Previously, we passed the JIT config to the runner execution script via
command-line arguments using xargs. This included the JIT token in the
transient systemd unit file generated by systemd-run, which sometimes
failed with "Failed to resolve unit specifiers" errors. These issues are
hard to reproduce locally, but may be caused by template expansion
limits or token size.

We take direct control over the unit file instead of relying on
systemd-run’s transient unit generation, to better understand and debug
any related issues.

We now pass the JIT config via a file. This is more reliable for large
strings and avoids leaking sensitive tokens into the unit description.

This change is currently behind a feature flag. Once verified in
production, we’ll move the file creation to the image generation step.
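
The approach described in this commit message, as an added example that is not the project's own code: the token goes into an owner-only file and a hand-written unit file carries only the path. The wrapper script path, unit contents, file names and token are hypothetical or constructed.

```shell
#!/bin/sh
# Added example. Paths, unit contents and the token are constructed.
set -eu

# Write the JIT config to a 0600 file, atomically (temp file + rename).
write_jit_config() (
    umask 077
    tmp=$(mktemp "$1.XXXXXX")
    printf '%s' "$2" > "$tmp"
    mv -f "$tmp" "$1"
)

# Generate the unit file ourselves. Only the config *path* appears in it.
# systemd expands %-specifiers in unit files, so a literal % is written %%.
write_unit() (
    runner=$(printf '%s' "$2" | sed 's/%/%%/g')
    config=$(printf '%s' "$3" | sed 's/%/%%/g')
    cat > "$1" <<EOF
[Unit]
Description=Ephemeral runner (JIT config read from file)

[Service]
ExecStart=$runner $config
EOF
)

# Succeeds (exit 0) if the secret text appears anywhere in the unit file.
unit_leaks_secret() { grep -qF -- "$2" "$1"; }

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

demo() (
    dir=$(mktemp -d)
    # Constructed stand-in for a large JIT token, not a real one.
    token="constructed-jit-$(head -c 4096 /dev/zero | tr '\0' 'A')"
    write_jit_config "$dir/jitconfig" "$token"
    # /opt/runner/start-with-config.sh is a hypothetical wrapper that
    # reads the config from the path given as its first argument.
    write_unit "$dir/runner.service" /opt/runner/start-with-config.sh "$dir/jitconfig"
    if unit_leaks_secret "$dir/runner.service" "$token"; then
        echo "token present in unit file"
    else
        echo "unit file clean, config mode $(file_mode "$dir/jitconfig")"
    fi
    rm -rf "$dir"
)
demo
```
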