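# systemd service unit for a self-hosted GitHub Actions runner.
# Runs run.sh as an unprivileged user inside a systemd sandbox; read by
# systemd only. Directives are documented in systemd.exec(5),
# systemd.service(5) and systemd.resource-control(5).

[Unit]
Description=GitHub Actions Listener Daemon
After=network.target

[Service]
User=github-actions
WorkingDirectory=/var/lib/github-actions
Environment=HOME=/var/lib/github-actions
Type=exec
# NOTE(review): run.sh lives inside the only writable path granted below
# (ReadWritePaths). Anything executed by the runner, including workflow
# code, can therefore rewrite the script systemd launches, and that change
# persists across restarts. If the runner does not have to self-update in
# place, install run.sh in a read-only location and narrow ReadWritePaths
# to the work directory.
ExecStart=/var/lib/github-actions/run.sh

# Security hardening — filesystem view
NoNewPrivileges=true
# Entire filesystem read-only except the runner's own state directory.
ProtectSystem=strict
ReadWritePaths=/var/lib/github-actions
# ProtectHome=yes already makes /home, /root and /run/user inaccessible;
# the /home and /root entries in InaccessiblePaths overlap it and only /srv
# adds coverage. Kept explicit for readability.
ProtectHome=yes
InaccessiblePaths=/home /root /srv
PrivateTmp=true

# Security hardening — kernel interfaces and process attributes
# These generally do not affect ordinary build/test workloads; drop a line
# here only if a workflow demonstrably needs the interface it blocks.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true

# Devices — deny all device nodes except the GPU nodes listed below.
# Only the first NVIDIA device (nvidia0) and the first DRM card
# (card0 / renderD128) are allowed; hosts with more GPUs need one
# DeviceAllow line per additional node.
DevicePolicy=closed
DeviceAllow=/dev/nvidiactl rwm
DeviceAllow=/dev/nvidia0 rwm
DeviceAllow=/dev/nvidia-uvm rwm
DeviceAllow=/dev/dri/card0 rwm
DeviceAllow=/dev/dri/renderD128 rwm

# Capabilities — empty bounding set: the process starts with no
# capabilities and cannot regain any (NoNewPrivileges above also blocks
# setuid/fscaps escalation).
CapabilityBoundingSet=
AmbientCapabilities=

[Install]
WantedBy=multi-user.target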