chore(ci): custom self-hosted runner image with Android + Flatpak deps preinstalled (#227) #243
## Summary

Closes #227. Ships a custom self-hosted Forgejo Actions runner image (`forge.wynning.tech/james/carol-runner`) that bakes in the Android + Flatpak + release-pipeline dep surface those release lanes pay for on every run today (~5-10 min × 2 lanes).

- `.forgejo/runner-image/Dockerfile` — Ubuntu 24.04 LTS base; mirrors `release-android.yml` + `release-flatpak.yml`'s install steps with pinned `ARG`s.
- `.forgejo/workflows/release-runner-image.yml` — builds + publishes on Dockerfile change, monthly cron (`0 0 1 * *`), or manual dispatch. cosign-signs by digest and emits a SLSA v1.0 attestation byte-for-byte parallel to `release.yml`.
- `release-android.yml` + `release-flatpak.yml` — `container:` line points at `<TBD-FILLED-BY-FIRST-PUBLISH>` with the existing `js-24.04` image as the live target until the first runner-image publish lands. Install steps marked `<SENTINEL-FALLBACK>` so the follow-up digest-swap PR knows what to delete.
- `docs/ci.md` — new "Runner image" section covering contents, publish cadence, update flow, and relationship to #237.

## Version pins

- `ubuntu:24.04` LTS, `linux/amd64` only.
- `.tool-versions`.
- (`openjdk-21-jdk-headless`).
- `cmdline-tools` rev 11076708, `platforms;android-35`, `build-tools;35.0.0`. SDK licences accepted at image-build time.
- 1.83.0 (minimal profile).
- `libwebkit2gtk-4.1-dev` + `libsoup-3.0-dev` + `libjavascriptcoregtk-4.1-dev` + the rest of the Tauri dep set.
- `flatpak` + `flatpak-builder`, GNOME `Platform//48` + `Sdk//48` pre-staged (soft-fail).
- `release.yml`.
- Expected compressed image size: ~5-7 GB.
## Expected per-release savings

Today the Android lane spends ~3-5 min on JDK + SDK install + license acceptance; the Flatpak lane spends ~7-10 min on rustup + apt deps + GNOME runtime fetch. Both go to zero once the digest swap lands. Wall-clock for the two lanes combined should drop by ~10 min per release.
## Before / after diffs

`release-android.yml` removes:

- `Install JDK ${{ env.JAVA_VERSION }}` step (apt-get + `update-java-alternatives` lookup).
- `Install Android SDK` step (cmdline-tools fetch + unzip + license accept + sdkmanager calls).

`release-flatpak.yml` removes:

- `Install Tauri + Flatpak system deps` step (apt-get of 14 packages).
- `Install Rust toolchain` step (rustup-init).
- `Install Flatpak runtime + SDK` step (flathub remote + system install).

Today the Android + Flatpak workflows still carry collapsed `<SENTINEL-FALLBACK>` versions of these steps; the digest-swap follow-up PR deletes them.
## Test plan

- `actionlint .forgejo/workflows/*.yml` — clean.
- `docker buildx build --check .forgejo/runner-image/` — "Check complete, no warnings found."
- `pnpm install --frozen-lockfile` — clean.
- `pnpm -F @carol/api typecheck/lint/test` — clean (556 passed, 107 skipped).
- `pnpm -F @carol/api-client typecheck/lint/test/check` — clean.
- `pnpm -F @carol/client typecheck/lint/test` — clean.
- `release-runner-image.yml` builds + pushes + signs the runner image, prints the digest in the job summary.
- `<TBD-FILLED-BY-FIRST-PUBLISH>` in both release workflows to the real `@sha256:…`, delete the `<SENTINEL-FALLBACK>` install steps.
- `cosign verify --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub forge.wynning.tech/james/carol-runner@sha256:<digest>`.
- `vX.Y.Z`) and confirm the Android + Flatpak lanes save ~10 min combined vs. the previous tag's run.
## Relationship to #237

#237 (developer dev-container) and #227 (CI runner image) have an overlapping dep surface but different consumers and release cadences. They stay separate Dockerfiles today; documented under `docs/ci.md` "Runner image" → "Relationship to #237".
## Surprises

- `flatpak install --system` needs a session bus that's not present in `docker build`'s default sandbox. The Dockerfile soft-fails that step (`|| echo "WARNING: …"`) so the layer continues without the runtime; the workflow's `flatpak-builder` invocation pulls it on first run and disk-caches it for subsequent runs. This is documented in both the Dockerfile and `docs/ci.md`.
- `yes | sdkmanager --licenses > /dev/null || true` is the same one-liner the workflow used before — runs at image-build time so the runtime workflow never sees the prompt.
- `release.yml`. Same key-pair, same `--tlog-upload=true` explicitness, same hand-built SLSA v1.0 predicate shape. No deviations.

Links: #227 · ADR-0014
🤖 Generated with Claude Code
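The PR leaves the two release lanes on a `<TBD-FILLED-BY-FIRST-PUBLISH>` sentinel until the first image publish, and the follow-up is expected to swap in a real `@sha256:` digest. The script below is an added example, not code from this PR or the carol repository: a pre-flight guard for that follow-up that reads a workflow's `container:` image reference and refuses to proceed while it still carries the sentinel, points at a mutable tag, or carries a malformed digest. The workflow snippets it checks are constructed fixtures, and the `@sha256:` value in them is a dummy; the real digest is whatever `release-runner-image.yml` prints in its job summary.

```shell
#!/bin/sh
# Added example (not the PR's own code): guard that a release workflow's
# `container:` line is pinned to an immutable sha256 digest before the
# digest-swap follow-up is merged. Fixtures below are constructed.
set -eu

# First `container:` image reference in a workflow file, quotes stripped.
# Handles `container: IMAGE` and the block form `container:` / `  image: IMAGE`.
container_ref() {
  awk '
    /^[ \t]*container:[ \t]*[^ \t]/ { sub(/^[ \t]*container:[ \t]*/, ""); print; exit }
    /^[ \t]*container:[ \t]*$/      { inblock = 1; next }
    inblock && /^[ \t]*image:/      { sub(/^[ \t]*image:[ \t]*/, ""); print; exit }
  ' "$1" | tr -d "\"'"
}

# Print a one-line verdict; return 0 only for an immutable sha256 digest pin.
check_pinned() {
  ref=$1
  case "$ref" in
    *'<TBD-FILLED-BY-FIRST-PUBLISH>'*) echo "sentinel not yet replaced: $ref"; return 1 ;;
  esac
  digest=${ref##*@}                      # part after the last '@', or the whole ref
  if [ "$digest" = "$ref" ]; then
    echo "no digest: '$ref' is a mutable tag"; return 1
  fi
  # sha256: followed by exactly 64 lowercase hex chars, nothing else
  if ! expr "$digest" : 'sha256:[0-9a-f]\{64\}$' >/dev/null; then
    echo "malformed digest: $digest"; return 1
  fi
  echo "pinned: $ref"
}

# End-to-end check of one workflow file.
check_workflow() {
  ref=$(container_ref "$1")
  if [ -z "$ref" ]; then
    echo "$1: no container: line found"; return 1
  fi
  check_pinned "$ref"
}

# Constructed fixtures: sentinel (today), mutable tag, bad digest, proper pin.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GOOD=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef   # dummy digest
printf 'jobs:\n  build:\n    container: <TBD-FILLED-BY-FIRST-PUBLISH>\n' >"$WORK/sentinel.yml"
printf 'jobs:\n  build:\n    container: forge.wynning.tech/james/carol-runner:latest\n' >"$WORK/tag.yml"
printf 'jobs:\n  build:\n    container: forge.wynning.tech/james/carol-runner@sha256:deadbeef\n' >"$WORK/malformed.yml"
printf 'jobs:\n  build:\n    container:\n      image: "forge.wynning.tech/james/carol-runner@sha256:%s"\n' "$GOOD" >"$WORK/pinned.yml"

# Run the guard over every fixture; a real CI job would run it over
# .forgejo/workflows/release-*.yml and fail the job on any non-zero verdict.
for f in sentinel tag malformed pinned; do
  if check_workflow "$WORK/$f.yml"; then echo "  -> $f.yml OK"; else echo "  -> $f.yml BLOCKED"; fi
done
```

Once a workflow passes this guard, the `cosign verify --key … forge.wynning.tech/james/carol-runner@sha256:<digest>` step from the test plan is the natural next check; the two together answer "is it pinned?" and "is the pinned thing the one we signed?".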
Trivy (container image)
Threshold: high · Total findings: 121 · At/above threshold: 16.27.0, 7.28.0, 8.5.0

📊 Test coverage
Patch coverage: no testable lines changed.
Overall (`app/`, `lib/`, `db/`, excluding UI per ADR-0019): soft thresholds per ADR-0019. Coverage is informational and does not block merge.