From 6c23bdbe63cdfa044ec8c090c86276693123c6bb Mon Sep 17 00:00:00 2001
From: Steve Cliff <steve@devcloud.guru>
Date: Fri, 8 May 2026 21:06:38 +0100
Subject: [PATCH] ci: run jobs in ci-runner-go container
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pin every job to gitea.dcglab.co.uk/steve/ci-runner-go:2026-05-08
so Go, Node, and Docker tooling are already installed when the
job starts. Drops three actions/setup-go invocations from ci.yml
(redundant — Go is on PATH) and inherits Buildx + Compose v2 in
e2e.yml and release.yml without per-job apt-installs.

Recipe lives in steve/ci. Bump the date pin in lockstep across
the three workflows when picking up a fresher image (e.g. when
the Go floor moves).
---
 .gitea/workflows/ci.yml      | 70 +++++++++++++++++-------------------
 .gitea/workflows/e2e.yml     |  1 +
 .gitea/workflows/release.yml |  1 +
 3 files changed, 34 insertions(+), 38 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index a69d2c1..3fc922b 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -2,28 +2,34 @@
 #
 # Notes for anyone editing this file:
 #
+# Custom runner image
+#   Every job runs inside `gitea.dcglab.co.uk/steve/ci-runner-go`
+#   (recipe: https://gitea.dcglab.co.uk/steve/ci/src/branch/main/images/ci-runner-go).
+#   That image already ships:
+#     * Go on PATH at /usr/local/go/bin (so `actions/setup-go` is
+#       redundant and intentionally NOT used here — the action would
+#       otherwise re-download Go on every job)
+#     * Node.js + npm (used by docs / e2e workflows)
+#     * Docker CLI, Buildx, Compose v2 (used by docker-build steps)
+#   When bumping the Go floor, push a new ci-runner-go image with
+#   the matching Go version and bump the date pin in IMAGE below.
+#
 # Self-hosted runner expectations
-#   The Gitea runners are provisioned out-of-band (the infra team owns
-#   the script). Each runner host bind-mounts persistent volumes for
-#   /root/go/pkg/mod (GOMODCACHE), /root/.cache/go-build (GOCACHE), and
-#   /root/.cache/act (action clones) into every job container. As a
+#   Each runner host bind-mounts persistent volumes for
+#   /root/go/pkg/mod (GOMODCACHE), /root/.cache/go-build (GOCACHE),
+#   and /root/.cache/act (action clones) into every job container —
+#   regardless of which image the container is built from. As a
 #   result:
-#     * `cache: true` on actions/setup-go is intentionally OMITTED — the
-#       action would otherwise tar/untar GOMODCACHE+GOCACHE through the
-#       Gitea cache backend on every job, undoing the host-volume cache
-#       and adding ~10s of redundant zstd round-trip per job.
-#     * Common GitHub actions (actions/checkout, actions/setup-go,
-#       actions/upload-artifact, golangci/golangci-lint-action) are
-#       pre-cloned into /root/.cache/act on the runner, so the per-job
-#       "git clone https://github.com/actions/..." step is a fetch, not
-#       a full clone.
+#     * Common GitHub actions (actions/checkout, actions/upload-artifact,
+#       golangci/golangci-lint-action) are pre-cloned into
+#       /root/.cache/act on the runner, so the per-job
+#       "git clone https://github.com/actions/..." step is a fetch,
+#       not a full clone.
 #     * golangci-lint is pre-installed at /usr/local/bin/golangci-lint
-#       on the runner (latest v2.x). The golangci-lint-action below
-#       still pins a specific version and re-downloads — that's fine
-#       (deterministic CI > marginal speed) but means the host-installed
-#       binary is currently unused. Drop the `version:` arg below to
-#       use the host-installed one if you want to trade determinism
-#       for speed.
+#       on the runner host BUT that's outside the job's filesystem
+#       view; the golangci-lint-action below pins a specific version
+#       and re-downloads — that's fine (deterministic CI > marginal
+#       speed).
 #
 # Build matrix
 #   Linux amd64 + arm64 + Windows amd64. CGO_ENABLED=0 throughout —
@@ -32,10 +38,10 @@
 #   binaries.
 #
 # Go version
-#   The GO_VERSION env var anchors all three jobs. Floor is set by the
-#   heaviest dep (modernc.org/sqlite v1.50+ requires Go 1.23+ today;
-#   we run 1.25 so golangci-lint's Go-version compatibility check is
-#   happy — see the version pin in the lint job).
+#   Anchored by the ci-runner-go image (currently Go 1.25.7). Floor
+#   is set by the heaviest dep (modernc.org/sqlite v1.50+ requires
+#   Go 1.23+; we run 1.25 so golangci-lint's Go-version compatibility
+#   check is happy — see the version pin in the lint job).
 #
 # upload-artifact
 #   Pinned at v3 historically; v3 was deprecated upstream. v4 should
@@ -48,9 +54,6 @@ on:
   pull_request:
     branches: [main]
 
-env:
-  GO_VERSION: "1.25"
-
 jobs:
   test:
     # Sharded by package group. server/http and store are the two
@@ -60,6 +63,7 @@ jobs:
     # one runner. The third shard ("rest") covers everything else.
     name: Test (${{ matrix.name }})
     runs-on: ubuntu-latest
+    container: gitea.dcglab.co.uk/steve/ci-runner-go:2026-05-08
     strategy:
       fail-fast: false
       matrix:
@@ -73,10 +77,6 @@ jobs:
             packages: ""
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          # cache: true intentionally omitted — see header notes.
       - name: go vet
         run: go vet ./...
       - name: go test
@@ -98,12 +98,9 @@ jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
+    container: gitea.dcglab.co.uk/steve/ci-runner-go:2026-05-08
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          # cache: true intentionally omitted — see header notes.
       - uses: golangci/golangci-lint-action@v7
         with:
           # Must be built against the same Go release as go.mod targets,
@@ -117,6 +114,7 @@ jobs:
   build:
     name: Build (${{ matrix.goos }}/${{ matrix.goarch }})
     runs-on: ubuntu-latest
+    container: gitea.dcglab.co.uk/steve/ci-runner-go:2026-05-08
     strategy:
       fail-fast: false
       matrix:
@@ -130,10 +128,6 @@ jobs:
             ext: ".exe"
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          # cache: true intentionally omitted — see header notes.
       - name: build server + agent
         env:
           GOOS: ${{ matrix.goos }}
diff --git a/.gitea/workflows/e2e.yml b/.gitea/workflows/e2e.yml
index 199f7a0..7ac2ae1 100644
--- a/.gitea/workflows/e2e.yml
+++ b/.gitea/workflows/e2e.yml
@@ -26,6 +26,7 @@ jobs:
   e2e:
     name: Playwright vs docker-compose
     runs-on: ubuntu-latest
+    container: gitea.dcglab.co.uk/steve/ci-runner-go:2026-05-08
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 14a5929..7a423aa 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -41,6 +41,7 @@ jobs:
   image:
     name: Build + push image
     runs-on: ubuntu-latest
+    container: gitea.dcglab.co.uk/steve/ci-runner-go:2026-05-08
     steps:
       - uses: actions/checkout@v4