[pull] master from myoung34:master#1
Open
pull[bot] wants to merge 254 commits into
Bugfix: fix platforms to remove slash
Remove the final command test from the base, make it a "defaults" test
…h-service feat: Prevent exposure of configuration environment variables to runner workflows
Additionally, this change:
- Configures upfront to reduce number of apt updates
- Removes use of lsb-release to allow simplification and avoid unnecessary dependencies in the base image (i.e. Python)
Refactored to a set of install scripts to avoid adding further complexity to the base Dockerfile and make it easier to disable tools
Add runner dir test output to goss
Fix temp dir location for tests
Wrap all tests and docker/build-push-action into nick-fields/retry
Goss: change deprecated file.contains to file.contents
Fix readme for tests
This allows users to specify ids that are consistent with their host users
Config driven install
Add information on how to view and modify the included packages and configuration
…tion-4.x chore(deps): update docker/setup-buildx-action action to v4
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Solves this problem: ```Runner version v2.324.0 is deprecated and cannot receive messages.```
Update GH_RUNNER_VERSION to 2.333.0
chore(deps): update nick-fields/retry action to v4
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
chore(deps): update github/codeql-action action to v4.34.1
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
The Dockerfile (and the actions-runner tarball it extracts) ships
/actions-runner/ fully runner-owned, including ~50 MB of bin/ and
~330 MB of externals/ that contain node / .NET runtime libs used by
actions like setup-node and setup-python. Verify on a pristine image:
```sh
docker run --rm --entrypoint sh myoung34/github-runner:ubuntu-noble \
  -c 'find /actions-runner -not -user runner'
# => prints nothing
```
Yet `chown -R runner "${_RUNNER_WORKDIR}" /actions-runner` in
entrypoint.sh walks 9100+ files on every start. On overlayfs each chown
triggers copy-up regardless of whether ownership actually changes, so
the walk costs real disk I/O to flip exactly nothing. Under parallel
starts (e.g. 12 containers on one host) the resulting storage-driver
contention dominates time-to-healthy.
The files that do need flipping are the ones config.sh writes as root
earlier in this same entrypoint (.runner, .credentials,
.credentials_rsaparams, .env, .path, svc.sh, and eventually _diag/).
Enumerating them is fragile if config.sh ever adds an output, so instead
blacklist the two known-heavy dirs and chown everything else under
/actions-runner at depth 1:
- chown runner /actions-runner "${_RUNNER_WORKDIR}" (non-recursive)
- find /actions-runner -mindepth 1 -maxdepth 1 \
    ! -name bin ! -name externals -exec chown -R runner {} +
This catches every top-level config-written file/dir (plus anything new
that may appear), skips the two bulk runtime dirs, and leaves -R on the
small subtrees that may legitimately need it (e.g. _diag/).
Unchanged:
- _CONFIGURED_ACTIONS_RUNNER_FILES_DIR chown on the preceding line
- toolcache flat-chown on the following line
- the RUN_AS_ROOT=true and non-root branches
Observed impact on a host running 12 parallel runners (ZFS-backed LXC
on Proxmox): time-to-all-healthy dropped from ~5 minutes to ~25 seconds;
per-container `docker compose up -d` returns in ~1 s instead of racing
11 peers for overlay copy-up I/O.
entrypoint: skip recursive chown over /actions-runner/{bin,externals}
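The two commit messages above (the entrypoint change that skips `chown -R` over `bin/` and `externals/`, and the Dockerfile change that makes runner ownership of `/actions-runner` a build-time invariant) both turn on how many inodes the start-up chown walks. The script below is an added example, not code from the repository: it builds a constructed miniature of the `/actions-runner` layout in a temporary directory (file counts are made-up stand-ins for the real ~9100 files; the dotfile names follow the ones the message says `config.sh` writes), then counts the inodes the old `chown -R runner /actions-runner` would visit against the depth-1 form using the exact `find` expression from the commit. No ownership is changed, so it runs unprivileged; the real-image ownership check is the `find /actions-runner -not -user runner` command already quoted in the message.

```shell
#!/bin/sh
# Added example: measure how many inodes the old recursive chown walks versus
# the selective depth-1 form from the entrypoint commit. The fixture is a
# constructed miniature of /actions-runner; nothing is chown'ed.
set -eu

# Constructed fixture: bin/ and externals/ are the bulk runtime dirs, _diag/
# and the dotfiles are the things config.sh writes as root at start-up.
make_fixture() {
  root="$(mktemp -d)"
  mkdir -p "$root/bin" "$root/externals/node20" "$root/_diag" "$root/_work"
  i=0; while [ "$i" -lt 50 ]; do : > "$root/bin/tool$i"; i=$((i+1)); done
  i=0; while [ "$i" -lt 100 ]; do : > "$root/externals/node20/lib$i"; i=$((i+1)); done
  for f in Runner_1.log Worker_1.log Runner_2.log; do : > "$root/_diag/$f"; done
  for f in .runner .credentials .credentials_rsaparams .env .path svc.sh; do : > "$root/$f"; done
  echo "$root"
}

# Inodes visited by the old form: chown -R runner /actions-runner
full_walk_count() {
  find "$1" | wc -l | tr -d ' '
}

# Inodes visited by the new form: one non-recursive chown on the root, then
# find -mindepth 1 -maxdepth 1 ! -name bin ! -name externals -exec chown -R
selective_walk_count() {
  root="$1"
  total=1   # the root directory itself (non-recursive chown)
  for entry in $(find "$root" -mindepth 1 -maxdepth 1 ! -name bin ! -name externals); do
    total=$((total + $(find "$entry" | wc -l)))
  done
  echo "$total"
}

# Top-level entries the selective form hands to chown -R, so a reviewer can
# confirm every config-written file is covered and only bin/externals skipped.
selective_targets() {
  find "$1" -mindepth 1 -maxdepth 1 ! -name bin ! -name externals -exec basename {} \; | LC_ALL=C sort
}

main() {
  root="$(make_fixture)"
  echo "full walk:      $(full_walk_count "$root") inodes"
  echo "selective walk: $(selective_walk_count "$root") inodes"
  echo "chown -R targets:"
  selective_targets "$root" | sed 's/^/  /'
  rm -rf "$root"
}

main
```

Run it as-is; on the constructed fixture the selective form visits 12 inodes instead of 165, and the target list shows that anything new appearing at depth 1 (a future `config.sh` output, for instance) is still picked up without the blacklist needing an update.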
Harden the invariant that entrypoint.sh #583 now relies on: every file under /actions-runner is runner-owned in the image.

Previously this was true only because GitHub's actions-runner release tarball happens to encode UIDs that coincide with this image's runner user (UID 1001). The non-recursive chown in this RUN step only touched the three top-level directories; ownership of the ~9 000 files extracted from the tarball was inherited verbatim from the archive metadata.

Making the chown recursive establishes the invariant in this repo instead of inheriting it by coincidence:

- entrypoint.sh #583 skips chown -R over bin/ and externals/ on every container start; that optimisation now has a locally-enforced precondition rather than one that depends on upstream tarball packaging conventions.
- Derived images (FROM myoung34/github-runner:...) no longer depend on the tarball's happen-to-be-runner-owned ownership either.
- Forks that rebuild the base image with a different runner UID get correct ownership without having to remember to re-chown.

Cost is paid once at image build time, inside the same RUN that extracts the tarball, so it does not add a new layer or inflate image size beyond the chown metadata in the existing layer.
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Dockerfile: recursive chown /actions-runner after tarball extract
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
chore(config): migrate Renovate config
Support GitHub Enterprise Cloud data residency API URLs (*.ghe.com)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )