Initial commit

Dockerfile

@@ -0,0 +1,39 @@
+FROM registry.fedoraproject.org/fedora-minimal:41
+
+ARG RUNNER_VERSION=6.3.1
+
+RUN dnf5 -y --setopt install_weak_deps=false install podman vim setpriv git nodejs22
+
+ENV BUILDAH_ISOLATION=chroot
+
+RUN curl -sfL https://code.forgejo.org/forgejo/runner/releases/download/v${RUNNER_VERSION}/forgejo-runner-${RUNNER_VERSION}-linux-amd64 -o /usr/local/bin/forgejo-runner
+RUN chmod +x /usr/local/bin/forgejo-runner
+
+RUN echo "nobody:65536:65536" > /etc/subuid
+RUN echo "nobody:65536:65536" > /etc/subgid
+
+ENV HOME=/builder
+ENV REGISTRY_AUTH_FILE=/builder/.config/containers/auth.json
+
+# This is a workaround for https://github.com/containers/podman/issues/23818, apart from that it serves absolutely no purpose. I also don't know why it looks there, given HOME is elsewhere, but it doesn't seem to cause any issues.
+RUN mkdir /.config && chown 65534:65534 /.config
+
+RUN mkdir /builder /builder/.config && chown -R 65534:65534 /builder
+
+WORKDIR /builder
+
+RUN setcap cap_setuid=ep /usr/bin/newuidmap cap_setgid=ep /usr/bin/newgidmap
+
+RUN find / -mindepth 1 -path /proc -prune -or -path /sys -prune -or -path /dev -prune -or -type f -perm /6000 -exec sh -c "chmod ug-s '{}' && echo \"Removed setuid/setgid bit(s) from '{}'\"" \;
+
+RUN getcap -r / | awk '{ print $1 }' | grep -vE '/usr/bin/new[ug]idmap' | xargs -I '{}' sh -c "setcap -r '{}' && echo \"Removed file capability bit(s) from '{}'\""
+
+RUN shopt -s dotglob && rm -rf /var/cache/* /tmp/* /var/tmp/*
+
+COPY entrypoint.sh /entrypoint.sh
+
+RUN chmod +x /entrypoint.sh
+
+USER 65534:65534
+
+CMD ["/entrypoint.sh"]

entrypoint.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+cp /config/.runner /builder/.runner
+chmod 600 /builder/.runner
+
+mkdir -p /builder/.config/containers
+cp /config/auth.json /builder/.config/containers/auth.json
+chmod 600 /builder/.config/containers/auth.json
+
+exec setpriv --ambient-caps "-all" /usr/local/bin/forgejo-runner one-job --config config.yaml