From ebb42a6dd2708e9068512139db63fba4e7d2efee Mon Sep 17 00:00:00 2001
From: Will Anderson
Date: Wed, 25 Mar 2026 20:27:58 -0500
Subject: [PATCH] gitea-runner: switch to native host execution with Legion tool mounts
---
 servers/legion/apps/gitea-runner.yaml | 58 +++++++++++++++++++++++----
 1 file changed, 50 insertions(+), 8 deletions(-)
diff --git a/servers/legion/apps/gitea-runner.yaml b/servers/legion/apps/gitea-runner.yaml
index fcf8e57..ff58b88 100644
--- a/servers/legion/apps/gitea-runner.yaml
+++ b/servers/legion/apps/gitea-runner.yaml
@@ -15,6 +15,9 @@ spec:
 labels:
 app: gitea-runner
 spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
 initContainers:
 - name: register
 image: gitea/act_runner:latest
@@ -26,20 +29,18 @@ spec:
 --instance "$GITEA_INSTANCE_URL" \
 --token "$GITEA_RUNNER_REGISTRATION_TOKEN" \
 --name legion \
- --labels "self-hosted:docker://ghcr.io/catthehacker/ubuntu:act-22.04,linux:docker://ghcr.io/catthehacker/ubuntu:act-22.04,x64:docker://ghcr.io/catthehacker/ubuntu:act-22.04,legion:docker://ghcr.io/catthehacker/ubuntu:act-22.04" \
+ --labels "self-hosted,linux,x64,legion" \
 --no-interactive
- # Write runner config enabling docker socket passthrough for build jobs
 cat > /data/config.yaml << 'EOF'
 runner:
 capacity: 2
- envs: {}
 timeout: 3h
- container:
- network: host
- docker_host: "unix:///var/run/docker.sock"
- force_pull: false
- options: -v /usr/local/bin/kubectl:/usr/local/bin/kubectl:ro
+ host:
+ workdir_parent: /data/workspace
 EOF
+ env:
+ - name: HOME
+ value: /home/will
 envFrom:
 - secretRef:
 name: gitea-runner-secret
@@ -51,6 +52,11 @@ spec:
 image: gitea/act_runner:latest
 workingDir: /data
 command: ["act_runner", "daemon", "--config", "/data/config.yaml"]
+ env:
+ - name: HOME
+ value: /home/will
+ - name: PATH
+ value: /home/will/.local/bin:/usr/local/bin:/usr/bin:/bin
 envFrom:
 - secretRef:
 name: gitea-runner-secret
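Review bot: The pod securityContext added at the top of the first hunk pins runAsUser/runAsGroup to 1000 but leaves `runAsNonRoot`, `allowPrivilegeEscalation` and a seccomp profile unset, so the uid pin is the only hardening the pod receives. The daemon still mounts /var/run/docker.sock (visible as context in the later volumeMounts hunk) even though this commit removes the `container:`/`docker_host` section from the runner config, so the socket mount no longer has a consumer in the config and is a candidate for removal; if it stays, uid 1000 is only a meaningful boundary when that socket is not accessible to gid 1000 on the node. I'd add `runAsNonRoot: true` beside `runAsUser: 1000` and a comment `# host-mode jobs run as this uid; keep it unprivileged on the node` so the intent survives the next edit.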
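Review bot: In the second hunk the rewritten config `host:` / `workdir_parent: /data/workspace` places job workspaces on the same `/data` volume as `/data/config.yaml` and the runner's registration state, and the removed comment line is not replaced, so nothing in the manifest now says that workflow steps execute directly inside the runner container instead of in per-job docker containers. In host mode every step shares this container's filesystem, and if act_runner passes the daemon's environment through to steps (to be confirmed against the act_runner version in use) the `gitea-runner-secret` values from `envFrom`, including the registration token, would be visible to every job. I'd restore a comment above the heredoc, `# Host mode: jobs run directly in this container (no per-job docker isolation); workspaces under /data/workspace`, and consider pointing workdir_parent at a separate emptyDir volume so jobs cannot read the config and registration files. The init container's script starts before this hunk.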
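Review bot: The PATH added in the third hunk lists `/home/will/.local/bin` ahead of `/usr/local/bin` and `/usr/bin`, so every CI job resolves its toolchain first from a personal home directory on the node; anything installed or modified there by that account shadows system binaries for all workflows, tying the runner's integrity to one user's environment. If that directory is intentionally the source of the Legion tools, a comment stating so, `# tools are installed under will's ~/.local; PATH order is deliberate`, would help the next reader; otherwise a dedicated root-owned tool directory with the same read-only mount would be a safer home for them. The value also omits `/usr/sbin` and `/sbin`, which may matter for jobs that call admin utilities.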
@@ -59,6 +65,24 @@ spec:
 mountPath: /data
 - name: docker-sock
 mountPath: /var/run/docker.sock
+ - name: usr-local-bin
+ mountPath: /usr/local/bin
+ readOnly: true
+ - name: usr-bin
+ mountPath: /usr/bin
+ readOnly: true
+ - name: usr-local-lib
+ mountPath: /usr/local/lib
+ readOnly: true
+ - name: usr-lib-python3
+ mountPath: /usr/lib/python3
+ readOnly: true
+ - name: usr-lib-python312
+ mountPath: /usr/lib/python3.12
+ readOnly: true
+ - name: home-will-local
+ mountPath: /home/will/.local
+ readOnly: true
 resources:
 requests:
 memory: 512Mi
@@ -73,3 +97,21 @@ spec:
 hostPath:
 path: /var/run/docker.sock
 type: Socket
+ - name: usr-local-bin
+ hostPath:
+ path: /usr/local/bin
+ - name: usr-bin
+ hostPath:
+ path: /usr/bin
+ - name: usr-local-lib
+ hostPath:
+ path: /usr/local/lib
+ - name: usr-lib-python3
+ hostPath:
+ path: /usr/lib/python3
+ - name: usr-lib-python312
+ hostPath:
+ path: /usr/lib/python3.12
+ - name: home-will-local
+ hostPath:
+ path: /home/will/.local
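Review bot: The new read-only mounts in the first hunk overlay the host's `/usr/bin` and `/usr/local/lib` onto the act_runner image, but the host's `/usr/lib` and `/lib` are not mounted, so dynamically linked host binaries under `/usr/bin` will look for shared libraries the container may not provide; whether this works depends on the image's base and is worth confirming with a smoke job before workflows rely on it. Overlaying `/usr/bin` also hides the image's own binaries, so the tools act_runner itself needs (shell, git) now come from the host rather than the image. A comment on the first new mount, `# host toolchain overlays for host-mode jobs; /usr/bin replaces the image's own`, would make that intent explicit. The volumeMounts list starts before this hunk.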
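Review bot: The six hostPath volumes added in the second hunk omit `type:`, unlike the docker-sock volume just above them which uses `type: Socket`; with no type the kubelet performs no check before mounting, so a misspelled or absent host path is mounted without complaint and jobs only discover it later as command-not-found. Add `type: Directory` under each `hostPath:` (for example directly after `path: /usr/local/bin`) so a missing directory fails pod creation instead. These volumes also widen the pod's host filesystem exposure well beyond the socket, and since read-only is enforced on the mount side, every volumeMount that references them needs to keep its `readOnly: true`.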