I left Github a while ago and have been relying on simple pre-push scripts in my workflow, but would like to be able to test PRs from others without putting my machine at risk. Besides codeberg and radicle (neither of which have reliable CI), I also have a build machine, where I could run CI jobs, however it is important that the CI jobs can also run locally so that external people do not require access to the build machine.
Is there a CI that can do those things (run locally and remotely)?
I use forjero with forgero runners.
Basicly 100% compatible with GitHub actions and all locally run via podman.
Strong recommend. It’s all designed to work together and everything just works.
Isn’t Forgejo runner still in alpha though? How stable is it?
I can’t speak for general use. But use it to:
- Build Rust artifacts
- Rebuild static sites, upload them to a bucket, then clear the CDN cache.
It works perfectly for me and I have not run into issues. But it might be bad for other people. I just know it works well for me.
Great timing. I’m interested in this as well. I am currently attempting an ansible setup that runs podman containers in a couple lxc incus containers (developnent setup to mimic production) with forgejo and woodpecker on the other lxc container but it has been a battle.
Currently unable to figure out why the ‘general.community’ modules won’t get recognized by ansible.
Woodpecker with Ansible. Woodpecker will give container environment and using Ansible will reduce dependency on the CI tool.
Woodpecker has a alpine linux based container for Ansible. It will take some time to setup, but will make the life much easier.
Why ansible? I’m not sure how that fits in. Does that make running it locally easier? An example of working setup that I can checkout and run would be useful.
As I mentioned it is to reduce dependency on CI tool. You may have to shift the tool in the future and if you use a lot of commands specific to the CI tool, that is going to be a nightmare.
Ansible is agent less and only needs SSH access. You can SSH into your local system, from the same local system. Need to add few entries in your SSH
configandknown_hosts. Essentially everything in Ansible are shell commands. So you are not really that much locked into Ansible.On the question,
Does that make running it locally easier?
If you mean making it easier compared to remote, on the surface level, the answer is ‘no’. But it makes CI pipeline easier to run independent of your environment. Ansible is here to reduce dependency on a specific tool.
Bonus point is you can also create a working but basic CD system with Ansible.
I’m attempting this setup as well. It’s been a struggle but i am also new to a lot of this.
Gitlab runners can run locally
I don’t think that’s accurate, the post is from seven years ago. Additionally there are a lot of materials online that indicate your still can - https://virtualizare.net/devops/how-to-run-gitlab-runner-locally-best-practices.html
Oh, thanks for letting me know
I set up Forgejo with Woodpecker CI some days ago and it’s been great so far
Are you able to run woodpecker locally from the repository? As in can
woodpecker runin the checked out repository run the CI jobs?It also has a CLI tool that I know can re-run your pipeline locally for debugging, so just running it normally should also be possible. Haven’t used either so far though.
I can’t find documentation about that unfortunately 🧐 There’s
woodpecker-cli execbut after testing that on the example pipeline, it does nothing even with verbose logging.Do you have a functional example somewhere?
I remember seeing dagger trying to solve exactly this problem around 3 years ago, but it was still in alpha at that time. Not sure how good it is now.
After perusing the docs, this looks more like it. Thank you. I’ll just have to explore how it can be combined with projects that use nix and those that don’t. My biggest issue with CIs has always been caching, but as the saying goes “there are 2 hard problems in computer science…”
You may try out https://github.com/melezhik/sparky which is a local / remote task runner with nice front end and scripts could be written on many languages
Earthly!
would like to be able to test PRs from others without putting my machine at risk
I know what you mean, but do you not read the diff? Are you working on codebases that are so obfuscated that you can’t spot a malicious command?
What if they pull in a new dependency with a CVE or that executes malicious code? How am I supposed to check that? Or what if I miss a bug in the justfile or shell script?