# runner-config.yaml (excerpt: only the container section is shown)
container:
  # Docker endpoint handed to each job container as DOCKER_HOST.
  docker_host: 'unix:///var/run/docker.sock'

  # Allow-list of host paths that workflows may mount; the Docker socket
  # is the only entry.
  valid_volumes:
    - '/var/run/docker.sock'

  # Extra arguments appended to `docker run` when the runner starts a job
  # container; here they bind-mount the host Docker socket into the job.
  #
  # SECURITY: a job that can reach this socket has root-equivalent control
  # of the host Docker daemon. That is accepted here only because this
  # runner executes trusted code from this private repo. Do NOT reuse this
  # on a runner that accepts untrusted PRs from external contributors.
  # "Trusted" has to cover everything a job executes, including third-party
  # actions and build-time dependencies, since they inherit the same
  # socket access. A read-only (`:ro`) bind mount would not reduce this:
  # the Docker API stays fully usable over a read-only socket mount.
  options: '-v /var/run/docker.sock:/var/run/docker.sock'

  # No network mode is set on purpose: the default (bridge) is kept, and
  # Testcontainers handles its own networking.

  # NOTE(review): presumably `false` lets the runner reuse a locally cached
  # job image instead of pulling it for every job; confirm against the
  # runner's documentation.
  force_pull: false