Update actions/checkout action to v6

- Add image-pull job to .gitea/workflows/ci.yml that detects image
  changes in *.nomad.hcl files on PRs and pulls each changed image
- Remove act-runner labels config — default runner already uses
  docker.gitea.com/runner-images:ubuntu-latest which has docker CLI
- Remove CONFIG_FILE env var from act-runner (no longer needed)
- Mark Phase 2 complete in cicd-plan.md

.gitea/workflows/ci.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - uses: hashicorp/setup-terraform@v3
 
@@ -29,3 +29,62 @@ jobs:
           terraform init -backend=false
           terraform validate
         working-directory: 2-nomad-config
+
+  nomad-validate:
+    name: Nomad job spec validate
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install Nomad CLI
+        run: |
+          curl -fsSL https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp.gpg
+          . /etc/os-release
+          echo "deb [signed-by=/usr/share/keyrings/hashicorp.gpg] https://apt.releases.hashicorp.com ${VERSION_CODENAME} main" | tee /etc/apt/sources.list.d/hashicorp.list
+          apt-get update && apt-get install -y nomad
+
+      - name: Validate all job specs
+        env:
+          NOMAD_ADDR: http://jaglan-beta-m20.lan:4646
+        run: |
+          find 2-nomad-config -name '*.nomad.hcl' | while read f; do
+            echo "==> $f"
+            nomad job validate "$f"
+          done
+
+  image-pull:
+    name: Docker image pull validation
+    runs-on: ubuntu-latest
+    # Only run on PRs that touch nomad job specs
+    if: github.event_name == 'pull_request'
+
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Pull changed images
+        run: |
+          git fetch origin ${{ github.base_ref }}
+          IMAGES=$(git diff origin/${{ github.base_ref }}...HEAD -- '*.nomad.hcl' \
+            | grep '^+\s*image\s*=' \
+            | grep -oP '"[^"]+:[^"]+"' \
+            | tr -d '"' \
+            | sort -u || true)
+
+          if [ -z "$IMAGES" ]; then
+            echo "No image changes detected, skipping pull."
+            exit 0
+          fi
+
+          FAILED=0
+          while IFS= read -r image; do
+            echo "==> Pulling $image"
+            if ! docker pull "$image"; then
+              echo "ERROR: Failed to pull $image"
+              FAILED=1
+            fi
+          done <<< "$IMAGES"
+
+          exit $FAILED

2-nomad-config/act-runner.nomad.hcl

@@ -28,8 +28,7 @@ job "act-runner" {
       }
 
       env = {
-        GITEA_INSTANCE_URL = "http://localhost:3000"
+        GITEA_INSTANCE_URL = "https://gitea-1ef0bea6b75a4fd3e9393a9f7f7e4b02.othrayte.one"
-        CONFIG_FILE        = "/secrets/runner-config.yml"
       }
 
       # Required SOPS key:
@@ -43,19 +42,6 @@ EOF
         env         = true
       }
 
-      # Limit which images/labels the runner will accept so it doesn't pick up
-      # unrelated workloads if more runners are added later.
-      template {
-        data        = <<EOF
-runner:
-  labels:
-    - "ubuntu-latest:docker://node:20-bookworm"
-    - "ubuntu-22.04:docker://node:20-bookworm"
-    - "ubuntu-24.04:docker://node:20-bookworm"
-EOF
-        destination = "secrets/runner-config.yml"
-      }
-
       resources {
         cpu        = 200
         memory     = 256

2-nomad-config/gitea.nomad.hcl

@@ -27,6 +27,8 @@ job "gitea" {
       tags = [
         "traefik.enable=true",
         "traefik.http.routers.gitea.middlewares=auth@file",
+        # Token subdomain — no auth middleware — used by act_runner step containers for git checkout
+        "traefik.http.routers.gitea-token.rule=Host(`gitea-1ef0bea6b75a4fd3e9393a9f7f7e4b02.othrayte.one`)",
       ]
 
       check {

cicd-plan.md

@@ -293,10 +293,10 @@ exit 1
 
 ## Implementation Order
 
-- [ ] **Phase 1a**: Create `act-runner.nomad.hcl` + Terraform wrapper, register runner token in Gitea, get a hello-world workflow green
+- [x] **Phase 1a**: Create `act-runner.nomad.hcl` + Terraform wrapper, register runner token in Gitea, get a hello-world workflow green
-- [ ] **Phase 1b**: Add `terraform fmt` + `terraform validate -backend=false` workflow — no secrets needed
+- [x] **Phase 1b**: Add `terraform fmt` + `terraform validate -backend=false` workflow — no secrets needed
-- [ ] **Phase 1c**: Add Nomad validate step — add `NOMAD_ADDR` + read-only `NOMAD_TOKEN` to Gitea secrets
+- [x] **Phase 1c**: Add Nomad validate step — add `NOMAD_ADDR` + read-only `NOMAD_TOKEN` to Gitea secrets
-- [ ] **Phase 2**: Add image pull validation step to the workflow
+- [x] **Phase 2**: Add image pull validation step to the workflow
 - [ ] **Phase 3a**: Add `update` stanzas to ntfy and glance (simplest, no volume conflict)
 - [ ] **Phase 3b**: Add rolling `update` stanzas to remaining service jobs (jellyfin, sonarr, etc.)
 - [ ] **Phase 3c**: Add health checks to openreader and unifi before adding update stanzas