From c14350f1353a9f67aee1e013aff3b834c92e3e98 Mon Sep 17 00:00:00 2001
From: Adrian Cowan
Date: Sun, 19 Apr 2026 17:55:17 +1000
Subject: [PATCH] ci: add Docker image pull validation job (Phase 2)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add image-pull job to .gitea/workflows/ci.yml that detects image changes in *.nomad.hcl files on PRs and pulls each changed image
- Remove act-runner labels config — default runner already uses docker.gitea.com/runner-images:ubuntu-latest which has docker CLI
- Remove CONFIG_FILE env var from act-runner (no longer needed)
- Mark Phase 2 complete in cicd-plan.md

---
 .gitea/workflows/ci.yml | 36 +++++++++++++++++++++++++++++
 2-nomad-config/act-runner.nomad.hcl | 14 -----------
 cicd-plan.md | 2 +-
 3 files changed, 37 insertions(+), 15 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 97fe3d0..b158eb8 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -52,3 +52,39 @@ jobs:
 echo "==> $f"
 nomad job validate "$f"
 done
+
+ image-pull:
+ name: Docker image pull validation
+ runs-on: ubuntu-latest
+ # Only run on PRs that touch nomad job specs
+ if: github.event_name == 'pull_request'
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Pull changed images
+ run: |
+ git fetch origin ${{ github.base_ref }}
+ IMAGES=$(git diff origin/${{ github.base_ref }}...HEAD -- '*.nomad.hcl' \
+ | grep '^+\s*image\s*=' \
+ | grep -oP '"[^"]+:[^"]+"' \
+ | tr -d '"' \
+ | sort -u)
+
+ if [ -z "$IMAGES" ]; then
+ echo "No image changes detected, skipping pull."
+ exit 0
+ fi
+
+ FAILED=0
+ while IFS= read -r image; do
+ echo "==> Pulling $image"
+ if ! docker pull "$image"; then
+ echo "ERROR: Failed to pull $image"
+ FAILED=1
+ fi
+ done <<< "$IMAGES"
+
+ exit $FAILED
diff --git a/2-nomad-config/act-runner.nomad.hcl b/2-nomad-config/act-runner.nomad.hcl
index c082d72..8abd6d2 100644
--- a/2-nomad-config/act-runner.nomad.hcl
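Review bot: The extraction step in the `Pull changed images` run block silently skips any image reference written without a tag or digest, because the second grep (`'"[^"]+:[^"]+"'`) requires a colon inside the quotes; a changed line such as `image = "nginx"` produces no candidate and the job prints "No image changes detected" and passes, which is exactly the case (implicit `latest`) a pull-validation gate should catch. Anchoring the match on the assignment itself and extracting the quoted value regardless of its form fixes this in one line: replace the two grep stages with `| grep -oP '^\+\s*image\s*=\s*"\K[^"]+' \` (the `tr -d '"'` stage then becomes a no-op and can go). Separately, `${{ github.base_ref }}` is expanded into the shell text twice; the usual hardening is to expose it once via a step-level `env:` entry (e.g. `BASE_REF: ${{ github.base_ref }}`) and reference `"$BASE_REF"` in both commands, so the branch name is passed as data rather than spliced into the script. The comment `# Only run on PRs that touch nomad job specs` overstates the `if:` condition, which only checks the event name; the path filtering happens inside the script, so `# Only run on PRs; the script itself filters to *.nomad.hcl changes` would be accurate.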
+++ b/2-nomad-config/act-runner.nomad.hcl @@ -29,7 +29,6 @@ job "act-runner" { env = { GITEA_INSTANCE_URL = "https://gitea-1ef0bea6b75a4fd3e9393a9f7f7e4b02.othrayte.one" - CONFIG_FILE = "/secrets/runner-config.yml" } # Required SOPS key: @@ -43,19 +42,6 @@ EOF env = true } - # Limit which images/labels the runner will accept so it doesn't pick up - # unrelated workloads if more runners are added later. - template { - data = <