infra: self-hosted runner manifest (closes private-repo CI-billing exhaustion)#19
Merged
mastermanas805 merged 1 commit intoMay 21, 2026
Conversation
…exhaustion) Adds k8s/self-hosted-runner.yaml: a Deployment that runs an actions/runner pod on the existing DOKS cluster. Eliminates metered CI minutes for private repos (worker, provisioner, infra). Costs zero ongoing — uses already-paid DigitalOcean node-pool budget. Incorporates PB02-H50 review findings: - Persistent PVC for .runner state across pod restarts (no more re-registration on every restart) - trap on SIGTERM/SIGINT only (not EXIT — that fires after every completed job and deregisters) - Operator setup steps include the GHCR_PUSH_TOKEN secret (required for Deploy workflows) - actions/runner image pinned to 2.334.0 (current at time of write) - runAsUser/runAsGroup/fsGroup 1001 — non-root container - strategy Recreate so two pods never share RUNNER_NAME during rollout - Optional NetworkPolicy include block lists 100.64.0.0/10 CGNAT (DOKS pod-CIDR variant) - ServiceAccount + Namespace defined explicitly OPERATOR ACTION REQUIRED — see file header for the 8-step apply procedure. Trust-boundary notes documented inline. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
mastermanas805
force-pushed
the
infra/self-hosted-runner-pb02-fixed-2026-05-21
branch
from
9f2e063 to
a1dd73c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds k8s/self-hosted-runner.yaml — runs actions/runner pod on DOKS to eliminate metered CI minutes for worker/provisioner/infra. Incorporates 8 PB02-H50 review fixes (PVC, SIGTERM-only, GHCR_PUSH_TOKEN, runner 2.334.0, non-root, Recreate, CGNAT block). DO NOT MERGE without applying — operator must follow the 8-step procedure in the file header (create PATs, create secret, kubectl apply, patch each workflow's runs-on).