sanderknape / github-runner Goto Github PK

View Code? Open in Web Editor NEW

133.0 133.0 117.0 17 KB

License: MIT License

Dockerfile 29.25% Shell 70.75%

github-runner's People

Contributors

Stargazers

Watchers

Forkers

dictcp saltcreek-alex vojtechvitek rbrto philipstaffordwood flanksource jakekeeys testorg-kp tribalnightowl karthick-kk sgryczan greatwhiteape hazrac luukxt8 jpmolinamatute idealo bbrowning nd-cse-30341-fa20 okteto devhubco alphawong garnercorp imgnnthn denzil-briffa highstreet-ly mudler dntsk indresh-pandey-db meierbr lyoninc crazynuxer ercpereda darren-rose bengentree ameliaikeda rliconnect jonico sm-ai smart-transportation secana ksrisurapaneni grafana dlethin vilmarconsul marketron scalebuilder isaacrowntree alyragab ahmetk-kubra michaelsew zryfish sanzmahajan spicybackend you4su imambux tomkneitas mvieth-conga automatewithpipelines benjvi greg-hunt1 fxc775 anindra axa-ch-cloud malesci armagankaratosun folusomaine kayryu alknopfler davidburela nwe01 suresh051 yourmoonlight georgen88 broodingmawlek khalidbinsattar mikejoseph-ef thynix gruzewski victorfu demo2886 dfourmanfsquared hilkinr kaslrca-dentall fpommerening digitalidf digitty-forks wirsich-forks pierre-chesne 2good4hisowngood workflowy naveedkumbhar ljhanson williamsun-hha klapcsik joshjohanning-org jlin880 abhijeetsingh0401 am-i-b-v doct0r navmlk

github-runner's Issues

Github's automatic upgrade flow breaks in Kubernetes

When a container exits, Kubernetes replaces it with a fresh copy of the container image. So this runner enters a restart loop when Github uploads a new worker version.

...
√ Connected to GitHub

2020-11-17 14:27:57Z: Listening for Jobs
Runner update in progress, do not shutdown runner.
Downloading 2.274.2 runner
Waiting for current job finish running.
Generate and execute update script.
Runner will exit shortly for update, should back online within 10 seconds.

This happens over and over (CrashLoopBackOff) until a newer docker image is built/deployed.

To fix this, the runner needs to be run in a loop so it can be restarted in-place by the entrypoint when it wants to do an upgrade.
The exit code 3 means the agent wants to upgrade.

This comment references a script that knows how to do the restart: actions/runner#246 (comment)

Issue deploying on openshift

Getting the following error when deploying on openshift, strill trying to track it down. replaced the env variables with their variable names.

Requesting token at 'https://api.github.com/repos/GITHUB_OWNER/GITHUB_REPOSITORY/actions/runners/registration-token'
touch: cannot touch '.env': Permission denied
./env.sh: line 36: .path: Permission denied
Unhandled exception. System.UnauthorizedAccessException: Access to the path '/home/github/_diag' is denied.
 ---> System.IO.IOException: Permission denied
   --- End of inner exception stack trace ---
   at System.IO.FileSystem.CreateDirectory(String fullPath)
   at System.IO.Directory.CreateDirectory(String path)
   at GitHub.Runner.Common.HostTraceListener..ctor(String logFileDirectory, String logFilePrefix, Int32 pageSizeLimit, Int32 retentionDays)
   at GitHub.Runner.Common.HostContext..ctor(String hostType, String logFile)
   at GitHub.Runner.Listener.Program.Main(String[] args)
./config.sh: line 81:    46 Aborted                 (core dumped) ./bin/Runner.Listener configure "$@"
/home/github/entrypoint.sh: 38: /home/github/entrypoint.sh: ./runsvc.sh: Permission denied

Building Docker images

Hi! This looks cool. Can it build Docker images or do I need to change the dockerfile somehow? Thanks!

Unrecognized command-line input arguments: 'token, labels'.

When I use this Docker image, I'm getting an error during registration

Requesting token at 'https://api.github.com/repos/<myorg>/<myrepo>/actions/runners/registration-token'
Unrecognized command-line input arguments: 'token, labels'. For usage refer to: .\config.cmd --help or ./config.sh --help
--------------------------------------------------------------------------------
| ____ _ _ _ _ _ _ _ _ |
| / ___(_) |_| | | |_ _| |__ / \ ___| |_(_) ___ _ __ ___ |
| | | _| | __| |_| | | | | '_ \ / _ \ / __| __| |/ _ \| '_ \/ __| |
| | |_| | | |_| _ | |_| | |_) | / ___ \ (__| |_| | (_) | | | \__ \ |
| \____|_|\__|_| |_|\__,_|_.__/ /_/ \_\___|\__|_|\___/|_| |_|___/ |
| |
| Self-hosted runner registration |
| |
--------------------------------------------------------------------------------
# Authentication
Invalid configuration provided for token. Terminating unattended configuration.
An error occurred: Not configured

Mismatch env name

According to your blog post and docker, it should be GITHUB_PAT rather than RUNNER_TOKEN.

github-runner/deployment.yml

Line 25 in ebccbbe

- name: RUNNER_TOKEN # stored separately in a Kubernetes secret

github enterprise - "runner-registration" - give example ?

Hello.,

We are using licensed version of github enterprise and running in our data center, we want to enable github runner using this script, however, when we run the ./config using this below

./config.sh \
    --name "github-runner-768944b598-jbsxd" \
    --token "AAAAVL63KSSB6Q2BHVPLZ33APVKX2" \
    --url "https://github.example.com/dev" \
    --work "_work" \
    --labels "test" \
    --unattended \
    --replace

And i am getting this below error :


# Authentication

Http response code: NotFound from 'POST https://github.example.com/api/v3/actions/runner-registration'
{"message":"Not Found","documentation_url":"https://docs.github.com/enterprise/2.22/rest"}
Response status code does not indicate success: 404 (Not Found).

Can any one please confirm the example for passing "--url" ?

No API for creating a registration token for a repository?

Thanks for writing this article https://sanderknape.com/2020/03/self-hosted-github-actions-runner-kubernetes/

In that article, it creates the registration token for a repository using this API https://developer.github.com/v3/actions/self-hosted-runners/#create-a-registration-token-for-a-repository.

But this API is outdated and the new API documentation doesn't seem to have any API for creating the registration token for the repo anymore. It has one for the organization https://docs.github.com/en/free-pro-team@latest/rest/reference/actions#create-a-registration-token-for-an-organization.

I am getting this error when I run the docker with my personal token. Is it still possible to add the self-hosted runner to the repo? I also read somewhere that we can't use PAT for adding the self-hosted runner. So what do we need to pass?

{"message":"Not Found","documentation_url":"https://docs.github.com/rest"}
Response status code does not indicate success: 404 (Not Found).
An error occurred: Not configured

Thanks.

[SECURITY CONCERNS] Environment variables (including PAT) exposed to github actions

When running the runner with

$ docker run --rm \
                     --name github-runner \
                     -e GITHUB_OWNER=5nafu \
                     -e GITHUB_REPOSITORY=sanderKnape_github-runner_env_exposure 
                     -e GITHUB_PAT=<TOKEN> \
                     -e RUNNER_LABELS=comma,separated,labels \
                     -e ARBITRARY_ENV=value \
                    sanderknape/github-runner

all environment variables supplied to the runner are exposed to the github actions. This includes (but is not limited) to the personal access token used to register a runner:

An attacker could use a malicious action to leak the tokens and thus gain access to the code.

Action:

name: Go
on:
  - push
jobs:
  debug:
    name: Output Debug
    runs-on: self-hosted
    steps:
    - name: Output simple environment
      run: >
        echo GITHUB_PAT: $GITHUB_PAT

Logs:

2021-05-12T13:41:32.5870992Z ##[group]Run echo GITHUB_OWNER: $GITHUB_OWNER echo GITHUB_REPOSITORY: $GITHUB_REPOSITORY echo GITHUB_PAT: $GITHUB_PAT echo RUNNER_LABELS: $RUNNER_LABELS echo ARBITRARY_ENV: $ARBITRARY_ENV
2021-05-12T13:41:32.5872899Z �[36;1mecho GITHUB_OWNER: $GITHUB_OWNER echo GITHUB_REPOSITORY: $GITHUB_REPOSITORY echo GITHUB_PAT: $GITHUB_PAT echo RUNNER_LABELS: $RUNNER_LABELS echo ARBITRARY_ENV: $ARBITRARY_ENV�[0m
2021-05-12T13:41:32.5884176Z shell: /bin/bash -e {0}
2021-05-12T13:41:32.5884735Z ##[endgroup]
2021-05-12T13:41:32.5941776Z GITHUB_OWNER: 5nafu echo GITHUB_REPOSITORY: 5nafu/sanderKnape_github-runner_env_exposure echo GITHUB_PAT: *** echo RUNNER_LABELS: comma,separated,labels echo ARBITRARY_ENV: value

You can check the action in 5nafu/sanderKnape_github-runner_env_exposure:.github/workflows/debug.yml and the output in /5nafu/sanderKnape_github-runner_env_exposure/actions/runs/835647428

How to use the github app/oauth app to register the self-hosted runner at the organization?

I have made some changes to your Dockerfile and the bash file so I can use it to register the self-hosted docker runner at the organization level.

The problem is that I need the Personal Access Token of the Github organization admin. I am not sure if it's a good practice. I looked the Github app or Oauth app with device flow but it still needs some manual things like entering the code and etc..

What is the best way to authenticate for registering the runner?

No License

There is no license to use this code - I would love to use this in other projects, can one be defined?

Fails to remove "Does not exist"

I've been using this image in Kubernetes, not sure if relevant, but I noticed when I deleted the Pods, the runners were failing to cleanup.

I'm able to reproduce this manually

github@github-runner-6647c669fb-8ntbt:~$ registration_url="https://github.com/${GITHUB_OWNER}"
github@github-runner-6647c669fb-8ntbt:~$ token_url="https://api.github.com/orgs/${GITHUB_OWNER}/actions/runners/registration-token"
github@github-runner-6647c669fb-8ntbt:~$ payload=$(curl -sX POST -H "Authorization: token ${GITHUB_PAT}" "${token_url%/registration-token}/remove-token")
github@github-runner-6647c669fb-8ntbt:~$ REMOVE_TOKEN=$(echo "$payload" | jq .token --raw-output)
github@github-runner-6647c669fb-8ntbt:~$ ./config.sh remove --unattended --token "${REMOVE_TOKEN}"

# Runner removal

Does not exist. Skipping Removing runner from the server
√ Removed .credentials
√ Removed .runner

github@github-runner-6647c669fb-8ntbt:~$

I'm not sure why I'm getting the "Does not exist" error.
Otherwise the image is working well.

Allow usage of Repository token to bind the runner, preventing loss of functionality when a user leaves a repository

When using the repository-connected runner in a organization or team setup, using a PAT for getting the authorization token might result in the team/organization loosing access to the runner.

Unfortunately this might not happen immediately after the person loses access to the repository, but will happen when the runner pod is restarted.

To remediate it would be great if there would be a possibility to set the RUNNER_TOKEN via environment (See line entrypoint.sh#L13 ) and skip lines 2-12 in the same file

This would make the runner independent from the user setting it up.

I would be very happy to supply a pull request for this issue.

github-runner starts up with CrashLoopBackoff and Error

I have followed the instructions at: https://vitobotta.com/2020/09/29/self-hosted-github-actions-runners-in-kubernetes/ and the pod starts up with CrashLoopBackoff. That is typically an error with the entry point. I was able to get a log (see below):

I am using vitobotta/github-actions-runner:0.0.5

From the error below it looks like the config.sh argument labels is incorrect??

k logs github-runner-6b8db49996-mrtfb -n github-actions
Requesting token at 'https://api.github.com/repos/darnone/Foobar/k8s_helm_charts_lamp_feature_DEVOP-667-ansible/actions/runners/registration-token'
Unrecognized command-line input arguments: 'labels'. For usage refer to: .\config.cmd --help or ./config.sh --help

--------------------------------------------------------------------------------
|        ____ _ _   _   _       _          _        _   _                      |
|       / ___(_) |_| | | |_   _| |__      / \   ___| |_(_) ___  _ __  ___      |
|      | |  _| | __| |_| | | | | '_ \    / _ \ / __| __| |/ _ \| '_ \/ __|     |
|      | |_| | | |_|  _  | |_| | |_) |  / ___ \ (__| |_| | (_) | | | \__ \     |
|       \____|_|\__|_| |_|\__,_|_.__/  /_/   \_\___|\__|_|\___/|_| |_|___/     |
|                                                                              |
|                       Self-hosted runner registration                        |
|                                                                              |
--------------------------------------------------------------------------------

# Authentication

Http response code: NotFound from 'POST https://api.github.com/actions/runner-registration'
{"message":"Not Found","documentation_url":"https://docs.github.com/rest"}
Response status code does not indicate success: 404 (Not Found).
An error occurred: Not configured