:/certs
  forgejo:
    image: codeberg.org/forgejo/forgejo:1.21
    hostname: forgejo
    networks:
      - forgejo
    volumes:
      - /srv/forgejo-data:/data
    ports:
      - 8080:3000
    environment:
      FORGEJO__security__INSTALL_LOCK: "true" # remove in production
    command: >-
      bash -c '
      /bin/s6-svscan /etc/s6 &
      sleep 10 ;
      su -c "forgejo admin user create --admin --username root --password ROOT_PASSWORD --email root@example.com" git ;
      su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ;
      su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ;
      sleep infinity
      '
-
+    environment:
-  # all values that have defaults listed are optional
+      FORGEJO__security__INSTALL_LOCK: "true"
-  # only FORGEJO_SECRET or RUNNER_TOKEN is required, the secret will be prioritized
+      FORGEJO__log__LEVEL: "debug"
-  # FORGEJO_URL is required if forgejo is not in this compose file or docker network
+      FORGEJO__repository__ENABLE_PUSH_CREATE_USER: "true"
-  runner-daemon:
+      FORGEJO__repository__DEFAULT_PUSH_CREATE_PRIVATE: "false"
-    ## TODO: Update image to the the release
+      FORGEJO__repository__DEFAULT_REPO_UNITS: "repo.code,repo.actions"
    ## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283
    # image: code.forgejo.org/forgejo/runner:3.4.1
    build: ../../
    user: "1000" # defaults to 1000,
    restart: unless-stopped # needed for fixing file ownership on restart
    volumes:
-      - /srv/runner-data:/data
+      - /srv/forgejo-data:/data
-      - docker_certs:/certs
+    ports:
-    networks:
+      - 8080:3000
-      - forgejo
+
-    depends_on:
+  runner-register:
    image: code.forgejo.org/forgejo/runner:3.4.1
    links:
      - docker-in-docker
      - forgejo
    environment:
-      CONFIG_FILE: config.yml # defaults to /data/config.yml
+      DOCKER_HOST: tcp://docker-in-docker:2376
    volumes:
      - /srv/runner-data:/data
    user: 0:0
    command: >-
      bash -ec '
      while : ; do
        forgejo-runner create-runner-file --connect --instance http://forgejo:3000 --name runner --secret {SHARED_SECRET} && break ;
        sleep 1 ;
      done ;
      sed -i -e "s|\"labels\": null|\"labels\": [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]|" .runner ;
      forgejo-runner generate-config > config.yml ;
      sed -i -e "s|network: .*|network: host|" config.yml ;
      sed -i -e "s|^  envs:$$|  envs:\n    DOCKER_HOST: tcp://docker:2376\n    DOCKER_TLS_VERIFY: 1\n    DOCKER_CERT_PATH: /certs/client|" config.yml ;
      sed -i -e "s|^  options:|  options: -v /certs/client:/certs/client|" config.yml ;
      sed -i -e "s|  valid_volumes: \[\]$$|  valid_volumes:\n    - /certs/client|" config.yml ;
      chown -R 1000:1000 /data
      '
-      DOCKER_HOST: "tcp://docker:2376" # defaults to tcp://docker:2376
+  runner-daemon:
-      DOCKER_CERT_PATH: "/certs/client" # defaults to /certs/client
+    image: code.forgejo.org/forgejo/runner:3.4.1
-      DOCKER_TLS_VERIFY: "1" # defaults to 1
+    links:
-
+      - docker-in-docker
-      FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000
+      - forgejo
-      FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN
+    environment:
-
+      DOCKER_HOST: tcp://docker:2376
-      RUNNER_FILE: .runner # defaults to /data/runner.json
+      DOCKER_CERT_PATH: /certs/client
-      RUNNER_NAME: runner-daemon # defaults to forgejo-runner, used for registration
+      DOCKER_TLS_VERIFY: "1"
-      RUNNER_TOKEN: ${RUNNER_TOKEN} # token obtained from Forgejo web interface
+    volumes:
-
+      - /srv/runner-data:/data
-      DEBUG: "true" # defaults to false, set to true to enable debug logging
+      - docker_certs:/certs
-      SKIP_WAIT: "false" # defaults to false, set to true to skip the 10 second wait to allow for forgejo and docker-in-docker to start
+    command: >-
      bash -c '
      while : ; do test -w .runner && forgejo-runner --config config.yml daemon ; sleep 1 ; done
      '