fix: separate runner token from API token, proper workdir

- RUNNER_TOKEN env for act_runner registration (separate from GITEA_TOKEN)
- Create /opt/runner/work as workdir_parent (fixes .cache path error)
- Runner config via .runner.yaml with explicit workdir
- IMDSv2 for instance metadata
- PATH includes /usr/local/go/bin

orchestrator/dispatch/main.go

@@ -110,28 +110,28 @@ var labelToSpot = map[string]spotConfig{
 // --- Config from env ---
 
 type cfg struct {
-	GiteaURL      string
-	GiteaToken    string
-	ExecFnName    string
-	AMI           string // pre-baked AMI with Go, Node, Docker, AWS CLI, act_runner
-	Subnet        string
-	SecurityGroup string
-	DDBTable      string
+	GiteaURL        string
+	GiteaToken      string // API token (for fetching workflows, setting commit status)
+	RunnerToken     string // Runner registration token (for act_runner register)
+	ExecFnName      string
+	AMI             string // pre-baked AMI with Go, Node, Docker, AWS CLI, act_runner
+	Subnet          string
+	SecurityGroup   string
+	DDBTable        string
 	InstanceProfile string
-	Region        string
 }
 
 func loadCfg() cfg {
 	return cfg{
 		GiteaURL:        os.Getenv("GITEA_URL"),
 		GiteaToken:      os.Getenv("GITEA_TOKEN"),
+		RunnerToken:     os.Getenv("RUNNER_TOKEN"),
 		ExecFnName:      os.Getenv("EXECUTOR_FUNCTION_NAME"),
 		AMI:             os.Getenv("RUNNER_AMI"),
 		Subnet:          os.Getenv("SUBNET"),
 		SecurityGroup:   os.Getenv("SECURITY_GROUP"),
 		DDBTable:        os.Getenv("DDB_TABLE"),
-		InstanceProfile: os.Getenv("INSTANCE_PROFILE"), // IAM instance profile ARN
-		Region:          os.Getenv("AWS_REGION"),
+		InstanceProfile: os.Getenv("INSTANCE_PROFILE"),
 	}
 }
 
@@ -144,8 +144,11 @@ set -euo pipefail
 exec > /var/log/tinqs-ci.log 2>&1
 
 echo "=== Tinqs CI Runner: %s ==="
-INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
-REGION=%s
+
+# Get instance metadata (IMDSv2)
+TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
+INSTANCE_ID=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
+REGION=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
 
 # Self-termination trap — kill instance on exit (success or failure)
 cleanup() {
@@ -154,8 +157,12 @@ cleanup() {
 }
 trap cleanup EXIT
 
-# act_runner is pre-installed in the AMI at /usr/local/bin/act_runner
-cd /tmp
+# Source Go/Node paths from AMI
+export PATH=$PATH:/usr/local/go/bin
+export HOME=/root
+
+# Create proper working directory for act_runner
+mkdir -p /opt/runner && cd /opt/runner
 
 # Register as ephemeral runner (picks one job, then exits)
 act_runner register --no-interactive \
@@ -164,11 +171,24 @@ act_runner register --no-interactive \
   --name %s \
   --labels "%s:host"
 
+# Configure runner to use /opt/runner as workdir
+cat > .runner.yaml << 'RUNCFG'
+log:
+  level: info
+runner:
+  capacity: 1
+  timeout: 30m
+host:
+  workdir_parent: /opt/runner/work
+RUNCFG
+
+mkdir -p /opt/runner/work
+
 # Run — blocks until the job completes, then exits (ephemeral mode)
-act_runner daemon
+act_runner daemon --config .runner.yaml
 
 echo "=== Runner exited, cleanup will terminate instance ==="
-`, runnerName, c.Region, c.GiteaURL, c.GiteaToken, runnerName, label)
+`, runnerName, c.GiteaURL, c.RunnerToken, runnerName, label)
 
 	return base64.StdEncoding.EncodeToString([]byte(script))
 }