fix(ci): pin docker-capable runner label in both publish workflows (closes #576)

Coin-flip failure: publish-workspace-server-image / build-and-push lands on runners without /var/run/docker.sock (molecule-runner-1 vs molecule-runner-4), failing the Docker daemon health check. Fix: - runs-on: ubuntu-latest → runs-on: [ubuntu-latest, docker] infra-sre registers a `docker` label on every act-runner that mounts /var/run/docker.sock (group=docker, perms 660+). Jobs without the `docker` label are never queued on socket-less runners. - Health check step now echoes the runner hostname in both the success path and the error path so failures are traceable to a specific host. Applied to: .gitea/workflows/publish-workspace-server-image.yml .gitea/workflows/publish-canvas-image.yml Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-11 23:12:22 +00:00 · 2026-05-11 23:12:22 +00:00 · adabf319dc
commit adabf319dc
parent 303cc4623e
2 changed files with 15 additions and 2 deletions
--- a/.gitea/workflows/publish-canvas-image.yml
+++ b/.gitea/workflows/publish-canvas-image.yml
@ -54,7 +54,11 @@ env:
 jobs:
  build-and-push:
    name: Build & push canvas image
-    runs-on: ubuntu-latest
+    # NOTE: infra-sre must register a `docker` label on every act-runner that
+    # mounts /var/run/docker.sock (group=docker, socket perms 660+). Jobs without
+    # the `docker` label land on runners that lack the socket and fail here.
+    # See issue #576.
+    runs-on: [ubuntu-latest, docker]
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
    continue-on-error: true
    steps:
@ -79,8 +83,10 @@ jobs:
        run: |
          set -euo pipefail
          echo "::group::Docker daemon health check"
+          echo "Runner: ${HOSTNAME:-unknown}"
          docker info 2>&1 | head -5 || {
            echo "::error::Docker daemon is not accessible at /var/run/docker.sock"
+            echo "::error::Runner: ${HOSTNAME:-unknown}"
            echo "::error::Check: (1) daemon running, (2) runner user in docker group, (3) sock perms 660+"
            exit 1
          }
--- a/.gitea/workflows/publish-workspace-server-image.yml
+++ b/.gitea/workflows/publish-workspace-server-image.yml
@ -52,7 +52,12 @@ env:

 jobs:
  build-and-push:
-    runs-on: ubuntu-latest
+    # NOTE: infra-sre must register a `docker` label on every act-runner that
+    # mounts /var/run/docker.sock (group=docker, socket perms 660+). Jobs without
+    # the `docker` label land on runners that lack the socket and fail here.
+    # molecule-runner-1 (no socket) vs molecule-runner-4 (socket) — coin-flip
+    # without this label gate.  See issue #576.
+    runs-on: [ubuntu-latest, docker]
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@ -68,8 +73,10 @@ jobs:
        run: |
          set -euo pipefail
          echo "::group::Docker daemon health check"
+          echo "Runner: ${HOSTNAME:-unknown}"
          docker info 2>&1 | head -5 || {
            echo "::error::Docker daemon is not accessible at /var/run/docker.sock"
+            echo "::error::Runner: ${HOSTNAME:-unknown}"
            echo "::error::Check: (1) daemon is running, (2) runner user is in docker group, (3) sock permissions are 660+"
            exit 1
          }