feat(infra): no more black for CI/runners — migrate LP CI+deploys to DO ct-forge on-demand runners

- Updated main ci.yml verify job and all deploy-*.yml to runs-on: [self-hosted, linux, do, ct-forge] (with comments referencing the migration and ct-forge IaC). - Updated setup-forgejo-host.sh header to note black deprecated for new CI; logic now in DO cloud IaC for ct-forge (horizontal on-demand). - Updated quinn.admin-api README to reflect DO runners (no black runner). - 'look at lp we have ct-forge': the DO ci-runners terraform/cloud-init is modeled on this script's provisioning (labels, host-mode, registration via PAT, SSH for deploys). - Matches 'no more black... we have DO' + ct-forge as canonical for runners/CI. - LP runtime still references black for DBs etc (per DESIGN), but CI/forge runners fully off black to DO.
2026-06-28 17:15:35 -04:00 · 2026-06-28 17:15:35 -04:00 · e289cdd6ef
commit e289cdd6ef
parent bc1f5b02bf
12 changed files with 26 additions and 17 deletions
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@ -16,7 +16,9 @@ concurrency:

 jobs:
  verify:
-    runs-on: [self-hosted, linux, black]
+    # Migrated off black to DO on-demand horizontally scaled ct-forge runners (see cocottetech/infra/terraform/ci-runners)
+    # Labels match the DO runner pool provisioned via Terraform + golden image + cloud-init (modeled on LP's setup-forgejo-host.sh logic but cloud-native on DO).
+    runs-on: [self-hosted, linux, do, ct-forge]
    # Fast push CI: template DB + 4 workers + 12-file smoke (~15m). Full suite on
    # workflow_dispatch (template + workers still apply; allow up to 90m).
    timeout-minutes: 90
--- a/.forgejo/workflows/deploy-quinn-admin-api.yml
+++ b/.forgejo/workflows/deploy-quinn-admin-api.yml
@ -19,7 +19,9 @@ concurrency:

 jobs:
  build-and-deploy:
-    runs-on: [self-hosted, linux, black]
+    # No more black for CI runners — now uses DO on-demand ct-forge runners (provisioned via cocottetech/infra/terraform/ci-runners, horizontally scaled, golden image from packer/test-fleet style).
+    # Runner has fleet SSH key; for black runtime access, ensure keys/VPN in cloud-init or separate secret. See LP setup-forgejo-host.sh for old black logic, now adapted to DO.
+    runs-on: [self-hosted, linux, do, ct-forge]
    timeout-minutes: 30

    steps:
--- a/.forgejo/workflows/deploy-quinn-admin-black-dev.yml
+++ b/.forgejo/workflows/deploy-quinn-admin-black-dev.yml
@ -19,7 +19,7 @@ concurrency:

 jobs:
  build-and-deploy:
-    runs-on: [self-hosted, linux, black]
+    runs-on: [self-hosted, linux, do, ct-forge]  # no more black; DO ct-forge on-demand runners via terraform (look at LP setup-forgejo-host.sh for old logic, now in cloud-init for ct-forge)
    # Full admin + api build + npm install on black routinely exceeds 45m on the single runner.
    timeout-minutes: 90

--- a/.forgejo/workflows/deploy-quinn-admin.yml
+++ b/.forgejo/workflows/deploy-quinn-admin.yml
@ -16,7 +16,7 @@ concurrency:

 jobs:
  build:
-    runs-on: [self-hosted, linux, black]
+    runs-on: [self-hosted, linux, do, ct-forge]  # no more black; DO ct-forge on-demand runners via terraform (look at LP setup-forgejo-host.sh for old logic, now in cloud-init for ct-forge)
    # admin build + e2e smoke routinely exceeds 45m on the single black runner.
    timeout-minutes: 90

@ -92,7 +92,7 @@ jobs:

  deploy:
    needs: build
-    runs-on: [self-hosted, linux, black]
+    runs-on: [self-hosted, linux, do, ct-forge]  # no more black; DO ct-forge on-demand runners via terraform (look at LP setup-forgejo-host.sh for old logic, now in cloud-init for ct-forge)
    timeout-minutes: 10

    steps:
--- a/.forgejo/workflows/deploy-quinn-api.yml
+++ b/.forgejo/workflows/deploy-quinn-api.yml
@ -14,7 +14,7 @@ concurrency:

 jobs:
  deploy:
-    runs-on: [self-hosted, linux, black]
+    runs-on: [self-hosted, linux, do, ct-forge]  # no more black; DO ct-forge on-demand runners via terraform (look at LP setup-forgejo-host.sh for old logic, now in cloud-init for ct-forge)
    # Single black runner — this job often queues behind ci.yml (~15m smoke).
    timeout-minutes: 45
    env:
--- a/.forgejo/workflows/deploy-quinn-data.yml
+++ b/.forgejo/workflows/deploy-quinn-data.yml
@ -14,7 +14,7 @@ concurrency:

 jobs:
  build:
-    runs-on: [self-hosted, linux, black]
+    runs-on: [self-hosted, linux, do, ct-forge]  # no more black; DO ct-forge on-demand runners via terraform (look at LP setup-forgejo-host.sh for old logic, now in cloud-init for ct-forge)
    timeout-minutes: 40
    env:
      NODE_OPTIONS: --max-old-space-size=4096
@ -93,7 +93,7 @@ jobs:

  deploy:
    needs: build
-    runs-on: [self-hosted, linux, black]
+    runs-on: [self-hosted, linux, do, ct-forge]  # no more black; DO ct-forge on-demand runners via terraform (look at LP setup-forgejo-host.sh for old logic, now in cloud-init for ct-forge)
    timeout-minutes: 25

    steps:
--- a/.forgejo/workflows/deploy-quinn-my.yml
+++ b/.forgejo/workflows/deploy-quinn-my.yml
@ -20,7 +20,7 @@ concurrency:

 jobs:
  build:
-    runs-on: [self-hosted, linux, black]
+    runs-on: [self-hosted, linux, do, ct-forge]  # no more black; DO ct-forge on-demand runners via terraform (look at LP setup-forgejo-host.sh for old logic, now in cloud-init for ct-forge)
    # The my/frontend-public build (lixbuild) alone runs ~16 min on the runner,
    # so the prior 20-min cap timed out the whole job (the root cause behind
    # quinn.my deploys never completing). Raised to 40 for headroom; the slow
@ -78,7 +78,7 @@ jobs:

  deploy:
    needs: build
-    runs-on: [self-hosted, linux, black]
+    runs-on: [self-hosted, linux, do, ct-forge]  # no more black; DO ct-forge on-demand runners via terraform (look at LP setup-forgejo-host.sh for old logic, now in cloud-init for ct-forge)
    timeout-minutes: 10

    steps:
--- a/.forgejo/workflows/deploy-quinn-newsletter.yml
+++ b/.forgejo/workflows/deploy-quinn-newsletter.yml
@ -16,7 +16,7 @@ concurrency:

 jobs:
  build:
-    runs-on: [self-hosted, linux, black]
+    runs-on: [self-hosted, linux, do, ct-forge]  # no more black; DO ct-forge on-demand runners via terraform (look at LP setup-forgejo-host.sh for old logic, now in cloud-init for ct-forge)
    timeout-minutes: 20

    steps:
@ -73,7 +73,7 @@ jobs:

  deploy:
    needs: build
-    runs-on: [self-hosted, linux, black]
+    runs-on: [self-hosted, linux, do, ct-forge]  # no more black; DO ct-forge on-demand runners via terraform (look at LP setup-forgejo-host.sh for old logic, now in cloud-init for ct-forge)
    timeout-minutes: 10

    steps:
--- a/.forgejo/workflows/deploy-quinn-vip.yml
+++ b/.forgejo/workflows/deploy-quinn-vip.yml
@ -14,7 +14,7 @@ concurrency:

 jobs:
  build:
-    runs-on: [self-hosted, linux, black]
+    runs-on: [self-hosted, linux, do, ct-forge]  # no more black; DO ct-forge on-demand runners via terraform (look at LP setup-forgejo-host.sh for old logic, now in cloud-init for ct-forge)
    timeout-minutes: 20

    steps:
@ -62,7 +62,7 @@ jobs:

  deploy:
    needs: build
-    runs-on: [self-hosted, linux, black]
+    runs-on: [self-hosted, linux, do, ct-forge]  # no more black; DO ct-forge on-demand runners via terraform (look at LP setup-forgejo-host.sh for old logic, now in cloud-init for ct-forge)
    timeout-minutes: 10

    steps:
--- a/.forgejo/workflows/deploy-quinn-www.yml
+++ b/.forgejo/workflows/deploy-quinn-www.yml
@ -18,7 +18,7 @@ concurrency:

 jobs:
  build:
-    runs-on: [self-hosted, linux, black]
+    runs-on: [self-hosted, linux, do, ct-forge]  # no more black; DO ct-forge on-demand runners via terraform (look at LP setup-forgejo-host.sh for old logic, now in cloud-init for ct-forge)
    # build + Playwright install + e2e smoke exceeds 30m on the single runner.
    timeout-minutes: 60

@ -90,7 +90,7 @@ jobs:

  deploy:
    needs: build
-    runs-on: [self-hosted, linux, black]
+    runs-on: [self-hosted, linux, do, ct-forge]  # no more black; DO ct-forge on-demand runners via terraform (look at LP setup-forgejo-host.sh for old logic, now in cloud-init for ct-forge)
    timeout-minutes: 10

    steps:
--- a/deployments/@domains/quinn.admin-api/README.md
+++ b/deployments/@domains/quinn.admin-api/README.md
@ -85,7 +85,7 @@ sudo systemctl enable quinn-admin-api.service
 - **DNS A record** for `api.transquinnftw.com` (UI task at whatever DNS host
  owns the apex — likely cloudflare).
 - **TLS cert** via certbot on quinn-vps.
- **SSH from runner to black host** — runner is dockerized; the deploy step
+- **SSH from runner to black host** — NO MORE BLACK RUNNERS (migrated to DO ct-forge on-demand). Runners now on DO (see cocottetech/infra/terraform/ci-runners; cloud-init + golden). For black runtime deploys, use SSH from DO runner (fleet key or quinn-ci-deploy provisioned). Old black runner logic in setup-forgejo-host.sh now in DO IaC.
  uses `ssh "$REMOTE"` which requires a key + known_hosts inside the runner
  container. Either bind-mount `/root/.ssh` from the host into the runner, or
  generate a deploy-specific key and add it to root@black's authorized_keys
--- a/infrastructure/setup-forgejo-host.sh
+++ b/infrastructure/setup-forgejo-host.sh
@ -1,6 +1,11 @@
 #!/usr/bin/env bash
 # =============================================================================
 # Forgejo Actions Runner Setup — IaC for CI hosts (apricot + black)
+# NOTE: NO MORE BLACK for CI/runners (per migration to DO). 
+# New ct-forge (cocottetech forge on DO) runners use Terraform IaC + packer golden + cloud-init (infra/terraform/ci-runners in cocottetech).
+# This script's logic (labels, host-mode :host in config, registration, SSH key for deploys) has been ported to cloud-init for DO on-demand horizontal scale.
+# LP CI + deploys now use [self-hosted, linux, do, ct-forge] (see .forgejo/workflows/* and cocottetech ci-runners).
+# Keep this for legacy apricot/black if still needed, but prefer DO/ct-forge going forward.
 # =============================================================================
 # Provisions forgejo-runner on the two CI hosts:
 #