add runner image for workflows

.github/workflows/runner.yaml

@@ -0,0 +1,63 @@
+name: Runner
+
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: "40 1 * * *" # 1 AM UTC, 6 PM PST
+
+jobs:
+  buildx:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: SHA
+        id: sha
+        run: echo "sha=$(/usr/bin/git log -1 --format='%H')" >> $GITHUB_OUTPUT
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USER }}
+          password: ${{ secrets.QUAY_TOKEN }}
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set Tags
+        id: tags
+        run: |
+          echo "date_stamp=$(date +"%F")" >> $GITHUB_OUTPUT
+          echo "week_stamp=$(date +"%Y-%U")" >> $GITHUB_OUTPUT
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: runner
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ${{ vars.REGISTRY }}${{ vars.IMAGE_PREFIX }}/runner:latest
+            ${{ vars.REGISTRY }}${{ vars.IMAGE_PREFIX }}/runner:${{ steps.tags.outputs.date_stamp}}
+            ${{ vars.REGISTRY }}${{ vars.IMAGE_PREFIX }}/runner:${{ steps.tags.outputs.week_stamp}}
+            ${{ vars.REGISTRY }}${{ vars.IMAGE_PREFIX }}/runner:bookworm
+            ${{ vars.REGISTRY }}${{ vars.IMAGE_PREFIX }}/runner:bookworm-${{ steps.tags.outputs.date_stamp}}
+            ${{ vars.REGISTRY }}${{ vars.IMAGE_PREFIX }}/runner:bookworm-${{ steps.tags.outputs.week_stamp}}
+            ghcr.io/holos-run/runner:latest
+            ghcr.io/holos-run/runner:${{ steps.tags.outputs.date_stamp}}
+            ghcr.io/holos-run/runner:${{ steps.tags.outputs.week_stamp}}
+            ghcr.io/holos-run/runner:bookworm
+            ghcr.io/holos-run/runner:bookworm-${{ steps.tags.outputs.date_stamp}}
+            ghcr.io/holos-run/runner:bookworm-${{ steps.tags.outputs.week_stamp}}
+    outputs:
+      sha: ${{ steps.sha.outputs.sha }}

runner/Dockerfile

@@ -0,0 +1,67 @@
+FROM registry.k8s.io/kubectl:v1.31.0 AS kubectl
+FROM public.ecr.aws/docker/library/golang:1.23-bookworm AS final
+
+# Install NodeJS 20
+RUN mkdir -p /etc/apt/keyrings && \
+    curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
+    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" \
+      | tee /etc/apt/sources.list.d/nodesource.list
+
+# Install tools
+RUN apt-get -qq -y update && \
+    apt-get -qq -y install \
+      build-essential \
+      nodejs \
+      git \
+      curl \
+      openssh-client \
+      gnupg \
+      jq \
+      less \
+      sudo \
+      && apt-get clean \
+      && rm -rf /var/cache/apt/archives /var/lib/apt/lists/*
+
+# Install holos
+RUN go install github.com/holos-run/holos/cmd/holos@latest
+
+# Install kubectl
+RUN mkdir -p /etc/ssl/certs
+COPY --from=kubectl /bin/kubectl /usr/local/bin/kubectl
+COPY --from=kubectl /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# Install helm to /usr/local/bin/helm
+# https://helm.sh/docs/intro/install/#from-script
+# https://holos.run/docs/v1alpha5/tutorial/setup/#dependencies
+RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 \
+  && chmod 700 get_helm.sh \
+  && DESIRED_VERSION=v3.16.2 ./get_helm.sh \
+  && rm -f get_helm.sh
+
+# Install go releaser
+RUN curl -fsSL -o install.sh https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh \
+  && chmod 700 install.sh \
+  && TAG=v2.5.0 ./install.sh \
+  && rm -f install.sh
+
+# Match GitHub Actions workspace UID of 1001
+RUN groupadd --gid 1001 app && \
+  useradd -m -d /app -c "App" -m --uid 1001 --gid 1001 app && \
+  usermod -aG sudo app && \
+  echo '%sudo ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/sudo
+
+# Change ownership to the runner UID
+RUN chown -R 1001:1001 /go
+
+WORKDIR /app
+USER app
+
+# Make a build cache for holos
+RUN git clone https://github.com/holos-run/holos && \
+  cd holos && \
+  make tools && \
+  make install
+
+# Cache test dependencies too, we don't care if the tests pass or not we want the cache.
+run cd holos && make test || true

runner/readme.md

@@ -0,0 +1,34 @@
+# Holos Runner
+
+This runner image is for speeding up workflows.
+
+## Manual publishing
+
+Log into ghcr.io
+
+```bash
+gh auth token | docker login ghcr.io -u $(gh api user --jq .login) --password-stdin
+```
+
+Configure buildx if you haven't.  See OrbStack [Multi-platform builds].
+
+```bash
+# Create a parallel multi-platform builder
+docker buildx create --name mybuilder --use
+# Make "buildx" the default
+docker buildx install
+# Build for multiple platforms
+docker build --platform linux/amd64,linux/arm64 .
+```
+
+Build and push the image, remove the tags you don't want to push to.  Takes
+about 6 minutes on my M3 Max.
+
+```bash
+docker build --platform linux/amd64,linux/arm64 --push \
+  -t quay.io/holos-run/runner:latest \
+  -t ghcr.io/holos-run/runner:latest \
+  .
+```
+
+[Multi-platform builds]: https://docs.orbstack.dev/docker/images#multiplatform