Improving my self-hosted actions runner setup

https://lobste.rs/rss
Summary

For a while now, I’ve self-hosted a runner to integrate with Gitea Actions. But there was something about it that was leaving me worried: in an age where software supply chain security is becoming more and more important, I felt like I needed to improve the security of the setup. The answer I arrived at, while not perfect (yet), is a great improvement over what I had before. This post will be a walkthrough of what I had, what I chose to replace it with and why, how I did it, and where I could still improve it.

In the beginning, there was act

The act runner started a long while ago, to offer the ability to run GitHub Actions, but locally. This would allow for both fast feedback loops, as a dev could now simulate GHA locally without any costs, as well as having a local task runner. This seemed like a perfect fit for a project like Gitea; in our day and age, a git forge without an integrated CI/CD pipeline is pretty much a no-go for any “serious work”.

As of roughly 3 weeks ago, the fork became more pronounced. “act_runner” became just “runner”, the semver jumped to v1.0.0, and the pace of development seems to have accelerated considerably - I fear we all know why, but let’s hope this doesn’t translate into a rotting of the software.

In any case, this ties into my worries. I have to admit that I haven’t been a very good sysadmin. For a while now, I was running the runner directly on my system. Old-school, bare-metal. Now, I’m not an idiot-sandwich: the runner was properly configured with its own user, dirs, and permissions. More importantly, I was only running it for my own pipelines, so I had a reasonable degree of confidence that this was okay. But every day, I kept reading about shai-hulud; GitHub tokens getting stolen; worms spreading; CI/CD pipelines getting pwned left and right. And while I only write software in Go, and the ecosystem has been relatively safe for now, there is no reason for me to relax.
On the contrary, the time to improve the situation is before p...

First seen: 2026-05-23 18:41

Last seen: 2026-05-23 18:41