implement logic to set the stacks internal network for the action containers to support dind without a host port binding

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [code.forgejo.org/forgejo/runner](https://forgejo.org) ([source](https://code.forgejo.org/forgejo/runner)) | minor | `12.1.2` -> `12.3.0` |

---

### Release Notes

<details>
<summary>forgejo/runner (code.forgejo.org/forgejo/runner)</summary>

### [`v12.3.0`](https://code.forgejo.org/forgejo/runner/releases/tag/v12.3.0)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v12.2.0...v12.3.0)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

***

<!--start release-notes-assistant-->

<!--URL:https://code.forgejo.org/forgejo/runner-->

- features
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1234): <!--number 1234 --><!--line 0 --><!--description ZmVhdChqb2JwYXJzZXIpOiBleHBvc2UgSm9iIHRvIHJldXNhYmxlIHdvcmtmbG93IGZldGNoZXJz-->feat(jobparser): expose Job to reusable workflow fetchers<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1227): <!--number 1227 --><!--line 0 --><!--description ZmVhdChqb2JwYXJzZXIpOiBhZGQgdHJhY2tpbmcgSURzIGZvciBvdXRlci9pbm5lciBqb2JzIGluIHJldXNhYmxlIHdvcmtmbG93cw==-->feat(jobparser): add tracking IDs for outer/inner jobs in reusable workflows<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1228): <!--number 1228 --><!--line 0 --><!--description ZmVhdChqb2JwYXJzZXIpOiBpZ25vcmUgYF9fbWV0YWRhdGFgIGluIHdvcmtmbG93IHNjaGVtYSB2YWxpZGF0aW9u-->feat(jobparser): ignore `__metadata` in workflow schema validation<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1229): <!--number 1229 --><!--line 0 --><!--description ZmVhdChqb2JwYXJzZXIpOiBleHBvc2UgQVBJIGZvciBgRXZhbHVhdGVXb3JrZmxvd0NhbGxTZWNyZXRzYA==-->feat(jobparser): expose API for `EvaluateWorkflowCallSecrets`<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1210): <!--number 1210 --><!--line 0 --><!--description ZmVhdChydW5uZXIpOiBza2lwIHNlcnZpY2UgY29udGFpbmVycyB3aXRoIGVtcHR5IGltYWdlIGFmdGVyIGludGVycG9sYXRpb24=-->feat(runner): skip service containers with empty image after interpolation<!--description-->
- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1235): <!--number 1235 --><!--line 0 --><!--description Zml4KGpvYnBhcnNlcik6IHByZXNlcnZlIHdvcmtmbG93X3BhcmVudF9pZCBvbiByZXBhcnNpbmcgaW5jb21wbGV0ZSB3b3JrZmxvd3M=-->fix(jobparser): preserve workflow\_parent\_id on reparsing incomplete workflows<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1230): <!--number 1230 --><!--line 0 --><!--description Zml4OiBhY2NlcHQgZW52IHJlZmVyZW5jZXMgaW4gc2VydmljZSBkZWZpbml0aW9ucw==-->fix: accept env references in service definitions<!--description-->

<!--end release-notes-assistant-->

### [`v12.2.0`](https://code.forgejo.org/forgejo/runner/releases/tag/v12.2.0)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v12.1.2...v12.2.0)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

***

<!--start release-notes-assistant-->

<!--URL:https://code.forgejo.org/forgejo/runner-->

- features
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1216): <!--number 1216 --><!--line 0 --><!--description ZmVhdChqb2JwYXJzZXIpOiBhbGxvdyBhY2Nlc3MgdG8gdGhlIG91dHB1dHMgb2YgYSByZXVzYWJsZSB3b3JrZmxvdw==-->feat(jobparser): allow access to the outputs of a reusable workflow<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1209): <!--number 1209 --><!--line 0 --><!--description ZmVhdChqb2JwYXJzZXIpOiBzdXBwb3J0IGV4cGFuZGluZyByZXVzYWJsZSB3b3JrZmxvd3MgaW50byBtdWx0aXBsZSBuZXcgam9icw==-->feat(jobparser): support expanding reusable workflows into multiple new jobs<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1221): <!--number 1221 --><!--line 0 --><!--description ZmVhdChqb2JwYXJzZXIpOiBhbGxvdyBhY2Nlc3NpbmcgYCR7eyBuZWVkcy4uLiB9fWAgd2hlbiBleHBhbmRpbmcgcmV1c2FibGUgd29ya2Zsb3dz-->feat(jobparser): allow accessing `${{ needs... }}` when expanding reusable workflows<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1220): <!--number 1220 --><!--line 0 --><!--description ZmVhdChqb2JwYXJzZXIpOiBhbGxvdyBtYXRyaXggZXhwYW5zaW9uIG9uIGNhbGxlciBvZiByZXVzYWJsZSB3b3JrZmxvd3M=-->feat(jobparser): allow matrix expansion on caller of reusable workflows<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1217): <!--number 1217 --><!--line 0 --><!--description ZmVhdChqb2JwYXJzZXIpOiByZXdyaXRlIHJldXNhYmxlIHdvcmtmbG93ICduZWVkcycgcmVmZXJlbmNlcyBiZXR3ZWVuIGpvYnM=-->feat(jobparser): rewrite reusable workflow 'needs' references between jobs<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1215): <!--number 1215 --><!--line 0 --><!--description ZmVhdChqb2JwYXJzZXIpOiBwb3B1bGF0ZSAnbmVlZHMnIGluIHJldXNhYmxlIHdvcmtmbG93IGV4cGFuc2lvbg==-->feat(jobparser): populate 'needs' in reusable workflow expansion<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1211): <!--number 1211 --><!--line 0 --><!--description ZmVhdChqb2JwYXJzZXIpOiBtYXAgJ3dpdGgnIGZyb20gY2FsbGVlIGludG8gJ2lucHV0cycgb2YgcmV1c2FibGUgd29ya2Zsb3cgZXhwYW5zaW9u-->feat(jobparser): map 'with' from callee into 'inputs' of reusable workflow expansion<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1197): <!--number 1197 --><!--line 0 --><!--description ZmVhdDogYWRkIHZhcmlhYmxlIHdvcmtmbG93X3JlZiB0byBnaXRodWIgY29udGV4dA==-->feat: add variable workflow\_ref to github context<!--description-->
- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1225): <!--number 1225 --><!--line 0 --><!--description Zml4KGpvYnBhcnNlcik6IGFsbG93IGFjY2VzcyB0byAnaW5wdXRzJyBjb250ZXh0IHdoZW4gZXZhbHVhdGluZyB3b3JrZmxvdyBjYWxsIG91dHB1dHM=-->fix(jobparser): allow access to 'inputs' context when evaluating workflow call outputs<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1224): <!--number 1224 --><!--line 0 --><!--description Zml4KGpvYnBhcnNlcik6IHRyYWNrIHJldXNhYmxlIHdvcmtmbG93IHJlY3Vyc2lvbiBsaW1pdHMgYWNyb3NzIHJlLWV4cGFuc2lvbg==-->fix(jobparser): track reusable workflow recursion limits across re-expansion<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1223): <!--number 1223 --><!--line 0 --><!--description Zml4KGpvYnBhcnNlcik6IGlubmVyIGpvYiBpbiBhIHJldXNhYmxlIHdvcmtmbG93IGNhbid0IHJlZmVyZW5jZSAke3sgbmVlZHMuLi4gfX0gaW4gYHdpdGhg-->fix(jobparser): inner job in a reusable workflow can't reference ${{ needs... }} in `with`<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1222): <!--number 1222 --><!--line 0 --><!--description Zml4OiB1bnJlY292ZXJhYmxlIGVycm9ycyBpbiBhcnRpZmFjdGNhY2hlIHNob3VsZCBoYXZlIG5vbi16ZXJvIGV4aXQgY29kZQ==-->fix: unrecoverable errors in artifactcache should have non-zero exit code<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1214): <!--number 1214 --><!--line 0 --><!--description Zml4OiByZWxhdGl2ZSByZXVzYWJsZSB3b3JrZmxvdyB3LyBIVFRQIChub3QgSFRUUFMpIGdpdGh1YiBpbnN0YW5jZSB1cmw=-->fix: relative reusable workflow w/ HTTP (not HTTPS) github instance url<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1213): <!--number 1213 --><!--line 0 --><!--description Zml4OiBkb3VibGUgcHJvdG9jb2wgcHJlZml4IGluIHJldXNhYmxlIHdvcmtmbG93IGNsb25lIFVSTHM=-->fix: double protocol prefix in reusable workflow clone URLs<!--description-->

<!--end release-notes-assistant-->

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNzMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE3My4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Reviewed-on: https://git.coopcloud.tech/coop-cloud/forgejo-runner/pulls/16
Co-authored-by: Renovate Bot <renovate@coopcloud.tech>
Co-committed-by: Renovate Bot <renovate@coopcloud.tech>

.env.sample

@@ -1,5 +1,8 @@
 RECIPE=forgejo-runner
 
+# The level of logging, can be trace, debug, info, warn, error, fatal
+LOG_LEVEL=info
+
 CACHE_ENABLED=false
 
 # Defines the number of concrurrent tasks to be run
@@ -7,6 +10,5 @@ RUNNER_CAPACITY=1
 
 RUNNER_TIMEOUT=3h
 
-# Set to 'host', to use the host network. When left empty it creates a temporary
-# network for each container.
-#CONTAIER_NETWORK
+# Set to 'host', to use the host network or any other. By using 'default', the runner gets configured to use the internal network of its own stack, so the action can access the docker
+#CONTAINER_NETWORK=default

README.md

@@ -19,22 +19,23 @@ To enable [caching](https://forgejo.org/docs/latest/admin/runner-installation/#c
 CACHE_ENABLED=true
 ```
 
-## Docker in Docker
+## Docker in Docker (in Docker)
 
-To give an action container the ability to create more docker containers (e.g. for tests) you need to set the container network to "host". This can be done in the `.env` file:
-```
-CONTAINER_NETWORK=host
-```
+Per default, the action container has the ability to access the docker socket of the host machine via the socket proxy in this recipe. Keep this in mind, since this is a security concern!
 
-This allows you to access the docker host at "tcp://0.0.0.0:2375". See this part of an action workflow on how to access the docker host.
+If you don't set anything in the `CONTAINER_NETWORK` env, the runner is configured to their own dedicated network and so can't reach the docker socket proxy.
+
+If you set `CONTAINER_NETWORK` to `default`, the runner attaches the started containers to the internal network of this recipe, so the socket proxy can be reached (via it's dns name).
+
+This allows you to access the docker host at "tcp://socket-proxy:2375". See this part of an action workflow on how to access the docker host.
 ```
 - name: Set up Docker Buildx
   uses: docker/setup-buildx-action@v3
   with:
-    endpoint: tcp://0.0.0.0:2375
+    endpoint: tcp://socket-proxy:2375
     platforms: linux/amd64
 - name: run api tests
   run: |
-    export DOCKER_HOST="tcp://0.0.0.0:2375"
+    export DOCKER_HOST="tcp://socket-proxy:2375"
       make test-api
 ```

abra.sh

@@ -1,4 +1,4 @@
-export RUNNER_CONF_VERSION=v8
+export RUNNER_CONF_VERSION=v9
 export ENTRYPOINT_VERSION=v9
 
 register_runner() {

compose.yml

@@ -2,10 +2,9 @@ version: '3.8'
 
 services:
   app:
-    image: 'code.forgejo.org/forgejo/runner:6.2.2'
+    image: 'code.forgejo.org/forgejo/runner:12.3.0'
     environment:
       - DOCKER_HOST=tcp://socket-proxy:2375
-      - RUNNER_CAPACITY
     configs:
       - source: runner_conf
         target: /config.yml
@@ -16,7 +15,7 @@ services:
       - "data:/data"
     deploy:
       labels:
-        - "coop-cloud.${STACK_NAME}.version=1.1.0+6.2.2"
+        - "coop-cloud.${STACK_NAME}.version=4.1.1+12.3.0"
     networks:
       - internal
     ports:
@@ -24,8 +23,9 @@ services:
     entrypoint: /custom-entrypoint.sh
 
   socket-proxy:
-    image: lscr.io/linuxserver/socket-proxy:1.26.1-r0-ls15
+    image: lscr.io/linuxserver/socket-proxy:3.2.10
     environment:
+      - PROXY_READ_TIMEOUT=5000
       - ALLOW_START=1
       - ALLOW_STOP=1
       - ALLOW_RESTARTS=1
@@ -57,14 +57,13 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     networks:
       - internal
-    ports:
-      - "2375:2375"
 
 volumes:
   data:
 
 networks:
   internal:
+    attachable: true
 
 configs:
   runner_conf:

config.yml.tmpl

@@ -1,6 +1,6 @@
 log:
   # The level of logging, can be trace, debug, info, warn, error, fatal
-  level: info
+  level: {{ env "LOG_LEVEL" }}
 
 runner:
   # Where to store the registration result.
@@ -48,12 +48,12 @@ container:
   # Specifies the network to which the container will connect.
   # Could be host, bridge or the name of a custom network.
   # If it's empty, create a network automatically.
-  network: "{{ env "CONTAINER_NETWORK" }}"
+  network: {{ if eq (env "CONTAINER_NETWORK") "default" }}{{ env "STACK_NAME" }}_internal{{ else }}{{ env "CONTAINER_NETWORK" }}{{ end }}
   # Whether to create networks with IPv6 enabled. Requires the Docker daemon to be set up accordingly.
   # Only takes effect if "network" is set to "".
   enable_ipv6: false
   # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
-  privileged: false
+  privileged: true
   # And other options to be used when the container is started (eg, --add-host=my.forgejo.url:host-gateway).
   options:
   # The parent directory of a job's working directory.

entrypoint.sh.tmpl

@@ -3,7 +3,6 @@
 set -e
 
 mkdir -p /data
-touch /data/.runner
 mkdir -p /data/.cache
 
 # Wait for the runner to get registered before starting the forgejo-runner daemon.

release/3.0.0+11.1.2

@@ -0,0 +1 @@
+Fixed a typo in .env.sample and upgrade runner to v11

release/4.0.0+12.0.1

@@ -0,0 +1 @@
+The breaking change in forgejo-runner should not affect us. Making a major bump just in case

release/4.1.1+12.3.0

@@ -0,0 +1 @@
+Security: Remove Docker Socket binding + Chore: update to 12.3.0

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}