5 changed files with 57 additions and 199 deletions
--- a/.forgejo/workflows/example-docker-compose.yml
+++ b/.forgejo/workflows/example-docker-compose.yml
@ -31,8 +31,6 @@ jobs:
      - name: run the example
        run: |
          set -x
-          mkdir -p /srv/runner-data
-          chown 1000:1000 /srv/runner-data
          cd examples/docker-compose
          secret=$(openssl rand -hex 20)
          sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml
@ -40,7 +38,7 @@ jobs:
          #
          # Launch Forgejo & the runner
          #
-          $cli up -d --remove-orphans
+          $cli up -d
          for delay in $(seq 60) ; do test -f /srv/runner-data/.runner && break ; sleep 30 ; done
          test -f /srv/runner-data/.runner
          #
--- a/6
+++ b/6
@ -1,6 +1,6 @@
 FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/tonistiigi/xx AS xx

-FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 AS build-env
+FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 as build-env

 #
 # Transparently cross compile for the target platform
@ -40,10 +40,8 @@ ENV HOME=/data

 USER 1000:1000

-COPY --chmod=555 entrypoint.sh /entrypoint.sh
-
 WORKDIR /data

 VOLUME ["/data"]

-ENTRYPOINT ["/entrypoint.sh"]
+CMD ["/bin/forgejo-runner"]
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -1,138 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-# Technically not nessecary but it cleans up the logs from having token/secret values
-run_command() {
-  local cmd="$@"
-  # Replace any --token <value> or --secret <value> with [REDACTED]
-  local safe_cmd=$(echo "$cmd" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g')
-  decho "Running command: $safe_cmd"
-  eval $cmd
-}
-
-decho() {
-  if [[ "${DEBUG}" == "true" ]]; then
-    echo "[entrypoint] $@"
-  fi
-}
-decho $PWD
-
-# Check if the script is running as root
-if [[ $(id -u) -eq 0 ]]; then
-  ISROOT=true
-  decho "[WARNING] Running as root user"
-fi
-
-# Handle if `command` is passed, as command appends arguments to the entrypoint
-if [ "$#" -gt 0 ]; then
-    run_command $@
-    exit
-fi
-
-# Handle and alter the config file
-if [[ -z "${CONFIG_FILE}" ]]; then
-  echo "CONFIG_FILE is not set"
-  CONFIG_FILE="/data/config.yml"
-fi
-CONFIG_ARG="--config ${CONFIG_FILE}"
-decho "CONFIG: ${CONFIG_ARG}"
-
-DOCKER_HOST=${DOCKER_HOST:-"tcp://docker:2367"}
-DOCKER_CERT_PATH=${DOCKER_CERT_PATH:-"/certs/client"}
-DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-1}
-decho "DOCKER_HOST: ${DOCKER_HOST}"
-decho "DOCKER_CERT_PATH: ${DOCKER_CERT_PATH}"
-decho "DOCKER_TLS_VERIFY: ${DOCKER_TLS_VERIFY}"
-if [[ ! -f "${CONFIG_FILE}" ]]; then
-  echo "Creating ${CONFIG_FILE}"
-  run_command "forgejo-runner generate-config > ${CONFIG_FILE}"
-
-  # Remove test environment variables if they exist in the config file
-  sed -i "/^    A_TEST_ENV_NAME_1:/d" ${CONFIG_FILE}
-  sed -i "/^    A_TEST_ENV_NAME_2:/d" ${CONFIG_FILE}
-
-  # Apply default values for docker
-  sed -i "/^  labels:/c\  labels: [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE}
-  sed -i "/^  network:/c\  network: host" ${CONFIG_FILE}
-
-  if [[ "${DOCKER_PRIVILEGED}" == "true" ]]; then
-    sed -i "/^  privileged:/c\  privileged: true" ${CONFIG_FILE}
-    sed -i "/^  options:/c\  options:-v /certs/client:/certs/client" ${CONFIG_FILE}
-    sed -i "/^  valid_volumes:/c\  valid_volumes:\n    - /certs/client" ${CONFIG_FILE}
-  fi
-
-fi
-
-ENV_FILE=${ENV_FILE:-"/data/.env"}
-decho "ENV_FILE: ${ENV_FILE}"
-sed -i "/^  env_file:/c\  env_file: ${ENV_FILE}" ${CONFIG_FILE}
-
-if [[ ! -f "${ENV_FILE}" ]]; then
-  echo "Creating ${ENV_FILE}"
-  touch ${ENV_FILE}
-  echo "DOCKER_HOST=${DOCKER_HOST}" >> ${ENV_FILE}
-  echo "DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY}" >> ${ENV_FILE}
-  echo "DOCKER_CERT_PATH=${DOCKER_CERT_PATH}" >> ${ENV_FILE}
-fi
-
-EXTRA_ARGS=""
-if [[ ! -z "${RUNNER_LABELS}" ]]; then
-  EXTRA_ARGS="${EXTRA_ARGS} --labels ${RUNNER_LABELS}"
-fi
-decho "EXTRA_ARGS: ${EXTRA_ARGS}"
-
-# Set the runner file
-RUNNER_FILE=${RUNNER_FILE:-"runner.json"} # use json so editors know how to highlight
-decho "RUNNER_FILE: ${RUNNER_FILE}"
-sed -i "/^  file:/c\  file: ${RUNNER_FILE}" ${CONFIG_FILE}
-
-if [[ "${SKIP_WAIT}" != "true" ]]; then
-  echo "Waiting 10s to allow other services to start up..."
-  sleep 10
-fi
-
-if [[ ! -s "${RUNNER_FILE}" ]]; then
-  touch ${RUNNER_FILE}
-  try=$((try + 1))
-  success=0
-  decho "try: ${try}, success: ${success}"
-
-  # The point of this loop is to make it simple, when running both forgejo-runner and gitea in docker,
-  # for the forgejo-runner to wait a moment for gitea to become available before erroring out.  Within
-  # the context of a single docker-compose, something similar could be done via healthchecks, but
-  # this is more flexible.
-  while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do
-    if [[ ! -z "${FORGEJO_SECRET}" ]]; then
-      run_command forgejo-runner create-runner-file --connect \
-    --instance "${FORGEJO_URL:-http://forgejo:3000}" \
-    --name "${RUNNER_NAME:-$(hostname)}" \
-    --secret "${FORGEJO_SECRET}" \
-    ${CONFIG_ARG}\
-    ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log
-    else
-      run_command forgejo-runner register \
-    --instance "${FORGEJO_URL:-http://forgejo:3000}" \
-    --name "${RUNNER_NAME:-$(hostname)}" \
-    --token "${RUNNER_TOKEN}" \
-    --no-interactive \
-    ${CONFIG_ARG}\
-    ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log
-    fi
-    cat /tmp/reg.log | grep -E 'connection successful|registered successfully' >/dev/null
-    if [[ $? -eq 0 ]]; then
-      echo "SUCCESS"
-      success=1
-    else
-      echo "Waiting to retry ..."
-      sleep 5
-    fi
-    decho "try: ${try}, success: ${success}"
-  done
-fi
-
-# Prevent reading the token from the forgejo-runner process
-unset RUNNER_TOKEN
-unset FORGEJO_SECRET
-
-run_command forgejo-runner daemon ${CONFIG_ARG}
--- a/examples/docker-compose/.gitignore
+++ b/examples/docker-compose/.gitignore
@ -1 +0,0 @@
-srv
--- a/examples/docker-compose/compose-forgejo-and-runner.yml
+++ b/examples/docker-compose/compose-forgejo-and-runner.yml
@ -11,82 +11,83 @@
 # NOTE: a token obtained from the Forgejo web interface cannot be used
 #       as a shared secret.
 #
-# Replace ${RUNNER_TOKEN} with the token obtained from the Forgejo web interface.
-#
-# Replace {ROOT_PASSWORD} with a secure password.
+# Replace {ROOT_PASSWORD} with a secure password
 #
+
 volumes:
  docker_certs:

 services:
+
  docker-in-docker:
    image: code.forgejo.org/oci/docker:dind
-    hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost
-    restart: unless-stopped
+    hostname: docker  # Must set hostname as TLS certificates are only valid for docker or localhost
    privileged: true
    environment:
-      DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375
-      DOCKER_HOST: "docker" # remove aswell to disable TLS
+      DOCKER_TLS_CERTDIR: /certs
+      DOCKER_HOST: docker-in-docker
    volumes:
      - docker_certs:/certs

  forgejo:
    image: codeberg.org/forgejo/forgejo:1.21
-    hostname: forgejo
-    volumes:
-      - /srv/forgejo-data:/data
-    ports:
-      - 8080:3000
-    environment:
-      FORGEJO__security__INSTALL_LOCK: "true" # remove in production
-      FORGEJO__log__LEVEL: "debug" # remove in production
-      FORGEJO__repository__ENABLE_PUSH_CREATE_USER: "true" # enables the ability to create a repo when pushing
-      FORGEJO__repository__DEFAULT_PUSH_CREATE_PRIVATE: "false" # defaults above to public
-      FORGEJO__repository__DEFAULT_REPO_UNITS: "repo.code,repo.actions"
-    # `command` is not neecessary, but can be used to create an admin user as shown below when combined with INSTALL_LOCK
    command: >-
      bash -c '
      /bin/s6-svscan /etc/s6 &
      sleep 10 ;
-      su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ;
      su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ;
+      su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ;
      sleep infinity
      '
+    environment:
+      FORGEJO__security__INSTALL_LOCK: "true"
+      FORGEJO__log__LEVEL: "debug"
+      FORGEJO__repository__ENABLE_PUSH_CREATE_USER: "true"
+      FORGEJO__repository__DEFAULT_PUSH_CREATE_PRIVATE: "false"
+      FORGEJO__repository__DEFAULT_REPO_UNITS: "repo.code,repo.actions"
+    volumes:
+      - /srv/forgejo-data:/data
+    ports:
+      - 8080:3000
+
+  runner-register:
+    image: code.forgejo.org/forgejo/runner:3.4.1
+    links:
+      - docker-in-docker
+      - forgejo
+    environment:
+      DOCKER_HOST: tcp://docker-in-docker:2376
+    volumes:
+      - /srv/runner-data:/data
+    user: 0:0
+    command: >-
+      bash -ec '
+      while : ; do
+        forgejo-runner create-runner-file --connect --instance http://forgejo:3000 --name runner --secret {SHARED_SECRET} && break ;
+        sleep 1 ;
+      done ;
+      sed -i -e "s|\"labels\": null|\"labels\": [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]|" .runner ;
+      forgejo-runner generate-config > config.yml ;
+      sed -i -e "s|network: .*|network: host|" config.yml ;
+      sed -i -e "s|^  envs:$$|  envs:\n    DOCKER_HOST: tcp://docker:2376\n    DOCKER_TLS_VERIFY: 1\n    DOCKER_CERT_PATH: /certs/client|" config.yml ;
+      sed -i -e "s|^  options:|  options: -v /certs/client:/certs/client|" config.yml ;
+      sed -i -e "s|  valid_volumes: \[\]$$|  valid_volumes:\n    - /certs/client|" config.yml ;
+      chown -R 1000:1000 /data
+      '

-  # all values that have defaults listed are optional
-  # only FORGEJO_SECRET or RUNNER_TOKEN is required, the secret will be prioritized
-  # FORGEJO_URL is required if forgejo is not in this compose file or docker network
  runner-daemon:
-    ## TODO: Update image to the the release
-    ## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283
-
-    # image: code.forgejo.org/forgejo/runner:3.4.1
-    build: ../../
-    user: "1000" # defaults to 1000,
-    restart: unless-stopped # needed for fixing file ownership on restart
+    image: code.forgejo.org/forgejo/runner:3.4.1
+    links:
+      - docker-in-docker
+      - forgejo
+    environment:
+      DOCKER_HOST: tcp://docker:2376
+      DOCKER_CERT_PATH: /certs/client
+      DOCKER_TLS_VERIFY: "1"
    volumes:
      - /srv/runner-data:/data
      - docker_certs:/certs
-    depends_on:
-      - docker-in-docker
-      - forgejo
-    links:
-      - forgejo
-      - docker-in-docker
-    environment:
-      CONFIG_FILE: config.yml # defaults to /data/config.yml
-
-      DOCKER_HOST: "tcp://docker:2376" # defaults to tcp://docker:2376
-      DOCKER_CERT_PATH: "/certs/client" # defaults to /certs/client
-      DOCKER_TLS_VERIFY: "1" # defaults to 1
-      DOCKER_PRIVILEGED: "true" # defaults to false for security reasons
-
-      FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000
-      FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN
-
-      RUNNER_FILE: .runner # defaults to /data/runner.json
-      RUNNER_NAME: runner-daemon # defaults to forgejo-runner, used for registration
-      RUNNER_TOKEN: ${RUNNER_TOKEN} # token obtained from Forgejo web interface
-
-      DEBUG: "true" # defaults to false, set to true to enable debug logging
-      SKIP_WAIT: "false" # defaults to false, set to true to skip the 10 second wait to allow for forgejo and docker-in-docker to start
+    command: >-
+      bash -c '
+      while : ; do test -w .runner && forgejo-runner --config config.yml daemon ; sleep 1 ; done
+      '