the expectation of being able to run docker whenever in CI jobs is probably the single worst outcome of free GitHub Actions minutes because reproducing it in a bring-your-own-compute environment is borderline impossible unless you make every machine single-tenant
even if you make every machine single-tenant, most configurations of Forgejo Actions runners would enable malware to escape the build container, persist itself and infect all future releases
it's possible that LXC or firecracker-containerd would solve my problem here
@whitequark about 2 weeks ago I learned that “incus” is the new LXC

@whitequark so it turns out the folks who run linuxcontainers dot org have basically told canonical to play hide and go fuck yourself and blocked container image downloads from LXC tools. There's a very simple LXC-to-incus migration script available, and then everything just keeps on trucking after you change lxc to incus in command lines.

Also, nested containers work; I've got podman running inside an incus guest without elevated privileges.