ci: dump hardhat actions catalog at image build time

Without this, the runner image ships /app/actions-catalog.json missing,
runner.ts falls back to actionsCatalog = {}, and Talos admin's
fetchRunnerEditableFlags() gets 404 on /actions/<task>/params for every
task, surfacing as "No editable flags are registered for this task" in
the action edit dialog (regardless of params actually defined on the
hardhat task).

Mirrors the dump step already in talos/docker/arm-oeth.Dockerfile
(used by docker-compose dev). The talos-owned Dockerfile is not the
one CI builds with — this workflow uses ./dockerfile-actions — so the
dump was silently absent in production. Self-contained CommonJS script
copied verbatim from talos/docker/dump-actions-catalog.cjs.

Author: sparrowDom

dockerfile-actions

@@ -53,6 +53,18 @@ RUN --mount=type=ssh \
 # Copy the rest of the workspace.
 COPY . .
 
+# Dump the hardhat task catalog to /app/actions-catalog.json at build time.
+# Runs under Node (where hardhat works) — the bun parent can't load hardhat
+# itself (keccak native module crashes; bun#18546). The runner reads this
+# file at boot and passes it to runContainer's `actionsCatalog`. A dump
+# failure is non-fatal: empty catalog ⇒ admin UI shows zero editable flags
+# per action (fail-closed), the rest of the runner is unaffected.
+RUN cd /app \
+    && NODE_PATH=/app/node_modules/.pnpm/node_modules \
+       node dump-actions-catalog.cjs > /app/actions-catalog.json \
+    || (echo "[build] hardhat catalog dump failed; shipping empty catalog" \
+        && echo "{}" > /app/actions-catalog.json)
+
 # Hand /app over to the runtime user. After this, all reads/writes by
 # the runner process are as `runner`, not root. Closes security/M-012.
 RUN chown -R runner:runner /app

dump-actions-catalog.cjs

@@ -0,0 +1,62 @@
+#!/usr/bin/env node
+/**
+ * Dump the sibling's hardhat task registry as a JSON catalog the Talos
+ * admin UI can intersect with its global EDITABLE_FLAGS whitelist.
+ *
+ * Invoked at sibling-image build time (Node, not bun): the runner's bun
+ * parent process cannot load hardhat directly — keccak's native module
+ * uses libuv functions bun doesn't implement (oven-sh/bun#18546). Hardhat
+ * stays in Node-land here; the bundled JSON is shipped into the image
+ * and read by `runner.ts` at boot.
+ *
+ * Output shape matches `ActionParam[]` from `@talos/client/actions-catalog`.
+ * Self-contained on purpose — no @talos/client import (the bundle is ESM
+ * and this script runs under Node CJS).
+ */
+
+const hre = require("hardhat");
+
+function camelToKebab(s) {
+  return s.replace(/[A-Z]/g, (c) => `-${c.toLowerCase()}`);
+}
+
+function normalizeType(name) {
+  return ["string", "int", "float", "boolean"].includes(name)
+    ? name
+    : "unknown";
+}
+
+function normalizeDefault(v) {
+  if (v === undefined) return { hasDefault: false, defaultValue: null };
+  if (v === null) return { hasDefault: true, defaultValue: null };
+  if (
+    typeof v === "string" ||
+    typeof v === "number" ||
+    typeof v === "boolean"
+  ) {
+    return { hasDefault: true, defaultValue: v };
+  }
+  return { hasDefault: true, defaultValue: null };
+}
+
+const catalog = {};
+for (const [taskName, def] of Object.entries(hre.tasks)) {
+  const params = [];
+  const pd = def.paramDefinitions || {};
+  for (const p of Object.values(pd)) {
+    const { hasDefault, defaultValue } = normalizeDefault(p.defaultValue);
+    params.push({
+      paramName: p.name,
+      cliFlag: `--${camelToKebab(p.name)}`,
+      description: p.description || "",
+      type: normalizeType(p.type?.name),
+      isOptional: p.isOptional !== false,
+      isFlag: !!p.isFlag,
+      hasDefault,
+      defaultValue,
+    });
+  }
+  catalog[taskName] = params;
+}
+
+process.stdout.write(JSON.stringify(catalog));