carrtech/ct-ops
2
0
Fork 0
Code Issues 2 Pull requests 1 Projects Releases 130 Packages Wiki Activity Actions

fix(ci): restore Forgejo runner autoscaler capacity #14

New issue
Open
opened 2026-05-18 21:56:52 +00:00 by simon · 0 comments
simon commented 2026-05-18 21:56:52 +00:00
Owner
Copy link

Summary

During the web/v0.159.1 publication recovery, organization-level Forgejo Actions runners did not scale as expected. The queue had many waiting ubuntu-latest jobs, but only one active runner was attached to a stale pre-patch publish job. The documented runner host (claude@192.168.8.235) was not reachable from this environment (No route to host), so I could not restart or inspect the autoscaler directly.

Evidence

  • orgs/carrtech/actions/runners/jobs showed many ubuntu-latest jobs waiting while the stale Build and publish web image task remained running.
  • Three old jobs remain waiting on ubuntu-24.04-arm:
    • Build web image (linux/arm64)
    • Build ingest image (linux/arm64)
    • Build ansible-api image (linux/arm64)
  • Deleting the active runner registration did not clear the stuck task.
  • Forgejo API does not expose cancel/stop endpoints for actions runs on this instance.
  • I had to register a temporary local ephemeral runner to publish docker.io/carrtechdev/ct-ops-web:v0.159.1.

Impact

Release publication can stall when the autoscaler does not start enough ubuntu-latest runners or when jobs target labels with no active runner, especially ubuntu-24.04-arm.

Suggested Fix

  • Inspect and restart forgejo-runner-autoscaler.service on the runner host.
  • Confirm stale Incus runner VMs are cleaned up and MAX_RUNNERS capacity is available.
  • Either provision ubuntu-24.04-arm runners or migrate those jobs to the supported ubuntu-latest multi-arch Buildx path.
  • Add an operational runbook for cancelling stuck Forgejo Actions runs or stale runner registrations.
## Summary During the web/v0.159.1 publication recovery, organization-level Forgejo Actions runners did not scale as expected. The queue had many waiting `ubuntu-latest` jobs, but only one active runner was attached to a stale pre-patch publish job. The documented runner host (`claude@192.168.8.235`) was not reachable from this environment (`No route to host`), so I could not restart or inspect the autoscaler directly. ## Evidence - `orgs/carrtech/actions/runners/jobs` showed many `ubuntu-latest` jobs waiting while the stale `Build and publish web image` task remained running. - Three old jobs remain waiting on `ubuntu-24.04-arm`: - `Build web image (linux/arm64)` - `Build ingest image (linux/arm64)` - `Build ansible-api image (linux/arm64)` - Deleting the active runner registration did not clear the stuck task. - Forgejo API does not expose cancel/stop endpoints for actions runs on this instance. - I had to register a temporary local ephemeral runner to publish `docker.io/carrtechdev/ct-ops-web:v0.159.1`. ## Impact Release publication can stall when the autoscaler does not start enough `ubuntu-latest` runners or when jobs target labels with no active runner, especially `ubuntu-24.04-arm`. ## Suggested Fix - Inspect and restart `forgejo-runner-autoscaler.service` on the runner host. - Confirm stale Incus runner VMs are cleaned up and `MAX_RUNNERS` capacity is available. - Either provision `ubuntu-24.04-arm` runners or migrate those jobs to the supported `ubuntu-latest` multi-arch Buildx path. - Add an operational runbook for cancelling stuck Forgejo Actions runs or stale runner registrations.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
codex/docs-menu-link
ci/forgejo-ansible-api-debian
ci/forgejo-nexus-docker-proxy-apk
ci/forgejo-nexus-docker-proxy
release-please--branches--main
chore/sync-shared-agent-instructions-25823681308
fix/agent-token-url-modal
chore/sync-shared-agent-instructions-25823634922
codex/fix-docker-inventory-conn-busy
codex/docker-host-retention-done
codex/docker-host-retention
codex/docker-global-retention
codex/fix-ansible-host-log-scope
codex/fix-people-direct-signups
codex/show-unscoped-pending-users
codex/fix-people-after-org-removal
codex/remove-org-task-11-run8
codex/fix-dashboard-instance-scope
codex/remove-org-task-11-run6
codex/remove-org-task-5-run3
codex/remove-org-task2-auth-onboarding
codex/remove-org-task1-reset-schema
fix/install-api-403
fix/bundle-agent-0343
fix/agent-self-update-release-probe
fix/web-release-self-update-cert
fix/agent-self-update-download-tls
fix/patch-age-calendar-days
codex/carrtech-ct-ops-brand
fix/auth-2fa-login-action
perf/password-manager-user-experience
codex/legal-notice-licence-tiers
codex/legal-risk-disclaimer
feat/password-manager-task15-e2e-v2
feat/password-manager-route-shell
codex/task7-password-manager-bundle-v2
fix/bug-scan-agent-org-token
fix/issue-908-ldap-2fa-run2
fix/issue-908-ldap-2fa
fix/issue-888-notification-access
copilot/fix-privileged-server-actions
copilot/fix-slack-webhook-credential-exposure
copilot/fix-cross-user-inbox-access
copilot/fix-drizzle-migration-metadata-drift
chore/sync-shared-agent-instructions-25329056889
chore/sync-shared-agent-instructions-25326253587
feat/password-vault-schema
docs/password-vault-architecture
chore/sync-shared-agent-instructions-25313095713
chore/sync-shared-agent-instructions-25312041197
docs/remove-ct-passwd-plan
docs/ct-passwd-dedicated-repo-note
automation/impliment-ct-passwd
feat/licence-verifier-key-rotation
docs/ct-passwd-implementation-plan
fix/seat-licence-activation-refresh
fix/upgrade-licence-key-perms
fix/upgrade-missing-backup
fix/force-web-licence-key-release
fix/release-fetch-licence-public-key
feat/licence-public-key-repo
fix/invite-membership
feat/ct-ops-seat-expiry-admission
fix/start-tls-dir-permissions
fix/web-entrypoint-postgres-env
codex/add-upgrade-helper
codex/fix-installer-web-release
fix/install-db-url-password
docs/plugin-auth-licensing
docs/ct-cve-final-residue-audit
fix/web-release-cve-cleanup
fix/ct-cve-release-guidance
feat/ct-cve-residue-audit
feat/remove-ct-cve-source-settings
feat/ct-cve-connector-setup-ui
feat/ct-cve-gui-logs
feat/ct-cve-next-task
codex/fix-auth-cookie-redirect-loop
fix/auth-redirect-loop
feat/ct-cve-connection-status
feat/ct-cve-inventory-export
feat/ct-cve-finding-ingest
feat/ct-ops-ct-cve-connector
feat/ct-cve-source-config-ui
feat/ct-cve-gui-phase8
docs/track-ct-cve-distro-sync
ct-cve-phase7-next
docs/track-ct-cve-feed-sync
ct-cve-next-slice
docs/track-ct-cve-release-publishing
docs/ct-cve-dependent-product-plan
feat/ct-cve-bootstrap
ct-cve-api-contract
docs/licensing-ui-seat-docs
docs/migration-coordination-refresh
feat/remove-pro-core-gates
feat/remove-pro-gates
feat/seat-capacity-model
docs/migration-plan-cleanup-rule
feat/seat-enforcement
docs/free-enterprise-seat-licensing
docs/ct-cve-migration-plan
automation/create-e2e-tests-for-ct-ops-20260429n
codex/tighten-rpm-version-compare
codex/redhat-csaf-package-ingest
automation/create-e2e-tests-for-ct-ops-20260429m
automation/create-e2e-tests-for-ct-ops-20260429k
fix/delete-host-patch-status
automation/create-e2e-tests-for-ct-ops-20260429j
fix/enrolment-token-command
automation/create-e2e-tests-for-ct-ops-20260429i
automation/create-e2e-tests-for-ct-ops-20260429T090218Z
automation/create-e2e-tests-for-ct-ops-20260429g
codex/rhel-compatible-rpm-hosts
codex/confirmed-linux-cve-matching
automation/create-e2e-tests-for-ct-ops-20260429f
fix/issue-760-tooling-role-gate
fix/agent-update-version-discovery
automation/create-e2e-tests-for-ct-ops-20260429e2
automation/create-e2e-tests-for-ct-ops-20260429e
codex/create-e2e-tests-for-ct-ops-20260429
fix/issue-743-install-token-leak
automation/create-e2e-tests-for-ct-ops-20260429d
automation/create-e2e-tests-for-ct-ops-20260429c
daily-bug-scan-20260429
automation/create-e2e-tests-for-ct-ops-20260429b
test/web-e2e-coverage-20260429
codex/create-e2e-tests-for-ct-ops-20260428run3
automation/create-e2e-tests-for-ct-ops-20260428run2
automation/create-e2e-tests-for-ct-ops-20260428z
codex/build-docs-rich-editor
automation/create-e2e-tests-for-ct-ops-20260428k
feat/vulnerability-detail-modal
fix/web-directory-lookup-e2e-release
automation/create-e2e-tests-for-ct-ops-20260428j
feat/vulnerability-management-interface
fix/web-certificate-checker-private-targets
feat/admin-ingest-status
automation/create-e2e-tests-for-ct-ops-20260428i
automation/create-e2e-tests-for-ct-ops-20260428h
codex/build-docs-capability
feat/linux-cve-checking
automation/create-e2e-tests-for-ct-ops-20260428g
fix/password-reset-smtp-relay
automation/create-e2e-tests-for-ct-ops-20260428f
feat/support-data-script
codex/create-e2e-tests-for-ct-ops
fix/agent-auto-update
feat/patch-status-report
codex/create-e2e-tests-for-ct-ops-20260428-100235
fix/move-network-tab
fix/web-admin-e2e-release
automation/create-e2e-tests-for-ct-ops-20260428090108
feat/admin-layout
automation/create-e2e-tests-for-ct-ops-20260428e
fix/e2e-auth-session-harness
feat/smtp-relay-test-recipient
codex/create-e2e-tests-for-ct-ops-20260428
automation/create-e2e-tests-for-ct-ops-20260428c
automation/create-e2e-tests-for-ct-ops-20260428b
automation/create-e2e-tests-for-ct-ops-20260428
feat/e2e-coverage-20260428
codex/create-e2e-tests-for-ct-ops-20260428-000235
fix/docs-pnpm-install-eagain
feat/central-smtp-settings
automation/create-e2e-tests-for-ct-ops-20260427
codex/email-verification-resend
docs/conventional-pr-titles
feat/notification-purge
docs/agents-worktree-instructions
codex/optional-email-verification
codex/add-test-completion-rule
codex/update-agent-security-rules
fix/issue-319-agent-config-perms
automation/create-e2e-tests-for-ct-ops
codex/fix-customer-bundle-image-ref-export
fix/web-docker-pnpm-retry
codex/fix-agent-heartbeat-jwt
codex/ssh-backed-terminal-access
automation/e2e-coverage-20260426
fix/bundle-transfer-mtls
fix/bundle-transfer-streaming
feat/bundle-transfer
fix/issue-274-session-auth
fix/bundle-transfer-route-types
feat/gitlab-latest-target
fix/pin-buildkit-image
feature/gitlab-bundler
fix/plugin-download-status
fix/web-installer-release-checks
fix/installer-release-bundle
claude/jenkins-plugin-dependency-test-GRblf
claude/jenkins-bundler-offline-script
claude/validate-jenkins-java-compatibility-5ee9d
claude/ingest-slowloris-fix
claude/jenkins-bundler-java-and-war-only
claude/release-event-trigger-recovery
claude/fix-release-docker-publish-dispatch
claude/debug-github-actions-HrpO8
claude/fix-duplicate-builds-0pL35
claude/jenkins-plugin-automation-pMCDp
claude/resolve-pr520-conflicts-LPXcm
claude/debug-github-actions-aH3Ce
claude/cleanup-github-actions-runners-wy27V
claude/fix-install-script-skip-verify
claude/fix-nginx-tls-init
claude/verify-secure-comms-MIPad
claude/debug-agent-install-3zc05
claude/add-mtls-security-PWQM7
feat/bake-agent-binaries-into-web-image
chore/rename-to-ct-ops
security/grpc-limits-jwt-symlink-perms
claude/fix-cloudflare-tunnel-terminal-ZVhJB
ci/self-hosted-runners
claude/pensive-dijkstra-6dd249
fix/ingest-dockerfile-harden
claude/github-issue-work-MkOq4
claude/fix-cloudflare-origin-error-IzjG1
claude/sweet-buck-4ebfe3
claude/add-support-uploads-qzgsl
claude/amazing-austin-35334d
claude/add-doc-reference-links-n6WPJ
feat/support-admin-health
feat/support-ticket-autorefresh
feat/support-markdown-rendering
fix/support-ai-trees-search
fix/support-worker-tool-logging
fix/support-worker-env
chore/support-env-example
claude/amazing-zhukovsky-65a873
claude/agent-windows-eventlog
claude/nervous-cannon-2c1634
claude/plan-ct-ops-features-SAqqo
fix/issue-357-agent-log-mode
fix/issue-352-timing-safe-comparisons
fix/issue-348-drop-sha1-fingerprint
fix/issue-350-env-example-comments
fix/issue-349-dev-tls-cert-expiry
fix/dependabot-broaden-major-ignores
fix/react-hooks-set-state-in-effect
fix/361-sast-scans
fix/363-secret-scanning
fix/364-sbom-per-release
fix/362-dependabot-config
fix/360-security-disclosure-policy
claude/thirsty-edison-812951
claude/condescending-gagarin-4aafe0
claude/romantic-volhard-f6eb45
claude/zealous-spence-f524ef
claude/cool-matsumoto-cf7094
claude/stripe-price-source-of-truth
claude/flat-pricing-no-seats
claude/mystifying-lichterman-e5b806
claude/distracted-ishizaka-91a269
claude/fix-deploy-docs-package-filter
claude/remove-licence-public-key-override
claude/recursing-yalow-0cd636
claude/amazing-kare-6c9f0d
claude/github-issues-Gxgxu
claude/improve-readme-Yb7v7
claude/github-issue-j7rds
fix/c09-delete-certificate-auth-check
fix/licence-purchase-contact-display
fix/licence-purchase-bootstrap-org
claude/recursing-driscoll-2d51a4
feat/notes-data-layer
claude/confident-heyrovsky-7750cb
feat/command-palette-scaffold
claude/competent-vaughan-38eeea
claude/keen-nobel-d2f362
claude/practical-ramanujan-275b00
revert/remove-podman-support
fix/rootless-podman-session-check
fix/podman-compose-compat
fix/podman-compose-missing-provider
claude/frosty-grothendieck-03ca48
claude/competent-roentgen-d7b502
claude/zen-wright-dfe08f
feat/podman-runtime-detection
claude/determined-rosalind-475a9a
claude/fix-ramp-sem-leak
claude/fix-connpool-negative-index
claude/fix-runid-test-flake
claude/loadtest-admin-key-forward
claude/cool-spence-511593
claude/nice-galileo-ea5007
claude/dreamy-knuth-258473
claude/fix-enrolment-url-env-JS3qR
claude/cert-checker-paste-and-key-input
claude/ssl-certificate-checker-kvI78
claude/update-start-sh-repo-CaoP7
claude/elated-taussig-d1af01
claude/work-github-issue-mi6fu
feat/directory-lookup-improvements
claude/funny-yalow-44f103
fix/directory-lookup-error-surfacing
feat/directory-lookup
docs/networks-graph-vuepress
feat/terminal-font-size
feat/terminal-tabs-and-splits
copilot/add-tty-terminal-capability
feat/network-graph-dashed-edges
feat/network-graph-animated-edges
feat/networks
copilot/fix-system-diagram-image-aspect-ratio
feat/migrate-docs-to-vuepress
fix/deploy-docs-pnpm-version
gh-pages
feat/docusaurus-docs-site
fix/export-rate-limit-and-error-modal
fix/software-report-chart-darkmode
feat/software-report-charts-firstseen
feat/software-report-unified-table
fix/delete-host-software-scans-fk
fix/delete-host-cascade
fix/delete-host-notifications-fk
fix/jwt-key-db-persistence
fix/inventory-failed-scan-visibility
fix/inventory-scan-polling
feat/software-report-improvements
fix/monitoring-cpu-spikes-and-alert-evaluation
fix/software-report-select-empty-value
fix/reports-fragment-keys
fix/windows-registry-import-conflict
feature/software-inventory
fix/agent-uninstall-cgroup-escape
feature/host-delete-uninstall-agent
feature/terminal-fixed-bottom
feature/host-notification-charts
feature/notification-trend-timerange
fix/notification-chart-axis-labels
feature/notification-improvements
feature/notification-channels
feature/terminal-ux-improvements
feature/terminal-persist-tabs
fix/terminal-panel-provider-scope
feature/terminal-panel-tabs
fix/terminal-login-auth
feature/terminal-per-user-auth
fix/terminal-shell-env-and-alma
fix/terminal-heartbeat-response-push
fix/terminal-agent-connection-diagnostics
fix/terminal-xterm-hidden-container
fix/terminal-heartbeat-and-ws-url
feat/chart-zoom-metrics-bucketing
docs/progress-update-sessions-21-27
feat/106-agent-task-framework
feat/105-host-groups
feat/101-token-list-copy-actions
fix/92-ldap-cert-preview-height
fix/92-ldap-cert-textarea-overflow
fix/heartbeat-liveness-check
fix/enrollment-token-usage-count
feat/agent-uninstall
feat/phase4-service-accounts
fix/agent-checks-reliability
fix/ci-agent-dist-missing
feat/phase2-complete-session15
claude/youthful-blackwell
fix/agent-heartbeat-backoff-reset
ci/inline-customer-bundle
fix/customer-bundle-dispatch
feat/customer-bundle
fix/ingest-bake-manifest-no-source-deps
fix/agent-self-update-restart
ci/docker-multi-arch
fix/start-pull-from-ghcr
copilot/explain-repository-structure
feat/agent-version-flag-and-ui-version
feat/alert-rules-and-notifications
release-please--branches--main--components--agent
feat/host-realtime-sse
bundle/v0.28.7
web/v0.160.0
bundle/v0.28.6
web/v0.159.5
bundle/v0.28.5
web/v0.159.4
bundle/v0.28.4
bundle/v0.28.3
web/v0.159.3
web/v0.159.2
bundle/v0.28.2
web/v0.159.1
bundle/v0.28.1
forgejo-ci-proof/v2026.05.17.2
ansible-api/v0.5.0
bundle/v0.28.0
web/v0.159.0
bundle/v0.27.3
web/v0.158.2
bundle/v0.27.2
ingest/v0.17.2
bundle/v0.27.1
ingest/v0.17.1
web/v0.158.1
bundle/v0.27.0
ingest/v0.17.0
web/v0.158.0
bundle/v0.26.0
bundle/v0.25.1
web/v0.157.1
bundle/v0.25.0
web/v0.157.0
bundle/v0.24.0
web/v0.156.0
bundle/v0.23.0
web/v0.155.0
ansible-api/v0.4.0
bundle/v0.22.0
web/v0.154.0
bundle/v0.21.0
web/v0.153.0
bundle/v0.20.3
web/v0.152.2
bundle/v0.20.2
bundle/v0.20.1
web/v0.152.1
bundle/v0.20.0
web/v0.152.0
bundle/v0.19.4
web/v0.151.4
bundle/v0.19.3
web/v0.151.3
bundle/v0.19.2
web/v0.151.2
bundle/v0.19.1
web/v0.151.1
bundle/v0.19.0
web/v0.151.0
bundle/v0.18.1
web/v0.150.1
bundle/v0.18.0
bundle/v0.17.0
ingest/v0.16.0
web/v0.150.0
bundle/v0.16.0
web/v0.149.0
bundle/v0.15.1
ingest/v0.15.1
bundle/v0.15.0
web/v0.148.0
agent/v0.38.1
bundle/v0.14.1
web/v0.147.1
bundle/v0.14.0
ingest/v0.15.0
web/v0.147.0
bundle/v0.13.0
ingest/v0.14.0
web/v0.146.0
bundle/v0.12.0
web/v0.145.0
bundle/v0.11.0
ingest/v0.13.0
bundle/v0.10.0
web/v0.144.0
bundle/v0.9.0
web/v0.143.0
bundle/v0.8.0
web/v0.142.0
agent/v0.38.0
bundle/v0.7.0
ingest/v0.12.0
web/v0.141.0
agent/v0.37.0
bundle/v0.6.0
web/v0.140.0
bundle/v0.5.0
ingest/v0.11.0
web/v0.139.0
agent/v0.36.0
bundle/v0.4.0
web/v0.138.0
bundle/v0.3.0
ingest/v0.10.0
web/v0.137.0
agent/v0.35.0
bundle/v0.2.0
ansible-api/v0.3.3
bundle/v0.1.7
bundle/v0.1.6
web/v0.136.2
bundle/v0.1.5
bundle/v0.1.4
web/v0.136.1
bundle/v0.1.3
bundle/v0.1.2
bundle/v0.1.1
ansible-api/v0.3.2
ansible-api/v0.3.1
ansible-api/v0.3.0
web/v0.136.0
web/v0.135.2
web/v0.135.1
web/v0.135.0
web/v0.134.0
web/v0.133.1
web/v0.133.0
web/v0.132.1
web/v0.132.0
web/v0.131.9
Labels
Clear labels   
E2E Failure
Regression found by end-to-end automation

  
area:agent
Go agent

  
area:audit-log
Audit logging

  
area:auth
Authentication

  
area:authz
Authorisation / RBAC

  
area:ci
CI / tooling / scanning

  
area:crypto
Cryptography / secrets

  
area:db
Database / schema

  
area:docker
Docker / deployment

  
area:headers
HTTP headers / CSP

  
area:ingest
gRPC ingest service

  
area:ldap
LDAP integration

  
area:rate-limit
Rate limiting / abuse prevention

  
area:ssrf
Server-side request forgery

  
area:supply-chain
Supply chain / deploy

  
area:terminal
Terminal / PTY

  
autorelease: pending

   
autorelease: tagged

   
bug
Something isn't working

  
claude-working

   
documentation
Improvements or additions to documentation

  
duplicate
This issue or pull request already exists

  
enhancement
New feature or request

  
good first issue
Good for newcomers

  
help wanted
Extra attention is needed

  
invalid
This doesn't seem right

  
priority: critical
Critical - blocking or data loss

  
priority: high
High priority - should be addressed soon

  
priority: low
Low priority - nice to have

  
priority: medium
Medium priority - address after high priority items

  
question
Further information is requested

  
security
Security finding from pre-pentest audit

  
sev:critical
Severity: Critical

  
sev:high
Severity: High

  
sev:info
Severity: Informational / Hardening

  
sev:low
Severity: Low

  
sev:medium
Severity: Medium

  
tests-required
Needs tests or stronger coverage before fix is complete

  
wontfix
This will not be worked on

No labels
E2E Failure
area:agent
area:audit-log
area:auth
area:authz
area:ci
area:crypto
area:db
area:docker
area:headers
area:ingest
area:ldap
area:rate-limit
area:ssrf
area:supply-chain
area:terminal
autorelease: pending
autorelease: tagged
bug
claude-working
documentation
duplicate
enhancement
good first issue
help wanted
invalid
priority: critical
priority: high
priority: low
priority: medium
question
security
sev:critical
sev:high
sev:info
sev:low
sev:medium
tests-required
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
carrtech/ct-ops#14
No description provided.