feat(infra): reactivate act_runner cache by sharing the runners network #82
+6
-12
@@ -2,15 +2,6 @@
|
||||
# Thin YAML — orchestration lives in package.json scripts (ci:check,
|
||||
# ci:audit, ci:commits, ci:perf) and Nx targets. Any change to gate
|
||||
# behaviour belongs in those scripts, not in this file.
|
||||
#
|
||||
# `cache: 'pnpm'` is intentionally NOT enabled on actions/setup-node
|
||||
# below: act_runner's built-in GitHub-Actions-cache server is bound on
|
||||
# the runner container and is unreachable from job containers (which
|
||||
# run on Docker's default network, not the runners' compose network).
|
||||
# Each request burns a ~2 min ETIMEDOUT on restore + another on save,
|
||||
# for zero hit rate. Once the runner network/cache config is fixed
|
||||
# (tracked in infra/README.md "Cache server"), re-add `cache: 'pnpm'`
|
||||
# here.
|
||||
|
||||
name: CI
|
||||
|
||||
@@ -50,6 +41,7 @@ jobs:
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version-file: '.nvmrc'
|
||||
cache: 'pnpm'
|
||||
- run: pnpm install --frozen-lockfile
|
||||
- run: pnpm ci:check
|
||||
|
||||
@@ -71,14 +63,13 @@ jobs:
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version-file: '.nvmrc'
|
||||
cache: 'pnpm'
|
||||
# Dependency vulnerability scan. Trivy is a Go binary, not an npm
|
||||
# package, so it cannot live in package.json scripts as cleanly
|
||||
# as audit/lint do.
|
||||
#
|
||||
# We deliberately avoid `aquasecurity/trivy-action`. On cache
|
||||
# miss (our act_runner cache server is unreachable from job
|
||||
# containers — see infra/README.md "Cache server (deferred)"),
|
||||
# the action falls back to `git clone github.com/aquasecurity/
|
||||
# miss the action falls back to `git clone github.com/aquasecurity/
|
||||
# trivy` to fetch its install script, using `actions/checkout`
|
||||
# which defaults `with.token` to `${{ github.token }}` (Gitea's
|
||||
# auto-token, useless for github.com). The clone hits the
|
||||
@@ -171,6 +162,7 @@ jobs:
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version-file: '.nvmrc'
|
||||
cache: 'pnpm'
|
||||
- run: pnpm install --frozen-lockfile
|
||||
- run: COMMIT_LINT_FROM=origin/main pnpm ci:commits
|
||||
|
||||
@@ -195,6 +187,7 @@ jobs:
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version-file: '.nvmrc'
|
||||
cache: 'pnpm'
|
||||
- run: pnpm install --frozen-lockfile
|
||||
- run: pnpm ci:perf
|
||||
- uses: actions/upload-artifact@v7
|
||||
@@ -212,6 +205,7 @@ jobs:
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version-file: '.nvmrc'
|
||||
cache: 'pnpm'
|
||||
- run: pnpm install --frozen-lockfile
|
||||
# Placeholder until the e2e a11y suite (axe-core via Playwright,
|
||||
# per ADR-0016) is wired with the first real screens. The job
|
||||
|
||||
@@ -33,6 +33,7 @@ jobs:
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version-file: '.nvmrc'
|
||||
cache: 'pnpm'
|
||||
# Full-tree Trivy (no skip-dirs, no severity filter — the per-PR
|
||||
# gate filters by severity for speed; this run wants the full
|
||||
# surface for the security feed). Manual install + curl, same
|
||||
@@ -92,6 +93,7 @@ jobs:
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version-file: '.nvmrc'
|
||||
cache: 'pnpm'
|
||||
- run: pnpm install --frozen-lockfile
|
||||
- run: pnpm exec lhci collect --url=${{ vars.LHCI_PROD_URL }} --numberOfRuns=3
|
||||
- run: pnpm exec lhci assert --config=./lighthouserc.js
|
||||
|
||||
+5
-8
@@ -88,18 +88,15 @@ The compose mounts `/var/run/docker.sock` into each runner so jobs can spawn con
|
||||
- **No host filesystem mounts beyond the docker socket:** the compose intentionally does not mount `/`, `/etc`, or any project source. Workflows that need data on the host must do so via Docker volumes.
|
||||
- **Future hardening (out of scope of v1):** migrate to **rootless Docker** on the runner host, or to a **DinD (Docker-in-Docker) sidecar** so the runner cannot escape into the host daemon. Decided when the org's RSSI confirms the security posture, or when the runner host is shared with anything else of value.
|
||||
|
||||
### Cache server (deferred)
|
||||
### Cache server
|
||||
|
||||
`act_runner` ships a built-in GitHub-Actions-cache-compatible server, used by `actions/setup-node@v4` (`cache: 'pnpm'`), `actions/cache`, and similar. In the current setup it does **not** work because the runner containers and the job containers live on different Docker networks: the runner is on the compose-defined `apf-portal-act-runners` bridge, while jobs spawned via the mounted `/var/run/docker.sock` come up on Docker's default `bridge` network. The cache server binds inside the runner container on a random port — unreachable from the job. The symptom is a ~2 min `ETIMEDOUT` at the start (restore) and end (save) of every job that opts into caching.
|
||||
`act_runner` ships a built-in GitHub-Actions-cache-compatible server, used by `actions/setup-node@v6` (`cache: 'pnpm'`), `actions/cache`, and similar. The default behaviour does **not** work in our compose-based setup: the runner container is on the compose-defined `apf-portal-act-runners` bridge, while jobs spawned through the mounted `/var/run/docker.sock` come up on Docker's anonymous `bridge` network — the cache server binds inside the runner on a random port, advertises an IP on the runners' bridge, and the job can't reach it. The symptom is a ~2 min `ETIMEDOUT` at the start (restore) and end (save) of every job that opts into caching.
|
||||
|
||||
For now `cache: 'pnpm'` is left **disabled** in `.gitea/workflows/ci.yml`. `pnpm install --frozen-lockfile` is fast enough on a warm pnpm store inside the job image (~30–60 s cold) that the cache layer adds no value as long as it doesn't actually transfer anything.
|
||||
The fix is in [`runner-config.yaml`](runner-config.yaml): `container.network: apf-portal-act-runners` instructs `act_runner` to attach every job container to the same compose-defined bridge as the runners. Job → runner is now an internal-network DNS hop, the advertised cache URL is reachable, and `cache: 'pnpm'` works end-to-end. The `cache: 'pnpm'` flag is enabled on every `actions/setup-node` step in `.gitea/workflows/ci.yml` and `.gitea/workflows/security-scheduled.yml`.
|
||||
|
||||
When this is reactivated, the right fix is one of:
|
||||
The blast-radius trade-off is bounded: every container on `apf-portal-act-runners` is one of our runner containers (plus the jobs they spawn), all of which already have full docker-socket access. Sharing a network does not widen what a malicious workflow can already do; it just lets jobs reach the cache server.
|
||||
|
||||
- attach jobs to the same Docker network as the runners (`runner.container.network` in act_runner's `config.yaml`, then advertise the cache `host` on the bridge IP); or
|
||||
- bind act_runner's cache server on a fixed `host_port` reachable from any container (host gateway IP), and set `ACTIONS_CACHE_URL` accordingly.
|
||||
|
||||
Either path needs a single-runner spike before being rolled out to the three.
|
||||
If the cache ever needs to be disabled (debugging cache-hit issues, etc.), set `cache.enabled: false` in `runner-config.yaml` and `./ci-runners.sh rotate`.
|
||||
|
||||
### `act_runner` image pinning
|
||||
|
||||
|
||||
@@ -14,3 +14,22 @@ container:
|
||||
# host (see infra/README.md "Updating the runner job images") — not
|
||||
# implicitly via :latest.
|
||||
force_pull: false
|
||||
|
||||
# Attach every job to the same Docker bridge network as the runner
|
||||
# containers themselves. Default behaviour (no value) is for jobs to
|
||||
# join Docker's anonymous "bridge" network — different from the
|
||||
# compose-defined `apf-portal-act-runners` bridge — which leaves
|
||||
# jobs unable to reach the runner-hosted cache server (the IP it
|
||||
# binds to and advertises is on the runners' bridge, not the jobs').
|
||||
# Sharing the network closes the gap and lets `actions/setup-node`'s
|
||||
# `cache: 'pnpm'` work end-to-end. The blast radius is bounded:
|
||||
# every container on this network is one of our runner containers,
|
||||
# all of which already have full docker-socket access.
|
||||
network: apf-portal-act-runners
|
||||
|
||||
# Built-in cache server — defaults are good (enabled, listens on a
|
||||
# pseudo-random port, stores cache under the runner's writable home).
|
||||
# Documented here only so a future contributor knows where the toggle
|
||||
# lives if it has to be disabled.
|
||||
cache:
|
||||
enabled: true
|
||||
|
||||
Reference in New Issue
Block a user