Test new container

.github/workflows/_containerTemplate.yml

@@ -56,7 +56,7 @@ jobs:
       - name: Install cosign
         id: install_cosign
         uses: sigstore/cosign-installer@v3.7.0
-        if: github.event_name != 'pull_request'
+        # if: github.event_name != 'pull_request'
         with:
           cosign-release: 'v2.2.0'
 
@@ -74,7 +74,7 @@ jobs:
       - name: Login Container Registry
         id: registry_login
         uses: docker/login-action@v3.3.0
-        if: github.event_name != 'pull_request'
+        # if: github.event_name != 'pull_request'
         with:
           registry: ${{ inputs.registry_uri }}
           username: ${{ secrets.USER_NAME }}
@@ -101,7 +101,7 @@ jobs:
         with:
           context: ${{ inputs.working_directory }}
           file: ${{ inputs.working_directory }}/Dockerfile
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true # ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.metadata.outputs.tags }}
           labels: ${{ steps.metadata.outputs.labels }}
           cache-from: type=gha

code/container/Dockerfile

@@ -1,28 +1,28 @@
-FROM myoung34/github-runner-base:ubuntu-focal
+FROM ghcr.io/actions/actions-runner:2.322.0
 LABEL maintainer="info@perfectthymetech.com"
 
-ENV AGENT_TOOLSDIRECTORY=/opt/hostedtoolcache
-RUN mkdir -p /opt/hostedtoolcache
+USER root
+
+# install curl and jq
+RUN apt-get update && apt-get install -y curl jq && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
 
-ARG GH_RUNNER_VERSION="2.322.0"
 ARG AZURE_CLI_VERSION="2.68.0"
 ARG PWSH_VERSION="7.5.0"
-ARG TARGETPLATFORM
 
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+# SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+COPY install_dependencies.sh /install_dependencies.sh
 
-WORKDIR /actions-runner
-COPY install_actions.sh install_dependencies.sh /actions-runner/
+RUN chmod +x /install_dependencies.sh \
+  && /install_dependencies.sh ${AZURE_CLI_VERSION} ${PWSH_VERSION} \
+  && rm /install_dependencies.sh
 
-RUN chmod +x /actions-runner/install_actions.sh /actions-runner/install_dependencies.sh \
-  && /actions-runner/install_actions.sh ${GH_RUNNER_VERSION} ${TARGETPLATFORM} \
-  && /actions-runner/install_dependencies.sh ${AZURE_CLI_VERSION} ${PWSH_VERSION} \
-  && rm /actions-runner/install_actions.sh \
-  && rm /actions-runner/install_dependencies.sh \
-  && chown runner /_work /actions-runner /opt/hostedtoolcache
+COPY /entrypoint.sh ./entrypoint.sh
+RUN chmod +x ./entrypoint.sh
 
-COPY token.sh entrypoint.sh app_token.sh /
-RUN chmod +x /token.sh /entrypoint.sh /app_token.sh
+USER runner
 
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["./bin/Runner.Listener", "run", "--startuptype", "service"]
+ENTRYPOINT ["./entrypoint.sh"]
+# CMD ["./bin/Runner.Listener", "run", "--startuptype", "service"]

code/container/entrypoint.sh

@@ -1,210 +1,11 @@
-#!/usr/bin/dumb-init /bin/bash
-# shellcheck shell=bash
+#!/bin/sh -l
 
-export RUNNER_ALLOW_RUNASROOT=1
-export PATH=${PATH}:/actions-runner
+# Retrieve a short lived runner registration token using the PAT
+REGISTRATION_TOKEN="$(curl -X POST -fsSL \
+  -H 'Accept: application/vnd.github.v3+json' \
+  -H "Authorization: Bearer $GITHUB_PAT" \
+  -H 'X-GitHub-Api-Version: 2022-11-28' \
+  "$REGISTRATION_TOKEN_API_URL" \
+  | jq -r '.token')"
 
-# Un-export these, so that they must be passed explicitly to the environment of
-# any command that needs them.  This may help prevent leaks.
-export -n ACCESS_TOKEN
-export -n RUNNER_TOKEN
-export -n APP_ID
-export -n APP_PRIVATE_KEY
-
-trap_with_arg() {
-    func="$1" ; shift
-    for sig ; do
-        trap "$func $sig" "$sig"
-    done
-}
-
-deregister_runner() {
-  echo "Caught $1 - Deregistering runner"
-  if [[ -n "${ACCESS_TOKEN}" ]]; then
-    _TOKEN=$(ACCESS_TOKEN="${ACCESS_TOKEN}" bash /token.sh)
-    RUNNER_TOKEN=$(echo "${_TOKEN}" | jq -r .token)
-  fi
-  ./config.sh remove --token "${RUNNER_TOKEN}"
-  exit
-}
-
-_DISABLE_AUTOMATIC_DEREGISTRATION=${DISABLE_AUTOMATIC_DEREGISTRATION:-false}
-
-_RANDOM_RUNNER_SUFFIX=${RANDOM_RUNNER_SUFFIX:="true"}
-
-_RUNNER_NAME=${RUNNER_NAME:-${RUNNER_NAME_PREFIX:-github-runner}-$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13 ; echo '')}
-if [[ ${RANDOM_RUNNER_SUFFIX} != "true" ]]; then
-  # In some cases this file does not exist
-  if [[ -f "/etc/hostname" ]]; then
-    # in some cases it can also be empty
-    if [[ $(stat --printf="%s" /etc/hostname) -ne 0 ]]; then
-      _RUNNER_NAME=${RUNNER_NAME:-${RUNNER_NAME_PREFIX:-github-runner}-$(cat /etc/hostname)}
-      echo "RANDOM_RUNNER_SUFFIX is ${RANDOM_RUNNER_SUFFIX}. /etc/hostname exists and has content. Setting runner name to ${_RUNNER_NAME}"
-    else
-      echo "RANDOM_RUNNER_SUFFIX is ${RANDOM_RUNNER_SUFFIX} ./etc/hostname exists but is empty. Not using /etc/hostname."
-    fi
-  else
-    echo "RANDOM_RUNNER_SUFFIX is ${RANDOM_RUNNER_SUFFIX} but /etc/hostname does not exist. Not using /etc/hostname."
-  fi
-fi
-
-_RUNNER_WORKDIR=${RUNNER_WORKDIR:-/_work/${_RUNNER_NAME}}
-_LABELS=${LABELS:-default}
-_RUNNER_GROUP=${RUNNER_GROUP:-Default}
-_GITHUB_HOST=${GITHUB_HOST:="github.com"}
-_RUN_AS_ROOT=${RUN_AS_ROOT:="true"}
-_START_DOCKER_SERVICE=${START_DOCKER_SERVICE:="false"}
-
-# ensure backwards compatibility
-if [[ -z ${RUNNER_SCOPE} ]]; then
-  if [[ ${ORG_RUNNER} == "true" ]]; then
-    echo 'ORG_RUNNER is now deprecated. Please use RUNNER_SCOPE="org" instead.'
-    export RUNNER_SCOPE="org"
-  else
-    export RUNNER_SCOPE="repo"
-  fi
-fi
-
-RUNNER_SCOPE="${RUNNER_SCOPE,,}" # to lowercase
-
-case ${RUNNER_SCOPE} in
-  org*)
-    [[ -z ${ORG_NAME} ]] && ( echo "ORG_NAME required for org runners"; exit 1 )
-    _SHORT_URL="https://${_GITHUB_HOST}/${ORG_NAME}"
-    RUNNER_SCOPE="org"
-    if [[ -n "${APP_ID}" ]] && [[ -z "${APP_LOGIN}" ]]; then
-      APP_LOGIN=${ORG_NAME}
-    fi
-    ;;
-
-  ent*)
-    [[ -z ${ENTERPRISE_NAME} ]] && ( echo "ENTERPRISE_NAME required for enterprise runners"; exit 1 )
-    _SHORT_URL="https://${_GITHUB_HOST}/enterprises/${ENTERPRISE_NAME}"
-    RUNNER_SCOPE="enterprise"
-    ;;
-
-  *)
-    [[ -z ${REPO_URL} ]] && ( echo "REPO_URL required for repo runners"; exit 1 )
-    _SHORT_URL=${REPO_URL}
-    RUNNER_SCOPE="repo"
-    if [[ -n "${APP_ID}" ]] && [[ -z "${APP_LOGIN}" ]]; then
-      APP_LOGIN=${REPO_URL%/*}
-      APP_LOGIN=${APP_LOGIN##*/}
-    fi
-    ;;
-esac
-
-configure_runner() {
-  ARGS=()
-  if [[ -n "${APP_ID}" ]] && [[ -n "${APP_PRIVATE_KEY}" ]] && [[ -n "${APP_LOGIN}" ]]; then
-    if [[ -n "${ACCESS_TOKEN}" ]] || [[ -n "${RUNNER_TOKEN}" ]]; then
-      echo "ERROR: ACCESS_TOKEN or RUNNER_TOKEN provided but are mutually exclusive with APP_ID, APP_PRIVATE_KEY and APP_LOGIN." >&2
-      exit 1
-    fi
-    echo "Obtaining access token for app_id ${APP_ID} and login ${APP_LOGIN}"
-    nl="
-"
-    ACCESS_TOKEN=$(APP_ID="${APP_ID}" APP_PRIVATE_KEY="${APP_PRIVATE_KEY//\\n/${nl}}" APP_LOGIN="${APP_LOGIN}" bash /app_token.sh)
-  elif [[ -n "${APP_ID}" ]] || [[ -n "${APP_PRIVATE_KEY}" ]] || [[ -n "${APP_LOGIN}" ]]; then
-    echo "ERROR: All of APP_ID, APP_PRIVATE_KEY and APP_LOGIN must be specified." >&2
-    exit 1
-  fi
-
-  if [[ -n "${ACCESS_TOKEN}" ]]; then
-    echo "Obtaining the token of the runner"
-    _TOKEN=$(ACCESS_TOKEN="${ACCESS_TOKEN}" bash /token.sh)
-    RUNNER_TOKEN=$(echo "${_TOKEN}" | jq -r .token)
-  fi
-
-  # shellcheck disable=SC2153
-  if [ -n "${EPHEMERAL}" ]; then
-    echo "Ephemeral option is enabled"
-    ARGS+=("--ephemeral")
-  fi
-
-  if [ -n "${DISABLE_AUTO_UPDATE}" ]; then
-    echo "Disable auto update option is enabled"
-    ARGS+=("--disableupdate")
-  fi
-
-  if [ -n "${NO_DEFAULT_LABELS}" ]; then
-    echo "Disable adding the default self-hosted, platform, and architecture labels"
-    ARGS+=("--no-default-labels")
-  fi
-
-  echo "Configuring"
-  ./config.sh \
-      --url "${_SHORT_URL}" \
-      --token "${RUNNER_TOKEN}" \
-      --name "${_RUNNER_NAME}" \
-      --work "${_RUNNER_WORKDIR}" \
-      --labels "${_LABELS}" \
-      --runnergroup "${_RUNNER_GROUP}" \
-      --unattended \
-      --replace \
-      "${ARGS[@]}"
-
-  [[ ! -d "${_RUNNER_WORKDIR}" ]] && mkdir "${_RUNNER_WORKDIR}"
-
-}
-
-
-# Opt into runner reusage because a value was given
-if [[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then
-  echo "Runner reusage is enabled"
-
-  # directory exists, copy the data
-  if [[ -d "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then
-    echo "Copying previous data"
-    cp -p -r "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}/." "/actions-runner"
-  fi
-
-  if [ -f "/actions-runner/.runner" ]; then
-    echo "The runner has already been configured"
-  else
-    configure_runner
-  fi
-else
-  echo "Runner reusage is disabled"
-  configure_runner
-fi
-
-if [[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then
-  echo "Reusage is enabled. Storing data to ${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}"
-  # Quoting (even with double-quotes) the regexp brokes the copying
-  cp -p -r "/actions-runner/_diag" "/actions-runner/svc.sh" /actions-runner/.[^.]* "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}"
-fi
-
-if [[ ${_DISABLE_AUTOMATIC_DEREGISTRATION} == "false" ]]; then
-  trap_with_arg deregister_runner SIGINT SIGQUIT SIGTERM INT TERM QUIT
-fi
-
-# Start docker service if needed (e.g. for docker-in-docker)
-if [[ ${_START_DOCKER_SERVICE} == "true" ]]; then
-  echo "Starting docker service"
-  _PREFIX=""
-  [[ ${_RUN_AS_ROOT} != "true" ]] && _PREFIX="sudo"
-  ${_PREFIX} service docker start
-fi
-
-# Container's command (CMD) execution as runner user
-
-
-if [[ ${_RUN_AS_ROOT} == "true" ]]; then
-  if [[ $(id -u) -eq 0 ]]; then
-    "$@"
-  else
-    echo "ERROR: RUN_AS_ROOT env var is set to true but the user has been overridden and is not running as root, but UID '$(id -u)'"
-    exit 1
-  fi
-else
-  if [[ $(id -u) -eq 0 ]]; then
-    [[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]] && chown -R runner "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}"
-    chown -R runner "${_RUNNER_WORKDIR}" /actions-runner
-    # The toolcache is not recursively chowned to avoid recursing over prepulated tooling in derived docker images
-    chown runner /opt/hostedtoolcache/
-    /usr/sbin/gosu runner "$@"
-  else
-    "$@"
-  fi
-fi
+./config.sh --url $GH_URL --token $REGISTRATION_TOKEN --unattended --ephemeral && ./run.sh

code/container/install_dependencies.sh

@@ -3,20 +3,21 @@ AZURE_CLI_VERSION=$1
 PWSH_VERSION=$2
 
 # Install Azure CLI
-sudo apt-get install -y ca-certificates curl apt-transport-https lsb-release gnupg \
-    && sudo mkdir -p /etc/apt/keyrings \
-    && curl -sLS https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/keyrings/microsoft.gpg > /dev/null \
-    && sudo chmod go+r /etc/apt/keyrings/microsoft.gpg \
+apt-get install -y ca-certificates curl apt-transport-https lsb-release gnupg \
+    && mkdir -p /etc/apt/keyrings \
+    && curl -sLS https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | tee /etc/apt/keyrings/microsoft.gpg > /dev/null \
+    && chmod go+r /etc/apt/keyrings/microsoft.gpg \
     && AZ_DIST=$(lsb_release -cs) \
-    && echo "deb [arch=`dpkg --print-architecture` signed-by=/etc/apt/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/azure-cli/ $AZ_DIST main" | sudo tee /etc/apt/sources.list.d/azure-cli.list \
-    && sudo apt-get update \
+    && echo "deb [arch=`dpkg --print-architecture` signed-by=/etc/apt/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/azure-cli/ $AZ_DIST main" | tee /etc/apt/sources.list.d/azure-cli.list \
+    && apt-get update \
     && AZ_DIST=$(lsb_release -cs) \
-    && sudo apt-get install -y azure-cli=$AZURE_CLI_VERSION-1~$AZ_DIST
+    && apt-get install -y azure-cli=$AZURE_CLI_VERSION-1~$AZ_DIST
 
 # Install Powershell
-sudo apt-get install -y wget \
+apt-get update \
+    && apt-get install -y wget \
     && wget https://github.com/PowerShell/PowerShell/releases/download/v$PWSH_VERSION/powershell_$PWSH_VERSION-1.deb_amd64.deb \
-    && sudo dpkg -i powershell_$PWSH_VERSION-1.deb_amd64.deb \
-    && sudo apt-get install -fy \
+    && dpkg -i powershell_$PWSH_VERSION-1.deb_amd64.deb \
+    && apt-get install -fy \
     && rm powershell_$PWSH_VERSION-1.deb_amd64.deb \
     && pwsh -Command "Install-Module -Name Az -Repository PSGallery -Force"