foundation-runner (forgejo/runner:6, digest-pinned). Registration is idempotent (ADR-007): it reuses /data/.runner if present, else mints a token via `forgejo actions generate-runner-token` and consumes it with `forgejo-runner register` (the token never leaves the VM). The daemon runs as uid 1000 with the host docker group (gid 996) added for socket access — root-equivalent and co-located, the documented day-zero compromise (PLAN-002 R5 / PLAN-001 §4a); a fenced or separate runner VM is the steady state. Live on cx33 Helsinki: runner declared (labels docker,dind) and polling; a hello-world `runs-on: docker` workflow pushed to olsitec/foundation ran to success (workflow run #1). Acceptance T10 met. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| components | ||
| lib | ||
| config.ts | ||
| index.ts | ||
| package.json | ||
| Pulumi.foundation.yaml | ||
| Pulumi.yaml | ||
| run.sh | ||
| tsconfig.json | ||
| vault-unseal.sh | ||