From 507c841a92e045fa81b437c25aefaad4a3d22c75 Mon Sep 17 00:00:00 2001
From: Kyle Pope
Date: Wed, 18 Mar 2026 04:39:59 +0800
Subject: [PATCH] Fix act_runner: SELinux label:disable, host network, pin image

Docker specialist review findings:
- Replace :z with security_opt: label:disable (correct SELinux fix)
- Remove user: 0:0 (unnecessary with SELinux handled)
- Remove redundant DOCKER_HOST env var
- Add network_mode: host (workflow steps need host access)
- Pin image to 0.2.11 (avoid non-deterministic latest tag)

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker-compose.yaml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/docker-compose.yaml b/docker-compose.yaml
index 217f3c9..e71be77 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -64,14 +64,15 @@ services:
           cpus: "0.5"
 
   act_runner:
-    image: gitea/act_runner:latest
+    image: gitea/act_runner:0.2.11
     restart: unless-stopped
-    user: "0:0"
+    security_opt:
+      - label:disable
+    network_mode: host
     volumes:
       - act_runner_data:/data
-      - /var/run/docker.sock:/var/run/docker.sock:z
+      - /var/run/docker.sock:/var/run/docker.sock
     environment:
-      - DOCKER_HOST=unix:///var/run/docker.sock
       - GITEA_INSTANCE_URL=https://git.sentinelforest.xyz
       - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_REGISTRATION_TOKEN}
       - GITEA_RUNNER_NAME=umbra-runner
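Review bot: `network_mode: host` on the act_runner service is broader than the stated reason ("workflow steps need host access") appears to justify and should either be dropped or its purpose recorded in a comment: the workflow steps run in job containers that act_runner creates through the mounted Docker socket, and those containers do not inherit the runner container's network namespace (their network is chosen by the runner's own config, typically the `container.network` setting), so host networking here only affects the runner process itself. Taken together, the socket mount, `label:disable` and host networking mean this one service now runs unconfined by SELinux with root-equivalent control of the host Docker daemon and a foot in the host network stack, so the set of repositories and users allowed to queue jobs on `umbra-runner` should be treated as trusted to the same degree as the host; a comment above `security_opt:` such as `# runner needs the host Docker socket; SELinux labelling is disabled for this container only, job containers are launched separately` would capture that intent for the next reader. The `0.2.11` tag is still mutable, so the determinism the commit message asks for is only achieved by pinning the digest as well, e.g. `image: gitea/act_runner:0.2.11@sha256:<digest-placeholder>`. The act_runner service definition continues past the end of the hunk.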