chore: remove gce-github-runner, use GitHub-hosted runners (PDE-229)

Remove self-hosted GCE runner infrastructure in favor of GitHub-hosted
runners. This eliminates the security risk from shared service accounts
mounted into workflows.

Changes:
- Remove create-runner and delete-runner jobs
- Switch to ubuntu-latest runners
- GCP auth via Workload Identity Federation remains unchanged

Co-authored-by: Ona <no-reply@ona.com>

Author: corneliusludmann

.github/workflows/pull-request.yml

@@ -3,29 +3,26 @@ on:
   pull_request:
 
 jobs:
-  create-runner:
-    uses: gitpod-io/gce-github-runner/.github/workflows/create-vm.yml@main
-    secrets:
-      runner_token: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_TOKEN }}
-      gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }}
-    concurrency:
-      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-create-runner
-      cancel-in-progress: false
-
   build:
-    runs-on: ${{ needs.create-runner.outputs.label }}
-    needs: create-runner
+    runs-on: ubuntu-latest
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-build
       cancel-in-progress: true
     env:
       DAZZLE_VERSION: 0.1.17
       BUILDKIT_VERSION: 0.12.3
     steps:
+      - name: 🧹 Free disk space
+        run: |
+          echo "Before cleanup:"
+          df -h
+          sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache/CodeQL
+          sudo docker image prune --all --force
+          echo "After cleanup:"
+          df -h
+
       - name: 📥 Checkout workspace-images
         uses: actions/checkout@v5
-        with:
-          repository: gitpod-io/workspace-images
 
       - name: 🔧 Setup pre-commit
         run: |
@@ -40,14 +37,20 @@ jobs:
 
       - name: 🔆 Install dazzle
         run: |
-          curl -sSL https://github.com/gitpod-io/dazzle/releases/download/v${{env.DAZZLE_VERSION}}/dazzle_${{env.DAZZLE_VERSION}}_Linux_x86_64.tar.gz | sudo tar -xvz -C /usr/local/bin
+          curl -fsSL --retry 3 --retry-delay 5 -o /tmp/dazzle.tar.gz https://github.com/gitpod-io/dazzle/releases/download/v${{env.DAZZLE_VERSION}}/dazzle_${{env.DAZZLE_VERSION}}_Linux_x86_64.tar.gz
+          sudo tar -xvzf /tmp/dazzle.tar.gz -C /usr/local/bin
+          rm /tmp/dazzle.tar.gz
 
       - name: 🏗️ Setup buildkit
         run: |
-          curl -sSL https://github.com/moby/buildkit/releases/download/v${{env.BUILDKIT_VERSION}}/buildkit-v${{env.BUILDKIT_VERSION}}.linux-amd64.tar.gz | sudo tar xvz -C /usr
-          sudo buildkitd --oci-worker=true --oci-worker-net=host --debug --group docker &
-          sudo su -c "while ! test -S /run/buildkit/buildkitd.sock; do sleep 0.1; done"
-          sudo chmod +777 /run/buildkit/buildkitd.sock
+          curl -fsSL --retry 3 --retry-delay 5 -o /tmp/buildkit.tar.gz https://github.com/moby/buildkit/releases/download/v${{env.BUILDKIT_VERSION}}/buildkit-v${{env.BUILDKIT_VERSION}}.linux-amd64.tar.gz
+          sudo tar -xvzf /tmp/buildkit.tar.gz -C /usr
+          rm /tmp/buildkit.tar.gz
+          sudo nohup buildkitd --oci-worker=true --oci-worker-net=host --debug --group docker > /tmp/buildkitd.log 2>&1 &
+          echo "Waiting for buildkitd socket..."
+          timeout 30 bash -c 'while ! test -S /run/buildkit/buildkitd.sock; do sleep 0.5; done'
+          sudo chmod 777 /run/buildkit/buildkitd.sock
+          echo "buildkitd is ready"
 
       # A hack as GH action does not allow you to force override cache storing if there was a cache hit
       # https://github.com/actions/cache/issues/628#issuecomment-986118455
@@ -76,15 +79,3 @@ jobs:
       - name: 🖇️ Dazzle combine
         run: |
           dazzle combine localhost:5000/workspace-base-images --all
-
-  delete-runner:
-    if: always()
-    needs:
-      - create-runner
-      - build
-    uses: gitpod-io/gce-github-runner/.github/workflows/delete-vm.yml@main
-    secrets:
-      gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }}
-    with:
-      runner-label: ${{ needs.create-runner.outputs.label }}
-      machine-zone: ${{ needs.create-runner.outputs.machine-zone }}

.github/workflows/push-main.yml

@@ -6,24 +6,14 @@ on:
       - main
 
 jobs:
-  create-runner:
-    uses: gitpod-io/gce-github-runner/.github/workflows/create-vm.yml@main
-    secrets:
-      runner_token: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_TOKEN }}
-      gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }}
-    concurrency:
-      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-create-runner
-      cancel-in-progress: false
-
   # Build images using artifactory as image registry.
   # To implement manual approvals, the workflow uses an Environment.
   #
   # From your GitHub repo click Settings. In the left menu, click Environments.
   # Click New environment, set the name production, and click Configure environment.
   # Check the "Required reviewers" box and enter at least one user or team name.
   sync:
-    runs-on: ${{ needs.create-runner.outputs.label }}
-    needs: create-runner
+    runs-on: ubuntu-latest
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-sync
       cancel-in-progress: true
@@ -199,15 +189,3 @@ jobs:
             --keep-going \
             --dest docker \
             /.github/promote-images.yml "${DH_IMAGE_REGISTRY}/gitpod"
-
-  delete-runner:
-    if: always()
-    needs:
-      - create-runner
-      - sync
-    uses: gitpod-io/gce-github-runner/.github/workflows/delete-vm.yml@main
-    secrets:
-      gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }}
-    with:
-      runner-label: ${{ needs.create-runner.outputs.label }}
-      machine-zone: ${{ needs.create-runner.outputs.machine-zone }}

chunks/tool-vnc/gp-vncsession

@@ -52,7 +52,7 @@ if test ! -e /tmp/.X0-lock; then {
 	# Start vncserver
 	log::info "Starting tigerVNC server on port $VNC_PORT"
 	# vncserver -kill "${DISPLAY}"
-	start_service "$(command -v vncserver)" -geometry "${TIGERVNC_GEOMETRY:-1920x1080}" -SecurityTypes None $DISPLAY
+	start_service "$(command -v vncserver)" -geometry "${TIGERVNC_GEOMETRY:-1920x1080}" -SecurityTypes None "$DISPLAY"
 
 	# Wait
 	log::info "Waiting for the desktop to be fully loaded ..."