ci: run actions runner as normal user

This commit is contained in:
teutat3s 2024-05-30 15:49:56 +02:00
parent 866785ef47
commit cc70a740a1
Signed by untrusted user: teutat3s
GPG key ID: 4FA1D3FA524F22C1
2 changed files with 31 additions and 18 deletions


@ -8,13 +8,6 @@ jobs:
- name: Check out repository code - name: Check out repository code
uses: https://code.forgejo.org/actions/checkout@v4 uses: https://code.forgejo.org/actions/checkout@v4
- name: Prepare cachix
uses: https://github.com/cachix/cachix-action@v14
with:
name: pub-solar
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
useDaemon: false
- name: Check formatting - name: Check formatting
run: | run: |
nix --accept-flake-config --access-tokens '' develop --command treefmt --fail-on-change nix --accept-flake-config --access-tokens '' develop --command treefmt --fail-on-change


@ -15,7 +15,24 @@
# Needed for the docker runner to communicate with the act_runner cache # Needed for the docker runner to communicate with the act_runner cache
networking.firewall.trustedInterfaces = [ "br-+" ]; networking.firewall.trustedInterfaces = [ "br-+" ];
systemd.services."gitea-runner-tankstelle".path = with pkgs; [ users.users.gitea-runner = {
home = "/var/lib/gitea-runner/tankstelle";
useDefaultShell = true;
group = "gitea-runner";
# Required to interact with nix daemon
extraGroups = [
"wheel"
];
isSystemUser = true;
};
users.groups.gitea-runner = { };
systemd.tmpfiles.rules = [ "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -" ];
systemd.services."gitea-runner-tankstelle" = {
serviceConfig.DynamicUser = lib.mkForce false;
path = with pkgs; [
coreutils coreutils
bash bash
coreutils coreutils
@ -25,7 +42,10 @@
gnused gnused
nodejs nodejs
wget wget
cachix
jq
]; ];
};
# forgejo actions runner # forgejo actions runner
# https://forgejo.org/docs/latest/admin/actions/ # https://forgejo.org/docs/latest/admin/actions/
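Review bot: The `"wheel"` entry in `extraGroups` of the added `users.users.gitea-runner` block grants the runner far more than the nix-daemon access the comment describes: on NixOS, wheel is the sudo group, and this runner executes workflow code supplied by the repositories it serves, so the commit does not really achieve "run as normal user". If plain daemon access is all that is needed, `nix.settings.allowed-users` permits it by default without any group; if the runner must have `--accept-flake-config` honoured (the workflow touched in this commit passes it), the narrower setting is `nix.settings.trusted-users = [ "gitea-runner" ];` in place of the wheel membership, with the comment changed to `# Trusted user so that --accept-flake-config is honoured` — though confirm trusted-user status is really required, since it also lets the runner set arbitrary substituters. Separately, `home` points at `/var/lib/gitea-runner/tankstelle` while the new tmpfiles rule only creates `/var/lib/gitea-runner` and `createHome` is not set, so verify that the subdirectory exists with the right owner before the unit starts. The enclosing attribute set starts and ends outside this hunk.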