Self-Service Runner Enrollment

Guide for the remaining GitLab compatibility enrollment path.

GitHub is the primary GloriousFlywheel runner surface. If your repo can use the Tinyland GitHub App and shared GitHub labels, start with GitHub Actions Runners instead.

Scope

Use this guide only when you still need the GitLab compatibility surface.

Current compatibility truth:

  • GitLab runners still exist on honey
  • they are not the primary product surface
  • they use GitLab runner managers plus HPA, not ARC’s queue-driven scale-to-zero
  • live honey tfvars keep manager and job pods on the sting compute node with explicit concurrent-job, HPA, and ephemeral-storage caps
  • cache and runtime defaults should match the current live platform contract

Quick Start

Runners are registered at the GitLab group level. Projects inside the matching group hierarchy can use them by adding workload tags in .gitlab-ci.yml.

build:
  tags: [nix]
  script:
    - nix build .#default

Available GitLab Compatibility Tags

Workload         | Tag    | Meaning
-----------------|--------|--------------------------------------------------------
general CI       | docker | ordinary validation, tests, docs, and build jobs
container builds | dind   | Docker-in-Docker jobs
Nix workloads    | nix    | Nix and flake workloads on the compatibility runner path

These tags are compatibility labels, not the GitHub shared-label contract.

Cache Contract

Nix

Nix-capable GitLab runners should receive:

  • ATTIC_SERVER=http://attic.nix-cache.svc.cluster.local
  • ATTIC_CACHE=main
  • ATTIC_PUBLIC_KEY
  • NIX_CONFIG with the Attic substituter and trusted public key

If a project intentionally uses its own internal Attic cache, it may override those variables explicitly at the job level.

Bazel

Where the compatibility runner path supports Bazel acceleration, use the runner-provided BAZEL_REMOTE_CACHE value rather than hard-coding an endpoint. Docker, DinD, and Nix compatibility lanes should also receive GF_BAZEL_SUBSTRATE_MODE=shared-cache-backed when the cache endpoint is present.

Do not use historical values such as:

  • grpc://bazel-cache.attic-cache-dev.svc.cluster.local:9092
  • https://attic.dev-cluster.example.com

Minimal Examples

Docker job

lint:
  tags: [docker]
  image: node:22
  script:
    - pnpm install --frozen-lockfile
    - pnpm check

Nix job

build:nix:
  tags: [nix]
  script:
    - nix build .#default

Verification

After tagging a job:

  1. run a pipeline
  2. confirm the job lands on the intended shared compatibility runner
  3. verify that Nix jobs see cache hits rather than rebuilding everything
  4. verify that Bazel jobs see GF_BAZEL_SUBSTRATE_MODE=shared-cache-backed before relying on cache-backed behavior

If the job only works with a legacy hostname override, the repo is still pinned to a stale cache contract and should be corrected.
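
The environment side of the checks above can be automated inside the job itself. The following is an added example, not part of GloriousFlywheel: the function name check_cache_contract is hypothetical, and it assumes the values of ATTIC_SERVER and ATTIC_PUBLIC_KEY appear verbatim inside NIX_CONFIG.

```shell
#!/bin/sh
# Added example: preflight for the cache contract described on this page.
# Prints one line per violation to stderr; returns non-zero if any were found.
check_cache_contract() {
    rc=0
    fail() { printf 'cache-contract: %s\n' "$1" >&2; rc=1; }

    # 1. No variable may still reference the historical endpoints listed above.
    for name in ATTIC_SERVER NIX_CONFIG BAZEL_REMOTE_CACHE; do
        eval "value=\${$name-}"
        case "$value" in
            *bazel-cache.attic-cache-dev.svc.cluster.local*|*attic.dev-cluster.example.com*)
                fail "$name references a historical cache endpoint" ;;
        esac
    done

    # 2. Nix lane: all four variables must be present.
    for name in ATTIC_SERVER ATTIC_CACHE ATTIC_PUBLIC_KEY NIX_CONFIG; do
        eval "value=\${$name-}"
        [ -n "$value" ] || fail "$name is not set"
    done

    # 3. NIX_CONFIG must name the same server and key the job was given.
    #    Assumption: both values appear verbatim inside NIX_CONFIG.
    if [ -n "${NIX_CONFIG-}" ]; then
        case "$NIX_CONFIG" in
            *"${ATTIC_SERVER:-<unset>}"*) ;;
            *) fail "NIX_CONFIG does not list ATTIC_SERVER as a substituter" ;;
        esac
        case "$NIX_CONFIG" in
            *"${ATTIC_PUBLIC_KEY:-<unset>}"*) ;;
            *) fail "NIX_CONFIG does not trust ATTIC_PUBLIC_KEY" ;;
        esac
    fi

    # 4. Bazel: the substrate mode must be present whenever an endpoint is.
    if [ -n "${BAZEL_REMOTE_CACHE-}" ] &&
       [ "${GF_BAZEL_SUBSTRATE_MODE-}" != "shared-cache-backed" ]; then
        fail "BAZEL_REMOTE_CACHE is set but GF_BAZEL_SUBSTRATE_MODE is not shared-cache-backed"
    fi

    return "$rc"
}
```

Source the file and call check_cache_contract as the first script line of a tagged job, so a stale or incomplete contract fails the job before any build step relies on the cache. A project that intentionally overrides the Attic variables at the job level still passes as long as its NIX_CONFIG is overridden consistently.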

GitHub Actions Reminder

For new enrollment or repo-first product guidance, prefer the GitHub runner path:

  • tinyland-nix
  • tinyland-docker
  • tinyland-dind
  • additive lanes such as tinyland-nix-heavy, tinyland-nix-kvm, and tinyland-nix-gpu where available
