fix(deps): update module github.com/docker/cli to v25.0.7+incompatible (#855)

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/docker/cli](https://github.com/docker/cli) | `v25.0.3+incompatible` → `v25.0.7+incompatible` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fdocker%2fcli/v25.0.7+incompatible?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fdocker%2fcli/v25.0.3+incompatible/v25.0.7+incompatible?slim=true) |

---

### Release Notes

<details>
<summary>docker/cli (github.com/docker/cli)</summary>

### [`v25.0.7+incompatible`](https://github.com/docker/cli/compare/v25.0.6...v25.0.7)

[Compare Source](https://github.com/docker/cli/compare/v25.0.6...v25.0.7)

### [`v25.0.6+incompatible`](https://github.com/docker/cli/compare/v25.0.5...v25.0.6)

[Compare Source](https://github.com/docker/cli/compare/v25.0.5...v25.0.6)

### [`v25.0.5+incompatible`](https://github.com/docker/cli/compare/v25.0.4...v25.0.5)

[Compare Source](https://github.com/docker/cli/compare/v25.0.4...v25.0.5)

### [`v25.0.4+incompatible`](https://github.com/docker/cli/compare/v25.0.3...v25.0.4)

[Compare Source](https://github.com/docker/cli/compare/v25.0.3...v25.0.4)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Reviewed-on: https://gitea.com/gitea/act_runner/pulls/855
Reviewed-by: silverwind <2021+silverwind@noreply.gitea.com>
Co-authored-by: Renovate Bot <renovate-bot@gitea.com>
Co-committed-by: Renovate Bot <renovate-bot@gitea.com>

act/common/git/git.go

@@ -277,6 +277,7 @@ func CloneIfRequired(ctx context.Context, refName plumbing.ReferenceName, input
 
 func gitOptions(token string) (fetchOptions git.FetchOptions, pullOptions git.PullOptions) {
 	fetchOptions.RefSpecs = []config.RefSpec{"refs/*:refs/*", "HEAD:refs/heads/HEAD"}
+	fetchOptions.Force = true
 	pullOptions.Force = true
 
 	if token != "" {

act/common/git/git_test.go

@@ -10,6 +10,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strings"
 	"syscall"
 	"testing"
 
@@ -220,6 +221,62 @@ func TestGitCloneExecutor(t *testing.T) {
 	}
 }
 
+func TestGitCloneExecutorNonFastForwardRef(t *testing.T) {
+	// Simulate the scenario where a remote ref (e.g. a GitHub PR head ref) changes
+	// non-fast-forward between two fetches. Before the fix, the fetch used Force=false,
+	// causing go-git to return ErrForceNeeded and short-circuit the checkout.
+
+	gitConfig()
+
+	// Create a bare "remote" repo with an initial commit on main and a feature branch.
+	remoteDir := t.TempDir()
+	require.NoError(t, gitCmd("init", "--bare", "--initial-branch=main", remoteDir))
+
+	// We need a working clone to push commits from.
+	workDir := t.TempDir()
+	require.NoError(t, gitCmd("clone", remoteDir, workDir))
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "main"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "initial"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "-u", "origin", "main"))
+
+	// Create a feature branch (simulates refs/pull/N/head).
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "feature"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "feature-1"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "origin", "feature"))
+
+	// First clone via the executor — should succeed and cache the repo.
+	cloneDir := t.TempDir()
+	clone := NewGitCloneExecutor(NewGitCloneExecutorInput{
+		URL: remoteDir,
+		Ref: "main",
+		Dir: cloneDir,
+	})
+	require.NoError(t, clone(context.Background()))
+
+	// Now force-push the feature branch to a non-fast-forward commit (simulates
+	// a PR rebase). This makes refs/heads/feature non-fast-forward.
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "main"))
+	require.NoError(t, gitCmd("-C", workDir, "branch", "-D", "feature"))
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "feature"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "feature-rewritten"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "--force", "origin", "feature"))
+
+	// Also advance main so we can verify the clone picks up the new commit.
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "main"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "second"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "origin", "main"))
+
+	// Second clone to the same directory — before the fix this returned ErrForceNeeded
+	// and left the working tree at the old commit.
+	err := clone(context.Background())
+	require.NoError(t, err, "fetch with non-fast-forward refs must not fail when Force=true")
+
+	// Verify the working tree was actually updated to the latest main commit.
+	out, err := exec.Command("git", "-C", cloneDir, "log", "--oneline", "-1", "--format=%s").Output()
+	require.NoError(t, err)
+	assert.Equal(t, "second", strings.TrimSpace(string(out)), "working tree should be at the latest commit")
+}
+
 func gitConfig() {
 	if os.Getenv("GITHUB_ACTIONS") == "true" {
 		var err error

go.mod

@@ -4,7 +4,7 @@ go 1.26.0
 
 require (
 	code.gitea.io/actions-proto-go v0.4.1
-	connectrpc.com/connect v1.19.1
+	connectrpc.com/connect v1.19.2
 	github.com/avast/retry-go/v4 v4.7.0
 	github.com/docker/docker v25.0.13+incompatible
 	github.com/joho/godotenv v1.5.1
@@ -24,7 +24,7 @@ require (
 	github.com/Masterminds/semver v1.5.0
 	github.com/creack/pty v1.1.24
 	github.com/distribution/reference v0.6.0
-	github.com/docker/cli v25.0.3+incompatible
+	github.com/docker/cli v25.0.7+incompatible
 	github.com/docker/go-connections v0.6.0
 	github.com/go-git/go-billy/v5 v5.8.0
 	github.com/go-git/go-git/v5 v5.18.0

go.sum

@@ -2,6 +2,8 @@ code.gitea.io/actions-proto-go v0.4.1 h1:l0EYhjsgpUe/1VABo2eK7zcoNX2W44WOnb0MSLr
 code.gitea.io/actions-proto-go v0.4.1/go.mod h1:mn7Wkqz6JbnTOHQpot3yDeHx+O5C9EGhMEE+htvHBas=
 connectrpc.com/connect v1.19.1 h1:R5M57z05+90EfEvCY1b7hBxDVOUl45PrtXtAV2fOC14=
 connectrpc.com/connect v1.19.1/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
+connectrpc.com/connect v1.19.2 h1:McQ83FGdzL+t60peksi0gXC7MQ/iLKgLduAnThbM0mo=
+connectrpc.com/connect v1.19.2/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
 cyphar.com/go-pathrs v0.2.3 h1:0pH8gep37wB0BgaXrEaN1OtZhUMeS7VvaejSr6i822o=
 cyphar.com/go-pathrs v0.2.3/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
@@ -53,6 +55,8 @@ github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK
 github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/cli v25.0.3+incompatible h1:KLeNs7zws74oFuVhgZQ5ONGZiXUUdgsdy6/EsX/6284=
 github.com/docker/cli v25.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v25.0.7+incompatible h1:scW/AbGafKmANsonsFckFHTwpz2QypoPA/zpoLnDs/E=
+github.com/docker/cli v25.0.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/docker v25.0.13+incompatible h1:YeBrkUd3q0ZoRDNoEzuopwCLU+uD8GZahDHwBdsTnkU=
 github.com/docker/docker v25.0.13+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.9.5 h1:EFNN8DHvaiK8zVqFA2DT6BjXE0GzfLOZ38ggPTKePkY=

internal/pkg/report/reporter.go

@@ -10,6 +10,7 @@ import (
 	"regexp"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"
 
 	"gitea.com/gitea/act_runner/internal/pkg/client"
@@ -48,6 +49,10 @@ type Reporter struct {
 	outputs      sync.Map
 	daemon       chan struct{}
 
+	// Unix-nanos of the last successful UpdateTask. Atomic so the heartbeat
+	// guard in ReportState reads it without contending stateMu.
+	lastReportedAtNanos atomic.Int64
+
 	// Adaptive batching control
 	logReportInterval   time.Duration
 	logReportMaxLatency time.Duration
@@ -489,8 +494,12 @@ func (r *Reporter) ReportState(reportResult bool) error {
 
 	// Consume stateChanged atomically with the snapshot; restored on error
 	// below so a concurrent Fire() during UpdateTask isn't silently lost.
+	// Heartbeat at stateReportInterval even when nothing changed, so the server
+	// doesn't time out long-running silent jobs as orphaned (#826).
+	last := r.lastReportedAtNanos.Load()
+	withinHeartbeatInterval := last != 0 && time.Since(time.Unix(0, last)) < r.stateReportInterval
 	r.stateMu.Lock()
-	if !reportResult && !r.stateChanged && len(outputs) == 0 {
+	if !reportResult && !r.stateChanged && len(outputs) == 0 && withinHeartbeatInterval {
 		r.stateMu.Unlock()
 		return nil
 	}
@@ -517,6 +526,7 @@ func (r *Reporter) ReportState(reportResult bool) error {
 		return err
 	}
 	metrics.ReportStateTotal.WithLabelValues(metrics.LabelResultSuccess).Inc()
+	r.lastReportedAtNanos.Store(time.Now().UnixNano())
 
 	for _, k := range resp.Msg.SentOutputs {
 		r.outputs.Store(k, struct{}{})

internal/pkg/report/reporter_test.go

@@ -597,3 +597,45 @@ func TestReporter_StateNotifyFlush(t *testing.T) {
 	}, 500*time.Millisecond, 10*time.Millisecond,
 		"step transition should have triggered immediate state flush via stateNotify")
 }
+
+// TestReporter_StateHeartbeat verifies that ReportState sends a heartbeat
+// UpdateTask once stateReportInterval has elapsed since the last successful
+// report, even when nothing has changed. Without this, long-running silent
+// jobs (no log output, no step transitions) cause the server to time the
+// task out and cancel it (#826).
+func TestReporter_StateHeartbeat(t *testing.T) {
+	var updateTaskCalls atomic.Int64
+
+	client := mocks.NewClient(t)
+	client.On("UpdateTask", mock.Anything, mock.Anything).Return(
+		func(_ context.Context, _ *connect_go.Request[runnerv1.UpdateTaskRequest]) (*connect_go.Response[runnerv1.UpdateTaskResponse], error) {
+			updateTaskCalls.Add(1)
+			return connect_go.NewResponse(&runnerv1.UpdateTaskResponse{}), nil
+		},
+	)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	taskCtx, err := structpb.NewStruct(map[string]any{})
+	require.NoError(t, err)
+	cfg, _ := config.LoadDefault("")
+	cfg.Runner.StateReportInterval = 50 * time.Millisecond
+	reporter := NewReporter(ctx, cancel, client, &runnerv1.Task{Context: taskCtx}, cfg)
+	reporter.ResetSteps(1)
+
+	// First call has no prior report — sends to seed lastReportedAt.
+	reporter.stateMu.Lock()
+	reporter.stateChanged = true
+	reporter.stateMu.Unlock()
+	require.NoError(t, reporter.ReportState(false))
+	require.Equal(t, int64(1), updateTaskCalls.Load())
+
+	// Second call immediately after with nothing changed — must skip.
+	require.NoError(t, reporter.ReportState(false))
+	assert.Equal(t, int64(1), updateTaskCalls.Load(), "no-op ReportState within stateReportInterval must skip")
+
+	// After stateReportInterval elapses, a heartbeat must fire even with no changes.
+	time.Sleep(2 * cfg.Runner.StateReportInterval)
+	require.NoError(t, reporter.ReportState(false))
+	assert.Equal(t, int64(2), updateTaskCalls.Load(), "ReportState must heartbeat after stateReportInterval even with no state change")
+}

scripts/s6/act_runner/run

@@ -1,5 +1,9 @@
 #!/usr/bin/env bash
 
+while [ ! -d /etc/s6/docker/supervise ]; do
+    sleep 0.1
+done
+
 s6-svwait -U /etc/s6/docker
 
 exec run.sh