UGA-Innovation-Factory/athenix
3
1
Fork 0
Code Issues Pull Requests Actions Projects Releases Activity

gh runner cleanup

Browse Source
This commit is contained in:
Hunter Halloran
2025-12-17 11:22:01 -05:00
parent 35cbfceb81
commit 36550aafd5
1 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
sw/builders/services.nix
View File

@@ -51,6 +51,10 @@ mkIf builderCfg.githubRunner.enable {
ProtectKernelModules = mkForce false; ProtectKernelModules = mkForce false;
ProtectControlGroups = mkForce false; ProtectControlGroups = mkForce false;
# Use LoadCredential to securely pass the token file to the service
# This allows the service to read the token even when running as non-root
LoadCredential = "token:${builderCfg.githubRunner.tokenFile}";
# Don't override ExecStartPre - let the default module handle configuration # Don't override ExecStartPre - let the default module handle configuration
# Just make the cleanup more tolerant by wrapping the original script # Just make the cleanup more tolerant by wrapping the original script
ExecStartPre = mkForce ( ExecStartPre = mkForce (
@@ -81,7 +85,14 @@ mkIf builderCfg.githubRunner.enable {
set -e set -e
runnerDir="${builderCfg.githubRunner.workDir}/${builderCfg.githubRunner.name}" runnerDir="${builderCfg.githubRunner.workDir}/${builderCfg.githubRunner.name}"
token=$(cat "${builderCfg.githubRunner.tokenFile}")
# Read token from systemd credential (passed via LoadCredential)
if [ -n "''${CREDENTIALS_DIRECTORY:-}" ] && [ -f "''${CREDENTIALS_DIRECTORY}/token" ]; then
token=$(cat "''${CREDENTIALS_DIRECTORY}/token")
else
echo "Error: Token credential not available"
exit 1
fi
cd "$runnerDir" cd "$runnerDir"