Hosted runner image
Workflows that target `runs-on: fremforge` execute inside our hosted runner image (runner-base). It's a deliberately lean image: Alpine 3.22 plus the things every CI step touches. Customers pin specific language toolchain versions per job using standard setup-* actions, the same UX as GitHub Actions.
What’s baked in
| Group | Tools | Why baked in |
|---|---|---|
| Base | Alpine 3.22 | Smallest viable distro. |
| Shell + GNU coreutils | bash, coreutils, util-linux, findutils, grep, sed, gawk, diffutils, tzdata | Many actions assume GNU flag semantics; busybox alone breaks them. |
| Network + crypto | ca-certificates, curl, wget, openssl, openssh-client | Every workflow makes HTTP + SSH calls. |
| Archives | tar, gzip, xz, bzip2, unzip, zip | Standard formats CI workflows pull/produce. |
| VCS | git, git-lfs (initialised system-wide) | actions/checkout@v4 requires git ≥ 2.18. |
| Build essentials | build-base (gcc 14.x + make), pkgconf, autoconf, automake, libtool, cmake, linux-headers | Native node modules / Python wheels with C extensions / Go cgo build out of the box. |
| Data shape | jq, yq | Used by ~every CI step. |
| JS runtime | Node 22 LTS + npm | Required to run JavaScript-based actions (the `runs.using: node20 |
| Lint helpers | shellcheck, shfmt | Tiny footprint, big ergonomics for shell-heavy CI. |
| Security scan | gitleaks v8.30.1, trivy 0.70.0 | Pre-baked so secret/CVE scans add no setup time. |
| Container build | kaniko-executor v1.23.2 | Rootless OCI image build (no Docker daemon, see below). |
| Init | tini as PID 1 | Clean signal handling + zombie reaping. |
What’s NOT baked in (use setup-* actions)
We deliberately keep the image lean (~280 MB compressed; GitHub’s ubuntu-latest is ~50 GB). Customers pin the version they want via standard actions:
| Tool | How to install in your workflow |
|---|---|
| Python | actions/setup-python@v5 |
| Go | actions/setup-go@v5 |
| Rust | dtolnay/rust-toolchain@stable (or actions/setup-rust@vN once stable) |
| Java | actions/setup-java@v4 |
| .NET | actions/setup-dotnet@v4 |
| Ruby | ruby/setup-ruby@v1 |
| PHP | shivammathur/setup-php@v2 |
| kubectl / helm | azure/setup-kubectl@v4 / azure/setup-helm@v4 |
| Cloud CLIs (T Cloud / AWS / Azure / gcloud) | Per-job install via apk add, pip install, or vendor-provided actions |
| Docker daemon / docker CLI / docker-compose | Not available, see Container builds below for the kaniko-based alternative |
Container builds
CCI v2 (the runtime that backs every fremforge runner pod) doesn’t permit privileged containers, so Docker-in-Docker is not possible. Use kaniko (pre-baked at /usr/local/bin/kaniko) for rootless OCI image builds:
```yaml
- name: Build + push image
  run: |
    /usr/local/bin/kaniko \
      --context=$GITHUB_WORKSPACE \
      --dockerfile=Dockerfile \
      --destination=registry.example.com/$GITHUB_REPOSITORY:$GITHUB_SHA
```

For pure image copy (e.g. retag-and-push between registries) you can also use skopeo if you apk add skopeo at the start of your step.
Image size & cold-start time
The runner image is pinned weekly (every Monday 06:00 UTC): we rebuild on the latest Alpine patch set, run Trivy with HIGH/CRITICAL hard-fail, and publish the manifest under the runner-image manifests in Changelog. Each customer pod cold-starts in ~60-90 seconds (image pull + container init).
Sample workflow
A minimal “hello world” workflow that runs on fremforge runners:
```yaml
name: hello
on:
  push:
    branches: [main]
  workflow_dispatch: {}
jobs:
  smoke:
    runs-on: fremforge
    steps:
      - uses: actions/checkout@v4
      - name: Show what's available
        run: |
          echo "Hello from fremforge"
          uname -a
          node --version
          git --version
          jq --version
          shellcheck --version | head -2
          gitleaks version
          trivy --version | head -1
```

For a more realistic example with a language toolchain, see the workflow examples in Actions and CI/CD.
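The following workflow is an added example, not part of the fremforge documentation: it runs the pre-baked gitleaks and trivy as gates ahead of the kaniko step from Container builds, so the image is built and pushed only when both scans pass. The workflow and job names and the choice of scan flags are assumptions made for this example; registry.example.com is the page's own placeholder.

```yaml
# Added example: scan gates before the kaniko build (names and flags chosen for illustration).
name: scan-then-build
on:
  push:
    branches: [main]
jobs:
  image:
    runs-on: fremforge
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, so the secret scan covers every commit

      - name: Secret scan
        # Exits non-zero on any finding; --redact keeps matched secrets out of the job log.
        run: gitleaks git --redact --exit-code 1 .

      - name: Vulnerability + misconfiguration scan
        # Same HIGH/CRITICAL hard-fail policy the page describes for the runner image itself,
        # applied here to the repository's dependencies and its Dockerfile.
        run: |
          trivy fs \
            --scanners vuln,misconfig \
            --severity HIGH,CRITICAL \
            --exit-code 1 \
            .

      - name: Build + push image
        # Runs last: a failed scan step stops the job before anything is pushed.
        run: |
          /usr/local/bin/kaniko \
            --context="$GITHUB_WORKSPACE" \
            --dockerfile=Dockerfile \
            --destination="registry.example.com/$GITHUB_REPOSITORY:$GITHUB_SHA"
```

Both scanners are already on the image, so the gates add scan time but no install step; trivy still fetches its vulnerability database at run time, so the job needs outbound network access.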
Reporting issues with the runner image
If a tool you expected isn’t available, or you hit a Pod-runtime issue (security context, resource limits, network), file an issue at frem.sh/fremforge/runner-base or contact support. We respond same-business-day for hosted-runner regressions.