# The base image is referenced by tag only, so the content behind fedora:43 can
# change between builds.
# NOTE(review): append an @sha256:<digest> pin if builds must be reproducible.
FROM registry.fedoraproject.org/fedora:43

# act_runner release fetched by the download step below; override with
# --build-arg ACT_RUNNER_VERSION=<version>.
# NOTE(review): RUN steps after an ARG see it as an environment variable, so
# changing this value can also invalidate the cached dnf layers.
ARG ACT_RUNNER_VERSION=0.6.1

# Mirror resilience: append three settings to dnf's main config so slow or
# flaky mirrors are tolerated (fastest-mirror probing, more retries, and a
# longer timeout).
RUN printf '%s\n' \
        'fastestmirror=True' \
        'retries=10' \
        'timeout=300' \
    >> /etc/dnf/dnf.conf

# Base packages: git for checkout, podman-remote for job containers,
# ca-certificates for internal PKI, jq for workflow expressions.
# Weak dependencies are disabled to keep the package set small.
# The whole transaction is attempted up to three times, 10 s apart, so a
# single bad mirror does not fail the build. The third failure aborts the
# layer with exit status 1.
# Package versions are not pinned, so the installed set follows the Fedora
# repositories at build time.
RUN n=0; \
    until dnf install -y --setopt=install_weak_deps=False \
            appstream \
            ca-certificates \
            curl \
            desktop-file-utils \
            git \
            jq \
            nodejs \
            npm \
            podman-remote \
            rsync; \
    do \
        n=$((n+1)); \
        if [ "$n" -ge 3 ]; then \
            exit 1; \
        fi; \
        echo "dnf install attempt $n failed, retrying in 10s..."; \
        sleep 10; \
    done \
    && dnf clean all

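# Fedora's nodejs rpm does not bundle corepack, so pnpm is installed directly
# from the npm registry rather than through corepack.
# PNPM_VERSION defaults to "latest" to keep the previous behaviour, but that
# means every rebuild may pull a different, unreviewed pnpm release. Pass
# --build-arg PNPM_VERSION=<version> to pin a known release.
# The npm cache is cleared in the same layer so it does not end up in the image.
ARG PNPM_VERSION=latest
RUN npm install -g "pnpm@${PNPM_VERSION}" \
    && npm cache clean --force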

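# Install the act_runner binary from the upstream release page.
# The download is staged in /tmp and only installed into PATH after the digest
# check, so a failed verification never leaves an executable behind.
# ACT_RUNNER_SHA256 defaults to empty for backward compatibility. Set it with
# --build-arg ACT_RUNNER_SHA256=<sha256 of the release asset> so that a
# tampered or truncated download fails the build instead of being shipped.
# NOTE(review): the asset name hard-codes linux-amd64.
ARG ACT_RUNNER_SHA256=""
RUN curl -fsSL \
        "https://gitea.com/gitea/act_runner/releases/download/v${ACT_RUNNER_VERSION}/act_runner-${ACT_RUNNER_VERSION}-linux-amd64" \
        -o /tmp/act_runner \
    && if [ -n "${ACT_RUNNER_SHA256}" ]; then \
           echo "${ACT_RUNNER_SHA256}  /tmp/act_runner" | sha256sum -c -; \
       else \
           echo "WARNING: ACT_RUNNER_SHA256 not set; act_runner download was not verified" >&2; \
       fi \
    && install -m 0755 /tmp/act_runner /usr/local/bin/act_runner \
    && rm -f /tmp/act_runner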

# Internal CA trust: bake the organisation's root CA into the system trust
# store. COPY needs root-internal.pem in the build context and fails the build
# if it is missing, so this step is not a no-op and cannot be skipped.
# After update-ca-trust, every client in the image that uses the system store
# trusts this root, so the file in the build context should be the intended
# public certificate only.
# NOTE(review): a CA that is only bind-mounted at run time would presumably need
# update-ca-trust to run again inside the container. Confirm how the bind-mount
# path is meant to work.
COPY root-internal.pem /etc/pki/ca-trust/source/anchors/root-internal.pem
RUN update-ca-trust

# No USER instruction: the runner stays root inside the container because it
# needs the bind-mounted rootful host Podman socket. Access to that socket
# amounts to root on the host, so any workflow scheduled on this runner should
# be treated as host-privileged.
# gongfoo-agent supplies the actual command as the container command. With this
# ENTRYPOINT it is handed to `/bin/sh -c` as the script string.
ENTRYPOINT ["/bin/sh", "-c"]
