Forgejo Runner in rootless Podman on Debian

I wanted to experiment with Forgejo’s Actions as a DIY alternative to GitHub Actions, using a nearby Raspberry Pi as a build server. I also wanted to deviate slightly from their Runner installation process by executing the Runner and rootless Podman as a regular, non-privileged user and without using the system-level systemctl. It was pretty easy once I wrapped my head around it.

  1. Set up the runner user. Since I was using Podman, not Docker, I didn’t have to add it to the docker group. As root:
root# useradd --create-home forgejo-runner

This created user number 1001 on my system. Remember that number later when it’s time to configure systemd.

  2. Allow that user to run commands via systemctl without logging in and launching them manually:
root# loginctl enable-linger forgejo-runner
  3. Use machinectl instead of su to become the forgejo-runner user. Without this, most systemd commands will fail with the “Failed to connect to bus: No medium found” message. I’m certain there’s a way to get su or sudo to play nicely with dbus but I had more interesting problems to solve today than this.
root# apt install systemd-container
root# machinectl shell forgejo-runner@
  4. Run podman-system-service as the forgejo-runner user:
$ systemctl --user enable podman.socket
$ systemctl --user start podman.socket
  5. Run the forgejo-runner program as the forgejo-runner user. I lightly modified the standard forgejo-runner.service file:
$ mkdir -p ~/.config/systemd/user
$ cat > ~/.config/systemd/user/forgejo-runner.service <<'EOHD'
[Unit]
Description=Forgejo Runner
Documentation=https://forgejo.org/docs/latest/admin/actions/
After=podman.socket

[Service]
ExecStart=/usr/local/bin/forgejo-runner daemon
ExecReload=/bin/kill -s HUP $MAINPID
# 1001 is the forgejo-runner user's UID
Environment="DOCKER_HOST=unix:///run/user/1001/podman/podman.sock"

# This user and working directory must already exist
WorkingDirectory=/home/forgejo-runner
Restart=on-failure
TimeoutSec=0
RestartSec=10

[Install]
WantedBy=default.target
EOHD
$ systemctl --user daemon-reload
$ systemctl --user enable forgejo-runner.service
$ systemctl --user start forgejo-runner.service

I rebooted my RPi to make sure it would start on its own and it did. Yay! Now I can run Forgejo Actions on my little server and everything works as documented.
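A way to lint the unit before enabling it, as an added example that is not part of the original post or of Forgejo: it renders the unit with the socket path derived from a UID instead of a hard-coded 1001, then checks that DOCKER_HOST points into that user's runtime directory and that `$MAINPID` reached the file literally rather than being expanded to nothing by the shell. The function names `write_unit`, `unit_docker_host` and `check_runner_unit` are hypothetical.

```shell
#!/bin/sh
# Added example: render and lint a forgejo-runner user unit for rootless Podman.
# Function names are hypothetical; paths follow the unit shown in the post.

# write_unit FILE UID: write the unit with the Podman socket path derived from UID.
write_unit() {
    cat > "$1" <<EOF
[Unit]
Description=Forgejo Runner
After=podman.socket

[Service]
ExecStart=/usr/local/bin/forgejo-runner daemon
ExecReload=/bin/kill -s HUP \$MAINPID
Environment="DOCKER_HOST=unix:///run/user/$2/podman/podman.sock"
WorkingDirectory=/home/forgejo-runner
Restart=on-failure

[Install]
WantedBy=default.target
EOF
}

# unit_docker_host FILE: print the DOCKER_HOST value from Environment= (empty if absent).
unit_docker_host() {
    sed -n 's/^Environment="\{0,1\}DOCKER_HOST=\([^"]*\).*/\1/p' "$1" | tail -n 1
}

# check_runner_unit FILE UID: return 0 only if the unit matches the rootless setup for UID.
check_runner_unit() {
    unit=$1 uid=$2 rc=0
    want="unix:///run/user/$uid/podman/podman.sock"
    got=$(unit_docker_host "$unit")
    if [ "$got" != "$want" ]; then
        echo "DOCKER_HOST is '$got', expected '$want'" >&2; rc=1
    fi
    # An unquoted heredoc delimiter makes the shell expand $MAINPID to an empty string.
    if ! grep -q '^ExecReload=.*\$MAINPID' "$unit"; then
        echo "ExecReload lost \$MAINPID (heredoc delimiter not quoted?)" >&2; rc=1
    fi
    return $rc
}

# Usage: sh lint-unit.sh ~/.config/systemd/user/forgejo-runner.service "$(id -u)"
if [ "$#" -eq 2 ]; then
    check_runner_unit "$1" "$2"
fi
```
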

How California sent residents’ personal health data to LinkedIn – The Markup:

As visitors filled out forms on the website, trackers on the same pages told LinkedIn their answers to questions about whether they were blind, pregnant, or used a high number of prescription medications.

Do not, ever, use a web browser without an ad-blocker. Even the FBI and NSA officially recommend it.

Gitea vs Forgejo development activity

I was curious whether Gitea or its recent fork, Forgejo, has had more development activity. I cloned both repos (Gitea’s from GitHub; Forgejo’s from Codeberg, which runs on Forgejo) and ran this command:

$ git log --since="1 year ago" --format="%an" | sort | uniq -c | sort -n | wc -l

to get an overview of things. That showed 153 people (including a small handful of bots) contributing to Gitea, and 232 people (and a couple of bots) contributing to Forgejo. There are some dupes in each list — showing separate accounts for “John Doe” and “johndoe”, that kind of thing — but the numbers look small and similar to me so I think they can be safely ignored.

Some commenters have suggested that Gitea’s development model rebases pull requests onto the main branch instead of applying the individual commits, and that Forgejo does the opposite. This would make it artificially look as though Forgejo has more commit activity.

However, it looks to me like Forgejo is using a similar process of combining lots of smaller PR commits into a single merge commit. The vast majority of its commits since June 2024 or so seem to be 1-commit-per-PR. Changing the above command to --since="2024-07-01" reduces the number of unique contributors to 136 for Gitea and 217 for Forgejo. It also shows 1,228 commits for Gitea and 3,039 for Forgejo, and I do think that’s a legitimately apples-to-apples comparison.

If we brute force it and run

$ git log --since="1 year ago" | rg '\(\#\d{4,5}\)' | wc -l

to match lines that mention a PR (like “Simplify review UI (#31062)” or “Remove title from email heads (#3810)”), then I find 1,256 PR-like Gitea commits and 2,181 Forgejo commits.

I also wondered how many committers were in both repos. I got this from:

$ git log --since="2024-07-01" --format="%an" | sort | uniq > /tmp/users.{whichever}
$ comm -12 /tmp/users.gitea /tmp/users.forgejo | wc -l # Users with commits in both
      67
$ comm -13 /tmp/users.gitea /tmp/users.forgejo | wc -l # Users with Forgejo commits, but not Gitea
     150
$ comm -23 /tmp/users.gitea /tmp/users.forgejo | wc -l # Users with Gitea commits, but not Forgejo
      69

67 users committed to both. Without digging into it, the likeliest explanation to me is that this is mostly due to the projects pulling commits from each other, although nothing I know of keeps an author from sending patches to both. 69 contributors participated in Gitea and not Forgejo. Another 150 contributed to Forgejo but not Gitea.

And finally, their respective activity pages (for Gitea and for Forgejo) show a similar story.

I’m not an expert in methodology here, but from my initial poking around, it would seem to me that Forgejo has a lot more activity and a larger variety of contributors than Gitea does.

Updated rate limits for unauthenticated requests - GitHub Changelog

Summary: Microsoft is locking down access to FOSS source code unless viewers create accounts and log in. This is an excellent time to move projects you own to something you can actually control, like Forgejo.

I just noticed that Forgejo 11 LTS is out now. It’s time to upgrade my older v7 LTS setup!

Released Wonk v0.8.0

I just pushed Policy Wonk v0.8.0.

There are no code changes, just dependency updates and other cleanups. Now requires Python 3.9+, the oldest supported version. Migrated from poetry=>uv, black/flake/pylint=>ruff. Fixed minor typing deprecations.

Send help, can’t move, besieged by wildcats.

A tiny, orange kitty is sound asleep against someone’s leg.

Happy Mother’s Day to anyone who’s ever been Mom!

Trump’s national security adviser Mike Waltz and his deputy to leave posts in White House, sources say - CBS News

In March, Waltz came under scrutiny after he put together a Signal chat and mistakenly included The Atlantic’s Jeffrey Goldberg, disclosing discussions with top national security officials about plans for a military strike on Houthi targets in Yemen.

Part of being a security adviser is being, you know, competent at security.

Down the liminal line.

Down the length of the SF Transit Center, with a row of lights disappearing into a distant vanishing point.

The new office’s view is quite nice.

View from 20 floors up in a building, overlooking SF's Transamerica Pyramid, Coit Tower in the distance, lots of fog, and Angel Island on the horizon.

My camera can’t capture the glowing orangey-pinks and violets of these flowering bushes on the sidewalk.

The aforementioned orangey-pink and violet flower bushes

Researchers Secretly Ran a Massive, Unauthorized AI Persuasion Experiment on Reddit Users:

This is utterly despicable. “Scientists” performed human research on unconsenting persons, and reported that they successfully persuaded some people to change their views by lying to them with AIs.

Did they contact all those people later to explain that they’d been lied to? Or are they still wandering around with their changed opinions, persuading their friends, and voting?

  1. Screenshot your LinkedIn app home screen.

  2. Make a web page with that background.

  3. Add a link at the top to display the QR code of your choice.

  4. Add a link to that on your home screen.

Voila. Now you can make anyone at any tech conference open the QR code of your choosing. “Hey, let’s be buddies!”

Sharon Osbourne calls for Irish band’s U.S. visas to be revoked after Coachella show - pennlive.com

“At a time when the world is experiencing significant unrest, music should serve as an escape, not a stage for political discourse.”

This is the stupidest possible take on music and art. Her husband sang “War Pigs”.

California is now 4th-largest economy in world, surpassing Japan

Some Americans constantly talk about how much CA supposedly sucks and is on the edge of collapse. My favorite criticism is that “no one wants to live there because it’s so expensive”, although the fundamentals of capitalism explain that it’s so expensive because so many people want to live there.

Meanwhile, back in reality…

Synology Lost the Plot with Hard Drive Locking Move - ServeTheHome

Summary: Synology wants to force users to buy Synology-branded HDs in even their consumer NASes. If they do this, I’ll never buy another NAS from them, ever.

Imagine Toyota requiring you to use Toyota gasoline. No way, no how.

How to bypass Credit Karma's 2FA

Locked out of your Credit Karma account’s 2FA? No problem! Here’s how I can log into mine:

  1. Log in with my username and password.
  2. Try the 2FA challenge once and let it fail.
  3. Navigate to accounts.creditkarma.com

Ta-da! I’m in. I reported this a month ago but they haven’t acknowledged it as an issue yet. If I stumbled across this, you can bet the bad guys are already using it.

Street art in Berlin.

A painting hanging on a brick wall. It’s black and white of a young woman in a leather jacket, captioned “Look into your heart, There I’ll be”.

The afternoon’s adventure: Traveler’s Notebook aficionado nerdery.

Photo of a page in a notebook: “- Went to a nearby stationery store to get a Traveler’s Notebook stamp” And a red stamp saying “Luiban Berlin, Germany \[…\] Official Partner Shop Visit Pass”