From 634f9389173a99fe10ca2494f3c047cdfc40e6ca Mon Sep 17 00:00:00 2001
From: Molecule AI Infra-SRE
Date: Mon, 11 May 2026 23:14:17 +0000
Subject: [PATCH] fix(ci): pin docker-build jobs to docker-capable runners
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes #576: publish-workspace-server-image / build-and-push red every run due to runner landing on non-docker-capable machine. Per gitea-operational-quirks.md §3: Hetzner act_runner containers register labels self-hosted + ubuntu-latest + docker. Only docker-labeled runners have /var/run/docker.sock mounted. The previous `runs-on: ubuntu-latest` coin-flipped between docker-capable and non-docker runners, causing Verify Docker daemon access to fail. Fix: runs-on: [self-hosted, docker] for both docker-build workflows: - publish-workspace-server-image.yml - publish-canvas-image.yml (also uses docker/build-push-action)
Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/publish-canvas-image.yml | 6 +++++-
 .gitea/workflows/publish-workspace-server-image.yml | 8 +++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/.gitea/workflows/publish-canvas-image.yml b/.gitea/workflows/publish-canvas-image.yml
index 51ee0270..54476e96 100644
--- a/.gitea/workflows/publish-canvas-image.yml
+++ b/.gitea/workflows/publish-canvas-image.yml
@@ -54,7 +54,11 @@ env:
 jobs:
 build-and-push:
 name: Build & push canvas image
- runs-on: ubuntu-latest
+ # Pin to docker-capable runners (self-hosted + docker label).
+ # Per gitea-operational-quirks.md §3: Hetzner act_runner containers
+ # register labels self-hosted + ubuntu-latest + docker. Only runners
+ # with docker label have /var/run/docker.sock mounted.
+ runs-on: [self-hosted, docker]
 # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
 continue-on-error: true
 steps:
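Review bot: The new comment above `runs-on: [self-hosted, docker]` explains the scheduling reason but not the trust consequence: by its own wording, `docker`-labelled runners mount `/var/run/docker.sock`, so every step of this job can drive the host's Docker daemon. I would add a line such as `# docker-labelled runners expose the host Docker socket; keep this job's triggers limited to trusted refs.` The `on:` block is outside the hunk, so that restriction needs confirming there, and the same applies to the identical pin in publish-workspace-server-image.yml. Since the commit message says these runners also register `ubuntu-latest`, jobs that never request `docker` can presumably still land on a socket-mounted runner, which this pin does not change.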
diff --git a/.gitea/workflows/publish-workspace-server-image.yml b/.gitea/workflows/publish-workspace-server-image.yml index db84492b..8d6d1247 100644 --- a/.gitea/workflows/publish-workspace-server-image.yml +++ b/.gitea/workflows/publish-workspace-server-image.yml @@ -52,7 +52,13 @@ env: jobs: build-and-push: - runs-on: ubuntu-latest + # Pin to docker-capable runners (self-hosted + docker label). + # Per gitea-operational-quirks.md §3: Hetzner act_runner containers + # register labels self-hosted + ubuntu-latest + docker. Only runners + # with docker label have /var/run/docker.sock mounted. The previous + # `runs-on: ubuntu-latest` coin-flipped between docker-capable and + # non-docker runners, causing Verify Docker daemon access to fail. + runs-on: [self-hosted, docker] steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 -- 2.45.2
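Review bot: The sentence beginning `The previous` in the comment above `runs-on: [self-hosted, docker]` records the old value and the failure it caused, which is commit-message history and will go stale inside the workflow file. I would end the comment at `# with docker label have /var/run/docker.sock mounted.` so it matches the four-line comment added to publish-canvas-image.yml. The job's step list continues outside the hunk.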