feat(infra): reactivate act_runner cache by sharing the runners network
CI / commits (pull_request) Successful in 11m3s
CI / scan (pull_request) Successful in 11m5s
CI / check (pull_request) Successful in 11m10s
CI / a11y (pull_request) Successful in 56s
CI / perf (pull_request) Successful in 1m46s

The deferred-since-day-one cache-server gap (documented as
"Cache server (deferred)" in infra/README.md, mentioned every
time we hit a slow CI install). Root cause: act_runner's
built-in cache server binds inside the runner container and
advertises an IP on the compose-defined `apf-portal-act-runners`
bridge — but jobs are spawned via the mounted /var/run/docker.
sock, which puts them on Docker's anonymous default `bridge`
instead. The advertised URL is unreachable from the job, every
cache request burns a ~2 min ETIMEDOUT (restore + save), the
hit rate is zero.

Fix: tell act_runner to attach jobs to the same compose-defined
bridge as the runners, via `container.network` in the shared
runner-config.yaml. The advertised cache URL becomes a normal
internal-network DNS hop, jobs reach the cache server, and
`cache: 'pnpm'` works end-to-end.

The blast-radius trade-off is bounded: every container on the
apf-portal-act-runners network is one of our runner containers
(plus the jobs they spawn), all of which already have full
docker-socket access. Sharing a network does not widen what a
malicious workflow can already do; it just lets jobs reach the
cache server.

Changes:
- infra/runner-config.yaml: add `container.network: apf-portal-
  act-runners`. Surface the `cache.enabled: true` default
  explicitly so a future contributor knows where the toggle is.
- .gitea/workflows/ci.yml: re-enable `cache: 'pnpm'` on every
  actions/setup-node step (5 jobs). Drop the now-stale block
  comment that explained the disablement.
- .gitea/workflows/security-scheduled.yml: same on the two
  setup-node steps in this workflow.
- infra/README.md "Cache server" section rewritten — was
  "(deferred)", now describes the working setup, with the
  rationale and blast-radius note. The disable toggle is
  documented inline.
- ci.yml's Trivy comment trimmed to drop the cross-reference to
  the deferred-cache-server section that no longer exists.

Roll-out on the runner host (manual, post-merge):

    cd <repo>/infra
    git pull
    ./ci-runners.sh rotate

`rotate` recreates the containers with the new
runner-config.yaml mount intact. The first CI job after rollout
seeds the cache from cold (~30-60 s install); subsequent jobs
should report `reused N` instead of `downloaded N` in the
`pnpm install --frozen-lockfile` line and finish a few minutes
faster overall.
This commit is contained in:
Julien Gautier
2026-05-10 18:54:04 +02:00
parent 2d676cc279
commit 2f41178935
4 changed files with 32 additions and 20 deletions
+6 -12
View File
@@ -2,15 +2,6 @@
# Thin YAML — orchestration lives in package.json scripts (ci:check,
# ci:audit, ci:commits, ci:perf) and Nx targets. Any change to gate
# behaviour belongs in those scripts, not in this file.
#
# `cache: 'pnpm'` is intentionally NOT enabled on actions/setup-node
# below: act_runner's built-in GitHub-Actions-cache server is bound on
# the runner container and is unreachable from job containers (which
# run on Docker's default network, not the runners' compose network).
# Each request burns a ~2 min ETIMEDOUT on restore + another on save,
# for zero hit rate. Once the runner network/cache config is fixed
# (tracked in infra/README.md "Cache server"), re-add `cache: 'pnpm'`
# here.
name: CI
@@ -50,6 +41,7 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
- run: pnpm ci:check
@@ -71,14 +63,13 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
# Dependency vulnerability scan. Trivy is a Go binary, not an npm
# package, so it cannot live in package.json scripts as cleanly
# as audit/lint do.
#
# We deliberately avoid `aquasecurity/trivy-action`. On cache
# miss (our act_runner cache server is unreachable from job
# containers — see infra/README.md "Cache server (deferred)"),
# the action falls back to `git clone github.com/aquasecurity/
# miss the action falls back to `git clone github.com/aquasecurity/
# trivy` to fetch its install script, using `actions/checkout`
# which defaults `with.token` to `${{ github.token }}` (Gitea's
# auto-token, useless for github.com). The clone hits the
@@ -171,6 +162,7 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
- run: COMMIT_LINT_FROM=origin/main pnpm ci:commits
@@ -195,6 +187,7 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
- run: pnpm ci:perf
- uses: actions/upload-artifact@v7
@@ -212,6 +205,7 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
# Placeholder until the e2e a11y suite (axe-core via Playwright,
# per ADR-0016) is wired with the first real screens. The job