Add isolation-check workflow

.gitea/workflows/isolation-check.yaml

@@ -0,0 +1,111 @@
+name: Runner Isolation Check
+on:
+  workflow_dispatch:
+
+jobs:
+  isolation-test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Prepare environment
+        run: |
+          echo "=== INSTALLING TEST TOOLS ==="
+          apt-get update -y
+          DEBIAN_FRONTEND=noninteractive apt-get install -y \
+            curl iproute2 net-tools util-linux procps coreutils \
+            iputils-ping dnsutils libcap2-bin
+
+      - name: Basic system info
+        run: |
+          echo "=== SYSTEM INFO ==="
+          uname -a
+          id
+          cat /etc/os-release || true
+          echo "Running as user: $(whoami)"
+          pwd
+          df -h
+
+      - name: Dumping environment variables
+        run: |
+          echo "--- Check for parent variables ---"
+          printenv | grep -Pi 'GITEA_RUNNER_REGISTRATION_FILE|GITEA_RUNNER_REGISTRATION_TOKEN_FILE|GITEA_RUNNER_REGISTRATION_TOKEN'
+          echo "--- List all variables ---"
+          printenv
+
+      - name: Network routes and interfaces
+        run: |
+          echo "=== NETWORK ==="
+          ip addr
+          echo
+          ip route
+          echo
+          cat /etc/resolv.conf
+
+      - name: LAN reachability test
+        run: |
+          echo "=== LAN REACHABILITY ==="
+          for subnet in 192.168.0.1 192.168.1.1 10.0.0.1 172.16.0.1 172.17.0.1 \
+          172.18.0.1 172.19.0.1 172.20.0.1 172.21.0.1 172.22.0.1 172.23.0.1 \
+          172.24.0.1 192.168.1.185; do
+            echo "--- Pinging $subnet:8098 ---"
+            ping -4 -n -c 4 $subnet || echo "no ping response"
+            echo "--- Contacting http://${subnet}:8098/docker-compose.yaml ---"
+            curl -s -m 5 http://$subnet:8098/docker-compose.yaml || echo "no http response"
+          done
+          echo "--- Checking private IP routes ---"
+          ip route | grep -E "192\.168|10\.|172\.(1[6-9]|2[0-9]|3[01])" \
+            && echo "!! Possible LAN route detected !!" \
+            || echo "No direct LAN route found."
+
+      - name: Check external IP
+        run: |
+          echo "--- Checking external IP (https://ifconfig.me)"
+          curl -s https://ifconfig.me
+
+      - name: Host reachability sanity check
+        run: |
+          echo "=== OUTBOUND TEST ==="
+          curl -fsSL https://google.com >/dev/null && echo "Internet access OK" || echo "No internet access?"
+ 
+      - name: Traceroute to google.com
+        run: |
+          echo "=== Traceroute to google ==="
+          traceroute -4 -n google.com
+
+      - name: Process visibility
+        run: |
+          echo "=== PROCESS VISIBILITY ==="
+          ps aux | head -20
+          ps aux | grep -E "dockerd|systemd|sshd|python" \
+            && echo "!! Possible host process visible !!" \
+            || echo "Looks isolated."
+
+      - name: Privilege and device access
+        run: |
+          echo "=== PRIVILEGE CHECK ==="
+          id -Gn
+          ls -l /dev | head -30
+          mount | head -20
+          test -S /var/run/docker.sock \
+            && echo "!! Host docker.sock mounted !!" \
+            || echo "No docker.sock (good)"
+
+      - name: File system sanity check
+        run: |
+          echo "=== FILESYSTEM ==="
+          ls -1 /
+          echo
+          test -f /root/.bashrc && echo "Root home accessible!" || echo "No /root home (good)"
+          head -n 3 /etc/passwd
+
+      - name: Capability check
+        run: |
+          echo "=== CAPABILITIES ==="
+          capsh --print 2>/dev/null || echo "capsh not available"
+          dmesg 2>&1 | head -5 && echo "!! dmesg readable !!" || echo "dmesg not accessible (good)"
+
+      - name: Mount Info
+        run: |
+          echo "=== Mount Info ==="
+          findmnt -a
+