ci: run quality on forgejo native runner, fix runner user

- switch all jobs to runs-on: native so the netty forgejo runner picks them up - deploy-netty now runs locally on netty via `just switch-netty` (no SSH) - fix tmpfiles owner: gitea-actions-runner creates user `gitea-runner`, not `forgejo-runner` Made-with: Cursor
2026-04-20 03:00:32 +00:00 · 2026-04-18 22:19:25 -04:00 · 2026-04-18 22:19:25 -04:00 · ec2f23757b
commit ec2f23757b
parent 0db4171b0b
2 changed files with 13 additions and 37 deletions
--- a/.github/workflows/quality.yml
+++ b/.github/workflows/quality.yml
@ -11,7 +11,7 @@ permissions:
 jobs:
  changes:
-    runs-on: [self-hosted, netty]
+    runs-on: native
    outputs:
      quality: ${{ steps.filter.outputs.quality }}
    steps:
@ -32,7 +32,7 @@ jobs:
  flake-check:
    name: Flake Check
-    runs-on: [self-hosted, netty]
+    runs-on: native
    needs: changes
    if: ${{ needs.changes.outputs.quality == 'true' }}
    steps:
@ -46,7 +46,7 @@ jobs:
  nix-format:
    name: Nix Format Check
-    runs-on: [self-hosted, netty]
+    runs-on: native
    needs: changes
    if: ${{ needs.changes.outputs.quality == 'true' }}
    steps:
@ -60,39 +60,15 @@ jobs:
  deploy-netty:
    name: Deploy netty
-    runs-on: ubuntu-latest
+    runs-on: native
    needs: [changes, flake-check, nix-format]
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.quality == 'true' }}
    concurrency:
      group: deploy-netty
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: DeterminateSystems/magic-nix-cache-action@main
      - name: Configure SSH
        shell: bash
        env:
          NETTY_SSH_PRIVATE_KEY: ${{ secrets.NETTY_SSH_PRIVATE_KEY }}
          NETTY_SSH_KNOWN_HOSTS: ${{ secrets.NETTY_SSH_KNOWN_HOSTS }}
        run: |
          set -euo pipefail
          test -n "$NETTY_SSH_PRIVATE_KEY"
          test -n "$NETTY_SSH_KNOWN_HOSTS"
          install -d -m 700 "$HOME/.ssh"
          printf '%s\n' "$NETTY_SSH_PRIVATE_KEY" > "$HOME/.ssh/netty"
          chmod 600 "$HOME/.ssh/netty"
          printf '%s\n' "$NETTY_SSH_KNOWN_HOSTS" > "$HOME/.ssh/known_hosts"
          chmod 600 "$HOME/.ssh/known_hosts"
          cat > "$HOME/.ssh/config" <<'EOF'
          Host netty
            HostName 152.53.195.59
            User root
            IdentityFile ~/.ssh/netty
            IdentitiesOnly yes
          EOF
          chmod 600 "$HOME/.ssh/config"
      - name: Deploy netty
        shell: bash
        run: |
          set -euo pipefail
-          nix shell nixpkgs#just --command just switch-netty
+          just switch-netty
--- a/hosts/netty/forgejo-runner.nix
+++ b/hosts/netty/forgejo-runner.nix
@ -9,14 +9,14 @@ let
 in
 {
  systemd.tmpfiles.rules = [
-    "d ${cacheRoot} 0750 forgejo-runner forgejo-runner -"
+    "d ${cacheRoot} 0750 gitea-runner gitea-runner -"
-    "d ${cacheRoot}/cargo 0750 forgejo-runner forgejo-runner -"
+    "d ${cacheRoot}/cargo 0750 gitea-runner gitea-runner -"
-    "d ${cacheRoot}/npm 0750 forgejo-runner forgejo-runner -"
+    "d ${cacheRoot}/npm 0750 gitea-runner gitea-runner -"
-    "d ${cacheRoot}/pip 0750 forgejo-runner forgejo-runner -"
+    "d ${cacheRoot}/pip 0750 gitea-runner gitea-runner -"
-    "d ${cacheRoot}/pre-commit 0750 forgejo-runner forgejo-runner -"
+    "d ${cacheRoot}/pre-commit 0750 gitea-runner gitea-runner -"
-    "d ${cacheRoot}/rustup 0750 forgejo-runner forgejo-runner -"
+    "d ${cacheRoot}/rustup 0750 gitea-runner gitea-runner -"
-    "d ${cacheRoot}/uv 0750 forgejo-runner forgejo-runner -"
+    "d ${cacheRoot}/uv 0750 gitea-runner gitea-runner -"
-    "d ${cacheRoot}/actcache 0750 forgejo-runner forgejo-runner -"
+    "d ${cacheRoot}/actcache 0750 gitea-runner gitea-runner -"
  ];
  services.gitea-actions-runner = {