diff --git a/.github/workflows/_containerTemplate.yml b/.github/workflows/_containerTemplate.yml index e72c182..bbf00b0 100644 --- a/.github/workflows/_containerTemplate.yml +++ b/.github/workflows/_containerTemplate.yml @@ -56,7 +56,7 @@ jobs: - name: Install cosign id: install_cosign uses: sigstore/cosign-installer@v3.7.0 - if: github.event_name != 'pull_request' + # if: github.event_name != 'pull_request' with: cosign-release: 'v2.2.0' @@ -74,7 +74,7 @@ jobs: - name: Login Container Registry id: registry_login uses: docker/login-action@v3.3.0 - if: github.event_name != 'pull_request' + # if: github.event_name != 'pull_request' with: registry: ${{ inputs.registry_uri }} username: ${{ secrets.USER_NAME }} @@ -101,7 +101,7 @@ jobs: with: context: ${{ inputs.working_directory }} file: ${{ inputs.working_directory }}/Dockerfile - push: ${{ github.event_name != 'pull_request' }} + push: true # ${{ github.event_name != 'pull_request' }} tags: ${{ steps.metadata.outputs.tags }} labels: ${{ steps.metadata.outputs.labels }} cache-from: type=gha diff --git a/code/container/Dockerfile b/code/container/Dockerfile index 509ed69..5ec6239 100644 --- a/code/container/Dockerfile +++ b/code/container/Dockerfile @@ -1,28 +1,28 @@ -FROM myoung34/github-runner-base:ubuntu-focal +FROM ghcr.io/actions/actions-runner:2.322.0 LABEL maintainer="info@perfectthymetech.com" -ENV AGENT_TOOLSDIRECTORY=/opt/hostedtoolcache -RUN mkdir -p /opt/hostedtoolcache +USER root + +# install curl and jq +RUN apt-get update && apt-get install -y curl jq && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* -ARG GH_RUNNER_VERSION="2.322.0" ARG AZURE_CLI_VERSION="2.68.0" ARG PWSH_VERSION="7.5.0" -ARG TARGETPLATFORM -SHELL ["/bin/bash", "-o", "pipefail", "-c"] +# SHELL ["/bin/bash", "-o", "pipefail", "-c"] + +COPY install_dependencies.sh /install_dependencies.sh -WORKDIR /actions-runner -COPY install_actions.sh install_dependencies.sh /actions-runner/ +RUN chmod +x /install_dependencies.sh \ + && /install_dependencies.sh ${AZURE_CLI_VERSION} ${PWSH_VERSION} \ + && rm /install_dependencies.sh -RUN chmod +x /actions-runner/install_actions.sh /actions-runner/install_dependencies.sh \ - && /actions-runner/install_actions.sh ${GH_RUNNER_VERSION} ${TARGETPLATFORM} \ - && /actions-runner/install_dependencies.sh ${AZURE_CLI_VERSION} ${PWSH_VERSION} \ - && rm /actions-runner/install_actions.sh \ - && rm /actions-runner/install_dependencies.sh \ - && chown runner /_work /actions-runner /opt/hostedtoolcache +COPY /entrypoint.sh ./entrypoint.sh +RUN chmod +x ./entrypoint.sh -COPY token.sh entrypoint.sh app_token.sh / -RUN chmod +x /token.sh /entrypoint.sh /app_token.sh +USER runner -ENTRYPOINT ["/entrypoint.sh"] -CMD ["./bin/Runner.Listener", "run", "--startuptype", "service"] +ENTRYPOINT ["./entrypoint.sh"] +# CMD ["./bin/Runner.Listener", "run", "--startuptype", "service"] diff --git a/code/container/entrypoint.sh b/code/container/entrypoint.sh index e62633e..68b6fcd 100644 --- a/code/container/entrypoint.sh +++ b/code/container/entrypoint.sh @@ -1,210 +1,11 @@ -#!/usr/bin/dumb-init /bin/bash -# shellcheck shell=bash +#!/bin/sh -l -export RUNNER_ALLOW_RUNASROOT=1 -export PATH=${PATH}:/actions-runner +# Retrieve a short lived runner registration token using the PAT +REGISTRATION_TOKEN="$(curl -X POST -fsSL \ + -H 'Accept: application/vnd.github.v3+json' \ + -H "Authorization: Bearer $GITHUB_PAT" \ + -H 'X-GitHub-Api-Version: 2022-11-28' \ + "$REGISTRATION_TOKEN_API_URL" \ + | jq -r '.token')" -# Un-export these, so that they must be passed explicitly to the environment of -# any command that needs them. This may help prevent leaks. -export -n ACCESS_TOKEN -export -n RUNNER_TOKEN -export -n APP_ID -export -n APP_PRIVATE_KEY - -trap_with_arg() { - func="$1" ; shift - for sig ; do - trap "$func $sig" "$sig" - done -} - -deregister_runner() { - echo "Caught $1 - Deregistering runner" - if [[ -n "${ACCESS_TOKEN}" ]]; then - _TOKEN=$(ACCESS_TOKEN="${ACCESS_TOKEN}" bash /token.sh) - RUNNER_TOKEN=$(echo "${_TOKEN}" | jq -r .token) - fi - ./config.sh remove --token "${RUNNER_TOKEN}" - exit -} - -_DISABLE_AUTOMATIC_DEREGISTRATION=${DISABLE_AUTOMATIC_DEREGISTRATION:-false} - -_RANDOM_RUNNER_SUFFIX=${RANDOM_RUNNER_SUFFIX:="true"} - -_RUNNER_NAME=${RUNNER_NAME:-${RUNNER_NAME_PREFIX:-github-runner}-$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13 ; echo '')} -if [[ ${RANDOM_RUNNER_SUFFIX} != "true" ]]; then - # In some cases this file does not exist - if [[ -f "/etc/hostname" ]]; then - # in some cases it can also be empty - if [[ $(stat --printf="%s" /etc/hostname) -ne 0 ]]; then - _RUNNER_NAME=${RUNNER_NAME:-${RUNNER_NAME_PREFIX:-github-runner}-$(cat /etc/hostname)} - echo "RANDOM_RUNNER_SUFFIX is ${RANDOM_RUNNER_SUFFIX}. /etc/hostname exists and has content. Setting runner name to ${_RUNNER_NAME}" - else - echo "RANDOM_RUNNER_SUFFIX is ${RANDOM_RUNNER_SUFFIX} ./etc/hostname exists but is empty. Not using /etc/hostname." - fi - else - echo "RANDOM_RUNNER_SUFFIX is ${RANDOM_RUNNER_SUFFIX} but /etc/hostname does not exist. Not using /etc/hostname." - fi -fi - -_RUNNER_WORKDIR=${RUNNER_WORKDIR:-/_work/${_RUNNER_NAME}} -_LABELS=${LABELS:-default} -_RUNNER_GROUP=${RUNNER_GROUP:-Default} -_GITHUB_HOST=${GITHUB_HOST:="github.com"} -_RUN_AS_ROOT=${RUN_AS_ROOT:="true"} -_START_DOCKER_SERVICE=${START_DOCKER_SERVICE:="false"} - -# ensure backwards compatibility -if [[ -z ${RUNNER_SCOPE} ]]; then - if [[ ${ORG_RUNNER} == "true" ]]; then - echo 'ORG_RUNNER is now deprecated. Please use RUNNER_SCOPE="org" instead.' - export RUNNER_SCOPE="org" - else - export RUNNER_SCOPE="repo" - fi -fi - -RUNNER_SCOPE="${RUNNER_SCOPE,,}" # to lowercase - -case ${RUNNER_SCOPE} in - org*) - [[ -z ${ORG_NAME} ]] && ( echo "ORG_NAME required for org runners"; exit 1 ) - _SHORT_URL="https://${_GITHUB_HOST}/${ORG_NAME}" - RUNNER_SCOPE="org" - if [[ -n "${APP_ID}" ]] && [[ -z "${APP_LOGIN}" ]]; then - APP_LOGIN=${ORG_NAME} - fi - ;; - - ent*) - [[ -z ${ENTERPRISE_NAME} ]] && ( echo "ENTERPRISE_NAME required for enterprise runners"; exit 1 ) - _SHORT_URL="https://${_GITHUB_HOST}/enterprises/${ENTERPRISE_NAME}" - RUNNER_SCOPE="enterprise" - ;; - - *) - [[ -z ${REPO_URL} ]] && ( echo "REPO_URL required for repo runners"; exit 1 ) - _SHORT_URL=${REPO_URL} - RUNNER_SCOPE="repo" - if [[ -n "${APP_ID}" ]] && [[ -z "${APP_LOGIN}" ]]; then - APP_LOGIN=${REPO_URL%/*} - APP_LOGIN=${APP_LOGIN##*/} - fi - ;; -esac - -configure_runner() { - ARGS=() - if [[ -n "${APP_ID}" ]] && [[ -n "${APP_PRIVATE_KEY}" ]] && [[ -n "${APP_LOGIN}" ]]; then - if [[ -n "${ACCESS_TOKEN}" ]] || [[ -n "${RUNNER_TOKEN}" ]]; then - echo "ERROR: ACCESS_TOKEN or RUNNER_TOKEN provided but are mutually exclusive with APP_ID, APP_PRIVATE_KEY and APP_LOGIN." >&2 - exit 1 - fi - echo "Obtaining access token for app_id ${APP_ID} and login ${APP_LOGIN}" - nl=" -" - ACCESS_TOKEN=$(APP_ID="${APP_ID}" APP_PRIVATE_KEY="${APP_PRIVATE_KEY//\\n/${nl}}" APP_LOGIN="${APP_LOGIN}" bash /app_token.sh) - elif [[ -n "${APP_ID}" ]] || [[ -n "${APP_PRIVATE_KEY}" ]] || [[ -n "${APP_LOGIN}" ]]; then - echo "ERROR: All of APP_ID, APP_PRIVATE_KEY and APP_LOGIN must be specified." >&2 - exit 1 - fi - - if [[ -n "${ACCESS_TOKEN}" ]]; then - echo "Obtaining the token of the runner" - _TOKEN=$(ACCESS_TOKEN="${ACCESS_TOKEN}" bash /token.sh) - RUNNER_TOKEN=$(echo "${_TOKEN}" | jq -r .token) - fi - - # shellcheck disable=SC2153 - if [ -n "${EPHEMERAL}" ]; then - echo "Ephemeral option is enabled" - ARGS+=("--ephemeral") - fi - - if [ -n "${DISABLE_AUTO_UPDATE}" ]; then - echo "Disable auto update option is enabled" - ARGS+=("--disableupdate") - fi - - if [ -n "${NO_DEFAULT_LABELS}" ]; then - echo "Disable adding the default self-hosted, platform, and architecture labels" - ARGS+=("--no-default-labels") - fi - - echo "Configuring" - ./config.sh \ - --url "${_SHORT_URL}" \ - --token "${RUNNER_TOKEN}" \ - --name "${_RUNNER_NAME}" \ - --work "${_RUNNER_WORKDIR}" \ - --labels "${_LABELS}" \ - --runnergroup "${_RUNNER_GROUP}" \ - --unattended \ - --replace \ - "${ARGS[@]}" - - [[ ! -d "${_RUNNER_WORKDIR}" ]] && mkdir "${_RUNNER_WORKDIR}" - -} - - -# Opt into runner reusage because a value was given -if [[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then - echo "Runner reusage is enabled" - - # directory exists, copy the data - if [[ -d "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then - echo "Copying previous data" - cp -p -r "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}/." "/actions-runner" - fi - - if [ -f "/actions-runner/.runner" ]; then - echo "The runner has already been configured" - else - configure_runner - fi -else - echo "Runner reusage is disabled" - configure_runner -fi - -if [[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then - echo "Reusage is enabled. Storing data to ${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" - # Quoting (even with double-quotes) the regexp brokes the copying - cp -p -r "/actions-runner/_diag" "/actions-runner/svc.sh" /actions-runner/.[^.]* "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" -fi - -if [[ ${_DISABLE_AUTOMATIC_DEREGISTRATION} == "false" ]]; then - trap_with_arg deregister_runner SIGINT SIGQUIT SIGTERM INT TERM QUIT -fi - -# Start docker service if needed (e.g. for docker-in-docker) -if [[ ${_START_DOCKER_SERVICE} == "true" ]]; then - echo "Starting docker service" - _PREFIX="" - [[ ${_RUN_AS_ROOT} != "true" ]] && _PREFIX="sudo" - ${_PREFIX} service docker start -fi - -# Container's command (CMD) execution as runner user - - -if [[ ${_RUN_AS_ROOT} == "true" ]]; then - if [[ $(id -u) -eq 0 ]]; then - "$@" - else - echo "ERROR: RUN_AS_ROOT env var is set to true but the user has been overridden and is not running as root, but UID '$(id -u)'" - exit 1 - fi -else - if [[ $(id -u) -eq 0 ]]; then - [[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]] && chown -R runner "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" - chown -R runner "${_RUNNER_WORKDIR}" /actions-runner - # The toolcache is not recursively chowned to avoid recursing over prepulated tooling in derived docker images - chown runner /opt/hostedtoolcache/ - /usr/sbin/gosu runner "$@" - else - "$@" - fi -fi +./config.sh --url $GH_URL --token $REGISTRATION_TOKEN --unattended --ephemeral && ./run.sh diff --git a/code/container/install_dependencies.sh b/code/container/install_dependencies.sh index 3380a11..6fd80e0 100644 --- a/code/container/install_dependencies.sh +++ b/code/container/install_dependencies.sh @@ -3,20 +3,21 @@ AZURE_CLI_VERSION=$1 PWSH_VERSION=$2 # Install Azure CLI -sudo apt-get install -y ca-certificates curl apt-transport-https lsb-release gnupg \ - && sudo mkdir -p /etc/apt/keyrings \ - && curl -sLS https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/keyrings/microsoft.gpg > /dev/null \ - && sudo chmod go+r /etc/apt/keyrings/microsoft.gpg \ +apt-get install -y ca-certificates curl apt-transport-https lsb-release gnupg \ + && mkdir -p /etc/apt/keyrings \ + && curl -sLS https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | tee /etc/apt/keyrings/microsoft.gpg > /dev/null \ + && chmod go+r /etc/apt/keyrings/microsoft.gpg \ && AZ_DIST=$(lsb_release -cs) \ - && echo "deb [arch=`dpkg --print-architecture` signed-by=/etc/apt/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/azure-cli/ $AZ_DIST main" | sudo tee /etc/apt/sources.list.d/azure-cli.list \ - && sudo apt-get update \ + && echo "deb [arch=`dpkg --print-architecture` signed-by=/etc/apt/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/azure-cli/ $AZ_DIST main" | tee /etc/apt/sources.list.d/azure-cli.list \ + && apt-get update \ && AZ_DIST=$(lsb_release -cs) \ - && sudo apt-get install -y azure-cli=$AZURE_CLI_VERSION-1~$AZ_DIST + && apt-get install -y azure-cli=$AZURE_CLI_VERSION-1~$AZ_DIST # Install Powershell -sudo apt-get install -y wget \ +apt-get update \ + && apt-get install -y wget \ && wget https://github.com/PowerShell/PowerShell/releases/download/v$PWSH_VERSION/powershell_$PWSH_VERSION-1.deb_amd64.deb \ - && sudo dpkg -i powershell_$PWSH_VERSION-1.deb_amd64.deb \ - && sudo apt-get install -fy \ + && dpkg -i powershell_$PWSH_VERSION-1.deb_amd64.deb \ + && apt-get install -fy \ && rm powershell_$PWSH_VERSION-1.deb_amd64.deb \ && pwsh -Command "Install-Module -Name Az -Repository PSGallery -Force"