Fix bugs preventing containers in PiP from reaching Forgejo instance

.forgejo/workflows/ci.yml

@@ -31,6 +31,11 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Network/DNS sanity from job container
+        run: |
+          getent hosts git.gcdo.org || true
+          curl -sS -o /dev/null -w 'status=%{http_code}\n' https://git.gcdo.org/api/healthz || true
+
       - name: Verify pinned digests provided
         run: |
           for v in RUST_IMG_DIGEST NODE_IMG_DIGEST POSTGRES_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do
@@ -97,7 +102,7 @@ jobs:
               --network integ-'"$RUN_ID"' \
               -v "$WORKSPACE":/workspace \
               -w /workspace \
-              -e DATABASE_URL=postgres://testuser:testpassword@test-postgres:5432/testdb \
+              -e DATABASE_URL=postgres://postgres:password@test-postgres:5432/sharenet_test \
               "'"${RUST_IMG_DIGEST}"'" \
               sh -c "cargo test --test '"'"'*'"'"' -- --test-threads=1"'
 

CI_CD_PIPELINE_SETUP_GUIDE.md

@@ -867,18 +867,18 @@ forgejo-runner register \
 
 ```bash
 # Create system config directory for Forgejo runner
-sudo mkdir -p /etc/forgejo-runner
+sudo mkdir -p /var/lib/forgejo-runner
 
 # Copy the runner configuration to system location
-sudo mv /home/CI_DEPLOY_USER/.runner /etc/forgejo-runner/.runner
+sudo mv /home/CI_DEPLOY_USER/.runner /var/lib/forgejo-runner/.runner
 
 # Set proper ownership and permissions
-sudo chown CI_SERVICE_USER:CI_SERVICE_USER /etc/forgejo-runner/.runner
-sudo chmod 600 /etc/forgejo-runner/.runner
+sudo chown CI_SERVICE_USER:CI_SERVICE_USER /var/lib/forgejo-runner/.runner
+sudo chmod 600 /var/lib/forgejo-runner/.runner
 ```
 
 **What this does**:
-- Copies the configuration to the system location (`/etc/forgejo-runner/.runner`)
+- Copies the configuration to the system location (`/var/lib/forgejo-runner/.runner`)
 - Sets proper ownership and permissions for CI_SERVICE_USER to access the config
 - Registers the runner with your Forgejo instance
 - Sets up the runner with appropriate labels for Ubuntu and Docker environments
@@ -887,28 +887,73 @@ sudo chmod 600 /etc/forgejo-runner/.runner
 
 ```bash
 sudo tee /etc/systemd/system/forgejo-runner.service > /dev/null << 'EOF'
+# /etc/systemd/system/forgejo-runner.service
 [Unit]
-Description=Forgejo Actions Runner
-After=network.target
+Description=Forgejo Actions Runner (CI, rootless)
+Wants=network-online.target user@%U.service
+After=network-online.target user@%U.service
 
 [Service]
-Type=simple
-WorkingDirectory=/etc/forgejo-runner
-ExecStart=/usr/bin/forgejo-runner daemon
+User=ci-service
+Group=ci-service
+
+# Point runner at the rootless Podman user socket; no TCP sockets.
+Environment=XDG_RUNTIME_DIR=/run/user/%U
+Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%U/bus
+Environment=DOCKER_HOST=unix:///run/user/%U/podman/podman.sock
+
+# Use your config that gives job containers outbound DNS/HTTPS (egress only)
+ExecStart=/usr/bin/forgejo-runner daemon --config /etc/forgejo-runner-ci.yaml
 Restart=always
-RestartSec=10
+RestartSec=2
+NoNewPrivileges=yes
+
+# Lock it down; allow writes only where needed for jobs/state
+ProtectSystem=strict
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+CapabilityBoundingSet=
+AmbientCapabilities=
+SystemCallArchitectures=native
+ReadWritePaths=/home/ci-service/.cache/act /var/lib/forgejo-runner-ci
 
 [Install]
 WantedBy=multi-user.target
 EOF
 
+# One-time prep as CI_DEPLOY_USER:
+
+SVC=ci-service
+RUN_UID=$(id -u "$SVC")
+
+# Ensure the user manager + user socket exist
+sudo loginctl enable-linger "$SVC"
+sudo systemctl start "user@${RUN_UID}.service"
+sudo -u "$SVC" XDG_RUNTIME_DIR=/run/user/$RUN_UID DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$RUN_UID/bus \
+  systemctl --user enable --now podman.socket
+
+# Create writable dirs for the hardened unit
+sudo install -d -o "$SVC" -g "$SVC" -m 0750 /home/$SVC/.cache/act /var/lib/forgejo-runner-ci
+
+# Point your runner config to the token in /var/lib (least privilege)
+# /etc/forgejo-runner/config.yaml -> runner.file: /var/lib/forgejo-runner/.runner
+
+# Reload + start the system unit
+sudo systemctl daemon-reload
+sudo systemctl enable --now forgejo-runner.service
+
 # Enable the service via user manager
 sudo systemctl enable forgejo-runner.service
 ```
 
 **What this does**:
 - Creates the systemd service configuration for the Forgejo runner
-- Sets the working directory to `/etc/forgejo-runner` where the `.runner` configuration file is located
+- Sets the working directory to `/var/lib/forgejo-runner` where the `.runner` configuration file is located
 - The runner will start here but the CI workflow will deploy the application to `/opt/APP_NAME`
 - Enables the service to start automatically on boot
 - Sets up proper restart behavior for reliability
@@ -1001,6 +1046,19 @@ fi
 if ! grep -q "^${SVC_USER}:" /etc/subuid; then echo "${SVC_USER}:100000:65536" | sudo tee -a /etc/subuid >/dev/null; fi
 if ! grep -q "^${SVC_USER}:" /etc/subgid; then echo "${SVC_USER}:100000:65536" | sudo tee -a /etc/subgid >/dev/null; fi
 
+
+# TODO: Try this instead of the below few steps
+# one-time
+sudo apt-get update -y && sudo apt-get install -y systemd-container
+sudo loginctl enable-linger ci-service
+sudo systemctl start "user@$(id -u ci-service).service"
+
+# now you can do this anywhere, no env exports:
+sudo systemctl --user --machine=ci-service@ daemon-reload
+sudo systemctl --user --machine=ci-service@ enable --now podman.socket
+sudo systemctl --user --machine=ci-service@ status podman.socket --no-pager
+
+
 # 3) Enable linger so the user's manager runs without login
 sudo loginctl enable-linger "$SVC_USER"
 loginctl show-user "$SVC_USER" | grep -q '^Linger=yes' || { echo "Linger not enabled"; exit 1; }