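---
# Self-hosted GitHub Actions runner as a single Compose service on its own
# bridge network. `version` is honoured by Compose v1 (2.4 is the last of the
# v2-series schemas); Compose v2 ignores the key and only warns about it.
version: "2.4"

networks:
  gh-runner-isolated:
    driver: bridge
    driver_opts:
      # No inter-container traffic on this bridge: the runner only gets
      # outbound (masqueraded) connectivity and the gateway.
      com.docker.network.bridge.enable_icc: "false"
      com.docker.network.bridge.enable_ip_masquerade: "true"
    ipam:
      config:
        - subnet: 172.28.0.0/16
          gateway: 172.28.0.1

services:
  gh-runner:
    # Floating tag: each pull may bring a different runner build. For a
    # reproducible, reviewable deployment pin the digest instead, e.g.
    #   image: docker.io/blackoutsecure/github-runner@sha256:<digest>
    image: docker.io/blackoutsecure/github-runner:latest
    networks:
      - gh-runner-isolated
    environment:
      TZ: "Etc/UTC"
      RUNNER_EPHEMERAL: "true"
      DOCKER_IN_DOCKER: "true"
      AUTO_DOCKER_LABEL: "false"
      CLEANUP_OFFLINE_RUNNERS: "true"
      CLEANUP_OFFLINE_IMMEDIATE: "true"
      CLEANUP_OFFLINE_NAME_REGEX: "^gh-runner"
      CLEANUP_OFFLINE_MAX: "25"
      CLEANUP_OFFLINE_DRY_RUN: "false"
      DISABLE_RUNNER_UPDATE: "true"
      LOG_LEVEL: "info"
      HEARTBEAT_INTERVAL: "120"
      JOB_HEARTBEAT_INTERVAL: "120"
      HEALTH_STALE_AFTER: "300"
      ON_OFFLINE_ACTION: "restart"
      ONLINE_PROBE_EVERY: "1"
      ONLINE_FAIL_THRESHOLD: "3"
      IDLE_RECYCLE_ACTION: "shutdown"
      # IDLE_RECYCLE_AFTER unset on purpose -- the image picks an
      # ephemeral-aware default:
      #   RUNNER_EPHEMERAL=true  -> 21600s (6 hours)
      #   RUNNER_EPHEMERAL=false -> 172800s (2 days)
      # Override with e.g. IDLE_RECYCLE_AFTER: "14400" or "0" to disable.
      # ── Runtime tunables (May 2026 refactor) ──
      # LOG_WATCH_INTERVAL controls how often svc-gh-runner-logs polls for
      # new workers / log files. Lower = faster JOB STARTED/FINISHED
      # banners; higher = lower idle CPU wakeups. Range 1-10s.
      LOG_WATCH_INTERVAL: "2"
      # Bound the silent busy-waits for Runner.Listener and _diag/. 0 = wait
      # forever (pre-May-2026 behaviour). Warnings emit every 30s past 30s.
      LISTENER_WAIT_TIMEOUT: "600"
      DIAG_WAIT_TIMEOUT: "120"
      # Hard cap on a single config.sh invocation so a wedged TCP connection
      # to api.github.com can't hang init forever. 0 = disable wrapper.
      CONFIG_TIMEOUT: "90"
      # Set true to keep the runner visible in GitHub across container
      # restarts (avoid the small window where queued jobs could be lost).
      # Recommended only for long-lived persistent runners, not ephemeral.
      SKIP_DEREGISTER: "false"
    labels:
      # balena supervisor features. balena-socket bind-mounts the host's
      # balena-engine socket into the container (presumably what
      # DOCKER_IN_DOCKER relies on), which amounts to host-level control:
      # the cap_drop/cap_add list below bounds what the runner process can
      # do directly, not what a job can do through that socket.
      io.balena.features.supervisor-api: "1"
      io.balena.features.balena-api: "1"
      io.balena.features.balena-socket: "1"
    # Own IPC namespace; nothing on this host shares /dev/shm with the runner.
    ipc: "private"
    dns_search: []
    # Start from no capabilities and add back only what the runner/sudo need.
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
      - DAC_OVERRIDE
      - FOWNER
      # AUDIT_WRITE: lets sudo emit a single audit record per syscall to
      # the kernel audit subsystem. Without it sudo still works but
      # prints a benign "unable to send audit message: Operation not
      # permitted" warning to stderr on every invocation, which trips
      # workflow log scanners. Default-Docker hands this to every
      # container; `ubuntu-latest` has it.
      - AUDIT_WRITE
    tmpfs:
      - /run:exec,size=64m
      # /tmp lives in RAM via tmpfs; size to your job's scratch needs.
      # 1g is a comfortable default for typical CI; raise on devices
      # with abundant RAM, lower (e.g. 512m) on Pi 3B+ / Pi Zero.
      - /tmp:exec,size=1g,mode=1777
      - /var/log:size=32m
      - /config:size=128m,mode=1777
    stop_grace_period: 30s
    # /dev/shm is only used by IPC-heavy workloads (Chrome headless,
    # some scientific Python). Standard CI (npm/pip/docker buildx)
    # does not touch it, so 256m is plenty and keeps RAM free for the
    # actual build. Bump to 1gb+ only if a specific job needs it.
    shm_size: 256m
    # `always` also brings the container back after IDLE_RECYCLE_ACTION=shutdown,
    # so an idle recycle yields a fresh container rather than a stopped one.
    restart: always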