Secure gitea-runner: remove tracked secrets, use SSH for deploy

- Untrack .runner (contains registration token), act_runner binary, and nohup.out - Add gitea-runner sensitive files to .gitignore - Auto-register runner from env var if .runner is missing - Switch deploy workflow git pull from HTTP to SSH Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-07 13:19:45 +01:00
parent 4d16dd8d17
commit 4c8573767d
6 changed files with 17 additions and 21 deletions
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -12,7 +12,7 @@ jobs:
              working-directory: /home/adamf/deploy/web_server
              run: |
                  git config --global --add safe.directory /home/adamf/deploy/web_server
-                  git pull http://gitea:3000/adamf/web_server.git main
+                  git pull ssh://git@gitea:2222/adamf/web_server.git main

            - name: Run docker compose up
              working-directory: /home/adamf/deploy/web_server
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,11 @@ backend/token/
 gitea/config/app.ini
 gitea/data/*

+# Gitea runner
+gitea-runner/.runner
+gitea-runner/act_runner
+gitea-runner/nohup.out
+
 # Rust build artifacts
 **/target/

--- a/gitea-runner/.runner
+++ b/gitea-runner/.runner
@@ -1,15 +0,0 @@
-{
-  "WARNING": "This file is automatically generated by act-runner. Do not edit it manually unless you know what you are doing. Removing this file will cause act runner to re-register as a new runner.",
-  "id": 2,
-  "uuid": "619db79e-39a2-4a92-9840-d6a87cde7d1f",
-  "name": "stppi",
-  "token": "7361451ecbbe1719fb071e93a334b6f6a531ac45",
-  "address": "http://localhost:3000/",
-  "labels": [
-    "self-hosted:host",
-    "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest",
-    "ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04",
-    "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
-  ],
-  "ephemeral": false
-}
--- a/gitea-runner/act_runner
+++ b/gitea-runner/act_runner
--- a/gitea-runner/nohup.out
+++ b/gitea-runner/nohup.out
@@ -1,4 +0,0 @@
-time="2026-02-18T16:33:27Z" level=info msg="Starting runner daemon"
-time="2026-02-18T16:33:27Z" level=info msg="runner: stppi, with version: v0.3.0-1-g0f7efae, with labels: [self-hosted ubuntu-latest ubuntu-24.04 ubuntu-22.04], declare successfully"
-time="2026-02-18T16:33:37Z" level=info msg="runner: stppi shutdown initiated, waiting 0s for running jobs to complete before shutting down"
-time="2026-02-18T16:33:37Z" level=error msg="failed to fetch task" error="canceled: context canceled"
--- a/gitea-runner/run.sh
+++ b/gitea-runner/run.sh
@@ -6,7 +6,17 @@ while ! curl -sf http://localhost:3000 > /dev/null 2>&1; do
    sleep 2
 done

-echo "localhost:3000 is up. Starting act_runner daemon..." >&2
+echo "localhost:3000 is up." >&2

+if [ ! -f .runner ]; then
+    echo "No .runner file found. Registering runner..." >&2
+    ./act_runner register --no-interactive \
+        --instance http://localhost:3000 \
+        --token "${GITEA_RUNNER_REGISTRATION_TOKEN}" \
+        --name "${GITEA_RUNNER_NAME:-pi-runner}" \
+        --labels self-hosted
+fi
+
+echo "Starting act_runner daemon..." >&2
 exec ./act_runner daemon