feat(ci): pre-built runner image Dockerfile (backlog C2) #10

Merged
zach merged 2 commits from feat/runner-image into main 2026-06-06 05:56:32 +00:00
Owner

Adds containers/Dockerfile.runner-trixie-amd64 that bakes the kernel-build toolchain (apt-get build-dep linux + the explicit fetch/patch/sign/upload deps + gcc-*-plugin-dev) into an optional runner image, so build-kernel.yml's ~5-min per-build "install build deps" step can become a no-op.

Dockerfile only — not wired in. build-kernel.yml still apt-installs the same set at job start. Switching container.image to this image (by digest) is a deliberate follow-up commit the operator makes only AFTER building + pushing the image to the Forgejo container registry — otherwise every build breaks.

  • FROM the same pinned debian:trixie digest the workflow runs in.
  • Package set mirrors the workflow's "install build deps" step exactly (verified 18/18 explicit packages + build-dep linux + gcc-$(major)-plugin-dev). Header comment cross-references build-kernel.yml and tools/repro-check.sh so the three dep lists stay in sync.
  • docs/operators/runner-setup.md: "Optional: pre-built runner image" section documenting build → push → switch-by-digest.
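The description says the Dockerfile's package set was verified against the workflow's "install build deps" step and that the switch to the new image must happen by digest. Below is an added example (not code from this PR or the repository) of a script that checks both: it diffs the packages named on `apt-get install` lines in a Dockerfile against those in a workflow step, confirms both run `build-dep linux`, confirms the Dockerfile's FROM digest equals the workflow's current image digest, and refuses a `container.image` reference that is not digest-pinned. The Dockerfile excerpt, workflow step, digest, package names and registry hostname are all constructed stand-ins; the `gcc-$(major)-plugin-dev` token is taken from the description, and the real files are not reproduced.

```shell
#!/bin/sh
# Added example, not code from this PR or repository. Checks that the package
# set a runner Dockerfile bakes in matches the package set a workflow step
# installs, and that an image reference is digest-pinned before the workflow's
# container.image is switched to it. All inputs below are constructed stand-ins.

# Constructed Dockerfile excerpt. Digest and package names are hypothetical.
DOCKERFILE='FROM debian:trixie@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
RUN apt-get update \
 && apt-get -y build-dep linux \
 && apt-get install -y --no-install-recommends \
      bc git curl gnupg \
      dpkg-dev gcc-14-plugin-dev \
 && rm -rf /var/lib/apt/lists/*'

# Constructed "install build deps" step. Hypothetical; it installs one package
# (rsync) the Dockerfile above lacks and computes the gcc major at run time.
WORKFLOW_STEP='apt-get update
apt-get -y build-dep linux
apt-get install -y --no-install-recommends bc git curl gnupg dpkg-dev rsync \
  gcc-$(major)-plugin-dev'

# The digest the workflow currently runs on (hypothetical, same as the FROM line).
WORKFLOW_IMAGE='debian:trixie@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

# Join backslash-continued lines so each apt-get invocation is one line.
join_continuations() {
  sed -e ':a' -e '/\\$/N' -e 's/\\\n */ /' -e 'ta'
}

# Print, sorted and de-duplicated, every package named after "apt-get install".
# Flags (-y, --no-install-recommends) are dropped and the list stops at the
# next && / || / ;. The gcc plugin package is normalised because the workflow
# computes the major version while the Dockerfile hard-codes it.
apt_install_pkgs() {
  join_continuations | awk '{
    n = split($0, t, /[ \t]+/)
    for (i = 1; i < n; i++) {
      if (t[i] != "apt-get" || t[i+1] != "install") continue
      for (j = i + 2; j <= n; j++) {
        if (t[j] == "&&" || t[j] == "||" || t[j] == ";") break
        if (t[j] == "" || t[j] ~ /^-/) continue
        print t[j]
      }
    }
  }' | sed -E 's/^gcc-.*-plugin-dev$/gcc-MAJOR-plugin-dev/' | sort -u
}

# True when the input runs "apt-get ... build-dep linux".
has_build_dep_linux() {
  join_continuations | grep -Eq 'apt-get[^&;|]*build-dep[[:space:]]+linux([[:space:]]|$)'
}

# Report packages the workflow installs that the image lacks ("missing:") and
# packages the image has that the workflow does not ("extra:"). Silent when in sync.
pkg_diff() {
  {
    printf '%s\n' "$1" | apt_install_pkgs | sed 's/^/df /'
    printf '%s\n' "$2" | apt_install_pkgs | sed 's/^/wf /'
  } | awk '
    $1 == "df" && $2 != "" { df[$2] = 1 }
    $1 == "wf" && $2 != "" { wf[$2] = 1 }
    END {
      for (p in wf) if (!(p in df)) print "missing:" p
      for (p in df) if (!(p in wf)) print "extra:" p
    }' | sort
}

# Print the sha256 digest an image reference is pinned to; empty for tag-only refs.
image_digest() {
  printf '%s\n' "$1" | grep -Eo '@sha256:[0-9a-f]{64}$' | cut -c2-
}

# Refuse to switch container.image to anything that is not digest-pinned.
is_digest_pinned() {
  [ -n "$(image_digest "$1")" ]
}

# Digest of the first FROM line in a Dockerfile.
from_digest() {
  image_digest "$(printf '%s\n' "$1" | awk '/^FROM /{print $2; exit}')"
}

# Demo run over the constructed inputs.
if [ "$(from_digest "$DOCKERFILE")" = "$(image_digest "$WORKFLOW_IMAGE")" ]; then
  echo "base digest matches the workflow image"
fi
printf '%s\n' "$DOCKERFILE" | has_build_dep_linux || echo "Dockerfile lacks build-dep linux"
pkg_diff "$DOCKERFILE" "$WORKFLOW_STEP"          # prints: missing:rsync
for ref in "$WORKFLOW_IMAGE" 'forgejo.example/ci/runner-trixie-amd64:latest'; do
  if is_digest_pinned "$ref"; then echo "ok: $ref"; else echo "refuse: $ref"; fi
done
```

Run it against the real files by replacing the three constructed variables with `$(cat containers/Dockerfile.runner-trixie-amd64)`, the extracted `run:` body of the workflow step, and the workflow's current `container.image` value; a non-empty `pkg_diff` means the image is not a drop-in for the apt-install step, and a tag-only reference should never reach the follow-up commit that changes `container.image`.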
feat(ci): add pre-built runner image Dockerfile (backlog C2)
All checks were successful
validate / shellcheck (pull_request) Successful in 12s
validate / yamllint (pull_request) Successful in 12s
validate / pycompile (pull_request) Successful in 4s
validate / intent-matches-policy (pull_request) Successful in 4s
validate / no-placeholder-digests (pull_request) Has been skipped
1b7f929fdd
Bake the kernel-build toolchain (apt-get build-dep linux + the explicit
fetch/patch/sign/upload deps + gcc-*-plugin-dev) into an optional runner
image so build-kernel.yml's ~5-min per-build "install build deps" step
can become a no-op.

Dockerfile only — NOT wired in. build-kernel.yml still apt-installs the
same set at job start; switching container.image to this image (by digest)
is a deliberate follow-up commit the operator makes only AFTER building +
pushing the image to the Forgejo container registry, or every build breaks.

- containers/Dockerfile.runner-trixie-amd64: FROM the same pinned
  debian:trixie digest the workflow runs in; package set mirrors the
  workflow's "install build deps" step exactly (verified: 18/18 explicit
  packages + build-dep linux + gcc-$(major)-plugin-dev). Header comment
  cross-references build-kernel.yml and tools/repro-check.sh so the three
  dep lists stay in sync.
- docs/operators/runner-setup.md: "Optional: pre-built runner image"
  section documenting build -> push -> switch (by digest, follow-up commit).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Merge branch 'main' into feat/runner-image
All checks were successful
validate / shellcheck (pull_request) Successful in 12s
validate / yamllint (pull_request) Successful in 12s
validate / workflow-expressions (pull_request) Successful in 4s
validate / pycompile (pull_request) Successful in 4s
validate / intent-matches-policy (pull_request) Successful in 4s
validate / no-placeholder-digests (pull_request) Has been skipped
c8f1da6e57
zach merged commit 302fcb6c33 into main 2026-06-06 05:56:32 +00:00
zach deleted branch feat/runner-image 2026-06-06 05:56:35 +00:00
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Reference
unredacted/linux-hardened-unredacted!10