Adding hmpps-github-actions-runner image

.github/workflows/docker-build-push.yml

@@ -21,6 +21,7 @@ jobs:
           - hmpps-localstack
           - hmpps-clamav
           - hmpps-python-deps
+          - hmpps-github-actions-runner
     permissions:
       packages: write
       contents: read

hmpps-github-actions-runner/Dockerfile

@@ -0,0 +1,78 @@
+#checkov:skip=CKV_DOCKER_2:actions/runner does not provider a mechanism for checking the health of the service
+FROM public.ecr.aws/ubuntu/ubuntu@sha256:4f5ca1c8b7abe2bd1162e629cafbd824c303b98954b1a168526aca6021f8affe
+
+LABEL org.opencontainers.image.vendor="Ministry of Justice" \
+      org.opencontainers.image.authors="HMPPS DPS" \
+      org.opencontainers.image.title="Actions Runner" \
+      org.opencontainers.image.description="Actions Runner image for HMPPS DPS" \
+      org.opencontainers.image.url="https://github.com/ministryofjustice/hmpps-utility-container-images"
+
+ENV CONTAINER_USER="runner" \
+    CONTAINER_UID="10000" \
+    CONTAINER_GROUP="runner" \
+    CONTAINER_GID="10000" \
+    CONTAINER_HOME="/actions-runner" \
+    DEBIAN_FRONTEND="noninteractive"
+
+# Checked by renovate
+ENV ACTIONS_RUNNER_VERSION="2.321.0" 
+
+SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"]
+
+RUN <<EOF
+groupadd \
+  --gid ${CONTAINER_GID} \
+  --system \
+  ${CONTAINER_GROUP}
+
+useradd \
+  --uid ${CONTAINER_UID} \
+  --gid ${CONTAINER_GROUP} \
+  --create-home \
+  ${CONTAINER_USER}
+
+mkdir --parents ${CONTAINER_HOME}
+
+chown --recursive ${CONTAINER_USER}:${CONTAINER_GROUP} ${CONTAINER_HOME}
+
+apt-get update
+
+apt-get install --yes --no-install-recommends \
+  "apt-transport-https" \
+  "ca-certificates" \
+  "curl" \
+  "git" \
+  "jq" \
+  "libicu-dev" \
+  "lsb-release" \
+  "gcc" \
+  "libsqlite3-dev" \
+  "python3" \
+  "httpie"
+
+apt-get clean
+
+rm -rf /var/lib/apt/lists/*
+
+curl --location "https://github.com/actions/runner/releases/download/v${ACTIONS_RUNNER_VERSION}/actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz" \
+  --output "actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz"
+
+# Validate the checksum
+ACTIONS_RUNNER_PKG_SHA=$(curl -s --location "https://github.com/actions/runner/releases/tag/v${ACTIONS_RUNNER_VERSION}" | grep -A10 "SHA-256 Checksums" | grep actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION} | awk -F'[<> ]' '{print $4}')
+echo "Release ACTIONS_RUNNER_PKG_SHA   : ${ACTIONS_RUNNER_PKG_SHA}"
+echo "Downloaded ACTIONS_RUNNER_PKG_SHA: $(sha256sum -b actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz) | cut -d\  -f1"
+
+echo "${ACTIONS_RUNNER_PKG_SHA}"  "actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz" | /usr/bin/sha256sum --check
+
+tar --extract --gzip --file="actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz" --directory="${CONTAINER_HOME}"
+
+rm --force "actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz"
+EOF
+
+COPY --chown=nobody:nobody --chmod=0755 src/usr/local/bin/entrypoint.sh /usr/local/bin/entrypoint.sh
+
+USER ${CONTAINER_UID}
+
+WORKDIR ${CONTAINER_HOME}
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

hmpps-github-actions-runner/src/usr/local/bin/entrypoint.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ACTIONS_RUNNER_DIRECTORY="/actions-runner"
+EPHEMERAL="${EPHEMERAL:-"false"}"
+
+echo "Runner parameters:"
+echo "  Repository: ${GITHUB_REPOSITORY}"
+echo "  Runner Name: $(hostname)"
+echo "  Runner Labels: ${RUNNER_LABELS}"
+
+echo "Obtaining registration token"
+getRegistrationToken=$(
+  curl \
+    --silent \
+    --location \
+    --request "POST" \
+    --header "X-GitHub-Api-Version: 2022-11-28" \
+    --header "Authorization: Bearer ${GH_AUTH_TOKEN}" \
+    https://api.github.com/repos/"${GITHUB_REPOSITORY}"/actions/runners/registration-token | jq -r '.token'
+)
+export getRegistrationToken
+
+echo "Checking if registration token exists"
+if [[ -z "${getRegistrationToken}" ]]; then
+  echo "Failed to obtain registration token"
+  exit 1
+else
+  echo "Registration token obtained successfully"
+  REPO_TOKEN="${getRegistrationToken}"
+fi
+
+if [[ "${EPHEMERAL}" == "true" ]]; then
+  EPHEMERAL_FLAG="--ephemeral"
+  trap 'echo "Shutting down runner"; exit' SIGINT SIGQUIT SIGTERM INT TERM QUIT
+else
+  EPHEMERAL_FLAG=""
+fi
+
+echo "Checking the runner"
+bash "${ACTIONS_RUNNER_DIRECTORY}/config.sh" --check --url "https://github.com/${GITHUB_REPOSITORY}" --pat ${GH_AUTH_TOKEN}
+
+echo "Configuring runner"
+bash "${ACTIONS_RUNNER_DIRECTORY}/config.sh" ${EPHEMERAL_FLAG} \
+  --unattended \
+  --disableupdate \
+  --url "https://github.com/${GITHUB_REPOSITORY}" \
+  --token "${REPO_TOKEN}" \
+  --name "$(hostname)" \
+  --labels "${RUNNER_LABELS}"
+
+echo "Setting the 'ready' flag for Kubernetes liveness probe"
+touch /tmp/runner.ready
+
+echo "Starting runner"
+bash "${ACTIONS_RUNNER_DIRECTORY}/run.sh"