Add Docker-based GitHub Actions self-hosted runner setup

Spomky · Spomky · commit 5d54ab0c6888 · 2025-08-09T13:51:36.000+02:00
- Introduced `Dockerfile` to build a lightweight custom image for the runner.
- Added GitHub workflow (`.github/build.yml`) for building, pushing, and tagging multi-architecture images.
- Included a startup script (`scripts/start.sh`) for registering and running the GitHub Actions runner.
diff --git a/.github/build.yml b/.github/build.yml
@@ -0,0 +1,136 @@
+name: Build and Push gh-runner
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  IMAGE_NAME: ghcr.io/${{ github.repository }}
+  RUNNER_VERSION: 2.325.0
+
+jobs:
+  prepare:
+    name: "🧰 Build Preparation"
+    runs-on: ubuntu-latest
+    outputs:
+      image_name: ${{ steps.normalize.outputs.name }}
+      short_sha: ${{ steps.sha.outputs.short }}
+      is_tag: ${{ steps.tag.outputs.is_tag }}
+      version: ${{ steps.tag.outputs.version }}
+      major: ${{ steps.tag.outputs.major }}
+      minor: ${{ steps.tag.outputs.minor }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Normalize image name
+        id: normalize
+        run: echo "name=${IMAGE_NAME,,}" >> "$GITHUB_OUTPUT"
+      - name: Extract short SHA
+        id: sha
+        run: echo "short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
+      - name: Extract version from tag
+        id: tag
+        run: |
+          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
+            version="${GITHUB_REF#refs/tags/}"
+            major=$(cut -d. -f1 <<< "$version")
+            minor=$(cut -d. -f2 <<< "$version")
+            echo "is_tag=true" >> "$GITHUB_OUTPUT"
+            echo "version=$version" >> "$GITHUB_OUTPUT"
+            echo "major=$major" >> "$GITHUB_OUTPUT"
+            echo "minor=$minor" >> "$GITHUB_OUTPUT"
+          else
+            echo "is_tag=false" >> "$GITHUB_OUTPUT"
+
+  build-amd64:
+    name: "🐳 Build Docker (AMD64)"
+    needs: prepare
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push AMD64 image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64
+          tags: |
+            ${{ needs.prepare.outputs.image_name }}:amd64
+            ${{ needs.prepare.outputs.image_name }}:${{ needs.prepare.outputs.short_sha }}-amd64
+          build-args: |
+            RUNNER_VERSION=${{ env.RUNNER_VERSION }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  build-arm64:
+    name: "🐳 Build Docker (ARM64)"
+    needs: prepare
+    runs-on: self-hosted
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push ARM64 image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          platforms: linux/arm64
+          tags: |
+            ${{ needs.prepare.outputs.image_name }}:arm64
+            ${{ needs.prepare.outputs.image_name }}:${{ needs.prepare.outputs.short_sha }}-arm64
+          build-args: |
+            RUNNER_VERSION=${{ env.RUNNER_VERSION }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  manifest:
+    name: "📦 Docker Manifest"
+    needs: [build-amd64, build-arm64]
+    runs-on: ubuntu-latest
+    env:
+      IMAGE_NAME: ${{ needs.prepare.outputs.image_name }}
+      SHORT_SHA: ${{ needs.prepare.outputs.short_sha }}
+      IS_TAG: ${{ needs.prepare.outputs.is_tag }}
+      VERSION: ${{ needs.prepare.outputs.version }}
+      MAJOR: ${{ needs.prepare.outputs.major }}
+      MINOR: ${{ needs.prepare.outputs.minor }}
+      GITHUB_REF: ${{ github.ref }}
+    steps:
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Create and push Docker manifest
+        run: |
+          docker buildx imagetools create \
+            --tag $IMAGE_NAME:$SHORT_SHA \
+            $IMAGE_NAME:amd64 \
+            $IMAGE_NAME:arm64
+
+          if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
+            docker buildx imagetools create \
+              --tag $IMAGE_NAME:latest \
+              $IMAGE_NAME:amd64 \
+              $IMAGE_NAME:arm64
+          fi
+
+          if [[ "$IS_TAG" == "true" ]]; then
+            docker buildx imagetools create \
+              --tag $IMAGE_NAME:$VERSION \
+              --tag $IMAGE_NAME:$MAJOR \
+              --tag $IMAGE_NAME:$MAJOR.$MINOR \
+              $IMAGE_NAME:amd64 \
+              $IMAGE_NAME:arm64
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,65 @@
+# base image
+FROM ubuntu:24.04
+
+ARG RUNNER_VERSION
+ENV DEBIAN_FRONTEND=noninteractive
+
+LABEL Author="Florent Morselli"
+LABEL Email="florent.morselli@spomky-labs.com"
+LABEL GitHub="https://github.com/Spomky"
+LABEL BaseImage="ubuntu:24.04"
+LABEL RunnerVersion=${RUNNER_VERSION}
+
+# 1. Update base system and create a non-root user
+RUN apt-get update -y && \
+    apt-get upgrade -y && \
+    useradd -m -s /bin/bash docker
+
+# 2. Install core system packages (including gnupg for keyring management)
+RUN apt-get install -y --no-install-recommends \
+    curl \
+    gnupg \
+    nodejs \
+    wget \
+    unzip \
+    vim \
+    git \
+    jq \
+    build-essential \
+    libssl-dev \
+    libffi-dev \
+    python3 \
+    python3-venv \
+    python3-dev \
+    python3-pip
+
+# 3. Clean APT cache to reduce image size
+RUN apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# 4. Add Docker’s official GPG key
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
+    gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+
+# 5. Add Docker’s APT repository (for CLI only)
+RUN echo "deb [arch=arm64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] \
+    https://download.docker.com/linux/ubuntu \
+    $(. /etc/os-release && echo \"$VERSION_CODENAME\") stable" \
+    > /etc/apt/sources.list.d/docker.list
+
+# 6. Install Docker CLI only (no daemon)
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends docker-ce-cli
+
+# 7. Download GitHub Actions runner
+RUN mkdir -p /actions-runner && \
+    curl -L https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-arm64-${RUNNER_VERSION}.tar.gz \
+    -o /actions-runner/runner.tar.gz && \
+    tar -xzf /actions-runner/runner.tar.gz -C /actions-runner && \
+    rm /actions-runner/runner.tar.gz
+
+# 8. Install runner dependencies
+RUN /actions-runner/bin/installdependencies.sh
+
+# 9. Copy script
+COPY scripts/start.sh /start.sh
+RUN chmod +x /start.sh
diff --git a/scripts/start.sh b/scripts/start.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+set -e
+
+GH_OWNER=$GH_OWNER
+#GH_REPOSITORY=$GH_REPOSITORY
+GH_TOKEN=$GH_TOKEN
+
+RUNNER_NAME="runner-$(head /dev/urandom | tr -dc a-z0-9 | head -c 6)"
+export RUNNER_NAME
+
+# Ensure /actions-runner is accessible and owned
+chown -R docker:docker /actions-runner
+
+# Get Docker socket GID and allow docker user to access it
+DOCKER_GID=$(stat -c '%g' /var/run/docker.sock)
+groupadd -g "$DOCKER_GID" docker-host || true
+usermod -aG docker-host docker
+
+# Switch to docker user for config and execution
+su docker <<EOF
+cd /actions-runner
+
+#if [ ! -f .runner ]; then
+#  REG_TOKEN=\$(curl -sX POST \
+#    -H "Accept: application/vnd.github.v3+json" \
+#    -H "Authorization: token ${GH_TOKEN}" \
+#    https://api.github.com/repos/${GH_OWNER}/${GH_REPOSITORY}/actions/runners/registration-token | jq -r .token)
+#
+#  ./config.sh --unattended --url https://github.com/${GH_OWNER}/${GH_REPOSITORY} --token "\$REG_TOKEN" --name "\$RUNNER_NAME"
+#fi
+if [ ! -f .runner ]; then
+  REG_TOKEN=\$(curl -sX POST \
+    -H "Accept: application/vnd.github.v3+json" \
+    -H "Authorization: token ${GH_TOKEN}" \
+    https://api.github.com/orgs/${GH_OWNER}/actions/runners/registration-token | jq -r .token)
+
+  ./config.sh --unattended --url https://github.com/${GH_OWNER} --token "\$REG_TOKEN" --name "\$RUNNER_NAME"
+fi
+
+
+cleanup() {
+  echo "Removing runner..."
+  ./config.sh remove --unattended --token "\$REG_TOKEN"
+}
+trap 'cleanup; exit 130' INT
+trap 'cleanup; exit 143' TERM
+
+./run.sh
+EOF
