# Self-hosted GitHub Actions runner image with twin baked in.
#
# Replaces the off-the-shelf actions/actions-runner image we currently
# use on the homebase ARC scaleset. Every workflow run now starts with
# the runner having a peer identity, registers itself in the capability
# catalog, and emits `runner_job_started/finished` acts to substrate.
#
# Structural fix for the GHA-runner ghs_* leak we found tonight:
# - The runner is now a peer with its own ephemeral identity per job.
# - `twin-fs-watcher` running inside catches any persistent `~/.gitconfig`
#   accumulation in real time + emits `git_config_modified`.
# - A SIGTERM handler in start.sh runs `git config --global --unset-all
#   url..insteadOf` so even if the cleanup step is skipped, the runner
#   purges its own tokens.
#
# Build + push:
#   docker buildx build --platform linux/amd64,linux/arm64 \
#     --build-arg TWIN_VERSION=v0.3.0 \
#     -t ghcr.io/arqera-io/arc-runner-with-twin:v0.3.0 \
#     --push .

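# Build-time knobs. Both are declared before FROM so the base tag can be
# parameterized; TWIN_VERSION is re-declared inside the stage below because
# a pre-FROM ARG is only visible in FROM lines.
ARG RUNNER_VERSION=2.319.1
ARG TWIN_VERSION=v0.3.0

FROM ghcr.io/actions/actions-runner:${RUNNER_VERSION}

# Root is needed only for the install steps below; we drop back to the
# base image's `runner` user before ENTRYPOINT.
USER root

# TARGETARCH is populated automatically by buildx for each --platform;
# it is empty under a non-BuildKit build, which the `case` below rejects.
ARG TARGETARCH
ARG TWIN_VERSION

# Optional sha256 digests (hex, as printed by `sha256sum`) of the two
# release archives for this TARGETARCH. Empty (the default) skips the
# check so existing builds keep working; set them to pin exactly what
# lands in /usr/local/bin, e.g.
#   --build-arg TWIN_SHA256=<sha256-of-twin-archive> \
#   --build-arg TWIN_FS_WATCHER_SHA256=<sha256-of-twin-fs-watcher-archive>
# Note these are per-arch: a multi-platform build needs one value per
# platform, so pinning is simplest with one single-platform build each.
ARG TWIN_SHA256=""
ARG TWIN_FS_WATCHER_SHA256=""

# Fetch the twin + twin-fs-watcher static builds from the ara-protocol
# release that matches TWIN_VERSION.
#
# The archives are downloaded to a temp dir first rather than piped into
# tar: under plain `sh -c` a failed or truncated curl in a `curl | tar`
# pipe is masked by tar's exit status, and a half-extracted binary could
# end up in the image. Downloading to a file lets curl's -f fail the
# build, gives the optional digest check something to verify, and lets us
# install only the two binaries so nothing else from the archive
# (README, LICENSE, ...) lands on PATH.
# Assumes, like the previous `--strip-components=1` extraction did, that
# each archive has a single top-level directory containing a binary named
# after the tool.
RUN case "$TARGETARCH" in \
        amd64) ARCH="x86_64-unknown-linux-musl" ;; \
        arm64) ARCH="aarch64-unknown-linux-musl" ;; \
        *) echo "unsupported TARGETARCH '${TARGETARCH}' (expected amd64 or arm64)" >&2; exit 1 ;; \
    esac && \
    BASE="https://github.com/Arqera-IO/ara-protocol/releases/download/${TWIN_VERSION}" && \
    TMP="$(mktemp -d)" && \
    curl -fsSL --retry 3 -o "$TMP/twin.tar.xz" "$BASE/twin-${ARCH}.tar.xz" && \
    curl -fsSL --retry 3 -o "$TMP/twin-fs-watcher.tar.xz" "$BASE/twin-fs-watcher-${ARCH}.tar.xz" && \
    if [ -n "$TWIN_SHA256" ]; then \
        echo "$TWIN_SHA256  $TMP/twin.tar.xz" | sha256sum -c -; \
    fi && \
    if [ -n "$TWIN_FS_WATCHER_SHA256" ]; then \
        echo "$TWIN_FS_WATCHER_SHA256  $TMP/twin-fs-watcher.tar.xz" | sha256sum -c -; \
    fi && \
    mkdir -p "$TMP/twin" "$TMP/twin-fs-watcher" && \
    tar -xJf "$TMP/twin.tar.xz" -C "$TMP/twin" --strip-components=1 && \
    tar -xJf "$TMP/twin-fs-watcher.tar.xz" -C "$TMP/twin-fs-watcher" --strip-components=1 && \
    install -m 0755 "$TMP/twin/twin" /usr/local/bin/twin && \
    install -m 0755 "$TMP/twin-fs-watcher/twin-fs-watcher" /usr/local/bin/twin-fs-watcher && \
    rm -rf "$TMP"

# Set the mode at copy time instead of a follow-up `RUN chmod`, which would
# duplicate the file in a second layer. --chmod needs BuildKit, which the
# documented `docker buildx build` invocation always uses.
COPY --chmod=0755 runner-entrypoint.sh /usr/local/bin/runner-entrypoint.sh

# Everything after this runs unprivileged, including the entrypoint.
USER runner

# Override the base image's entrypoint so the runner's start is wrapped
# by our peer-bootstrap + cleanup hooks (exec form: the script is PID 1
# and receives SIGTERM directly, which the SIGTERM cleanup handler relies on).
ENTRYPOINT ["/usr/local/bin/runner-entrypoint.sh"]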
