From 993856b6f5472cbc4c399377651372707d03bb4f Mon Sep 17 00:00:00 2001
From: Andrea Grillo
Date: Fri, 1 Mar 2024 16:23:47 +0100
Subject: [PATCH] feat: Refactor Dockerfile to better support new DevOps scenarios with Container App Jobs (#18)
---
 .dockerignore | 118 +++++++++++++++++++++++
 .github/workflows/beta-docker-branch.yml | 48 ++++++---
 .github/workflows/release.yml | 46 ++++++---
 .github/workflows/trivy.yml | 55 +++++++----
 Dockerfile | 58 +++++++----
 docker-compose.yaml | 9 +-
 dockerfile-setup.sh | 93 ------------------
 github-runner-entrypoint.sh | 71 ++++---------
 8 files changed, 279 insertions(+), 219 deletions(-)
 create mode 100644 .dockerignore
 delete mode 100644 dockerfile-setup.sh
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..ec5ce6e
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,118 @@ +**/.dockerignore +**/.git +apps/onboarding-ms/.idea/.gitignore +**/bin +**/docker-compose* +**/Dockerfile* +**/node_modules +**/npm-debug.log +**/obj +**/secrets.dev.yaml +**/values.dev.yaml +LICENSE +README.md + +**/.idea +.idea +**/.mvn +.mvn + +**/target + +# Created by .ignore support plugin (hsz.mobi) +### Maven template +target/ +pom.xml.tag +pom.xml.releaseBackup +pom.xml.versionsBackup +pom.xml.next +release.properties +dependency-reduced-pom.xml +buildNumber.properties +.mvn/timing.properties +.mvn/wrapper/maven-wrapper.jar +### Java template +# Compiled class file +*.class + +# Log file +*.log + +# BlueJ files +*.ctxt + +# Mobile Tools for Java (J2ME) +.mtj.tmp/ + +# Package Files # +*.jar +*.war +*.nar +*.ear +*.zip +*.tar.gz +*.rar + +# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml +hs_err_pid* +### JetBrains template +# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and WebStorm +# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839 + +# User-specific stuff +.idea/**/workspace.xml +.idea/**/tasks.xml +.idea/**/usage.statistics.xml +.idea/**/dictionaries +.idea/**/shelf + +# Sensitive or high-churn files +.idea/**/dataSources/ +.idea/**/dataSources.ids +.idea/**/dataSources.local.xml +.idea/**/sqlDataSources.xml +.idea/**/dynamic.xml +.idea/**/uiDesigner.xml +.idea/**/dbnavigator.xml + +# Gradle +.idea/**/gradle.xml +.idea/**/libraries + +# Gradle and Maven with auto-import +# When using Gradle or Maven with auto-import, you should exclude module files, +# since they will be recreated, and may cause churn. Uncomment if using +# auto-import. 
+# .idea/modules.xml +# .idea/*.iml +# .idea/modules + +# CMake +cmake-build-*/ + +# Mongo Explorer plugin +.idea/**/mongoSettings.xml + +# File-based project format +*.iws + +# IntelliJ +out/ + +# mpeltonen/sbt-idea plugin +.idea_modules/ + +# JIRA plugin +atlassian-ide-plugin.xml + +# Cursive Clojure plugin +.idea/replstate.xml + +# Crashlytics plugin (for Android Studio and IntelliJ) +com_crashlytics_export_strings.xml +crashlytics.properties +crashlytics-build.properties +fabric.properties + +# Editor-based Rest Client +.idea/httpRequests diff --git a/.github/workflows/beta-docker-branch.yml b/.github/workflows/beta-docker-branch.yml index fcad890..fd74a9e 100644 --- a/.github/workflows/beta-docker-branch.yml +++ b/.github/workflows/beta-docker-branch.yml @@ -2,7 +2,6 @@ name: Beta docker on dev branch on: push: - # Sequence of patterns matched against refs/heads branches-ignore: - 'main' paths-ignore: 
@@ -10,38 +9,57 @@ on: - '**.md' - '.**' +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + jobs: release: name: Beta docker on dev branch runs-on: ubuntu-22.04 steps: + - name: Checkout id: checkout - # from https://github.com/actions/checkout/commits/main - uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 with: persist-credentials: false fetch-depth: 0 + - name: Setup Docker buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + - name: Log in to the Container registry - id: docker_login - # from https://github.com/docker/login-action/commits/master - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: - registry: ghcr.io + registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Docker meta + uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0 + id: meta + with: + images: | + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=raw,value=beta-${{ github.ref_name }} + labels: + org.opencontainers.image.title=${{ env.IMAGE_NAME }}-beta + org.opencontainers.image.description=GitHub self hosted runner + org.opencontainers.image.authors=PagoPA + org.opencontainers.image.url=github.com/pagopa/${{ github.repository }} + org.opencontainers.image.source=https://github.com/pagopa/${{ github.repository }} + - name: Build and push Docker image - id: docker_build_push - # from https://github.com/docker/build-push-action/commits/master - uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: context: . 
push: true - tags: | - ghcr.io/${{ github.repository }}:beta-${{ github.ref_name }} - labels: | - maintainer=https://pagopa.it - org.opencontainers.image.source=https://github.com/${{ github.repository }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + file: Dockerfile + cache-from: type=gha + cache-to: type=gha,mode=min + platforms: linux/amd64,linux/arm64 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d438931..116ccd5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,7 +1,6 @@ name: Release on: - # Trigger the workflow on push on the main branch push: branches: - main @@ -10,23 +9,26 @@ on: - '**.md' - '.**' +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + jobs: release: name: Release runs-on: ubuntu-22.04 steps: + - name: Checkout id: checkout - # from https://github.com/actions/checkout/commits/main - uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 with: persist-credentials: false fetch-depth: 0 - name: Release id: release - # from https://github.com/cycjimmy/semantic-release-action/commits/main uses: cycjimmy/semantic-release-action@bdd914ff2423e2792c73475f11e8da603182f32d with: semantic_version: 18.0.0 
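Review bot: The `org.opencontainers.image.url` and `org.opencontainers.image.source` labels in the new Docker meta step prepend `pagopa/` to `${{ github.repository }}`, which already contains the owner, so the published image advertises a `github.com/pagopa/pagopa/<repo>` location (and `url` also lacks a scheme); use `org.opencontainers.image.url=https://github.com/${{ github.repository }}` and `org.opencontainers.image.source=https://github.com/${{ github.repository }}`. The same doubled owner appears in the `url` label of the release.yml hunk at `@@ -39,24 +41,38 @@`, whose `source` label is already correct. Pinning every third-party action by commit SHA with a version comment is the right call; the `cycjimmy/semantic-release-action@bdd914ff…` line in the release.yml hunk at `@@ -10,23 +9,26 @@` is the one remaining action without such a comment, so adding it (e.g. `# vX.Y.Z — version to be confirmed against the pinned commit`) would keep the three workflows consistent.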
@@ -39,24 +41,38 @@ jobs: - name: Log in to the Container registry id: docker_login if: steps.release.outputs.new_release_published == 'true' - # from https://github.com/docker/login-action/commits/master - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: - registry: ghcr.io + registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Docker meta + uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0 + id: meta + with: + images: | + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=raw,value=latest + type=raw,value=v${{ steps.release.outputs.new_release_version }} + labels: + org.opencontainers.image.title=${{ env.IMAGE_NAME }} + org.opencontainers.image.description=GitHub self hosted runner + org.opencontainers.image.authors=PagoPA + org.opencontainers.image.url=github.com/PagoPA/${{ github.repository }} + org.opencontainers.image.source=https://github.com/${{ github.repository }} + - name: Build and push Docker image id: docker_build_push if: steps.release.outputs.new_release_published == 'true' - # from https://github.com/docker/build-push-action/commits/master - uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: context: . push: true - tags: | - ghcr.io/${{ github.repository }}:latest - ghcr.io/${{ github.repository }}:v${{ steps.release.outputs.new_release_version }} - labels: | - maintainer=https://pagopa.it - org.opencontainers.image.source=https://github.com/${{ github.repository }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + file: Dockerfile + cache-from: type=gha + cache-to: type=gha,mode=min + platforms: linux/amd64,linux/arm64 
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index ceff89c..5cdc9c2 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,52 +1,65 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - name: Docker security scan on: push: branches: [ "main", "master" ] pull_request: - # The branches below must be a subset of the branches above branches: [ "main", "master" ] schedule: - cron: '00 07 * * *' -permissions: - contents: read +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} jobs: build: + name: Build + runs-on: ubuntu-22.04 permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: Build - runs-on: ubuntu-22.04 + steps: + - name: Checkout code - # from https://github.com/actions/checkout/commits/main uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707 - - name: Build an image from Dockerfile - run: | - docker build -t docker.io/my-organization/my-app:${{ github.sha }} . + - name: Setup Docker buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + - name: Docker meta + uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0 + id: meta + with: + images: | + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=sha,enable=true,format=long + + - name: Build Docker image + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + with: + context: . 
+ load: true + push: false + tags: ${{ steps.meta.outputs.tags }} + file: Dockerfile + cache-from: type=gha + cache-to: type=gha,mode=min + platforms: linux/amd64 - name: Run Trivy vulnerability scanner - # from https://github.com/aquasecurity/trivy-action/commits/master - uses: aquasecurity/trivy-action@d63413b0a4a4482237085319f7f4a1ce99a8f2ac + uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # v0.17.0 with: - image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' - format: 'template' - template: '@/contrib/sarif.tpl' + image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}' + format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' timeout: '10m0s' - name: Upload Trivy scan results to GitHub Security tab - # from https://github.com/github/codeql-action/commits/main - uses: github/codeql-action/upload-sarif@f0a12816612c7306b485a22cb164feb43c6df818 + uses: github/codeql-action/upload-sarif@592977e6ae857384aa79bb31e7a1d62d63449ec5 # v2.16.3 with: sarif_file: 'trivy-results.sarif' diff --git a/Dockerfile b/Dockerfile index 876a9ce..a71b4bc 100644 --- a/Dockerfile +++ b/Dockerfile 
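Review bot: The Checkout step keeps `actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707` with no version comment, while this same change moves beta-docker-branch.yml and release.yml to `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1`; the three workflows should track one pinned version. The scan builds and scans `linux/amd64` only, whereas the release and beta workflows now publish `linux/amd64,linux/arm64`, so the arm64 variant of the published image is never scanned — if that is intentional, a comment on the `platforms:` line such as `# only amd64 is scanned; the published image is also built for arm64` would record it, otherwise a matrix over both platforms closes the gap. The Trivy step also sets no `exit-code`, so CRITICAL/HIGH findings are uploaded but never fail the workflow; if the scan is meant to gate merges, `exit-code: '1'` is the input to add.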
@@ -1,25 +1,45 @@
-# from https://hub.docker.com/_/ubuntu/tags?page=1&name=22.04
-FROM ubuntu:22.04@sha256:bcc511d82482900604524a8e8d64bf4c53b2461868dac55f4d04d660e61983cb
+FROM ghcr.io/actions/actions-runner:2.313.0 AS base
+USER root
+RUN apt-get update \
+ && apt-get install -y curl jq \
+ && apt-get -y install zip unzip \
+ && apt-get -y install ca-certificates curl wget apt-transport-https lsb-release gnupg \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/
-WORKDIR /
+FROM base AS deps
+RUN bash bin/installdependencies.sh \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
-COPY dockerfile-setup.sh dockerfile-setup.sh
-RUN bash dockerfile-setup.sh
+FROM deps AS deps-az
+RUN curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
+RUN AZ_REPO=$(lsb_release -cs) && \
+ echo "deb [arch=$(dpkg --print-architecture)] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | tee /etc/apt/sources.list.d/azure-cli.list
+RUN apt-get update && \
+ apt-get -y install azure-cli \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+RUN az config set extension.use_dynamic_install=yes_without_prompt
+ENV KUBELOGIN_VERSION="${ENV_KUBELOGIN_VERSION:-0.0.26}"
+RUN az aks install-cli --kubelogin-version "${KUBELOGIN_VERSION}"
-COPY github-runner-entrypoint.sh /github-runner-entrypoint.sh
-RUN chmod +x /github-runner-entrypoint.sh
+FROM deps-az AS deps-kube
+RUN curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
+RUN echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+RUN apt-get update \
+ && apt-get satisfy "helm" -y \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
-# changed user to avoid root user
-USER github
+FROM deps-kube AS deps-yq
+ENV YQ_VERSION="${ENV_YQ_VERSION:-v4.30.6}"
+ENV YQ_BINARY="yq_linux_amd64"
+RUN wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/${YQ_BINARY}.tar.gz -O - | tar xz && mv ${YQ_BINARY} /usr/bin/yq
-RUN whoami && \
- az --version && \
- kubectl --help && \
- kubelogin --version && \
- helm --help && \
- yq --version && \
- node --version && \
- npm --version && \
- yarn --version
+FROM deps-yq AS final
+COPY ./github-runner-entrypoint.sh ./entrypoint.sh
+RUN chmod +x ./entrypoint.sh
+USER runner
-ENTRYPOINT ["/github-runner-entrypoint.sh"]
+ENTRYPOINT ["./entrypoint.sh"]
diff --git a/docker-compose.yaml b/docker-compose.yaml
index d2dfb3b..fc24968 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,10 +1,11 @@ version: "3.9" + services: + github_runner: - # build: . - image: ghcr.io/pagopa/github-self-hosted-runner-azure:beta-kubelogin-setup + build: + context: . + dockerfile: ./Dockerfile environment: - GITHUB_REPOSITORY=${GITHUB_REPOSITORY} - GITHUB_TOKEN=${GITHUB_TOKEN} - -
diff --git a/dockerfile-setup.sh b/dockerfile-setup.sh
deleted file mode 100644
index 4106ae4..0000000
--- a/dockerfile-setup.sh
+++ /dev/null
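Review bot: In the `deps-az` stage the Microsoft signing key is written to `/etc/apt/trusted.gpg.d/microsoft.gpg`, which makes it a globally trusted apt key for every configured repository, and the `azure-cli.list` entry carries no `signed-by=`; the deleted `dockerfile-setup.sh` and the `deps-kube` stage in this same hunk both scope their keys, so do the same here with `RUN curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor -o /usr/share/keyrings/microsoft.gpg` and `echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main"`. Both `curl` invocations that feed `gpg --dearmor` (Microsoft and Helm keys) run without `-f`, so an HTTP error body would be dearmored and installed as a trusted key instead of failing the build; `-fsSL` fixes that. The new `FROM ghcr.io/actions/actions-runner:2.313.0` replaces a digest-pinned base, so the build is no longer reproducible against a known image; pin it as `ghcr.io/actions/actions-runner:2.313.0@sha256:<DIGEST>` (digest to be looked up). The `deps-yq` stage hard-codes `YQ_BINARY="yq_linux_amd64"` and drops the SHA-256 check the deleted script performed, while the workflows in this commit now build `linux/arm64` as well, so the arm64 image ships an amd64 yq; deriving the name from the BuildKit `TARGETARCH` arg (`ARG TARGETARCH` then `yq_linux_${TARGETARCH}`) and restoring a checksum check would close both gaps. Lastly, `ENV_KUBELOGIN_VERSION` and `ENV_YQ_VERSION` are never declared as `ARG`, so the `${…:-default}` fallbacks always apply and the defaults (0.0.26, v4.30.6) are older than the versions the deleted script installed (0.0.34, v4.40.7) — worth a comment or an `ARG` line if overriding at build time is the intent.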
@@ -1,93 +0,0 @@ -#!/usr/bin/env bash -# base packages -apt-get update \ - && apt-get -y install curl git vim \ - && apt-get -y install zip unzip \ - && apt-get -y install ca-certificates apt-transport-https lsb-release gnupg \ - && apt-get -y install jq \ - && apt-get satisfy "python3-pip (<= 22.1)" -y - -# -# Github Action runner -# -mkdir -p actions-runner -cd actions-runner || exit -# from https://github.com/actions/runner/releases -GITHUB_RUNNER_VERSION="2.313.0" -GITHUB_RUNNER_VERSION_SHA="56910d6628b41f99d9a1c5fe9df54981ad5d8c9e42fc14899dcc177e222e71c4" -curl -fsSL https://github.com/actions/runner/releases/download/v"${GITHUB_RUNNER_VERSION}"/actions-runner-linux-x64-"${GITHUB_RUNNER_VERSION}".tar.gz -o actions-runner-linux-x64-"${GITHUB_RUNNER_VERSION}".tar.gz -echo "${GITHUB_RUNNER_VERSION_SHA} actions-runner-linux-x64-${GITHUB_RUNNER_VERSION}.tar.gz" | sha256sum -c -tar xzf ./actions-runner-linux-x64-"${GITHUB_RUNNER_VERSION}".tar.gz -rm actions-runner-linux-x64-"${GITHUB_RUNNER_VERSION}".tar.gz -bash bin/installdependencies.sh -echo "✅ Installed GitHub action runner" - -# keyrings folder -mkdir -p /etc/apt/keyrings - -# -# AZCLI -# -curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor -o /etc/apt/keyrings/microsoft.gpg -chmod go+r /etc/apt/keyrings/microsoft.gpg -AZ_DIST=$(lsb_release -cs) -# we build only for amd64 -echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/azure-cli/ $AZ_DIST main" | tee /etc/apt/sources.list.d/azure-cli.list -apt-get update \ - && apt-get -y install azure-cli -az config set extension.use_dynamic_install=yes_without_prompt -which az >/dev/null && echo "✅ Installed az" || echo "❌ failed to install az" - -# -# Node and Yarn install -# -curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg -NODE_MAJOR_VERSION="20" -echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/nodesource.gpg] 
https://deb.nodesource.com/node_$NODE_MAJOR_VERSION.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list -apt-get update \ - && apt-get -y install nodejs \ - && npm install -g yarn -which node >/dev/null && echo "✅ Installed node" || echo "❌ failed to install node" -which npm >/dev/null && echo "✅ Installed npm" || echo "❌ failed to install npm" -which yarn >/dev/null && echo "✅ Installed yarn" || echo "❌ failed to install yarn" - -# -# KUBERNETES DEPENDENCIES -# -# install kubectl from https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-using-native-package-management -curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /etc/apt/keyrings/kubernetes-archive-keyring.gpg -echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list -# install helm from https://helm.sh/docs/intro/install/#from-apt-debianubuntu -curl -fsSL https://baltocdn.com/helm/signing.asc | gpg --dearmor -o /etc/apt/keyrings/helm.gpg -echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list -apt-get update -apt-get satisfy "kubectl" -y -which kubectl >/dev/null && echo "✅ Installed kubectl" || echo "❌ failed to install kubectl" -apt-get satisfy "helm" -y -which helm >/dev/null && echo "✅ Installed helm" || echo "❌ failed to install helm" - -# -# install yq from https://github.com/mikefarah/yq#install -# -YQ_VERSION="v4.40.7" -YQ_VERSION_SHA="b895bad59fe6a24d5c38a73d09f8b8e7cef45a5049e16504c02176ebed6d572e" -YQ_BINARY="yq_linux_amd64" -curl -fsSL https://github.com/mikefarah/yq/releases/download/"${YQ_VERSION}"/${YQ_BINARY}.tar.gz -o ${YQ_BINARY}.tar.gz -echo "${YQ_VERSION_SHA}" $YQ_BINARY.tar.gz | sha256sum -c -mkdir -p yq && tar xz -f ${YQ_BINARY}.tar.gz -C yq && mv yq/${YQ_BINARY} /usr/bin/yq -which yq >/dev/null 
&& echo "✅ Installed yq" || echo "❌ failed to install yq" - -# -# Kubelogin install (use kubectl to install packages) -# -KUBELOGIN_VERSION="0.0.34" -az aks install-cli --kubelogin-version "${KUBELOGIN_VERSION}" -which kubelogin >/dev/null && echo "✅ Installed kubelogin" || echo "❌ failed to install kubelogin" - -# -# USER CONFIGURATIONS -# -useradd github -mkdir -p /home/github -chown -R github:github /home/github -chown -R github:github /actions-runner diff --git a/github-runner-entrypoint.sh b/github-runner-entrypoint.sh index 0f632d6..a6e757b 100644 --- a/github-runner-entrypoint.sh +++ b/github-runner-entrypoint.sh 
@@ -1,54 +1,21 @@
 #!/usr/bin/env bash
-INTERACTIVE="FALSE"
-if [ "$(echo "$INTERACTIVE_MODE" | tr '[:upper:]' '[:lower:]')" == "true" ]; then
- INTERACTIVE="TRUE"
-fi
-
-# Verify some Repo URL and token have been given, otherwise we must be interactive mode.
-if [ -z "$GITHUB_REPOSITORY" ] || [ -z "$GITHUB_TOKEN" ]; then
- if [ "$INTERACTIVE" == "FALSE" ]; then
- echo "GITHUB_REPOSITORY and GITHUB_TOKEN cannot be empty"
- exit 1
- fi
-fi
-
-# Calculate default configuration values.
-GITHUB_REPOSITORY_BANNER="$GITHUB_REPOSITORY"
-if [ -z "$GITHUB_REPOSITORY_BANNER" ]; then
- export GITHUB_REPOSITORY_BANNER=""
-fi
-
-if [ -z "$RUNNER_NAME" ]; then
- RUNNER_NAME="$(hostname)"
- export RUNNER_NAME
-fi
-
-if [ -z "$WORK_DIR" ]; then
- export WORK_DIR=".workdir"
-fi
-
-# Calculate runner replacement policy.
-REPLACEMENT_POLICY="\n\n\n"
-REPLACEMENT_POLICY_LABEL="FALSE"
-if [ "$(echo "$REPLACE_EXISTING_RUNNER" | tr '[:upper:]' '[:lower:]')" == "true" ]; then
- REPLACEMENT_POLICY="Y\n\n"
- REPLACEMENT_POLICY_LABEL="TRUE"
-fi
-
-# Configure runner interactively, or with the given replacement policy.
-printf "Configuring GitHub Runner for %s\n\t" "$GITHUB_REPOSITORY_BANNER"
-printf "Runner Name: %s\n\t" "$RUNNER_NAME"
-printf "Working Directory: %s\n\t" "$WORK_DIR"
-printf "Replace Existing Runners: %s\n" "$REPLACEMENT_POLICY_LABEL"
-
-# actions-runner is a folder inside the github runner zip
-if [ "$INTERACTIVE" == "FALSE" ]; then
- echo -ne "$REPLACEMENT_POLICY" | ./actions-runner/config.sh --url "$GITHUB_REPOSITORY" --token "$GITHUB_TOKEN" --name "$RUNNER_NAME" --work "$WORK_DIR" --labels "$LABELS" --disableupdate
-else
- ./actions-runner/config.sh --url "$GITHUB_REPOSITORY" --token "$GITHUB_TOKEN" --name "$RUNNER_NAME" --work "$WORK_DIR" --labels "$LABELS" --disableupdate
-fi
-
-# Start the runner.
-printf "Executing GitHub Runner for %s\n" "$GITHUB_REPOSITORY"
-./actions-runner/run.sh
+# Retrieve a short lived runner registration token using the PAT
+REGISTRATION_TOKEN="$(curl -X POST -fsSL \
+ -H 'Accept: application/vnd.github.v3+json' \
+ -H "Authorization: Bearer $GITHUB_PAT" \
+ -H 'X-GitHub-Api-Version: 2022-11-28' \
+ "$REGISTRATION_TOKEN_API_URL" \
+ | jq -r '.token')"
+
+./config.sh \
+ --url $REPO_URL \
+ --token $REGISTRATION_TOKEN \
+ --unattended \
+ --disableupdate \
+ --ephemeral \
+ --replace \
+ && ./run.sh
+
+export GITHUB_PAT=_REDACTED_
+export REGISTRATION_TOKEN=_REDACTED_
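Review bot: The two `export …=_REDACTED_` lines at the end only execute after `./run.sh` returns, so for the runner's entire lifetime `GITHUB_PAT` (the long-lived credential) and `REGISTRATION_TOKEN` remain in the environment that `config.sh`, `run.sh` and every job they execute inherit; the PAT is needed only for the registration call, so it should be dropped with `unset GITHUB_PAT` as soon as `REGISTRATION_TOKEN` is obtained, and the token after `config.sh` completes. The script has no `set -euo pipefail`, so a failed API call leaves an empty token or the literal `null` from `jq -r` and `config.sh` is still invoked with it, and `$REPO_URL` and `$REGISTRATION_TOKEN` are unquoted on the `./config.sh` lines. The rewrite below adds strict mode, validates the token and removes both secrets before the runner starts; the registration `curl` block is unchanged.
```shell
#!/usr/bin/env bash
set -euo pipefail

# … unchanged: REGISTRATION_TOKEN retrieval (curl | jq) …

# The PAT is needed only for the registration call above; drop it before
# config.sh/run.sh (and every job they execute) inherit this environment.
unset GITHUB_PAT
if [ -z "$REGISTRATION_TOKEN" ] || [ "$REGISTRATION_TOKEN" = "null" ]; then
  echo "could not obtain a runner registration token" >&2
  exit 1
fi

./config.sh \
  --url "$REPO_URL" \
  --token "$REGISTRATION_TOKEN" \
  --unattended \
  --disableupdate \
  --ephemeral \
  --replace
unset REGISTRATION_TOKEN
./run.sh
```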