Restart the listener if pod is evicted (#4332 )

Typo in test name caused test to not execute (#4330 )
Bump the actions group with 3 updates (#4328 )
2025-12-10 19:50:30 +00:00 · 2025-12-09 17:55:09 +01:00 · 2025-11-27 15:31:57 +01:00 · 2025-11-25 12:00:40 +01:00 · 2025-11-25 00:37:32 +01:00 · 2025-11-21 19:23:19 +01:00
377 changed files with 132313 additions and 22830 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1 @@
 *.png filter=lfs diff=lfs merge=lfs -text
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,5 +1,8 @@
 blank_issues_enabled: false
 contact_links:
 - name: Feature requests for the gha-runner-scale-set (actions.github.com API group)
  about: Feature requests associated with the actions.github.com group should be posted on the GitHub Community Support Forum
  url: https://github.com/orgs/community/discussions/categories/actions
 - name: Sponsor ARC Maintainers
  about: If your business relies on the continued maintainance of actions-runner-controller, please consider sponsoring the project and the maintainers.
  url: https://github.com/actions/actions-runner-controller/tree/master/CODEOWNERS
--- a/.github/ISSUE_TEMPLATE/github_bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/github_bug_report.yaml
@@ -0,0 +1,113 @@
 name: Bug Report (actions.github.com API group)
 description: File a bug report for actions.github.com API group
 title: "<Please write what didn't work for you here>"
 labels: ["bug", "needs triage", "gha-runner-scale-set"]
 body:
 - type: checkboxes
  id: read-troubleshooting-guide
  attributes:
    label: Checks
    description: Please check all the boxes below before submitting
    options:
    - label: I've already read https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors and I'm sure my issue is not covered in the troubleshooting guide.
      required: true
    - label: I am using charts that are officially provided
 - type: input
  id: controller-version
  attributes:
    label: Controller Version
    description: Refers to semver-like release tags for controller versions. Any release tags prefixed with `gha-runner-scale-set-` are releases associated with this API group
    placeholder: ex. 0.6.1
  validations:
    required: true
 - type: dropdown
  id: deployment-method
  attributes:
    label: Deployment Method
    description: Which deployment method did you use to install ARC?
    options:
      - Helm
      - Kustomize
      - ArgoCD
      - Other
  validations:
    required: true
 - type: checkboxes
  id: checks
  attributes:
    label: Checks
    description: Please check all the boxes below before submitting
    options:
    - label: This isn't a question or user support case (For Q&A and community support, go to [Discussions](https://github.com/actions/actions-runner-controller/discussions)).
      required: true
    - label: I've read the [Changelog](https://github.com/actions/actions-runner-controller/blob/master/docs/gha-runner-scale-set-controller/README.md#changelog) before submitting this issue and I'm sure it's not due to any recently-introduced backward-incompatible changes
      required: true
 - type: textarea
  id: reproduction-steps
  attributes:
    label: To Reproduce
    description: "Steps to reproduce the behavior"
    render: markdown
    placeholder: |
      1. Go to '...'
      2. Click on '....'
      3. Scroll down to '....'
      4. See error
  validations:
    required: true
 - type: textarea
  id: actual-behavior
  attributes:
    label: Describe the bug
    description: Also tell us, what did happen?
    placeholder: A clear and concise description of what happened.
  validations:
    required: true
 - type: textarea
  id: expected-behavior
  attributes:
    label: Describe the expected behavior
    description: Also tell us, what did you expect to happen?
    placeholder: A clear and concise description of what the expected behavior is.
  validations:
    required: true
 - type: textarea
  id: additional-context
  attributes:
    label: Additional Context
    render: yaml
    description: |
      Provide `values.yaml` files that are relevant for this issue. PLEASE REDACT ANY INFORMATION THAT SHOULD NOT BE PUBLICALY AVAILABLE, LIKE GITHUB TOKEN FOR EXAMPLE.
    placeholder: |
      PLEASE REDACT ANY INFORMATION THAT SHOULD NOT BE PUBLICALY AVAILABLE, LIKE GITHUB TOKEN FOR EXAMPLE.
  validations:
    required: true
 - type: textarea
  id: controller-logs
  attributes:
    label: Controller Logs
    description: "NEVER EVER OMIT THIS! Include complete logs from `actions-runner-controller`'s controller-manager pod."
    render: shell
    placeholder: |
      PROVIDE THE LOGS VIA A GIST LINK (https://gist.github.com/), NOT DIRECTLY IN THIS TEXT AREA
      To grab controller logs:
      kubectl logs -n $NAMESPACE deployments/$CONTROLLER_DEPLOYMENT
  validations:
    required: true
 - type: textarea
  id: runner-pod-logs
  attributes:
    label: Runner Pod Logs
    description: "Include logs and kubectl describe output from runner pod(s)."
    render: shell
    placeholder: |
      PROVIDE THE WHOLE LOGS VIA A GIST LINK (https://gist.github.com/), NOT DIRECTLY IN THIS TEXT AREA
  validations:
    required: true
--- a/.github/ISSUE_TEMPLATE/summerwind_bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/summerwind_bug_report.yaml
@@ -1,7 +1,7 @@
-name: Bug Report
+name: Bug Report (actions.summerwind.net API group)
-description: File a bug report
+description: File a bug report for actions.summerwind.net API group
 title: "<Please write what didn't work for you here>"
-labels: ["bug", "needs triage"]
+labels: ["bug", "needs triage", "community"]
 body:
 - type: checkboxes
  id: read-troubleshooting-guide
@@ -146,7 +146,7 @@ body:
    render: shell
    placeholder: |
      PROVIDE THE LOGS VIA A GIST LINK (https://gist.github.com/), NOT DIRECTLY IN THIS TEXT AREA
-      
+
      To grab controller logs:
      # Set NS according to your setup
@@ -166,7 +166,7 @@ body:
    render: shell
    placeholder: |
      PROVIDE THE WHOLE LOGS VIA A GIST LINK (https://gist.github.com/), NOT DIRECTLY IN THIS TEXT AREA
-      
+
      To grab the runner pod logs:
      # Set NS according to your setup. It should match your RunnerDeployment's metadata.namespace.
@@ -177,7 +177,7 @@ body:
      kubectl -n $NS logs $POD_NAME -c runner > runnerpod_runner.log
      kubectl -n $NS logs $POD_NAME -c docker > runnerpod_docker.log
-      
+
      If any of the containers are getting terminated immediately, try adding `--previous` to the kubectl-logs command to obtain logs emitted before the termination.
  validations:
    required: true
--- a/.github/ISSUE_TEMPLATE/summerwind_feature_request.md
+++ b/.github/ISSUE_TEMPLATE/summerwind_feature_request.md
@@ -1,7 +1,7 @@
 ---
-name: Feature request
+name: Feature request (actions.summerwind.net API group)
 about: Suggest an idea for this project
-labels: ["enhancement", "needs triage"]
+labels: ["enhancement", "needs triage", "community"]
 title: ''
 assignees: ''
 ---
--- a/.github/actions/e2e-arc-test/action.yaml
+++ b/.github/actions/e2e-arc-test/action.yaml
@@ -1,45 +0,0 @@
 name: 'E2E ARC Test Action'
 description: 'Includes common arc installation, setup and test file run'
 inputs:
  github-token:
    description: 'JWT generated with Github App inputs'
    required: true
  config-url:
    description: "URL of the repo, org or enterprise where the runner scale sets will be registered"
    required: true
  docker-image-repo:
    description: "Local docker image repo for testing"
    required: true
  docker-image-tag:
    description: "Tag of ARC Docker image for testing"
    required: true
 runs:
  using: "composite"
  steps:
    - name: Install ARC
      run: helm install arc --namespace "arc-systems" --create-namespace --set image.tag=${{ inputs.docker-image-tag }}  --set image.repository=${{ inputs.docker-image-repo }} ./charts/gha-runner-scale-set-controller
      shell: bash
    - name: Get datetime
      # We are using this value further in the runner installation to avoid runner name collision that are a risk with hard coded values.
      # A datetime including the 3 nanoseconds are a good option for this and also adds to readability and runner sorting if needed.
      run: echo "DATE_TIME=$(date +'%Y-%m-%d-%H-%M-%S-%3N')" >> $GITHUB_ENV
      shell: bash
    - name: Install runners
      run: |
          helm install "arc-runner-${{ env.DATE_TIME }}" \
          --namespace "arc-runners" \
          --create-namespace \
          --set githubConfigUrl="${{ inputs.config-url }}" \
          --set githubConfigSecret.github_token="${{ inputs.github-token }}" \
          ./charts/gha-runner-scale-set \
          --debug
          kubectl get pods -A
      shell: bash
    - name: Test ARC scales pods up and down
      run: |
          export GITHUB_TOKEN="${{ inputs.github-token }}"
          export DATE_TIME="${{ env.DATE_TIME }}"
          go test ./test_e2e_arc -v
      shell: bash
--- a/.github/actions/setup-docker-environment/action.yaml
+++ b/.github/actions/setup-docker-environment/action.yaml
@@ -1,47 +0,0 @@
 name: "Setup Docker"
 inputs:
  username:
    description: "Username"
    required: true
  password:
    description: "Password"
    required: true
  ghcr_username:
    description: "GHCR username. Usually set from the github.actor variable"
    required: true
  ghcr_password:
    description: "GHCR password. Usually set from the secrets.GITHUB_TOKEN variable"
    required: true
 runs:
  using: "composite"
  steps:
    - name: Get Short SHA
      id: vars
      run: |
        echo "sha_short=${GITHUB_SHA::7}" >> $GITHUB_ENV
      shell: bash
    - name: Set up QEMU
      uses: docker/setup-qemu-action@v2
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v2
      with:
        version: latest
    - name: Login to DockerHub
      if: ${{ github.event_name == 'release' || github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.password != ''  }}
      uses: docker/login-action@v2
      with:
        username: ${{ inputs.username }}
        password: ${{ inputs.password }}
    - name: Login to GitHub Container Registry
      if: ${{ github.event_name == 'release' || github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.ghcr_password != ''  }}
      uses: docker/login-action@v2
      with:
        registry: ghcr.io
        username: ${{ inputs.ghcr_username }}
        password: ${{ inputs.ghcr_password }}
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,15 @@ updates:
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"
    groups:
      gomod:
        patterns:
          - "*"
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions:
        patterns:
          - "*"
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -1,43 +0,0 @@
 {
  "extends": ["config:base"],
  "labels": ["dependencies"],
  "packageRules": [
    {
      // automatically merge an update of runner
      "matchPackageNames": ["actions/runner"],
      "extractVersion": "^v(?<version>.*)$",
      "automerge": true
    }
  ],
  "regexManagers": [
    {
      // use https://github.com/actions/runner/releases
      "fileMatch": [
        ".github/workflows/runners.yaml"
      ],
      "matchStrings": ["RUNNER_VERSION: +(?<currentValue>.*?)\\n"],
      "depNameTemplate": "actions/runner",
      "datasourceTemplate": "github-releases"
    },
    {
      "fileMatch": [
        "runner/Makefile",
        "Makefile"
      ],
      "matchStrings": ["RUNNER_VERSION \\?= +(?<currentValue>.*?)\\n"],
      "depNameTemplate": "actions/runner",
      "datasourceTemplate": "github-releases"
    },
    {
      "fileMatch": [
        "runner/actions-runner.ubuntu-20.04.dockerfile",
        "runner/actions-runner.ubuntu-22.04.dockerfile",
        "runner/actions-runner-dind.ubuntu-20.04.dockerfile",
        "runner/actions-runner-dind-rootless.ubuntu-20.04.dockerfile"
      ],
      "matchStrings": ["RUNNER_VERSION=+(?<currentValue>.*?)\\n"],
      "depNameTemplate": "actions/runner",
      "datasourceTemplate": "github-releases"
    }
  ]
 }
--- a/.github/workflows/arc-publish-chart.yaml
+++ b/.github/workflows/arc-publish-chart.yaml
@@ -1,4 +1,4 @@
-name: Publish Helm Chart
+name: Publish ARC Helm Charts
 # Revert to https://github.com/actions-runner-controller/releases#releases
 # for details on why we use this approach
@@ -7,20 +7,30 @@ on:
    branches:
      - master
    paths:
-      - 'charts/**'
+      - "charts/**"
-      - '.github/workflows/publish-chart.yaml'
+      - ".github/workflows/arc-publish-chart.yaml"
-      - '!charts/actions-runner-controller/docs/**'
+      - "!charts/actions-runner-controller/docs/**"
-      - '!charts/gha-runner-scale-set-controller/**'
+      - "!charts/gha-runner-scale-set-controller/**"
-      - '!charts/gha-runner-scale-set/**'
+      - "!charts/gha-runner-scale-set/**"
-      - '!**.md'
+      - "!**.md"
  workflow_dispatch:
    inputs:
      force:
        description: "Force publish even if the chart version is not bumped"
        type: boolean
        required: true
        default: false
 env:
  KUBE_SCORE_VERSION: 1.10.0
  HELM_VERSION: v3.8.0
 permissions:
-  contents: read
+  contents: write
 concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: true
 jobs:
  lint-chart:
@@ -30,12 +40,12 @@ jobs:
      publish-chart: ${{ steps.publish-chart-step.outputs.publish }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Set up Helm
-        uses: azure/setup-helm@v3.4
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
        with:
          version: ${{ env.HELM_VERSION }}
@@ -45,30 +55,22 @@ jobs:
          chmod 755 kube-score
      - name: Kube-score generated manifests
-        run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score -
+        run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score - --ignore-test pod-networkpolicy --ignore-test deployment-has-poddisruptionbudget --ignore-test deployment-has-host-podantiaffinity --ignore-test container-security-context --ignore-test pod-probes --ignore-test container-image-tag --enable-optional-test container-security-context-privileged --enable-optional-test container-security-context-readonlyrootfilesystem
              --ignore-test pod-networkpolicy
              --ignore-test deployment-has-poddisruptionbudget
              --ignore-test deployment-has-host-podantiaffinity
              --ignore-test container-security-context
              --ignore-test pod-probes
              --ignore-test container-image-tag
              --enable-optional-test container-security-context-privileged
              --enable-optional-test container-security-context-readonlyrootfilesystem
      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v6
        with:
-          python-version: '3.7'
+          python-version: "3.11"
      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.3.1
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f
      - name: Run chart-testing (list-changed)
        id: list-changed
        run: |
          changed=$(ct list-changed --config charts/.ci/ct-config.yaml)
          if [[ -n "$changed" ]]; then
-            echo "::set-output name=changed::true"
+            echo "changed=true" >> $GITHUB_OUTPUT
          fi
      - name: Run chart-testing (lint)
@@ -77,11 +79,11 @@ jobs:
      - name: Create kind cluster
        if: steps.list-changed.outputs.changed == 'true'
-        uses: helm/kind-action@v1.4.0
+        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab
      # We need cert-manager already installed in the cluster because we assume the CRDs exist
      - name: Install cert-manager
-        if: steps.list-changed.outputs.changed == 'true'      
+        if: steps.list-changed.outputs.changed == 'true'
        run: |
          helm repo add jetstack https://charts.jetstack.io --force-update
          helm install cert-manager jetstack/cert-manager --set installCRDs=true --wait
@@ -98,9 +100,12 @@ jobs:
          NEW_CHART_VERSION=$(echo "$CHART_TEXT" | grep version: | cut -d ' ' -f 2)
          RELEASE_LIST=$(curl -fs https://api.github.com/repos/${{ github.repository }}/releases  | jq .[].tag_name | grep actions-runner-controller | cut -d '"' -f 2 | cut -d '-' -f 4)
          LATEST_RELEASED_CHART_VERSION=$(echo $RELEASE_LIST | cut -d ' ' -f 1)
          echo "CHART_VERSION_IN_MASTER=$NEW_CHART_VERSION" >> $GITHUB_ENV
          echo "LATEST_CHART_VERSION=$LATEST_RELEASED_CHART_VERSION" >> $GITHUB_ENV
-          if [[ $NEW_CHART_VERSION != $LATEST_RELEASED_CHART_VERSION ]]; then
+
          # Always publish if force is true
          if [[ $NEW_CHART_VERSION != $LATEST_RELEASED_CHART_VERSION || "${{ inputs.force }}" == "true" ]]; then
            echo "publish=true" >> $GITHUB_OUTPUT
          else
            echo "publish=false" >> $GITHUB_OUTPUT
@@ -121,15 +126,15 @@ jobs:
    name: Publish Chart
    runs-on: ubuntu-latest
    permissions:
-      contents: write  # for helm/chart-releaser-action to push chart release and create a release
+      contents: write # for helm/chart-releaser-action to push chart release and create a release
    env:
      CHART_TARGET_ORG: actions-runner-controller
      CHART_TARGET_REPO: actions-runner-controller.github.io
      CHART_TARGET_BRANCH: master
-    
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
@@ -140,14 +145,14 @@ jobs:
      - name: Get Token
        id: get_workflow_token
-        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
+        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
          organization: ${{ env.CHART_TARGET_ORG }}
      - name: Install chart-releaser
-        uses: helm/chart-releaser-action@v1.4.1
+        uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f
        with:
          install_only: true
          install_dir: ${{ github.workspace }}/bin
@@ -170,14 +175,16 @@ jobs:
            --owner "$(echo ${{ github.repository }} | cut -d '/' -f 1)" \
            --git-repo "$(echo ${{ github.repository }} | cut -d '/' -f 2)" \
            --index-path ${{ github.workspace }}/index.yaml \
            --token ${{ secrets.GITHUB_TOKEN }} \
            --push \
            --pages-branch 'gh-pages' \
            --pages-index-path 'index.yaml'
      # Chart Release was never intended to publish to a different repo
      # this workaround is intended to move the index.yaml to the target repo
      # where the github pages are hosted
-      - name: Checkout pages repository
+      - name: Checkout target repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
        with:
          repository: ${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}
          path: ${{ env.CHART_TARGET_REPO }}
@@ -187,8 +194,8 @@ jobs:
      - name: Copy index.yaml
        run: |
          cp ${{ github.workspace }}/index.yaml ${{ env.CHART_TARGET_REPO }}/actions-runner-controller/index.yaml
-      
+
-      - name: Commit and push
+      - name: Commit and push to target repository
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
@@ -202,4 +209,4 @@ jobs:
          echo "New helm chart has been published" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Status:**" >> $GITHUB_STEP_SUMMARY
-          echo "- New [index.yaml](https://github.com/${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}/tree/main/actions-runner-controller) pushed" >> $GITHUB_STEP_SUMMARY
+          echo "- New [index.yaml](https://github.com/${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}/tree/master/actions-runner-controller) pushed" >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/arc-publish.yaml
+++ b/.github/workflows/arc-publish.yaml
@@ -1,4 +1,4 @@
-name: Publish ARC
+name: Publish ARC Image
 # Revert to https://github.com/actions-runner-controller/releases#releases
 # for details on why we use this approach
@@ -9,33 +9,41 @@ on:
  workflow_dispatch:
    inputs:
      release_tag_name:
-        description: 'Tag name of the release to publish'
+        description: "Tag name of the release to publish"
        required: true
      push_to_registries:
-        description: 'Push images to registries'
+        description: "Push images to registries"
        required: true
        type: boolean
        default: false
 permissions:
- contents: write 
+  contents: write
- packages: write
+  packages: write
 env:
  TARGET_ORG: actions-runner-controller
  TARGET_REPO: actions-runner-controller
 concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: true
 jobs:
  release-controller:
    name: Release
    runs-on: ubuntu-latest
    # gha-runner-scale-set has its own release workflow.
    # We don't want to publish a new actions-runner-controller image
    # we release gha-runner-scale-set.
    if: ${{ !startsWith(github.event.inputs.release_tag_name, 'gha-runner-scale-set-') }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v6
        with:
-          go-version: '1.18.2'
+          go-version-file: "go.mod"
      - name: Install tools
        run: |
@@ -65,7 +73,7 @@ jobs:
      - name: Get Token
        id: get_workflow_token
-        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
+        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
--- a/.github/workflows/arc-release-runners.yaml
+++ b/.github/workflows/arc-release-runners.yaml
@@ -1,4 +1,6 @@
-name: Runners
+name: Release ARC Runner Images
 permissions:
  contents: read
 # Revert to https://github.com/actions-runner-controller/releases#releases
 # for details on why we use this approach
@@ -7,34 +9,39 @@ on:
  # are available to the workflow run
  push:
    branches:
-      - 'master'
+      - "master"
    paths:
-      - 'runner/VERSION'
+      - "runner/VERSION"
-      - '.github/workflows/release-runners.yaml'
+      - ".github/workflows/arc-release-runners.yaml"
 env:
  # Safeguard to prevent pushing images to registeries after build
  PUSH_TO_REGISTRIES: true
  TARGET_ORG: actions-runner-controller
  TARGET_WORKFLOW: release-runners.yaml
-  DOCKER_VERSION: 20.10.21
+  DOCKER_VERSION: 28.0.4
-  RUNNER_CONTAINER_HOOKS_VERSION: 0.2.0
+
 concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: true
 jobs:
  build-runners:
    name: Trigger Build and Push of Runner Images
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
      - name: Get runner version
-        id: runner_version
+        id: versions
        run: |
-          version=$(echo -n $(cat runner/VERSION))
+          runner_current_version="$(echo -n $(cat runner/VERSION | grep 'RUNNER_VERSION=' | cut -d '=' -f2))"
-          echo runner_version=$version >> $GITHUB_OUTPUT
+          container_hooks_current_version="$(echo -n $(cat runner/VERSION | grep 'RUNNER_CONTAINER_HOOKS_VERSION=' | cut -d '=' -f2))"
          echo runner_version=$runner_current_version >> $GITHUB_OUTPUT
          echo container_hooks_version=$container_hooks_current_version >> $GITHUB_OUTPUT
      - name: Get Token
        id: get_workflow_token
-        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
+        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
@@ -42,7 +49,8 @@ jobs:
      - name: Trigger Build And Push Runner Images To Registries
        env:
-          RUNNER_VERSION: ${{ steps.runner_version.outputs.runner_version }}
+          RUNNER_VERSION: ${{ steps.versions.outputs.runner_version }}
          CONTAINER_HOOKS_VERSION: ${{ steps.versions.outputs.container_hooks_version }}
        run: |
          # Authenticate
          gh auth login --with-token <<< ${{ steps.get_workflow_token.outputs.token }}
@@ -51,20 +59,21 @@ jobs:
          gh workflow run ${{ env.TARGET_WORKFLOW }} -R ${{ env.TARGET_ORG }}/releases \
            -f runner_version=${{ env.RUNNER_VERSION }} \
            -f docker_version=${{ env.DOCKER_VERSION }} \
-            -f runner_container_hooks_version=${{ env.RUNNER_CONTAINER_HOOKS_VERSION }} \
+            -f runner_container_hooks_version=${{ env.CONTAINER_HOOKS_VERSION }} \
            -f sha='${{ github.sha }}' \
            -f push_to_registries=${{ env.PUSH_TO_REGISTRIES }}
      - name: Job summary
        env:
-          RUNNER_VERSION: ${{ steps.runner_version.outputs.runner_version }}
+          RUNNER_VERSION: ${{ steps.versions.outputs.runner_version }}
          CONTAINER_HOOKS_VERSION: ${{ steps.versions.outputs.container_hooks_version }}
        run: |
          echo "The [release-runners.yaml](https://github.com/actions-runner-controller/releases/blob/main/.github/workflows/release-runners.yaml) workflow has been triggered!" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Parameters:**" >> $GITHUB_STEP_SUMMARY
          echo "- runner_version: ${{ env.RUNNER_VERSION }}" >> $GITHUB_STEP_SUMMARY
          echo "- docker_version: ${{ env.DOCKER_VERSION }}" >> $GITHUB_STEP_SUMMARY
-          echo "- runner_container_hooks_version: ${{ env.RUNNER_CONTAINER_HOOKS_VERSION }}" >> $GITHUB_STEP_SUMMARY
+          echo "- runner_container_hooks_version: ${{ env.CONTAINER_HOOKS_VERSION }}" >> $GITHUB_STEP_SUMMARY
          echo "- sha: ${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
          echo "- push_to_registries: ${{ env.PUSH_TO_REGISTRIES }}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/arc-update-runners-scheduled.yaml
+++ b/.github/workflows/arc-update-runners-scheduled.yaml
@@ -0,0 +1,158 @@
 # This workflows polls releases from actions/runner and in case of a new one it
 # updates files containing runner version and opens a pull request.
 name: Runner Updates Check (Scheduled Job)
 permissions:
  pull-requests: write
  contents: write
 on:
  schedule:
    # run daily
    - cron: "0 9 * * *"
  workflow_dispatch:
 jobs:
  # check_versions compares our current version and the latest available runner
  # version and sets them as outputs.
  check_versions:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ github.token }}
    outputs:
      runner_current_version: ${{ steps.runner_versions.outputs.runner_current_version }}
      runner_latest_version: ${{ steps.runner_versions.outputs.runner_latest_version }}
      container_hooks_current_version: ${{ steps.container_hooks_versions.outputs.container_hooks_current_version }}
      container_hooks_latest_version: ${{ steps.container_hooks_versions.outputs.container_hooks_latest_version }}
    steps:
      - uses: actions/checkout@v6
      - name: Get runner current and latest versions
        id: runner_versions
        run: |
          CURRENT_VERSION="$(echo -n $(cat runner/VERSION | grep 'RUNNER_VERSION=' | cut -d '=' -f2))"
          echo "Current version: $CURRENT_VERSION"
          echo runner_current_version=$CURRENT_VERSION >> $GITHUB_OUTPUT
          LATEST_VERSION=$(gh release list --exclude-drafts --exclude-pre-releases --limit 1 -R actions/runner | grep -oP '(?<=v)[0-9.]+' | head -1)
          echo "Latest version: $LATEST_VERSION"
          echo runner_latest_version=$LATEST_VERSION >> $GITHUB_OUTPUT
      - name: Get container-hooks current and latest versions
        id: container_hooks_versions
        run: |
          CURRENT_VERSION="$(echo -n $(cat runner/VERSION | grep 'RUNNER_CONTAINER_HOOKS_VERSION=' | cut -d '=' -f2))"
          echo "Current version: $CURRENT_VERSION"
          echo container_hooks_current_version=$CURRENT_VERSION >> $GITHUB_OUTPUT
          LATEST_VERSION=$(gh release list --exclude-drafts --exclude-pre-releases --limit 1 -R actions/runner-container-hooks | grep -oP '(?<=v)[0-9.]+' | head -1)
          echo "Latest version: $LATEST_VERSION"
          echo container_hooks_latest_version=$LATEST_VERSION >> $GITHUB_OUTPUT
  # check_pr checks if a PR for the same update already exists. It only runs if
  # runner latest version != our current version. If no existing PR is found,
  # it sets a PR name as output.
  check_pr:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    needs: check_versions
    if: needs.check_versions.outputs.runner_current_version != needs.check_versions.outputs.runner_latest_version || needs.check_versions.outputs.container_hooks_current_version != needs.check_versions.outputs.container_hooks_latest_version
    outputs:
      pr_name: ${{ steps.pr_name.outputs.pr_name }}
    env:
      GH_TOKEN: ${{ github.token }}
    steps:
      - name: debug
        run:
          echo "RUNNER_CURRENT_VERSION=${{ needs.check_versions.outputs.runner_current_version }}"
          echo "RUNNER_LATEST_VERSION=${{ needs.check_versions.outputs.runner_latest_version }}"
          echo "CONTAINER_HOOKS_CURRENT_VERSION=${{ needs.check_versions.outputs.container_hooks_current_version }}"
          echo "CONTAINER_HOOKS_LATEST_VERSION=${{ needs.check_versions.outputs.container_hooks_latest_version }}"
      - uses: actions/checkout@v6
      - name: PR Name
        id: pr_name
        env:
          RUNNER_CURRENT_VERSION: ${{ needs.check_versions.outputs.runner_current_version }}
          RUNNER_LATEST_VERSION: ${{ needs.check_versions.outputs.runner_latest_version }}
          CONTAINER_HOOKS_CURRENT_VERSION: ${{ needs.check_versions.outputs.container_hooks_current_version }}
          CONTAINER_HOOKS_LATEST_VERSION: ${{ needs.check_versions.outputs.container_hooks_latest_version }}
        # Generate a PR name with the following title:
        # Updates: runner to v2.304.0 and container-hooks to v0.3.1
        run: |
          RUNNER_MESSAGE="runner to v${RUNNER_LATEST_VERSION}"
          CONTAINER_HOOKS_MESSAGE="container-hooks to v${CONTAINER_HOOKS_LATEST_VERSION}"
          PR_NAME="Updates:"
          if [ "$RUNNER_CURRENT_VERSION" != "$RUNNER_LATEST_VERSION" ]
          then
            PR_NAME="$PR_NAME $RUNNER_MESSAGE"
          fi
          if [ "$CONTAINER_HOOKS_CURRENT_VERSION" != "$CONTAINER_HOOKS_LATEST_VERSION" ]
          then
            PR_NAME="$PR_NAME $CONTAINER_HOOKS_MESSAGE"
          fi
          result=$(gh pr list --search "$PR_NAME" --json number --jq ".[].number" --limit 1)
          if [ -z "$result" ]
          then
            echo "No existing PRs found, setting output with pr_name=$PR_NAME"
            echo pr_name=$PR_NAME >> $GITHUB_OUTPUT
          else
            echo "Found a PR with title '$PR_NAME' already existing: ${{ github.server_url }}/${{ github.repository }}/pull/$result"
          fi
  # update_version updates runner version in the files listed below, commits
  # the changes and opens a pull request as `github-actions` bot.
  update_version:
    runs-on: ubuntu-latest
    needs:
      - check_versions
      - check_pr
    if: needs.check_pr.outputs.pr_name
    permissions:
      pull-requests: write
      contents: write
      actions: write
    env:
      GH_TOKEN: ${{ github.token }}
      RUNNER_CURRENT_VERSION: ${{ needs.check_versions.outputs.runner_current_version }}
      RUNNER_LATEST_VERSION: ${{ needs.check_versions.outputs.runner_latest_version }}
      CONTAINER_HOOKS_CURRENT_VERSION: ${{ needs.check_versions.outputs.container_hooks_current_version }}
      CONTAINER_HOOKS_LATEST_VERSION: ${{ needs.check_versions.outputs.container_hooks_latest_version }}
      PR_NAME: ${{ needs.check_pr.outputs.pr_name }}
    steps:
      - uses: actions/checkout@v6
      - name: New branch
        run: git checkout -b update-runner-"$(date +%Y-%m-%d)"
      - name: Update files
        run: |
          CURRENT_VERSION="${RUNNER_CURRENT_VERSION//./\\.}"
          LATEST_VERSION="${RUNNER_LATEST_VERSION//./\\.}"
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" runner/VERSION
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" runner/Makefile
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" Makefile
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" test/e2e/e2e_test.go
          CURRENT_VERSION="${CONTAINER_HOOKS_CURRENT_VERSION//./\\.}"
          LATEST_VERSION="${CONTAINER_HOOKS_LATEST_VERSION//./\\.}"
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" runner/VERSION
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" runner/Makefile
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" Makefile
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" test/e2e/e2e_test.go
      - name: Commit changes
        run: |
          # from https://github.com/orgs/community/discussions/26560
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config user.name "github-actions[bot]"
          git add .
          git commit -m "$PR_NAME"
          git push -u origin HEAD
      - name: Create pull request
        run: gh pr create -f -l "runners update"
--- a/.github/workflows/arc-validate-chart.yaml
+++ b/.github/workflows/arc-validate-chart.yaml
@@ -5,16 +5,20 @@ on:
    branches:
      - master
    paths:
-      - 'charts/**'
+      - "charts/**"
-      - '.github/workflows/validate-chart.yaml'
+      - ".github/workflows/arc-validate-chart.yaml"
-      - '!charts/actions-runner-controller/docs/**'
+      - "!charts/actions-runner-controller/docs/**"
-      - '!**.md'
+      - "!**.md"
      - "!charts/gha-runner-scale-set-controller/**"
      - "!charts/gha-runner-scale-set/**"
  push:
    paths:
-      - 'charts/**'
+      - "charts/**"
-      - '.github/workflows/validate-chart.yaml'
+      - ".github/workflows/arc-validate-chart.yaml"
-      - '!charts/actions-runner-controller/docs/**'
+      - "!charts/actions-runner-controller/docs/**"
-      - '!**.md'
+      - "!**.md"
      - "!charts/gha-runner-scale-set-controller/**"
      - "!charts/gha-runner-scale-set/**"
  workflow_dispatch:
 env:
  KUBE_SCORE_VERSION: 1.10.0
@@ -23,52 +27,42 @@ env:
 permissions:
  contents: read
 concurrency:
  # This will make sure we only apply the concurrency limits on pull requests
  # but not pushes to master branch by making the concurrency group name unique
  # for pushes
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  validate-chart:
    name: Lint Chart
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v3.5
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
        with:
          version: ${{ env.HELM_VERSION }}
      - name: Set up kube-score
        run: |
          wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
          chmod 755 kube-score
      - name: Kube-score generated manifests
        run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score -
              --ignore-test pod-networkpolicy
              --ignore-test deployment-has-poddisruptionbudget
              --ignore-test deployment-has-host-podantiaffinity
              --ignore-test container-security-context
              --ignore-test pod-probes
              --ignore-test container-image-tag
              --enable-optional-test container-security-context-privileged
              --enable-optional-test container-security-context-readonlyrootfilesystem
      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v6
        with:
-          python-version: '3.7'
+          python-version: "3.11"
      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.3.1
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f
      - name: Run chart-testing (list-changed)
        id: list-changed
        run: |
          changed=$(ct list-changed --config charts/.ci/ct-config.yaml)
          if [[ -n "$changed" ]]; then
-            echo "::set-output name=changed::true"
+            echo "changed=true" >> $GITHUB_OUTPUT
          fi
      - name: Run chart-testing (lint)
@@ -76,7 +70,7 @@ jobs:
          ct lint --config charts/.ci/ct-config.yaml
      - name: Create kind cluster
-        uses: helm/kind-action@v1.4.0
+        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab
        if: steps.list-changed.outputs.changed == 'true'
      # We need cert-manager already installed in the cluster because we assume the CRDs exist
--- a/.github/workflows/arc-validate-runners.yaml
+++ b/.github/workflows/arc-validate-runners.yaml
@@ -0,0 +1,40 @@
 name: Validate ARC Runners
 on:
  pull_request:
    branches:
      - "**"
    paths:
      - "runner/**"
      - "test/startup/**"
      - "!**.md"
 permissions:
  contents: read
 concurrency:
  # This will make sure we only apply the concurrency limits on pull requests
  # but not pushes to master branch by making the concurrency group name unique
  # for pushes
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  shellcheck:
    name: runner / shellcheck
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: "Run shellcheck"
        run: make shellcheck
  test-runner-entrypoint:
    name: Test entrypoint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Run tests
        run: |
          make acceptance/runner/startup
--- a/.github/workflows/e2e-test-dispatch-workflow.yaml
+++ b/.github/workflows/e2e-test-dispatch-workflow.yaml
@@ -1,16 +0,0 @@
 name: ARC Reusable Workflow
 on:
  workflow_dispatch:
    inputs:
      date_time:
        description: 'Datetime for runner name uniqueness, format: %Y-%m-%d-%H-%M-%S-%3N, example: 2023-02-14-13-00-16-791'
        required: true
 jobs:
  arc-runner-job:
    strategy:
      fail-fast: false
      matrix:
        job: [1, 2, 3]
    runs-on: arc-runner-${{ inputs.date_time }}
    steps:
      - run: echo "Hello World!" >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/e2e-test-linux-vm.yaml
+++ b/.github/workflows/e2e-test-linux-vm.yaml
@@ -1,51 +0,0 @@
 name: CI ARC E2E Linux VM Test
 on:
  push:
    branches:
      - master
  pull_request:
  workflow_dispatch:
 env:
  TARGET_ORG: actions-runner-controller
  CLUSTER_NAME: e2e-test
  RUNNER_VERSION: 2.302.1
  IMAGE_REPO: "test/test-image"
 jobs:
  setup-steps:
    runs-on: [ubuntu-latest]
    steps:
      - uses: actions/checkout@v3
      - name: Add env variables
        run: |
            TAG=$(echo "0.0.$GITHUB_SHA")
            echo "TAG=$TAG" >> $GITHUB_ENV
            echo "IMAGE=$IMAGE_REPO:$TAG" >> $GITHUB_ENV
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          version: latest
      - name: Docker Build Test Image
        run: |
            DOCKER_CLI_EXPERIMENTAL=enabled DOCKER_BUILDKIT=1 docker buildx build --build-arg RUNNER_VERSION=$RUNNER_VERSION --build-arg TAG=$TAG -t $IMAGE . --load
      - name: Create Kind cluster
        run: |
          PATH=$(go env GOPATH)/bin:$PATH
          kind create cluster --name $CLUSTER_NAME
      - name: Load Image to Kind Cluster
        run: kind load docker-image $IMAGE --name $CLUSTER_NAME
      - name: Get Token
        id: get_workflow_token
        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
        with:
          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
          organization: ${{ env.TARGET_ORG }}
      - uses: ./.github/actions/e2e-arc-test
        with:
          github-token: ${{ steps.get_workflow_token.outputs.token }}
          config-url: "https://github.com/actions-runner-controller/arc_e2e_test_dummy"
          docker-image-repo: $IMAGE_REPO
          docker-image-tag: $TAG
--- a/.github/workflows/gha-e2e-tests.yaml
+++ b/.github/workflows/gha-e2e-tests.yaml
@@ -0,0 +1,234 @@
 name: (gha) E2E Tests
 on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
  workflow_dispatch:
 permissions:
  contents: read
 env:
  TARGET_ORG: actions-runner-controller
  TARGET_REPO: arc_e2e_test_dummy
  IMAGE_NAME: "arc-test-image"
  IMAGE_VERSION: "0.13.0"
 concurrency:
  # This will make sure we only apply the concurrency limits on pull requests
  # but not pushes to master branch by making the concurrency group name unique
  # for pushes
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  default-setup:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{github.head_ref}}
      - name: Get configure token
        id: config-token
        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.E2E_TESTS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.E2E_TESTS_ACCESS_PK }}
          organization: ${{ env.TARGET_ORG }}
      - name: Run default setup test
        run: hack/e2e-test.sh default-setup
        env:
          GITHUB_TOKEN: "${{steps.config-token.outputs.token}}"
        shell: bash
  single-namespace-setup:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{github.head_ref}}
      - name: Get configure token
        id: config-token
        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.E2E_TESTS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.E2E_TESTS_ACCESS_PK }}
          organization: ${{ env.TARGET_ORG }}
      - name: Run single namespace setup test
        run: hack/e2e-test.sh single-namespace-setup
        env:
          GITHUB_TOKEN: "${{steps.config-token.outputs.token}}"
        shell: bash
  dind-mode-setup:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{github.head_ref}}
      - name: Get configure token
        id: config-token
        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.E2E_TESTS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.E2E_TESTS_ACCESS_PK }}
          organization: ${{ env.TARGET_ORG }}
      - name: Run dind mode setup test
        run: hack/e2e-test.sh dind-mode-setup
        env:
          GITHUB_TOKEN: "${{steps.config-token.outputs.token}}"
        shell: bash
  kubernetes-mode-setup:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{github.head_ref}}
      - name: Get configure token
        id: config-token
        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.E2E_TESTS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.E2E_TESTS_ACCESS_PK }}
          organization: ${{ env.TARGET_ORG }}
      - name: Run kubernetes mode setup test
        run: hack/e2e-test.sh kubernetes-mode-setup
        env:
          GITHUB_TOKEN: "${{steps.config-token.outputs.token}}"
        shell: bash
  auth-proxy-setup:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{github.head_ref}}
      - name: Get configure token
        id: config-token
        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.E2E_TESTS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.E2E_TESTS_ACCESS_PK }}
          organization: ${{ env.TARGET_ORG }}
      - name: Run single namespace setup test
        run: hack/e2e-test.sh single-namespace-setup
        env:
          GITHUB_TOKEN: "${{steps.config-token.outputs.token}}"
        shell: bash
  anonymous-proxy-setup:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{github.head_ref}}
      - name: Get configure token
        id: config-token
        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.E2E_TESTS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.E2E_TESTS_ACCESS_PK }}
          organization: ${{ env.TARGET_ORG }}
      - name: Run anonymous proxy setup test
        run: hack/e2e-test.sh anonymous-proxy-setup
        env:
          GITHUB_TOKEN: "${{steps.config-token.outputs.token}}"
        shell: bash
  self-signed-ca-setup:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{github.head_ref}}
      - name: Get configure token
        id: config-token
        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.E2E_TESTS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.E2E_TESTS_ACCESS_PK }}
          organization: ${{ env.TARGET_ORG }}
      - name: Run self signed CA setup test
        run: hack/e2e-test.sh self-signed-ca-setup
        env:
          GITHUB_TOKEN: "${{steps.config-token.outputs.token}}"
        shell: bash
  update-strategy-tests:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{github.head_ref}}
      - name: Get configure token
        id: config-token
        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.E2E_TESTS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.E2E_TESTS_ACCESS_PK }}
          organization: ${{ env.TARGET_ORG }}
      - name: Run update strategy test
        run: hack/e2e-test.sh update-strategy
        env:
          GITHUB_TOKEN: "${{steps.config-token.outputs.token}}"
        shell: bash
  init-with-min-runners:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{github.head_ref}}
      - name: Get configure token
        id: config-token
        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.E2E_TESTS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.E2E_TESTS_ACCESS_PK }}
          organization: ${{ env.TARGET_ORG }}
      - name: Run init with min runners test
        run: hack/e2e-test.sh init-with-min-runners
        env:
          GITHUB_TOKEN: "${{steps.config-token.outputs.token}}"
        shell: bash
--- a/.github/workflows/publish-runner-scale-set.yaml
+++ b/.github/workflows/publish-runner-scale-set.yaml
@@ -1,30 +1,30 @@
-name: Publish Runner Scale Set Controller Charts
+name: (gha) Publish Helm Charts
 on:
  workflow_dispatch:
    inputs:
      ref:
-        description: 'The branch, tag or SHA to cut a release from'
+        description: "The branch, tag or SHA to cut a release from"
        required: false
        type: string
-        default: ''
+        default: ""
      release_tag_name:
-        description: 'The name to tag the controller image with'
+        description: "The name to tag the controller image with"
        required: true
        type: string
-        default: 'canary'
+        default: "canary"
      push_to_registries:
-        description: 'Push images to registries'
+        description: "Push images to registries"
        required: true
        type: boolean
        default: false
      publish_gha_runner_scale_set_controller_chart:
-        description: 'Publish new helm chart for gha-runner-scale-set-controller'
+        description: "Publish new helm chart for gha-runner-scale-set-controller"
        required: true
        type: boolean
        default: false
      publish_gha_runner_scale_set_chart:
-        description: 'Publish new helm chart for gha-runner-scale-set'
+        description: "Publish new helm chart for gha-runner-scale-set"
        required: true
        type: boolean
        default: false
@@ -33,20 +33,31 @@ env:
  HELM_VERSION: v3.8.0
 permissions:
- packages: write
+  packages: write
 concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: true
 jobs:
-  build-push-image: 
+  build-push-image:
    name: Build and push controller image
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
        with:
          # If inputs.ref is empty, it'll resolve to the default branch
          ref: ${{ inputs.ref }}
-      - name: Resolve parameters 
+      - name: Check chart versions
        # Binary version and chart versions need to match.
        # In case of an upgrade, the controller will try to clean up
        # resources with older versions that should have been cleaned up
        # during the upgrade process
        run: ./hack/check-gh-chart-versions.sh ${{ inputs.release_tag_name }}
      - name: Resolve parameters
        id: resolve_parameters
        run: |
          resolvedRef="${{ inputs.ref }}"
@@ -61,26 +72,26 @@ jobs:
          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
        with:
          # Pinning v0.9.1 for Buildx and BuildKit v0.10.6
-          # BuildKit v0.11 which has a bug causing intermittent 
+          # BuildKit v0.11 which has a bug causing intermittent
          # failures pushing images to GHCR
          version: v0.9.1
          driver-opts: image=moby/buildkit:v0.10.6
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build & push controller image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
        with:
          file: Dockerfile
          platforms: linux/amd64,linux/arm64
@@ -89,12 +100,10 @@ jobs:
          tags: |
            ghcr.io/${{ steps.resolve_parameters.outputs.repository_owner }}/gha-runner-scale-set-controller:${{ inputs.release_tag_name }}
            ghcr.io/${{ steps.resolve_parameters.outputs.repository_owner }}/gha-runner-scale-set-controller:${{ inputs.release_tag_name }}-${{ steps.resolve_parameters.outputs.short_sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Job summary
        run: |
-          echo "The [publish-runner-scale-set.yaml](https://github.com/actions/actions-runner-controller/blob/main/.github/workflows/publish-runner-scale-set.yaml) workflow run was completed successfully!" >> $GITHUB_STEP_SUMMARY
+          echo "The [gha-publish-chart.yaml](https://github.com/actions/actions-runner-controller/blob/main/.github/workflows/gha-publish-chart.yaml) workflow run was completed successfully!" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Parameters:**" >> $GITHUB_STEP_SUMMARY
          echo "- Ref: ${{ steps.resolve_parameters.outputs.resolvedRef }}" >> $GITHUB_STEP_SUMMARY
@@ -110,12 +119,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
        with:
          # If inputs.ref is empty, it'll resolve to the default branch
          ref: ${{ inputs.ref }}
-      - name: Resolve parameters 
+      - name: Resolve parameters
        id: resolve_parameters
        run: |
          resolvedRef="${{ inputs.ref }}"
@@ -126,11 +135,10 @@ jobs:
          echo "INFO: Resolving short SHA for $resolvedRef"
          echo "short_sha=$(git rev-parse --short $resolvedRef)" >> $GITHUB_OUTPUT
          echo "INFO: Normalizing repository name (lowercase)"
-          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT 
+          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v3.5
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
        with:
          version: ${{ env.HELM_VERSION }}
@@ -158,12 +166,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
        with:
          # If inputs.ref is empty, it'll resolve to the default branch
          ref: ${{ inputs.ref }}
-      - name: Resolve parameters 
+      - name: Resolve parameters
        id: resolve_parameters
        run: |
          resolvedRef="${{ inputs.ref }}"
@@ -174,11 +182,10 @@ jobs:
          echo "INFO: Resolving short SHA for $resolvedRef"
          echo "short_sha=$(git rev-parse --short $resolvedRef)" >> $GITHUB_OUTPUT
          echo "INFO: Normalizing repository name (lowercase)"
-          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT 
+          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v3.5
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
        with:
          version: ${{ env.HELM_VERSION }}
--- a/.github/workflows/gha-validate-chart.yaml
+++ b/.github/workflows/gha-validate-chart.yaml
@@ -0,0 +1,122 @@
 name: (gha) Validate Helm Charts
 on:
  pull_request:
    branches:
      - master
    paths:
      - "charts/**"
      - ".github/workflows/gha-validate-chart.yaml"
      - "!charts/actions-runner-controller/**"
      - "!**.md"
  push:
    paths:
      - "charts/**"
      - ".github/workflows/gha-validate-chart.yaml"
      - "!charts/actions-runner-controller/**"
      - "!**.md"
  workflow_dispatch:
 env:
  KUBE_SCORE_VERSION: 1.16.1
  HELM_VERSION: v3.17.0
 permissions:
  contents: read
 concurrency:
  # This will make sure we only apply the concurrency limits on pull requests
  # but not pushes to master branch by making the concurrency group name unique
  # for pushes
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  validate-chart:
    name: Lint Chart
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Set up Helm
        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
        with:
          version: ${{ env.HELM_VERSION }}
      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
      - uses: actions/setup-python@v6
        with:
          python-version: "3.11"
      - name: Set up chart-testing
        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f
      - name: Run chart-testing (list-changed)
        id: list-changed
        run: |
          ct version
          changed=$(ct list-changed --config charts/.ci/ct-config-gha.yaml)
          if [[ -n "$changed" ]]; then
            echo "changed=true" >> $GITHUB_OUTPUT
          fi
      - name: Run chart-testing (lint)
        run: |
          ct lint --config charts/.ci/ct-config-gha.yaml
      - name: Set up docker buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
        if: steps.list-changed.outputs.changed == 'true'
        with:
          version: latest
      - name: Build controller image
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
        if: steps.list-changed.outputs.changed == 'true'
        with:
          file: Dockerfile
          platforms: linux/amd64
          load: true
          build-args: |
            DOCKER_IMAGE_NAME=test-arc
            VERSION=dev
          tags: |
            test-arc:dev
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Create kind cluster
        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab
        if: steps.list-changed.outputs.changed == 'true'
        with:
          cluster_name: chart-testing
      - name: Load image into cluster
        if: steps.list-changed.outputs.changed == 'true'
        run: |
          export DOCKER_IMAGE_NAME=test-arc
          export VERSION=dev
          export IMG_RESULT=load
          make docker-buildx
          kind load docker-image test-arc:dev --name chart-testing
      - name: Run chart-testing (install)
        if: steps.list-changed.outputs.changed == 'true'
        run: |
          ct install --config charts/.ci/ct-config-gha.yaml
  test-chart:
    name: Test Chart
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - uses: actions/setup-go@v6
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Test gha-runner-scale-set
        run: go test ./charts/gha-runner-scale-set/...
      - name: Test gha-runner-scale-set-controller
        run: go test ./charts/gha-runner-scale-set-controller/...
--- a/.github/workflows/global-publish-canary.yaml
+++ b/.github/workflows/global-publish-canary.yaml
@@ -0,0 +1,133 @@
 name: Publish Canary Images
 # Revert to https://github.com/actions-runner-controller/releases#releases
 # for details on why we use this approach
 on:
  push:
    branches:
      - master
    paths-ignore:
      - "**.md"
      - ".github/actions/**"
      - ".github/ISSUE_TEMPLATE/**"
      - ".github/workflows/e2e-test-dispatch-workflow.yaml"
      - ".github/workflows/gha-e2e-tests.yaml"
      - ".github/workflows/arc-publish.yaml"
      - ".github/workflows/arc-publish-chart.yaml"
      - ".github/workflows/gha-publish-chart.yaml"
      - ".github/workflows/arc-release-runners.yaml"
      - ".github/workflows/global-run-codeql.yaml"
      - ".github/workflows/global-run-first-interaction.yaml"
      - ".github/workflows/global-run-stale.yaml"
      - ".github/workflows/arc-update-runners-scheduled.yaml"
      - ".github/workflows/validate-arc.yaml"
      - ".github/workflows/arc-validate-chart.yaml"
      - ".github/workflows/gha-validate-chart.yaml"
      - ".github/workflows/arc-validate-runners.yaml"
      - ".github/dependabot.yml"
      - ".github/RELEASE_NOTE_TEMPLATE.md"
      - "runner/**"
      - ".gitignore"
      - "PROJECT"
      - "LICENSE"
      - "Makefile"
 # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
 permissions:
  contents: read
  packages: write
 concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: true
 env:
  # Safeguard to prevent pushing images to registeries after build
  PUSH_TO_REGISTRIES: true
 jobs:
  legacy-canary-build:
    name: Build and Publish Legacy Canary Image
    runs-on: ubuntu-latest
    env:
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
      TARGET_ORG: actions-runner-controller
      TARGET_REPO: actions-runner-controller
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Get Token
        id: get_workflow_token
        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
          organization: ${{ env.TARGET_ORG }}
      - name: Trigger Build And Push Images To Registries
        run: |
          # Authenticate
          gh auth login --with-token <<< ${{ steps.get_workflow_token.outputs.token }}
          # Trigger the workflow run
          jq -n '{"event_type": "canary", "client_payload": {"sha": "${{ github.sha }}", "push_to_registries": ${{ env.PUSH_TO_REGISTRIES }}}}' \
            | gh api -X POST /repos/actions-runner-controller/releases/dispatches --input -
      - name: Job summary
        run: |
          echo "The [publish-canary](https://github.com/actions-runner-controller/releases/blob/main/.github/workflows/publish-canary.yaml) workflow has been triggered!" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Parameters:**" >> $GITHUB_STEP_SUMMARY
          echo "- sha: ${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
          echo "- Push to registries: ${{ env.PUSH_TO_REGISTRIES }}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Status:**" >> $GITHUB_STEP_SUMMARY
          echo "[https://github.com/actions-runner-controller/releases/actions/workflows/publish-canary.yaml](https://github.com/actions-runner-controller/releases/actions/workflows/publish-canary.yaml)" >> $GITHUB_STEP_SUMMARY
  canary-build:
    name: Build and Publish gha-runner-scale-set-controller Canary Image
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Login to GitHub Container Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Normalization is needed because upper case characters are not allowed in the repository name
      # and the short sha is needed for image tagging
      - name: Resolve parameters
        id: resolve_parameters
        run: |
          echo "INFO: Resolving short sha"
          echo "short_sha=$(git rev-parse --short ${{ github.ref }})" >> $GITHUB_OUTPUT
          echo "INFO: Normalizing repository name (lowercase)"
          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
        with:
          version: latest
      # Unstable builds - run at your own risk
      - name: Build and Push
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64
          build-args: VERSION=canary-${{ steps.resolve_parameters.outputs.short_sha }}
          push: ${{ env.PUSH_TO_REGISTRIES }}
          tags: |
            ghcr.io/${{ steps.resolve_parameters.outputs.repository_owner }}/gha-runner-scale-set-controller:canary
            ghcr.io/${{ steps.resolve_parameters.outputs.repository_owner }}/gha-runner-scale-set-controller:canary-${{ steps.resolve_parameters.outputs.short_sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
--- a/.github/workflows/global-run-codeql.yaml
+++ b/.github/workflows/global-run-codeql.yaml
@@ -0,0 +1,44 @@
 name: Run CodeQL
 on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
  schedule:
    - cron: '30 1 * * 0'
 concurrency:
  # This will make sure we only apply the concurrency limits on pull requests
  # but not pushes to master branch by making the concurrency group name unique
  # for pushes
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Install Go
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: go, actions
      - name: Autobuild
        uses: github/codeql-action/autobuild@v4
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
--- a/.github/workflows/global-run-first-interaction.yaml
+++ b/.github/workflows/global-run-first-interaction.yaml
@@ -1,4 +1,9 @@
-name: first-interaction
+name: First Interaction
 permissions:
  contents: read
  issues: write
  pull-requests: write
 on:
  issues:
@@ -11,19 +16,19 @@ jobs:
  check_for_first_interaction:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
-      - uses: actions/first-interaction@main
+      - uses: actions/first-interaction@v3
        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          issue-message: |
+          issue_message: |
            Hello! Thank you for filing an issue.
            The maintainers will triage your issue shortly.
            In the meantime, please take a look at the [troubleshooting guide](https://github.com/actions/actions-runner-controller/blob/master/TROUBLESHOOTING.md) for bug reports.
-            
+
            If this is a feature request, please review our [contribution guidelines](https://github.com/actions/actions-runner-controller/blob/master/CONTRIBUTING.md).
-          pr-message: |
+          pr_message: |
            Hello! Thank you for your contribution.
            Please review our [contribution guidelines](https://github.com/actions/actions-runner-controller/blob/master/CONTRIBUTING.md) to understand the project's testing and code conventions.
--- a/.github/workflows/global-run-stale.yaml
+++ b/.github/workflows/global-run-stale.yaml
@@ -14,7 +14,7 @@ jobs:
      issues: write         # for actions/stale to close stale issues
      pull-requests: write  # for actions/stale to close stale PRs
    steps:
-      - uses: actions/stale@v6
+      - uses: actions/stale@v10
        with:
          stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
          # turn off stale for both issues and PRs
--- a/.github/workflows/go.yaml
+++ b/.github/workflows/go.yaml
@@ -0,0 +1,88 @@
 name: Go
 on:
  push:
    branches:
      - master
    paths:
      - ".github/workflows/go.yaml"
      - "**.go"
      - "go.mod"
      - "go.sum"
  pull_request:
    paths:
      - ".github/workflows/go.yaml"
      - "**.go"
      - "go.mod"
      - "go.sum"
 permissions:
  contents: read
 concurrency:
  # This will make sure we only apply the concurrency limits on pull requests
  # but not pushes to master branch by making the concurrency group name unique
  # for pushes
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
        with:
          go-version-file: "go.mod"
          cache: false
      - name: fmt
        run: go fmt ./...
      - name: Check diff
        run: git diff --exit-code
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
        with:
          go-version-file: "go.mod"
          cache: false
      - name: golangci-lint
        uses: golangci/golangci-lint-action@e7fa5ac41e1cf5b7d48e45e42232ce7ada589601
        with:
          only-new-issues: true
          version: v2.5.0
  generate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Generate
        run: make generate
      - name: Check diff
        run: git diff --exit-code
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
        with:
          go-version-file: "go.mod"
      - run: make manifests
      - name: Check diff
        run: git diff --exit-code
      - name: Install kubebuilder
        run: |
          curl -D headers.txt -fsL "https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.30.0-linux-amd64.tar.gz" -o kubebuilder-tools
          echo "$(grep -i etag headers.txt -m 1 | cut -d'"' -f2) kubebuilder-tools" > sum
          md5sum -c sum
          tar -zvxf kubebuilder-tools
          sudo mv kubebuilder /usr/local/
      - name: Run go tests
        run: |
          go test -short `go list ./... | grep -v ./test_e2e_arc`
--- a/.github/workflows/golangci-lint.yaml
+++ b/.github/workflows/golangci-lint.yaml
@@ -1,23 +0,0 @@
 name: golangci-lint
 on:
  push:
    branches:
      - master
  pull_request:
 permissions:
  contents: read
  pull-requests: read
 jobs:
  golangci:
    name: lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-go@v3
        with:
          go-version: 1.19
      - uses: actions/checkout@v3
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
          only-new-issues: true
          version: v1.49.0
--- a/.github/workflows/publish-canary.yaml
+++ b/.github/workflows/publish-canary.yaml
@@ -1,70 +0,0 @@
 name: Publish Canary Image
 # Revert to https://github.com/actions-runner-controller/releases#releases
 # for details on why we use this approach
 on:
  push:
    branches:
      - master
    paths-ignore:
      - '**.md'
      - '.github/ISSUE_TEMPLATE/**'
      - '.github/workflows/validate-chart.yaml'
      - '.github/workflows/publish-chart.yaml'
      - '.github/workflows/publish-arc.yaml'
      - '.github/workflows/runners.yaml'
      - '.github/workflows/validate-entrypoint.yaml'
      - '.github/renovate.*'
      - 'runner/**'
      - '.gitignore'
      - 'PROJECT'
      - 'LICENSE'
      - 'Makefile'
 env:
  # Safeguard to prevent pushing images to registeries after build
  PUSH_TO_REGISTRIES: true
  TARGET_ORG: actions-runner-controller
  TARGET_REPO: actions-runner-controller
 # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
 permissions:
  contents: read
 jobs:
  canary-build:
    name: Build and Publish Canary Image
    runs-on: ubuntu-latest
    env:
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Get Token
        id: get_workflow_token
        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
        with:
          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
          organization: ${{ env.TARGET_ORG }}
      - name: Trigger Build And Push Images To Registries
        run: |
          # Authenticate
          gh auth login --with-token <<< ${{ steps.get_workflow_token.outputs.token }}
          # Trigger the workflow run
          jq -n '{"event_type": "canary", "client_payload": {"sha": "${{ github.sha }}", "push_to_registries": ${{ env.PUSH_TO_REGISTRIES }}}}' \
            | gh api -X POST /repos/actions-runner-controller/releases/dispatches --input -
      - name: Job summary
        run: |
          echo "The [publish-canary](https://github.com/actions-runner-controller/releases/blob/main/.github/workflows/publish-canary.yaml) workflow has been triggered!" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Parameters:**" >> $GITHUB_STEP_SUMMARY
          echo "- sha: ${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
          echo "- Push to registries: ${{ env.PUSH_TO_REGISTRIES }}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Status:**" >> $GITHUB_STEP_SUMMARY
          echo "[https://github.com/actions-runner-controller/releases/actions/workflows/publish-canary.yaml](https://github.com/actions-runner-controller/releases/actions/workflows/publish-canary.yaml)" >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/run-codeql.yaml
+++ b/.github/workflows/run-codeql.yaml
@@ -1,32 +0,0 @@
 name: Run CodeQL
 on:
  push:
    branches: 
      - master
  pull_request:
    branches:
      - master
  schedule:
    - cron: '30 1 * * 0'
 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: go
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
--- a/.github/workflows/update-runners.yaml
+++ b/.github/workflows/update-runners.yaml
@@ -1,108 +0,0 @@
 # This workflows polls releases from actions/runner and in case of a new one it
 # updates files containing runner version and opens a pull request.
 name: Update runners
 on:
  schedule:
    # run daily
    - cron: "0 9 * * *"
  workflow_dispatch:
 jobs:
  # check_versions compares our current version and the latest available runner
  # version and sets them as outputs.
  check_versions:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ github.token }}
    outputs:
      current_version: ${{ steps.versions.outputs.current_version }}
      latest_version: ${{ steps.versions.outputs.latest_version }}
    steps:
      - uses: actions/checkout@v3
      - name: Get current and latest versions
        id: versions
        run: |
          CURRENT_VERSION=$(echo -n $(cat runner/VERSION))
          echo "Current version: $CURRENT_VERSION"
          echo current_version=$CURRENT_VERSION >> $GITHUB_OUTPUT
          LATEST_VERSION=$(gh release list --exclude-drafts --exclude-pre-releases --limit 1 -R actions/runner | grep -oP '(?<=v)[0-9.]+' | head -1)
          echo "Latest version: $LATEST_VERSION"
          echo latest_version=$LATEST_VERSION >> $GITHUB_OUTPUT
  # check_pr checks if a PR for the same update already exists. It only runs if
  # runner latest version != our current version. If no existing PR is found,
  # it sets a PR name as output.
  check_pr:
    runs-on: ubuntu-latest
    needs: check_versions
    if: needs.check_versions.outputs.current_version != needs.check_versions.outputs.latest_version
    outputs:
      pr_name: ${{ steps.pr_name.outputs.pr_name }}
    env:
      GH_TOKEN: ${{ github.token }}
    steps:
      - name: debug
        run:
          echo ${{ needs.check_versions.outputs.current_version }}
          echo ${{ needs.check_versions.outputs.latest_version }}
      - uses: actions/checkout@v3
      - name: PR Name
        id: pr_name
        env:
          LATEST_VERSION: ${{ needs.check_versions.outputs.latest_version }}
        run: |
          PR_NAME="Update runner to version ${LATEST_VERSION}"
          result=$(gh pr list --search "$PR_NAME" --json number --jq ".[].number" --limit 1)
          if [ -z "$result" ]
          then
            echo "No existing PRs found, setting output with pr_name=$PR_NAME"
            echo pr_name=$PR_NAME >> $GITHUB_OUTPUT
          else
            echo "Found a PR with title '$PR_NAME' already existing: ${{ github.server_url }}/${{ github.repository }}/pull/$result"
          fi
  # update_version updates runner version in the files listed below, commits
  # the changes and opens a pull request as `github-actions` bot.
  update_version:
    runs-on: ubuntu-latest
    needs:
      - check_versions
      - check_pr
    if: needs.check_pr.outputs.pr_name
    permissions:
      pull-requests: write
      contents: write
    env:
      GH_TOKEN: ${{ github.token }}
      CURRENT_VERSION: ${{ needs.check_versions.outputs.current_version }}
      LATEST_VERSION: ${{ needs.check_versions.outputs.latest_version }}
      PR_NAME: ${{ needs.check_pr.outputs.pr_name }}
    steps:
      - uses: actions/checkout@v3
      - name: New branch
        run: git checkout -b update-runner-$LATEST_VERSION
      - name: Update files
        run: |
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" runner/VERSION
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" runner/Makefile
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" Makefile
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" test/e2e/e2e_test.go
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" .github/workflows/e2e_test_linux_vm.yaml
      - name: Commit changes
        run: |
          # from https://github.com/orgs/community/discussions/26560
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config user.name "github-actions[bot]"
          git add .
          git commit -m "$PR_NAME"
          git push -u origin HEAD
      - name: Create pull request
        run: gh pr create -f
--- a/.github/workflows/validate-arc.yaml
+++ b/.github/workflows/validate-arc.yaml
@@ -1,60 +0,0 @@
 name: Validate ARC
 on:
  pull_request:
    branches:
      - master
    paths-ignore:
      - '**.md'
      - '.github/ISSUE_TEMPLATE/**'
      - '.github/workflows/publish-canary.yaml'
      - '.github/workflows/validate-chart.yaml'
      - '.github/workflows/publish-chart.yaml'
      - '.github/workflows/runners.yaml'
      - '.github/workflows/publish-arc.yaml'
      - '.github/workflows/validate-entrypoint.yaml'
      - '.github/renovate.*'
      - 'runner/**'
      - '.gitignore'
      - 'PROJECT'
      - 'LICENSE'
      - 'Makefile'
 permissions:
  contents: read
 jobs:
  test-controller:
    name: Test ARC
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@v3
    - name: Set-up Go
      uses: actions/setup-go@v3
      with:
        go-version: '1.19'
        check-latest: false
    - uses: actions/cache@v3
      with:
        path: ~/go/pkg/mod
        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
        restore-keys: |
          ${{ runner.os }}-go-
    - name: Install kubebuilder
      run: |
        curl -L -O https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.2/kubebuilder_2.3.2_linux_amd64.tar.gz
        tar zxvf kubebuilder_2.3.2_linux_amd64.tar.gz
        sudo mv kubebuilder_2.3.2_linux_amd64 /usr/local/kubebuilder
    - name: Run tests
      run: |
        make test
    - name: Verify manifests are up-to-date
      run: |
        make manifests
        git diff --exit-code
--- a/.github/workflows/validate-runners.yaml
+++ b/.github/workflows/validate-runners.yaml
@@ -1,45 +0,0 @@
 name: Validate Runners
 on:
  pull_request:
    branches:
      - '**'
    paths:
      - 'runner/**'
      - 'test/startup/**'
      - '!**.md'
 permissions:
  contents: read
 jobs:
  shellcheck:
    name: runner / shellcheck
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: shellcheck
        uses: reviewdog/action-shellcheck@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          path: "./runner"
          pattern: |
            *.sh
            *.bash
            update-status
          # Make this consistent with `make shellsheck`
          shellcheck_flags: "--shell bash --source-path runner"
          exclude: "./.git/*"
          check_all_files_with_shebangs: "false"
          # Set this to "true" once we addressed all the shellcheck findings
          fail_on_error: "false"
  test-runner-entrypoint:
    name: Test entrypoint
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@v3
    - name: Run tests
      run: |
        make acceptance/runner/startup
--- a/.gitignore
+++ b/.gitignore
@@ -35,3 +35,4 @@ bin
 .DS_STORE
 /test-assets
 /.tools
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,17 +1,14 @@
 version: "2"
 run:
-  timeout: 3m
+  timeout: 5m
-output:
+linters:
-  format: github-actions
+  settings:
-linters-settings:
+    errcheck:
-  errcheck:
+      exclude-functions:
-    exclude-functions:
+        - (net/http.ResponseWriter).Write
-      - (net/http.ResponseWriter).Write
+        - (*net/http.Server).Shutdown
-      - (*net/http.Server).Shutdown
+        - (*github.com/actions/actions-runner-controller/simulator.VisibleRunnerGroups).Add
-      - (*github.com/actions/actions-runner-controller/simulator.VisibleRunnerGroups).Add
+        - (*github.com/actions/actions-runner-controller/testing.Kind).Stop
-      - (*github.com/actions/actions-runner-controller/testing.Kind).Stop
+  exclusions:
-issues:
+    presets:
-  exclude-rules:
+      - std-error-handling
    - path: controllers/suite_test.go
      linters:
        - staticcheck
      text: "SA1019"
--- a/2
+++ b/2
@@ -1,2 +1,2 @@
 # actions-runner-controller maintainers
-* @mumoshu @toast-gear @actions/actions-runtime @nikola-jokic
+* @mumoshu @toast-gear @actions/actions-launch @actions/actions-compute @nikola-jokic @rentziass
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -15,6 +15,13 @@
    - [Opening the Pull Request](#opening-the-pull-request)
  - [Helm Version Changes](#helm-version-changes)
  - [Testing Controller Built from a Pull Request](#testing-controller-built-from-a-pull-request)
  - [Release process](#release-process)
    - [Workflow structure](#workflow-structure)
      - [Releasing legacy actions-runner-controller image and helm charts](#releasing-legacy-actions-runner-controller-image-and-helm-charts)
      - [Release actions-runner-controller runner images](#release-actions-runner-controller-runner-images)
      - [Release gha-runner-scale-set-controller image and helm charts](#release-gha-runner-scale-set-controller-image-and-helm-charts)
      - [Release actions/runner image](#release-actionsrunner-image)
      - [Canary releases](#canary-releases)
 ## Welcome
@@ -25,14 +32,13 @@ reviewed and merged.
 ## Before contributing code
-We welcome code patches, but to make sure things are well coordinated you should  discuss any significant change before starting the work.
+We welcome code patches, but to make sure things are well coordinated you should discuss any significant change before starting the work. The maintainers ask that you signal your intention to contribute to the project using the issue tracker. If there is an existing issue that you want to work on, please let us know so we can get it assigned to you. If you noticed a bug or want to add a new feature, there are issue templates you can fill out.
 The maintainers ask that you signal your intention to contribute to the project using the issue tracker. 
 If there is an existing issue that you want to work on, please let us know so we can get it assigned to you.
 If you noticed a bug or want to add a new feature, there are issue templates you can fill out.
 When filing a feature request, the maintainers will review the change and give you a decision on whether we are willing to accept the feature into the project.
 For significantly large and/or complex features, we may request that you write up an architectural decision record ([ADR](https://github.blog/2020-08-13-why-write-adrs/)) detailing the change.
-Please use the [template](/adrs/0000-TEMPLATE.md) as guidance.
+
 Please use the [template](/docs/adrs/yyyy-mm-dd-TEMPLATE) as guidance.
 <!-- 
  TODO: Add a pre-requisite section describing what developers should
@@ -45,6 +51,7 @@ Depending on what you are patching depends on how you should go about it.
 Below are some guides on how to test patches locally as well as develop the controller and runners.
 When submitting a PR for a change please provide evidence that your change works as we still need to work on improving the CI of the project.
 Some resources are provided for helping achieve this, see this guide for details.
 ### Developing the Controller
@@ -66,7 +73,7 @@ To make your development cycle faster, use the below command to update deploy an
 # Makefile
 VERSION=controller1 \
  RUNNER_TAG=runner1 \
-  make acceptance/pull acceptance/kind docker-build acceptance/load acceptance/deploy
+  make acceptance/pull acceptance/kind docker-buildx acceptance/load acceptance/deploy
 ```
 If you've already deployed actions-runner-controller and only want to recreate pods to use the newer image, you can run:
@@ -130,7 +137,7 @@ GINKGO_FOCUS='[It] should create a new Runner resource from the specified templa
 >
 > If you want to stick with `snap`-provided `docker`, do not forget to set `TMPDIR` to somewhere under `$HOME`.
 > Otherwise `kind load docker-image` fail while running `docker save`.
-> See https://kind.sigs.k8s.io/docs/user/known-issues/#docker-installed-with-snap for more information.
+> See <https://kind.sigs.k8s.io/docs/user/known-issues/#docker-installed-with-snap> for more information.
 To test your local changes against both PAT and App based authentication please run the `acceptance` make target with the authentication configuration details provided:
@@ -186,7 +193,7 @@ Before shipping your PR, please check the following items to make sure CI passes
 - Run `go mod tidy` if you made changes to dependencies.
 - Format the code using `gofmt`
 - Run the `golangci-lint` tool locally.
-  -  We recommend you use `make lint` to run the tool using a Docker container matching the CI version.
+  - We recommend you use `make lint` to run the tool using a Docker container matching the CI version.
 ### Opening the Pull Request
@@ -217,3 +224,146 @@ Please also note that you need to replace `$DOCKER_USER` with your own DockerHub
 Only the maintainers can release a new version of actions-runner-controller, publish a new version of the helm charts, and runner images.
 All release workflows have been moved to [actions-runner-controller/releases](https://github.com/actions-runner-controller/releases) since the packages are owned by the former organization.
 ### Workflow structure
 Following the migration of actions-runner-controller into GitHub actions, all the workflows had to be modified to accommodate the move to a new organization. The following table describes the workflows, their purpose and dependencies.
 | Filename                          | Workflow name                        | Purpose                                                                                                                                                                                                                                                         |
 |-----------------------------------|--------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | gha-e2e-tests.yaml                | (gha) E2E Tests                      | Tests the Autoscaling Runner Set mode end to end. Coverage is restricted to this mode. Legacy modes are not tested.                                                                                                                                          |
 | go.yaml                           | Format, Lint, Unit Tests             | Formats, lints and runs unit tests for the entire codebase.                                                                                                                                                                                                     |
 | arc-publish.yaml                  | Publish ARC Image                    | Uploads release/actions-runner-controller.yaml as an artifact to the newly created release and triggers the [build and publication of the controller image](https://github.com/actions-runner-controller/releases/blob/main/.github/workflows/publish-arc.yaml) |
 | global-publish-canary.yaml        | Publish Canary Images                | Builds and publishes canary controller container images for both new and legacy modes.                                                                                                                                                                          |
 | arc-publish-chart.yaml            | Publish ARC Helm Charts              | Packages and publishes charts/actions-runner-controller (via GitHub Pages)                                                                                                                                                                                      |
 | gha-publish-chart.yaml            | (gha) Publish Helm Charts            | Packages and publishes charts/gha-runner-scale-set-controller and charts/gha-runner-scale-set charts (OCI to GHCR)                                                                                                                                              |
 | arc-release-runners.yaml          | Release ARC Runner Images            | Triggers [release-runners.yaml](https://github.com/actions-runner-controller/releases/blob/main/.github/workflows/release-runners.yaml) which will build and push new runner images used with the legacy ARC modes.                                             |
 | global-run-codeql.yaml            | Run CodeQL                           | Run CodeQL on all the codebase                                                                                                                                                                                                                                  |
 | global-run-first-interaction.yaml | First Interaction                    | Informs first time contributors what to expect when they open a new issue / PR                                                                                                                                                                                  |
 | global-run-stale.yaml             | Run Stale Bot                        | Closes issues / PRs without activity                                                                                                                                                                                                                            |
 | arc-update-runners-scheduled.yaml | Runner Updates Check (Scheduled Job) | Polls [actions/runner](https://github.com/actions/runner) and [actions/runner-container-hooks](https://github.com/actions/runner-container-hooks) for new releases. If found, a PR is created to publish new runner images                                      |
 | arc-validate-chart.yaml           | Validate Helm Chart                  | Run helm chart validators for charts/actions-runner-controller                                                                                                                                                                                                  |
 | gha-validate-chart.yaml           | (gha) Validate Helm Charts           | Run helm chart validators for charts/gha-runner-scale-set-controller and charts/gha-runner-scale-set charts                                                                                                                                                     |
 | arc-validate-runners.yaml         | Validate ARC Runners                 | Run validators for runners                                                                                                                                                                                                                                      |
 There are 7 components that we release regularly:
 1. legacy [actions-runner-controller controller image](https://github.com/actions-runner-controller/actions-runner-controller/pkgs/container/actions-runner-controller)
 2. legacy [actions-runner-controller helm charts](https://actions-runner-controller.github.io/actions-runner-controller/)
 3. legacy actions-runner-controller runner images
   1. [ubuntu-20.04](https://github.com/actions-runner-controller/actions-runner-controller/pkgs/container/actions-runner-controller%2Factions-runner)
   2. [ubuntu-22.04](https://github.com/actions-runner-controller/actions-runner-controller/pkgs/container/actions-runner-controller%2Factions-runner)
   3. [dind-ubuntu-20.04](https://github.com/actions-runner-controller/actions-runner-controller/pkgs/container/actions-runner-controller%2Factions-runner-dind)
   4. [dind-ubuntu-22.04](https://github.com/actions-runner-controller/actions-runner-controller/pkgs/container/actions-runner-controller%2Factions-runner-dind)
   5. [dind-rootless-ubuntu-20.04](https://github.com/actions-runner-controller/actions-runner-controller/pkgs/container/actions-runner-controller%2Factions-runner-dind-rootless)
   6. [dind-rootless-ubuntu-22.04](https://github.com/actions-runner-controller/actions-runner-controller/pkgs/container/actions-runner-controller%2Factions-runner-dind-rootless)
 4. [gha-runner-scale-set-controller image](https://github.com/actions/actions-runner-controller/pkgs/container/gha-runner-scale-set-controller)
 5. [gha-runner-scale-set-controller helm charts](https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set-controller)
 6. [gha-runner-scale-set runner helm charts](https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set)
 7. [actions/runner image](https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller%2Factions-runner)
 #### Releasing legacy actions-runner-controller image and helm charts
 1. Start by making sure the master branch is stable and all CI jobs are passing
 2. Create a new release in <https://github.com/actions/actions-runner-controller/releases> (Draft a new release)
 3. Bump up the `version` and `appVersion` in charts/actions-runner-controller/Chart.yaml - make sure the `version` matches the release version you just created. (Example: <https://github.com/actions/actions-runner-controller/pull/2577>)
 4. When the workflows finish execution, you will see:
   1. A new controller image published to: <https://github.com/actions-runner-controller/actions-runner-controller/pkgs/container/actions-runner-controller>
   2. Helm charts published to: <https://github.com/actions-runner-controller/actions-runner-controller.github.io/tree/master/actions-runner-controller> (the index.yaml file is updated)
 When a new release is created, the [Publish ARC Image](https://github.com/actions/actions-runner-controller/blob/master/.github/workflows/arc-publish.yaml) workflow is triggered.
 ```mermaid
 flowchart LR
    subgraph repository: actions/actions-runner-controller
    event_a{{"release: published"}} -- triggers --> workflow_a["arc-publish.yaml"]
    event_b{{"workflow_dispatch"}} -- triggers --> workflow_a["arc-publish.yaml"]
    workflow_a["arc-publish.yaml"] -- uploads --> package["actions-runner-controller.tar.gz"]
    end
    subgraph repository: actions-runner-controller/releases
    workflow_a["arc-publish.yaml"] -- triggers --> event_d{{"repository_dispatch"}} --> workflow_b["publish-arc.yaml"]
    workflow_b["publish-arc.yaml"] -- push --> A["GHCR: \nactions-runner-controller/actions-runner-controller:*"]
    workflow_b["publish-arc.yaml"] -- push --> B["DockerHub: \nsummerwind/actions-runner-controller:*"]
    end
 ```
 #### Release actions-runner-controller runner images
 **Manual steps:**
 1. Navigate to the [actions-runner-controller/releases](https://github.com/actions-runner-controller/releases) repository
 2. Trigger [the release-runners.yaml](https://github.com/actions-runner-controller/releases/actions/workflows/release-runners.yaml) workflow.
   1. The list of input prameters for this workflow is defined in the table below (always inspect the workflow file for the latest version)
 <!-- Table of Paramters -->
 | Parameter                        | Description                                                                                                                                                                                                                         | Default       |
 |----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
 | `runner_version`                 | The version of the [actions/runner](https://github.com/actions/runner) to use                                                                                                                                                       | `2.300.2`     |
 | `docker_version`                 | The version of docker to use                                                                                                                                                                                                        | `20.10.12`    |
 | `runner_container_hooks_version` | The version of [actions/runner-container-hooks](https://github.com/actions/runner-container-hooks) to use                                                                                                                           | `0.2.0`       |
 | `sha`                            | The commit sha from [actions/actions-runner-controller](https://github.com/actions/actions-runner-controller) to be used to build the runner images. This will be provided to `actions/checkout` & used to tag the container images | Empty string. |
 | `push_to_registries`             | Whether to push the images to the registries. Use false to test the build                                                                                                                                                           | false         |
 **Automated steps:**
 ```mermaid
 flowchart LR
    workflow["release-runners.yaml"] -- workflow_dispatch* --> workflow_b["release-runners.yaml"]
    subgraph repository: actions/actions-runner-controller
    runner_updates_check["arc-update-runners-scheduled.yaml"] -- "polls (daily)" --> runner_releases["actions/runner/releases"]
    runner_updates_check -- creates --> runner_update_pr["PR: update /runner/VERSION"]****
    runner_update_pr --> runner_update_pr_merge{{"merge"}}
    runner_update_pr_merge -- triggers --> workflow["release-runners.yaml"]
    end
    subgraph repository: actions-runner-controller/releases
    workflow_b["release-runners.yaml"] -- push --> A["GHCR: \n actions-runner-controller/actions-runner:* \n actions-runner-controller/actions-runner-dind:* \n actions-runner-controller/actions-runner-dind-rootless:*"]
    workflow_b["release-runners.yaml"] -- push --> B["DockerHub: \n summerwind/actions-runner:* \n summerwind/actions-runner-dind:* \n summerwind/actions-runner-dind-rootless:*"]
    event_b{{"workflow_dispatch"}} -- triggers --> workflow_b["release-runners.yaml"]
    end
 ```
 #### Release gha-runner-scale-set-controller image and helm charts
 1. Make sure the master branch is stable and all CI jobs are passing
 1. Prepare a release PR (example: <https://github.com/actions/actions-runner-controller/pull/2467>)
   1. Bump up the version of the chart in: charts/gha-runner-scale-set-controller/Chart.yaml
   2. Bump up the version of the chart in: charts/gha-runner-scale-set/Chart.yaml
      1. Make sure that `version`, `appVersion` of both charts are always the same. These versions cannot diverge.
   3. Update the quickstart guide to reflect the latest versions: docs/preview/gha-runner-scale-set-controller/README.md
   4. Add changelog to the PR as well as the quickstart guide
 1. Merge the release PR
 1. Manually trigger the [(gha) Publish Helm Charts](https://github.com/actions/actions-runner-controller/actions/workflows/gha-publish-chart.yaml) workflow
 1. Manually create a tag and release in [actions/actions-runner-controller](https://github.com/actions/actions-runner-controller/releases) with the format: `gha-runner-scale-set-x.x.x` where the version (x.x.x) matches that of the Helm chart
 | Parameter                                       | Description                                                                                            | Default        |
 |-------------------------------------------------|--------------------------------------------------------------------------------------------------------|----------------|
 | `ref`                                           | The branch, tag or SHA to cut a release from.                                                          | default branch |
 | `release_tag_name`                              | The tag of the controller image. This is not a git tag.                                                | canary         |
 | `push_to_registries`                            | Push images to registries. Use false to test the build process.                                        | false          |
 | `publish_gha_runner_scale_set_controller_chart` | Publish new helm chart for gha-runner-scale-set-controller. This will push the new OCI archive to GHCR | false          |
 | `publish_gha_runner_scale_set_chart`            | Publish new helm chart for gha-runner-scale-set. This will push the new OCI archive to GHCR            | false          |
 #### Release actions/runner image
 A new runner image is built and published to <https://github.com/actions/runner/pkgs/container/actions-runner> whenever a new runner binary has been released. There's nothing to do here.
 #### Canary releases
 We publish canary images for both the legacy actions-runner-controller and gha-runner-scale-set-controller images.
 ```mermaid
 flowchart LR
    subgraph org: actions
    event_a{{"push: [master]"}} -- triggers --> workflow_a["publish-canary.yaml"]
    end
    subgraph org: actions-runner-controller
    workflow_a["publish-canary.yaml"] -- triggers --> event_d{{"repository_dispatch"}} --> workflow_b["publish-canary.yaml"]
    workflow_b["publish-canary.yaml"] -- push --> A["GHCR: \nactions-runner-controller/actions-runner-controller:canary"]
    workflow_b["publish-canary.yaml"] -- push --> B["DockerHub: \nsummerwind/actions-runner-controller:canary"]
    end
 ```
 1. [actions-runner-controller canary image](https://github.com/actions-runner-controller/actions-runner-controller/pkgs/container/actions-runner-controller)
 2. [gha-runner-scale-set-controller image](https://github.com/actions/actions-runner-controller/pkgs/container/gha-runner-scale-set-controller)
 These canary images are automatically built and released on each push to the master branch.
--- a/12
+++ b/12
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM --platform=$BUILDPLATFORM golang:1.19.4 as builder
+FROM --platform=$BUILDPLATFORM golang:1.25.1 AS builder
 WORKDIR /workspace
@@ -24,20 +24,20 @@ RUN go mod download
 # With the above commmand,
 # TARGETOS can be "linux", TARGETARCH can be "amd64", "arm64", and "arm", TARGETVARIANT can be "v7".
-ARG TARGETPLATFORM TARGETOS TARGETARCH TARGETVARIANT VERSION=dev
+ARG TARGETPLATFORM TARGETOS TARGETARCH TARGETVARIANT VERSION=dev COMMIT_SHA=dev
 # We intentionally avoid `--mount=type=cache,mode=0777,target=/go/pkg/mod` in the `go mod download` and the `go build` runs
 # to avoid https://github.com/moby/buildkit/issues/2334
 # We can use docker layer cache so the build is fast enogh anyway
 # We also use per-platform GOCACHE for the same reason.
-ENV GOCACHE /build/${TARGETPLATFORM}/root/.cache/go-build
+ENV GOCACHE="/build/${TARGETPLATFORM}/root/.cache/go-build"
 # Build
 RUN --mount=target=. \
  --mount=type=cache,mode=0777,target=${GOCACHE} \
  export GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOARM=${TARGETVARIANT#v} && \
-  go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}'" -o /out/manager main.go && \
+  go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=${COMMIT_SHA}'" -o /out/manager main.go && \
-  go build -trimpath -ldflags="-s -w" -o /out/github-runnerscaleset-listener ./cmd/githubrunnerscalesetlistener && \
+  go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=${COMMIT_SHA}'" -o /out/ghalistener ./cmd/ghalistener && \
  go build -trimpath -ldflags="-s -w" -o /out/github-webhook-server ./cmd/githubwebhookserver && \
  go build -trimpath -ldflags="-s -w" -o /out/actions-metrics-server ./cmd/actionsmetricsserver && \
  go build -trimpath -ldflags="-s -w" -o /out/sleep ./cmd/sleep
@@ -51,7 +51,7 @@ WORKDIR /
 COPY --from=builder /out/manager .
 COPY --from=builder /out/github-webhook-server .
 COPY --from=builder /out/actions-metrics-server .
-COPY --from=builder /out/github-runnerscaleset-listener .
+COPY --from=builder /out/ghalistener .
 COPY --from=builder /out/sleep .
 USER 65532:65532
--- a/37
+++ b/37
@@ -5,7 +5,8 @@ else
 endif
 DOCKER_USER ?= $(shell echo ${DOCKER_IMAGE_NAME} | cut -d / -f1)
 VERSION ?= dev
-RUNNER_VERSION ?= 2.302.1
+COMMIT_SHA = $(shell git rev-parse HEAD)
 RUNNER_VERSION ?= 2.330.0
 TARGETPLATFORM ?= $(shell arch)
 RUNNER_NAME ?= ${DOCKER_USER}/actions-runner
 RUNNER_TAG  ?= ${VERSION}
@@ -19,10 +20,10 @@ KUBECONTEXT ?= kind-acceptance
 CLUSTER ?= acceptance
 CERT_MANAGER_VERSION ?= v1.1.1
 KUBE_RBAC_PROXY_VERSION ?= v0.11.0
-SHELLCHECK_VERSION ?= 0.8.0
+SHELLCHECK_VERSION ?= 0.10.0
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
-CRD_OPTIONS ?= "crd:generateEmbeddedObjectMeta=true"
+CRD_OPTIONS ?= "crd:generateEmbeddedObjectMeta=true,allowDangerousTypes=true"
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -67,7 +68,7 @@ endif
 all: manager
 lint:
-	docker run --rm -v $(PWD):/app -w /app golangci/golangci-lint:v1.49.0 golangci-lint run
+	docker run --rm -v $(PWD):/app -w /app golangci/golangci-lint:v2.5.0 golangci-lint run
 GO_TEST_ARGS ?= -short
@@ -86,15 +87,21 @@ test-with-deps: kube-apiserver etcd kubectl
 # Build manager binary
 manager: generate fmt vet
 	go build -o bin/manager main.go
-	go build -o bin/github-runnerscaleset-listener ./cmd/githubrunnerscalesetlistener
+	go build -o bin/github-runnerscaleset-listener ./cmd/ghalistener
 # Run against the configured Kubernetes cluster in ~/.kube/config
 run: generate fmt vet manifests
 	go run ./main.go
 run-scaleset: generate fmt vet
 	CONTROLLER_MANAGER_POD_NAMESPACE=default \
 	CONTROLLER_MANAGER_CONTAINER_IMAGE="${DOCKER_IMAGE_NAME}:${VERSION}" \
 	go run -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=$(VERSION)'" \
 	./main.go --auto-scaling-runner-set-only
 # Install CRDs into a cluster
 install: manifests
-	kustomize build config/crd | kubectl apply -f -
+	kustomize build config/crd | kubectl apply --server-side -f -
 # Uninstall CRDs from a cluster
 uninstall: manifests
@@ -103,16 +110,13 @@ uninstall: manifests
 # Deploy controller in the configured Kubernetes cluster in ~/.kube/config
 deploy: manifests
 	cd config/manager && kustomize edit set image controller=${DOCKER_IMAGE_NAME}:${VERSION}
-	kustomize build config/default | kubectl apply -f -
+	kustomize build config/default | kubectl apply --server-side -f -
 # Generate manifests e.g. CRD, RBAC etc.
 manifests: manifests-gen-crds chart-crds
 manifests-gen-crds: controller-gen yq
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 	for YAMLFILE in config/crd/bases/actions*.yaml; do \
 		$(YQ) '.spec.preserveUnknownFields = false' --inplace "$$YAMLFILE" ; \
 	done
 	make manifests-gen-crds-fix DELETE_KEY=x-kubernetes-list-type
 	make manifests-gen-crds-fix DELETE_KEY=x-kubernetes-list-map-keys
@@ -197,7 +201,7 @@ generate: controller-gen
 # Run shellcheck on runner scripts
 shellcheck: shellcheck-install
-	$(TOOLS_PATH)/shellcheck --shell bash --source-path runner runner/*.sh
+	$(TOOLS_PATH)/shellcheck --shell bash --source-path runner runner/*.sh runner/update-status hack/*.sh
 docker-buildx:
 	export DOCKER_CLI_EXPERIMENTAL=enabled ;\
@@ -206,9 +210,8 @@ docker-buildx:
 		docker buildx create --platform ${PLATFORMS} --name container-builder --use;\
 	fi
 	docker buildx build --platform ${PLATFORMS} \
 		--build-arg RUNNER_VERSION=${RUNNER_VERSION} \
 		--build-arg DOCKER_VERSION=${DOCKER_VERSION} \
 		--build-arg VERSION=${VERSION} \
 		--build-arg COMMIT_SHA=${COMMIT_SHA} \
 		-t "${DOCKER_IMAGE_NAME}:${VERSION}" \
 		-f Dockerfile \
 		. ${PUSH_ARG}
@@ -292,6 +295,10 @@ acceptance/runner/startup:
 e2e:
 	go test -count=1 -v -timeout 600s -run '^TestE2E$$' ./test/e2e
 .PHONY: gha-e2e
 gha-e2e:
 	bash hack/e2e-test.sh
 # Upload release file to GitHub.
 github-release: release
 	ghr ${VERSION} release/
@@ -302,7 +309,7 @@ github-release: release
 # Otherwise we get errors like the below:
 #   Error: failed to install CRD crds/actions.summerwind.dev_runnersets.yaml: CustomResourceDefinition.apiextensions.k8s.io "runnersets.actions.summerwind.dev" is invalid: [spec.validation.openAPIV3Schema.properties[spec].properties[template].properties[spec].properties[containers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property, spec.validation.openAPIV3Schema.properties[spec].properties[template].properties[spec].properties[initContainers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property]
 #
-# Note that controller-gen newer than 0.6.0 is needed due to https://github.com/kubernetes-sigs/controller-tools/issues/448
+# Note that controller-gen newer than 0.8.0 is needed due to https://github.com/kubernetes-sigs/controller-tools/issues/448
 # Otherwise ObjectMeta embedded in Spec results in empty on the storage.
 controller-gen:
 ifeq (, $(shell which controller-gen))
@@ -312,7 +319,7 @@ ifeq (, $(wildcard $(GOBIN)/controller-gen))
 	CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
 	cd $$CONTROLLER_GEN_TMP_DIR ;\
 	go mod init tmp ;\
-	go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.7.0 ;\
+	go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.19.0 ;\
 	rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
 	}
 endif
--- a/README.md
+++ b/README.md
@@ -4,42 +4,41 @@
 [![awesome-runners](https://img.shields.io/badge/listed%20on-awesome--runners-blue.svg)](https://github.com/jonico/awesome-runners)
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/actions-runner-controller)](https://artifacthub.io/packages/search?repo=actions-runner-controller)
 ## People
 `actions-runner-controller` is an open-source project currently developed and maintained in collaboration with maintainers @mumoshu and @toast-gear, various [contributors](https://github.com/actions/actions-runner-controller/graphs/contributors), and the [awesome community](https://github.com/actions/actions-runner-controller/discussions), mostly in their spare time.
 If you think the project is awesome and it's becoming a basis for your important business, consider [sponsoring us](https://github.com/sponsors/actions-runner-controller)!
 In case you are already the employer of one of contributors, sponsoring via GitHub Sponsors might not be an option. Just support them in other means!
 We don't currently have [any sponsors dedicated to this project yet](https://github.com/sponsors/actions-runner-controller).
 However, [HelloFresh](https://www.hellofreshgroup.com/en/) has recently started sponsoring @mumoshu for this project along with his other works. A part of their sponsorship will enable @mumoshu to add an E2E test to keep ARC even more reliable on AWS. Thank you for your sponsorship!
 [<img src="https://user-images.githubusercontent.com/22009/170898715-07f02941-35ec-418b-8cd4-251b422fa9ac.png" width="219" height="71" />](https://careers.hellofresh.com/)
 ## Status
 Even though actions-runner-controller is used in production environments, it is still in its early stage of development, hence versioned 0.x.
 actions-runner-controller complies to Semantic Versioning 2.0.0 in which v0.x means that there could be backward-incompatible changes for every release.
 The documentation is kept inline with master@HEAD, we do our best to highlight any features that require a specific ARC version or higher however this is not always easily done due to there being many moving parts. Additionally, we actively do not retain compatibly with every GitHub Enterprise Server version nor every Kubernetes version so you will need to ensure you stay current within a reasonable timespan.
 ## About
-[GitHub Actions](https://github.com/features/actions) is a very useful tool for automating development. GitHub Actions jobs are run in the cloud by default, but you may want to run your jobs in your environment. [Self-hosted runner](https://github.com/actions/runner) can be used for such use cases, but requires the provisioning and configuration of a virtual machine instance. Instead if you already have a Kubernetes cluster, it makes more sense to run the self-hosted runner on top of it.
+Actions Runner Controller (ARC) is a Kubernetes operator that orchestrates and scales self-hosted runners for GitHub Actions.
-**actions-runner-controller** makes that possible. Just create a *Runner* resource on your Kubernetes, and it will run and operate the self-hosted runner for the specified repository. Combined with Kubernetes RBAC, you can also build simple Self-hosted runners as a Service.
+With ARC, you can create runner scale sets that automatically scale based on the number of workflows running in your repository, organization, or enterprise. Because controlled runners can be ephemeral and based on containers, new runner instances can scale up or down rapidly and cleanly. For more information about autoscaling, see ["Autoscaling with self-hosted runners."](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners)
 You can set up ARC on Kubernetes using Helm, then create and run a workflow that uses runner scale sets. For more information about runner scale sets, see ["Deploying runner scale sets with Actions Runner Controller."](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#runner-scale-set)
 ## People
 Actions Runner Controller (ARC) is an open-source project currently developed and maintained in collaboration with the GitHub Actions team, external maintainers @mumoshu and @toast-gear, various [contributors](https://github.com/actions/actions-runner-controller/graphs/contributors), and the [awesome community](https://github.com/actions/actions-runner-controller/discussions).
 If you think the project is awesome and is adding value to your business, please consider directly sponsoring [community maintainers](https://github.com/sponsors/actions-runner-controller) and individual contributors via GitHub Sponsors.
 If you are already the employer of one of the contributors, sponsoring via GitHub Sponsors might not be an option. Just support them by other means!
 See [the sponsorship dashboard](https://github.com/sponsors/actions-runner-controller) for the former and the current sponsors.
 ## Getting Started
 To give ARC a try with just a handful of commands, Please refer to the [Quickstart guide](/docs/quickstart.md). 
-For an overview of ARC, please refer to [About ARC](https://github.com/actions/actions-runner-controller/blob/master/docs/about-arc.md)
+To give ARC a try with just a handful of commands, please refer to the [Quickstart guide](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller).
-For more information, please refer to detailed documentation below!
+For an overview of ARC, please refer to [About ARC](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller).
-## Documentation
+With the introduction of [autoscaling runner scale sets](https://github.com/actions/actions-runner-controller/discussions/2775), the existing [autoscaling modes](./docs/automatically-scaling-runners.md) are now legacy. The legacy modes have certain use cases and will continue to be maintained by the community only.
 For further information on what is supported by GitHub and what's managed by the community, please refer to [this announcement discussion.](https://github.com/actions/actions-runner-controller/discussions/2775)
 ### Documentation
 ARC documentation is available on [docs.github.com](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller).
 ### Legacy documentation
 The following documentation is for the legacy autoscaling modes that continue to be maintained by the community:
 - [Quickstart guide](/docs/quickstart.md)
 - [About ARC](/docs/about-arc.md)
--- a/TROUBLESHOOTING.md
+++ b/TROUBLESHOOTING.md
@@ -304,3 +304,27 @@ If you noticed that it takes several minutes for sidecar dind container to be cr
 **Solution**
 The solution is to switch to using faster storage, if you are experiencing this issue you are probably using HDD storage. Switching to SSD storage fixed the problem in my case. Most cloud providers have a list of storage options to use just pick something faster that your current disk, for on prem clusters you will need to invest in some SSDs.
 ### Dockerd no space left on device
 **Problem**
 If you are running many containers on your runner you might encounter an issue where docker daemon is unable to start new containers and you see error `no space left on device`.  
 **Solution**
 Add a `dockerVarRunVolumeSizeLimit` key in your runner's spec with a higher size limit (the default is 1M) For instance:
 ```yaml
 apiVersion: actions.summerwind.dev/v1alpha1
 kind: RunnerDeployment
 metadata:
  name: github-runner
  namespace: github-system
 spec:
  replicas: 6
  template:
    spec:
      dockerVarRunVolumeSizeLimit: 50M
      env: []
 ```
--- a/acceptance/deploy.sh
+++ b/acceptance/deploy.sh
@@ -61,6 +61,9 @@ if [ "${tool}" == "helm" ]; then
    flags+=( --set githubWebhookServer.imagePullSecrets[0].name=${IMAGE_PULL_SECRET})
    flags+=( --set actionsMetricsServer.imagePullSecrets[0].name=${IMAGE_PULL_SECRET})
  fi
  if [ "${WATCH_NAMESPACE}" != "" ]; then
    flags+=( --set watchNamespace=${WATCH_NAMESPACE} --set singleNamespace=true)
  fi
  if [ "${CHART_VERSION}" != "" ]; then
    flags+=( --version ${CHART_VERSION})
  fi
@@ -69,6 +72,9 @@ if [ "${tool}" == "helm" ]; then
    flags+=( --set githubWebhookServer.logFormat=${LOG_FORMAT})
    flags+=( --set actionsMetricsServer.logFormat=${LOG_FORMAT})
  fi
  if [ "${ADMISSION_WEBHOOKS_TIMEOUT}" != "" ]; then
    flags+=( --set admissionWebHooks.timeoutSeconds=${ADMISSION_WEBHOOKS_TIMEOUT})
  fi
  if [ -n "${CREATE_SECRETS_USING_HELM}" ]; then
    if [ -z "${WEBHOOK_GITHUB_TOKEN}" ]; then
      echo 'Failed deploying secret "actions-metrics-server" using helm. Set WEBHOOK_GITHUB_TOKEN to deploy.' 1>&2
@@ -77,6 +83,10 @@ if [ "${tool}" == "helm" ]; then
    flags+=( --set actionsMetricsServer.secret.create=true)
    flags+=( --set actionsMetricsServer.secret.github_token=${WEBHOOK_GITHUB_TOKEN})
  fi
  if [ -n "${GITHUB_WEBHOOK_SERVER_ENV_NAME}" ] && [ -n "${GITHUB_WEBHOOK_SERVER_ENV_VALUE}" ]; then
    flags+=( --set githubWebhookServer.env[0].name=${GITHUB_WEBHOOK_SERVER_ENV_NAME})
    flags+=( --set githubWebhookServer.env[0].value=${GITHUB_WEBHOOK_SERVER_ENV_VALUE})
  fi
  set -vx
@@ -92,6 +102,7 @@ if [ "${tool}" == "helm" ]; then
    --set githubWebhookServer.podAnnotations.test-id=${TEST_ID} \
    --set actionsMetricsServer.podAnnotations.test-id=${TEST_ID} \
    ${flags[@]} --set image.imagePullPolicy=${IMAGE_PULL_POLICY} \
    --set image.dindSidecarRepositoryAndTag=${DIND_SIDECAR_REPOSITORY_AND_TAG} \
    -f ${VALUES_FILE}
  set +v
  # To prevent `CustomResourceDefinition.apiextensions.k8s.io "runners.actions.summerwind.dev" is invalid: metadata.annotations: Too long: must have at most 262144 bytes`
--- a/acceptance/deploy_runners.sh
+++ b/acceptance/deploy_runners.sh
@@ -6,6 +6,10 @@ OP=${OP:-apply}
 RUNNER_LABEL=${RUNNER_LABEL:-self-hosted}
 # See https://github.com/actions/actions-runner-controller/issues/2123
 kubectl delete secret generic docker-config || :
 kubectl create secret generic docker-config --from-file .dockerconfigjson=<(jq -M 'del(.aliases)' $HOME/.docker/config.json) --type=kubernetes.io/dockerconfigjson || :
 cat acceptance/testdata/kubernetes_container_mode.envsubst.yaml  | NAMESPACE=${RUNNER_NAMESPACE} envsubst  | kubectl apply -f -
 if [ -n "${TEST_REPO}" ]; then
--- a/acceptance/pipelines/eks-integration-tests.yaml
+++ b/acceptance/pipelines/eks-integration-tests.yaml
@@ -5,22 +5,23 @@ on:
 env:
  IRSA_ROLE_ARN:
-  ASSUME_ROLE_ARN: 
+  ASSUME_ROLE_ARN:
-  AWS_REGION: 
+  AWS_REGION:
 jobs:
  assume-role-in-runner-test:
-    runs-on: ['self-hosted', 'Linux']
+    runs-on: ["self-hosted", "Linux"]
    steps:
      - name: Test aws-actions/configure-aws-credentials Action
-        uses: aws-actions/configure-aws-credentials@v1
+        # https://github.com/aws-actions/configure-aws-credentials/releases/tag/v4.1.0
        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ env.ASSUME_ROLE_ARN }}
          role-duration-seconds: 900
  assume-role-in-container-test:
-    runs-on: ['self-hosted', 'Linux']
+    runs-on: ["self-hosted", "Linux"]
-    container: 
+    container:
      image: amazon/aws-cli
      env:
        AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
@@ -29,7 +30,8 @@ jobs:
        - /var/run/secrets/eks.amazonaws.com/serviceaccount/token:/var/run/secrets/eks.amazonaws.com/serviceaccount/token
    steps:
      - name: Test aws-actions/configure-aws-credentials Action in container
-        uses: aws-actions/configure-aws-credentials@v1
+        # https://github.com/aws-actions/configure-aws-credentials/releases/tag/v4.1.0
        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ env.ASSUME_ROLE_ARN }}
--- a/acceptance/pipelines/runner-integration-tests.yaml
+++ b/acceptance/pipelines/runner-integration-tests.yaml
@@ -8,8 +8,8 @@ env:
 jobs:
  run-step-in-container-test:
-    runs-on: ['self-hosted', 'Linux']
+    runs-on: ["self-hosted", "Linux"]
-    container: 
+    container:
      image: alpine
    steps:
      - name: Test we are working in the container
@@ -21,7 +21,7 @@ jobs:
              exit 1
          fi
  setup-python-test:
-    runs-on: ['self-hosted', 'Linux']
+    runs-on: ["self-hosted", "Linux"]
    steps:
      - name: Print native Python environment
        run: |
@@ -41,12 +41,12 @@ jobs:
            echo "Python version detected : $(python --version 2>&1)"
          fi
  setup-node-test:
-    runs-on: ['self-hosted', 'Linux']
+    runs-on: ["self-hosted", "Linux"]
    steps:
      - uses: actions/setup-node@v2
        with:
-          node-version: '12'
+          node-version: "12"
-      - name: Test actions/setup-node works 
+      - name: Test actions/setup-node works
        run: |
          VERSION=$(node --version | cut -c 2- | cut -d '.' -f1)
          if [[ $VERSION != '12' ]]; then
@@ -57,13 +57,14 @@ jobs:
            echo "Node version detected : $(node --version 2>&1)"
          fi
  setup-ruby-test:
-    runs-on: ['self-hosted', 'Linux']
+    runs-on: ["self-hosted", "Linux"]
    steps:
-      - uses: ruby/setup-ruby@v1
+      # https://github.com/ruby/setup-ruby/releases/tag/v1.227.0
      - uses: ruby/setup-ruby@1a615958ad9d422dd932dc1d5823942ee002799f
        with:
          ruby-version: 3.0
          bundler-cache: true
-      - name: Test ruby/setup-ruby works 
+      - name: Test ruby/setup-ruby works
        run: |
          VERSION=$(ruby --version | cut -d ' ' -f2 | cut -d '.' -f1-2)
          if [[ $VERSION != '3.0' ]]; then
@@ -74,8 +75,8 @@ jobs:
              echo "Ruby version detected : $(ruby --version 2>&1)"
          fi
  python-shell-test:
-    runs-on: ['self-hosted', 'Linux']
+    runs-on: ["self-hosted", "Linux"]
-    steps:      
+    steps:
      - name: Test Python shell works
        run: |
          import os
--- a/acceptance/testdata/runnerdeploy.envsubst.yaml
+++ b/acceptance/testdata/runnerdeploy.envsubst.yaml
@@ -95,6 +95,24 @@ spec:
        # that part is created by dockerd.
        mountPath: /home/runner/.local
        readOnly: false
      # See https://github.com/actions/actions-runner-controller/issues/2123
      # Be sure to omit the "aliases" field from the config.json.
      # Otherwise you may encounter nasty errors like:
      #   $ docker build
      #   docker: 'buildx' is not a docker command.
      #   See 'docker --help'
      # due to the incompatibility between your host docker config.json and the runner environment.
      # That is, your host dockcer config.json might contain this:
      #   "aliases": {
      #     "builder": "buildx"
      #   }
      # And this results in the above error when the runner does not have buildx installed yet.
      - name: docker-config
        mountPath: /home/runner/.docker/config.json
        subPath: config.json
        readOnly: true
      - name: docker-config-root
        mountPath: /home/runner/.docker
      volumes:
      - name: rootless-dind-work-dir
        ephemeral:
@@ -105,6 +123,15 @@ spec:
              resources:
                requests:
                  storage: 3Gi
      - name: docker-config
        # Refer to .dockerconfigjson/.docker/config.json
        secret:
          secretName: docker-config
          items:
          - key: .dockerconfigjson
            path: config.json
      - name: docker-config-root
        emptyDir: {}
      #
      # Non-standard working directory
--- a/adrs/yyyy-mm-dd-TEMPLATE.md
+++ b/adrs/yyyy-mm-dd-TEMPLATE.md
@@ -1,18 +0,0 @@
 # Title
 <!-- ADR titles should typically be imperative sentences. -->
 **Status**: (Proposed|Accepted|Rejected|Superceded|Deprecated)
 ## Context
 *What is the issue or background knowledge necessary for future readers
 to understand why this ADR was written?*
 ## Decision
 **What** is the change being proposed? / **How** will it be implemented?*
 ## Consequences
 *What becomes easier or more difficult to do because of this change?*
--- a/apis/actions.github.com/v1alpha1/appconfig/appconfig.go
+++ b/apis/actions.github.com/v1alpha1/appconfig/appconfig.go
@@ -0,0 +1,89 @@
 package appconfig
 import (
 	"bytes"
 	"encoding/json"
 	"fmt"
 	"strconv"
 	corev1 "k8s.io/api/core/v1"
 )
 type AppConfig struct {
 	AppID             string `json:"github_app_id"`
 	AppInstallationID int64  `json:"github_app_installation_id"`
 	AppPrivateKey     string `json:"github_app_private_key"`
 	Token string `json:"github_token"`
 }
 func (c *AppConfig) tidy() *AppConfig {
 	if len(c.Token) > 0 {
 		return &AppConfig{
 			Token: c.Token,
 		}
 	}
 	return &AppConfig{
 		AppID:             c.AppID,
 		AppInstallationID: c.AppInstallationID,
 		AppPrivateKey:     c.AppPrivateKey,
 	}
 }
 func (c *AppConfig) Validate() error {
 	if c == nil {
 		return fmt.Errorf("missing app config")
 	}
 	hasToken := len(c.Token) > 0
 	hasGitHubAppAuth := c.hasGitHubAppAuth()
 	if hasToken && hasGitHubAppAuth {
 		return fmt.Errorf("both PAT and GitHub App credentials provided. should only provide one")
 	}
 	if !hasToken && !hasGitHubAppAuth {
 		return fmt.Errorf("no credentials provided: either a PAT or GitHub App credentials should be provided")
 	}
 	return nil
 }
 func (c *AppConfig) hasGitHubAppAuth() bool {
 	return len(c.AppID) > 0 && c.AppInstallationID > 0 && len(c.AppPrivateKey) > 0
 }
 func FromSecret(secret *corev1.Secret) (*AppConfig, error) {
 	var appInstallationID int64
 	if v := string(secret.Data["github_app_installation_id"]); v != "" {
 		val, err := strconv.ParseInt(v, 10, 64)
 		if err != nil {
 			return nil, err
 		}
 		appInstallationID = val
 	}
 	cfg := &AppConfig{
 		Token:             string(secret.Data["github_token"]),
 		AppID:             string(secret.Data["github_app_id"]),
 		AppInstallationID: appInstallationID,
 		AppPrivateKey:     string(secret.Data["github_app_private_key"]),
 	}
 	if err := cfg.Validate(); err != nil {
 		return nil, fmt.Errorf("failed to validate config: %v", err)
 	}
 	return cfg.tidy(), nil
 }
 func FromJSONString(v string) (*AppConfig, error) {
 	var appConfig AppConfig
 	if err := json.NewDecoder(bytes.NewBufferString(v)).Decode(&appConfig); err != nil {
 		return nil, err
 	}
 	if err := appConfig.Validate(); err != nil {
 		return nil, fmt.Errorf("failed to validate app config decoded from string: %w", err)
 	}
 	return appConfig.tidy(), nil
 }
--- a/apis/actions.github.com/v1alpha1/appconfig/appconfig_test.go
+++ b/apis/actions.github.com/v1alpha1/appconfig/appconfig_test.go
@@ -0,0 +1,152 @@
 package appconfig
 import (
 	"encoding/json"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 )
 func TestAppConfigValidate_invalid(t *testing.T) {
 	tt := map[string]*AppConfig{
 		"empty": {},
 		"token and app config": {
 			AppID:             "1",
 			AppInstallationID: 2,
 			AppPrivateKey:     "private key",
 			Token:             "token",
 		},
 		"app id not set": {
 			AppInstallationID: 2,
 			AppPrivateKey:     "private key",
 		},
 		"app installation id not set": {
 			AppID:         "2",
 			AppPrivateKey: "private key",
 		},
 		"private key empty": {
 			AppID:             "2",
 			AppInstallationID: 1,
 			AppPrivateKey:     "",
 		},
 	}
 	for name, cfg := range tt {
 		t.Run(name, func(t *testing.T) {
 			err := cfg.Validate()
 			require.Error(t, err)
 		})
 	}
 }
 func TestAppConfigValidate_valid(t *testing.T) {
 	tt := map[string]*AppConfig{
 		"token": {
 			Token: "token",
 		},
 		"app ID": {
 			AppID:             "1",
 			AppInstallationID: 2,
 			AppPrivateKey:     "private key",
 		},
 	}
 	for name, cfg := range tt {
 		t.Run(name, func(t *testing.T) {
 			err := cfg.Validate()
 			require.NoError(t, err)
 		})
 	}
 }
 func TestAppConfigFromSecret_invalid(t *testing.T) {
 	tt := map[string]map[string]string{
 		"empty": {},
 		"token and app provided": {
 			"github_token":              "token",
 			"github_app_id":             "2",
 			"githu_app_installation_id": "3",
 			"github_app_private_key":    "private key",
 		},
 		"invalid app id": {
 			"github_app_id":             "abc",
 			"githu_app_installation_id": "3",
 			"github_app_private_key":    "private key",
 		},
 		"invalid app installation_id": {
 			"github_app_id":             "1",
 			"githu_app_installation_id": "abc",
 			"github_app_private_key":    "private key",
 		},
 		"empty private key": {
 			"github_app_id":             "1",
 			"githu_app_installation_id": "2",
 			"github_app_private_key":    "",
 		},
 	}
 	for name, data := range tt {
 		t.Run(name, func(t *testing.T) {
 			secret := &corev1.Secret{
 				StringData: data,
 			}
 			appConfig, err := FromSecret(secret)
 			assert.Error(t, err)
 			assert.Nil(t, appConfig)
 		})
 	}
 }
 func TestAppConfigFromSecret_valid(t *testing.T) {
 	tt := map[string]map[string]string{
 		"with token": {
 			"github_token": "token",
 		},
 		"app config": {
 			"github_app_id":             "2",
 			"githu_app_installation_id": "3",
 			"github_app_private_key":    "private key",
 		},
 	}
 	for name, data := range tt {
 		t.Run(name, func(t *testing.T) {
 			secret := &corev1.Secret{
 				StringData: data,
 			}
 			appConfig, err := FromSecret(secret)
 			assert.Error(t, err)
 			assert.Nil(t, appConfig)
 		})
 	}
 }
 func TestAppConfigFromString_valid(t *testing.T) {
 	tt := map[string]*AppConfig{
 		"token": {
 			Token: "token",
 		},
 		"app ID": {
 			AppID:             "1",
 			AppInstallationID: 2,
 			AppPrivateKey:     "private key",
 		},
 	}
 	for name, cfg := range tt {
 		t.Run(name, func(t *testing.T) {
 			bytes, err := json.Marshal(cfg)
 			require.NoError(t, err)
 			got, err := FromJSONString(string(bytes))
 			require.NoError(t, err)
 			want := cfg.tidy()
 			assert.Equal(t, want, got)
 		})
 	}
 }
--- a/apis/actions.github.com/v1alpha1/autoscalinglistener_types.go
+++ b/apis/actions.github.com/v1alpha1/autoscalinglistener_types.go
@@ -59,17 +59,26 @@ type AutoscalingListenerSpec struct {
 	Proxy *ProxyConfig `json:"proxy,omitempty"`
 	// +optional
-	GitHubServerTLS *GitHubServerTLSConfig `json:"githubServerTLS,omitempty"`
+	GitHubServerTLS *TLSConfig `json:"githubServerTLS,omitempty"`
 	// +optional
 	VaultConfig *VaultConfig `json:"vaultConfig,omitempty"`
 	// +optional
 	Metrics *MetricsConfig `json:"metrics,omitempty"`
 	// +optional
 	Template *corev1.PodTemplateSpec `json:"template,omitempty"`
 }
 // AutoscalingListenerStatus defines the observed state of AutoscalingListener
 type AutoscalingListenerStatus struct{}
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// +kubebuilder:subresource:status
-//+kubebuilder:printcolumn:JSONPath=".spec.githubConfigUrl",name=GitHub Configure URL,type=string
+// +kubebuilder:printcolumn:JSONPath=".spec.githubConfigUrl",name=GitHub Configure URL,type=string
-//+kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetNamespace",name=AutoscalingRunnerSet Namespace,type=string
+// +kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetNamespace",name=AutoscalingRunnerSet Namespace,type=string
-//+kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetName",name=AutoscalingRunnerSet Name,type=string
+// +kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetName",name=AutoscalingRunnerSet Name,type=string
 // AutoscalingListener is the Schema for the autoscalinglisteners API
 type AutoscalingListener struct {
@@ -80,8 +89,7 @@ type AutoscalingListener struct {
 	Status AutoscalingListenerStatus `json:"status,omitempty"`
 }
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 // AutoscalingListenerList contains a list of AutoscalingListener
 type AutoscalingListenerList struct {
 	metav1.TypeMeta `json:",inline"`
--- a/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go
+++ b/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go
@@ -24,6 +24,7 @@ import (
 	"strings"
 	"github.com/actions/actions-runner-controller/hash"
 	"github.com/actions/actions-runner-controller/vault"
 	"golang.org/x/net/http/httpproxy"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -31,12 +32,16 @@ import (
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// +kubebuilder:subresource:status
-//+kubebuilder:printcolumn:JSONPath=".spec.minRunners",name=Minimum Runners,type=number
+// +kubebuilder:printcolumn:JSONPath=".spec.minRunners",name=Minimum Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".spec.maxRunners",name=Maximum Runners,type=number
+// +kubebuilder:printcolumn:JSONPath=".spec.maxRunners",name=Maximum Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.currentRunners",name=Current Runners,type=number
+// +kubebuilder:printcolumn:JSONPath=".status.currentRunners",name=Current Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.state",name=State,type=string
+// +kubebuilder:printcolumn:JSONPath=".status.state",name=State,type=string
 // +kubebuilder:printcolumn:JSONPath=".status.pendingEphemeralRunners",name=Pending Runners,type=integer
 // +kubebuilder:printcolumn:JSONPath=".status.runningEphemeralRunners",name=Running Runners,type=integer
 // +kubebuilder:printcolumn:JSONPath=".status.finishedEphemeralRunners",name=Finished Runners,type=integer
 // +kubebuilder:printcolumn:JSONPath=".status.deletingEphemeralRunners",name=Deleting Runners,type=integer
 // AutoscalingRunnerSet is the Schema for the autoscalingrunnersets API
 type AutoscalingRunnerSet struct {
@@ -65,11 +70,20 @@ type AutoscalingRunnerSetSpec struct {
 	Proxy *ProxyConfig `json:"proxy,omitempty"`
 	// +optional
-	GitHubServerTLS *GitHubServerTLSConfig `json:"githubServerTLS,omitempty"`
+	GitHubServerTLS *TLSConfig `json:"githubServerTLS,omitempty"`
 	// +optional
 	VaultConfig *VaultConfig `json:"vaultConfig,omitempty"`
 	// Required
 	Template corev1.PodTemplateSpec `json:"template,omitempty"`
 	// +optional
 	ListenerMetrics *MetricsConfig `json:"listenerMetrics,omitempty"`
 	// +optional
 	ListenerTemplate *corev1.PodTemplateSpec `json:"listenerTemplate,omitempty"`
 	// +optional
 	// +kubebuilder:validation:Minimum:=0
 	MaxRunners *int `json:"maxRunners,omitempty"`
@@ -79,12 +93,12 @@ type AutoscalingRunnerSetSpec struct {
 	MinRunners *int `json:"minRunners,omitempty"`
 }
-type GitHubServerTLSConfig struct {
+type TLSConfig struct {
 	// Required
 	CertificateFrom *TLSCertificateSource `json:"certificateFrom,omitempty"`
 }
-func (c *GitHubServerTLSConfig) ToCertPool(keyFetcher func(name, key string) ([]byte, error)) (*x509.CertPool, error) {
+func (c *TLSConfig) ToCertPool(keyFetcher func(name, key string) ([]byte, error)) (*x509.CertPool, error) {
 	if c.CertificateFrom == nil {
 		return nil, fmt.Errorf("certificateFrom not specified")
 	}
@@ -132,7 +146,7 @@ type ProxyConfig struct {
 	NoProxy []string `json:"noProxy,omitempty"`
 }
-func (c *ProxyConfig) toHTTPProxyConfig(secretFetcher func(string) (*corev1.Secret, error)) (*httpproxy.Config, error) {
+func (c *ProxyConfig) ToHTTPProxyConfig(secretFetcher func(string) (*corev1.Secret, error)) (*httpproxy.Config, error) {
 	config := &httpproxy.Config{
 		NoProxy: strings.Join(c.NoProxy, ","),
 	}
@@ -191,7 +205,7 @@ func (c *ProxyConfig) toHTTPProxyConfig(secretFetcher func(string) (*corev1.Secr
 }
 func (c *ProxyConfig) ToSecretData(secretFetcher func(string) (*corev1.Secret, error)) (map[string][]byte, error) {
-	config, err := c.toHTTPProxyConfig(secretFetcher)
+	config, err := c.ToHTTPProxyConfig(secretFetcher)
 	if err != nil {
 		return nil, err
 	}
@@ -205,7 +219,7 @@ func (c *ProxyConfig) ToSecretData(secretFetcher func(string) (*corev1.Secret, e
 }
 func (c *ProxyConfig) ProxyFunc(secretFetcher func(string) (*corev1.Secret, error)) (func(*http.Request) (*url.URL, error), error) {
-	config, err := c.toHTTPProxyConfig(secretFetcher)
+	config, err := c.ToHTTPProxyConfig(secretFetcher)
 	if err != nil {
 		return nil, err
 	}
@@ -225,22 +239,103 @@ type ProxyServerConfig struct {
 	CredentialSecretRef string `json:"credentialSecretRef,omitempty"`
 }
 type VaultConfig struct {
 	// +optional
 	Type vault.VaultType `json:"type,omitempty"`
 	// +optional
 	AzureKeyVault *AzureKeyVaultConfig `json:"azureKeyVault,omitempty"`
 	// +optional
 	Proxy *ProxyConfig `json:"proxy,omitempty"`
 }
 type AzureKeyVaultConfig struct {
 	// +required
 	URL string `json:"url,omitempty"`
 	// +required
 	TenantID string `json:"tenantId,omitempty"`
 	// +required
 	ClientID string `json:"clientId,omitempty"`
 	// +required
 	CertificatePath string `json:"certificatePath,omitempty"`
 }
 // MetricsConfig holds configuration parameters for each metric type
 type MetricsConfig struct {
 	// +optional
 	Counters map[string]*CounterMetric `json:"counters,omitempty"`
 	// +optional
 	Gauges map[string]*GaugeMetric `json:"gauges,omitempty"`
 	// +optional
 	Histograms map[string]*HistogramMetric `json:"histograms,omitempty"`
 }
 // CounterMetric holds configuration of a single metric of type Counter
 type CounterMetric struct {
 	Labels []string `json:"labels"`
 }
 // GaugeMetric holds configuration of a single metric of type Gauge
 type GaugeMetric struct {
 	Labels []string `json:"labels"`
 }
 // HistogramMetric holds configuration of a single metric of type Histogram
 type HistogramMetric struct {
 	Labels  []string  `json:"labels"`
 	Buckets []float64 `json:"buckets,omitempty"`
 }
 // AutoscalingRunnerSetStatus defines the observed state of AutoscalingRunnerSet
 type AutoscalingRunnerSetStatus struct {
 	// +optional
-	CurrentRunners int `json:"currentRunners,omitempty"`
+	CurrentRunners int `json:"currentRunners"`
 	// +optional
-	State string `json:"state,omitempty"`
+	State string `json:"state"`
 	// EphemeralRunner counts separated by the stage ephemeral runners are in, taken from the EphemeralRunnerSet
 	// +optional
 	PendingEphemeralRunners int `json:"pendingEphemeralRunners"`
 	// +optional
 	RunningEphemeralRunners int `json:"runningEphemeralRunners"`
 	// +optional
 	FailedEphemeralRunners int `json:"failedEphemeralRunners"`
 }
 func (ars *AutoscalingRunnerSet) ListenerSpecHash() string {
 	type listenerSpec = AutoscalingRunnerSetSpec
 	arsSpec := ars.Spec.DeepCopy()
 	spec := arsSpec
 	return hash.ComputeTemplateHash(&spec)
 }
 func (ars *AutoscalingRunnerSet) GitHubConfigSecret() string {
 	return ars.Spec.GitHubConfigSecret
 }
 func (ars *AutoscalingRunnerSet) GitHubConfigUrl() string {
 	return ars.Spec.GitHubConfigUrl
 }
 func (ars *AutoscalingRunnerSet) GitHubProxy() *ProxyConfig {
 	return ars.Spec.Proxy
 }
 func (ars *AutoscalingRunnerSet) GitHubServerTLS() *TLSConfig {
 	return ars.Spec.GitHubServerTLS
 }
 func (ars *AutoscalingRunnerSet) VaultConfig() *VaultConfig {
 	return ars.Spec.VaultConfig
 }
 func (ars *AutoscalingRunnerSet) VaultProxy() *ProxyConfig {
 	if ars.Spec.VaultConfig != nil {
 		return ars.Spec.VaultConfig.Proxy
 	}
 	return nil
 }
 func (ars *AutoscalingRunnerSet) RunnerSetSpecHash() string {
 	type runnerSetSpec struct {
 		GitHubConfigUrl    string
@@ -248,7 +343,7 @@ func (ars *AutoscalingRunnerSet) RunnerSetSpecHash() string {
 		RunnerGroup        string
 		RunnerScaleSetName string
 		Proxy              *ProxyConfig
-		GitHubServerTLS    *GitHubServerTLSConfig
+		GitHubServerTLS    *TLSConfig
 		Template           corev1.PodTemplateSpec
 	}
 	spec := &runnerSetSpec{
@@ -263,7 +358,7 @@ func (ars *AutoscalingRunnerSet) RunnerSetSpecHash() string {
 	return hash.ComputeTemplateHash(&spec)
 }
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 // AutoscalingRunnerSetList contains a list of AutoscalingRunnerSet
 type AutoscalingRunnerSetList struct {
--- a/apis/actions.github.com/v1alpha1/ephemeralrunner_types.go
+++ b/apis/actions.github.com/v1alpha1/ephemeralrunner_types.go
@@ -21,8 +21,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
-//+kubebuilder:object:root=true
+// EphemeralRunnerContainerName is the name of the runner container.
-//+kubebuilder:subresource:status
+// It represents the name of the container running the self-hosted runner image.
 const EphemeralRunnerContainerName = "runner"
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:JSONPath=".spec.githubConfigUrl",name="GitHub Config URL",type=string
 // +kubebuilder:printcolumn:JSONPath=".status.runnerId",name=RunnerId,type=number
 // +kubebuilder:printcolumn:JSONPath=".status.phase",name=Status,type=string
@@ -30,6 +34,7 @@ import (
 // +kubebuilder:printcolumn:JSONPath=".status.jobWorkflowRef",name=JobWorkflowRef,type=string
 // +kubebuilder:printcolumn:JSONPath=".status.workflowRunId",name=WorkflowRunId,type=number
 // +kubebuilder:printcolumn:JSONPath=".status.jobDisplayName",name=JobDisplayName,type=string
 // +kubebuilder:printcolumn:JSONPath=".status.jobId",name=JobId,type=string
 // +kubebuilder:printcolumn:JSONPath=".status.message",name=Message,type=string
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
@@ -42,17 +47,69 @@ type EphemeralRunner struct {
 	Status EphemeralRunnerStatus `json:"status,omitempty"`
 }
 func (er *EphemeralRunner) IsDone() bool {
 	return er.Status.Phase == corev1.PodSucceeded || er.Status.Phase == corev1.PodFailed
 }
 func (er *EphemeralRunner) HasJob() bool {
 	return len(er.Status.JobID) > 0
 }
 func (er *EphemeralRunner) HasContainerHookConfigured() bool {
 	for i := range er.Spec.Spec.Containers {
 		if er.Spec.Spec.Containers[i].Name != EphemeralRunnerContainerName {
 			continue
 		}
 		for _, env := range er.Spec.Spec.Containers[i].Env {
 			if env.Name == "ACTIONS_RUNNER_CONTAINER_HOOKS" {
 				return true
 			}
 		}
 		return false
 	}
 	return false
 }
 func (er *EphemeralRunner) GitHubConfigSecret() string {
 	return er.Spec.GitHubConfigSecret
 }
 func (er *EphemeralRunner) GitHubConfigUrl() string {
 	return er.Spec.GitHubConfigUrl
 }
 func (er *EphemeralRunner) GitHubProxy() *ProxyConfig {
 	return er.Spec.Proxy
 }
 func (er *EphemeralRunner) GitHubServerTLS() *TLSConfig {
 	return er.Spec.GitHubServerTLS
 }
 func (er *EphemeralRunner) VaultConfig() *VaultConfig {
 	return er.Spec.VaultConfig
 }
 func (er *EphemeralRunner) VaultProxy() *ProxyConfig {
 	if er.Spec.VaultConfig != nil {
 		return er.Spec.VaultConfig.Proxy
 	}
 	return nil
 }
 // EphemeralRunnerSpec defines the desired state of EphemeralRunner
 type EphemeralRunnerSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 	// +required
 	GitHubConfigUrl string `json:"githubConfigUrl,omitempty"`
 	// +required
 	GitHubConfigSecret string `json:"githubConfigSecret,omitempty"`
 	// +optional
 	GitHubServerTLS *TLSConfig `json:"githubServerTLS,omitempty"`
 	// +required
 	RunnerScaleSetId int `json:"runnerScaleSetId,omitempty"`
@@ -63,17 +120,13 @@ type EphemeralRunnerSpec struct {
 	ProxySecretRef string `json:"proxySecretRef,omitempty"`
 	// +optional
-	GitHubServerTLS *GitHubServerTLSConfig `json:"githubServerTLS,omitempty"`
+	VaultConfig *VaultConfig `json:"vaultConfig,omitempty"`
 	// +required
 	corev1.PodTemplateSpec `json:",inline"`
 }
 // EphemeralRunnerStatus defines the observed state of EphemeralRunner
 type EphemeralRunnerStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 	// Turns true only if the runner is online.
 	// +optional
 	Ready bool `json:"ready"`
@@ -97,15 +150,16 @@ type EphemeralRunnerStatus struct {
 	RunnerId int `json:"runnerId,omitempty"`
 	// +optional
 	RunnerName string `json:"runnerName,omitempty"`
 	// +optional
 	RunnerJITConfig string `json:"runnerJITConfig,omitempty"`
 	// +optional
-	Failures map[string]bool `json:"failures,omitempty"`
+	Failures map[string]metav1.Time `json:"failures,omitempty"`
 	// +optional
 	JobRequestId int64 `json:"jobRequestId,omitempty"`
 	// +optional
 	JobID string `json:"jobId,omitempty"`
 	// +optional
 	JobRepositoryName string `json:"jobRepositoryName,omitempty"`
@@ -119,7 +173,21 @@ type EphemeralRunnerStatus struct {
 	JobDisplayName string `json:"jobDisplayName,omitempty"`
 }
-//+kubebuilder:object:root=true
+func (s *EphemeralRunnerStatus) LastFailure() metav1.Time {
 	var maxTime metav1.Time
 	if len(s.Failures) == 0 {
 		return maxTime
 	}
 	for _, ts := range s.Failures {
 		if ts.After(maxTime.Time) {
 			maxTime = ts
 		}
 	}
 	return maxTime
 }
 // +kubebuilder:object:root=true
 // EphemeralRunnerList contains a list of EphemeralRunner
 type EphemeralRunnerList struct {
--- a/apis/actions.github.com/v1alpha1/ephemeralrunnerset_types.go
+++ b/apis/actions.github.com/v1alpha1/ephemeralrunnerset_types.go
@@ -24,20 +24,33 @@ import (
 type EphemeralRunnerSetSpec struct {
 	// Replicas is the number of desired EphemeralRunner resources in the k8s namespace.
 	Replicas int `json:"replicas,omitempty"`
-
+	// PatchID is the unique identifier for the patch issued by the listener app
 	PatchID int `json:"patchID"`
 	// EphemeralRunnerSpec is the spec of the ephemeral runner
 	EphemeralRunnerSpec EphemeralRunnerSpec `json:"ephemeralRunnerSpec,omitempty"`
 }
 // EphemeralRunnerSetStatus defines the observed state of EphemeralRunnerSet
 type EphemeralRunnerSetStatus struct {
 	// CurrentReplicas is the number of currently running EphemeralRunner resources being managed by this EphemeralRunnerSet.
-	CurrentReplicas int `json:"currentReplicas,omitempty"`
+	CurrentReplicas int `json:"currentReplicas"`
 	// +optional
 	PendingEphemeralRunners int `json:"pendingEphemeralRunners"`
 	// +optional
 	RunningEphemeralRunners int `json:"runningEphemeralRunners"`
 	// +optional
 	FailedEphemeralRunners int `json:"failedEphemeralRunners"`
 }
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:JSONPath=".spec.replicas",name="DesiredReplicas",type="integer"
 // +kubebuilder:printcolumn:JSONPath=".status.currentReplicas", name="CurrentReplicas",type="integer"
 // +kubebuilder:printcolumn:JSONPath=".status.pendingEphemeralRunners",name=Pending Runners,type=integer
 // +kubebuilder:printcolumn:JSONPath=".status.runningEphemeralRunners",name=Running Runners,type=integer
 // +kubebuilder:printcolumn:JSONPath=".status.finishedEphemeralRunners",name=Finished Runners,type=integer
 // +kubebuilder:printcolumn:JSONPath=".status.deletingEphemeralRunners",name=Deleting Runners,type=integer
 // EphemeralRunnerSet is the Schema for the ephemeralrunnersets API
 type EphemeralRunnerSet struct {
 	metav1.TypeMeta   `json:",inline"`
@@ -47,9 +60,35 @@ type EphemeralRunnerSet struct {
 	Status EphemeralRunnerSetStatus `json:"status,omitempty"`
 }
-//+kubebuilder:object:root=true
+func (ers *EphemeralRunnerSet) GitHubConfigSecret() string {
 	return ers.Spec.EphemeralRunnerSpec.GitHubConfigSecret
 }
 func (ers *EphemeralRunnerSet) GitHubConfigUrl() string {
 	return ers.Spec.EphemeralRunnerSpec.GitHubConfigUrl
 }
 func (ers *EphemeralRunnerSet) GitHubProxy() *ProxyConfig {
 	return ers.Spec.EphemeralRunnerSpec.Proxy
 }
 func (ers *EphemeralRunnerSet) GitHubServerTLS() *TLSConfig {
 	return ers.Spec.EphemeralRunnerSpec.GitHubServerTLS
 }
 func (ers *EphemeralRunnerSet) VaultConfig() *VaultConfig {
 	return ers.Spec.EphemeralRunnerSpec.VaultConfig
 }
 func (ers *EphemeralRunnerSet) VaultProxy() *ProxyConfig {
 	if ers.Spec.EphemeralRunnerSpec.VaultConfig != nil {
 		return ers.Spec.EphemeralRunnerSpec.VaultConfig.Proxy
 	}
 	return nil
 }
 // EphemeralRunnerSetList contains a list of EphemeralRunnerSet
 // +kubebuilder:object:root=true
 type EphemeralRunnerSetList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
--- a/apis/actions.github.com/v1alpha1/tls_config_test.go
+++ b/apis/actions.github.com/v1alpha1/tls_config_test.go
@@ -17,7 +17,7 @@ import (
 func TestGitHubServerTLSConfig_ToCertPool(t *testing.T) {
 	t.Run("returns an error if CertificateFrom not specified", func(t *testing.T) {
-		c := &v1alpha1.GitHubServerTLSConfig{
+		c := &v1alpha1.TLSConfig{
 			CertificateFrom: nil,
 		}
@@ -29,7 +29,7 @@ func TestGitHubServerTLSConfig_ToCertPool(t *testing.T) {
 	})
 	t.Run("returns an error if CertificateFrom.ConfigMapKeyRef not specified", func(t *testing.T) {
-		c := &v1alpha1.GitHubServerTLSConfig{
+		c := &v1alpha1.TLSConfig{
 			CertificateFrom: &v1alpha1.TLSCertificateSource{},
 		}
@@ -41,7 +41,7 @@ func TestGitHubServerTLSConfig_ToCertPool(t *testing.T) {
 	})
 	t.Run("returns a valid cert pool with correct configuration", func(t *testing.T) {
-		c := &v1alpha1.GitHubServerTLSConfig{
+		c := &v1alpha1.TLSConfig{
 			CertificateFrom: &v1alpha1.TLSCertificateSource{
 				ConfigMapKeyRef: &v1.ConfigMapKeySelector{
 					LocalObjectReference: v1.LocalObjectReference{
--- a/apis/actions.github.com/v1alpha1/version.go
+++ b/apis/actions.github.com/v1alpha1/version.go
@@ -0,0 +1,72 @@
 package v1alpha1
 import "strings"
 func IsVersionAllowed(resourceVersion, buildVersion string) bool {
 	if buildVersion == "dev" || resourceVersion == buildVersion || strings.HasPrefix(buildVersion, "canary-") {
 		return true
 	}
 	rv, ok := parseSemver(resourceVersion)
 	if !ok {
 		return false
 	}
 	bv, ok := parseSemver(buildVersion)
 	if !ok {
 		return false
 	}
 	return rv.major == bv.major && rv.minor == bv.minor
 }
 type semver struct {
 	major string
 	minor string
 }
 func parseSemver(v string) (p semver, ok bool) {
 	if v == "" {
 		return
 	}
 	p.major, v, ok = parseInt(v)
 	if !ok {
 		return p, false
 	}
 	if v == "" {
 		p.minor = "0"
 		return p, true
 	}
 	if v[0] != '.' {
 		return p, false
 	}
 	p.minor, v, ok = parseInt(v[1:])
 	if !ok {
 		return p, false
 	}
 	if v == "" {
 		return p, true
 	}
 	if v[0] != '.' {
 		return p, false
 	}
 	if _, _, ok = parseInt(v[1:]); !ok {
 		return p, false
 	}
 	return p, true
 }
 func parseInt(v string) (t, rest string, ok bool) {
 	if v == "" {
 		return
 	}
 	if v[0] < '0' || '9' < v[0] {
 		return
 	}
 	i := 1
 	for i < len(v) && '0' <= v[i] && v[i] <= '9' {
 		i++
 	}
 	if v[0] == '0' && i != 1 {
 		return
 	}
 	return v[:i], v[i:], true
 }
--- a/apis/actions.github.com/v1alpha1/version_test.go
+++ b/apis/actions.github.com/v1alpha1/version_test.go
@@ -0,0 +1,60 @@
 package v1alpha1_test
 import (
 	"testing"
 	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
 	"github.com/stretchr/testify/assert"
 )
 func TestIsVersionAllowed(t *testing.T) {
 	t.Parallel()
 	tt := map[string]struct {
 		resourceVersion string
 		buildVersion    string
 		want            bool
 	}{
 		"dev should always be allowed": {
 			resourceVersion: "0.11.0",
 			buildVersion:    "dev",
 			want:            true,
 		},
 		"resourceVersion is not semver": {
 			resourceVersion: "dev",
 			buildVersion:    "0.11.0",
 			want:            false,
 		},
 		"buildVersion is not semver": {
 			resourceVersion: "0.11.0",
 			buildVersion:    "NA",
 			want:            false,
 		},
 		"major version mismatch": {
 			resourceVersion: "0.11.0",
 			buildVersion:    "1.11.0",
 			want:            false,
 		},
 		"minor version mismatch": {
 			resourceVersion: "0.11.0",
 			buildVersion:    "0.10.0",
 			want:            false,
 		},
 		"patch version mismatch": {
 			resourceVersion: "0.11.1",
 			buildVersion:    "0.11.0",
 			want:            true,
 		},
 		"arbitrary version match": {
 			resourceVersion: "abc",
 			buildVersion:    "abc",
 			want:            true,
 		},
 	}
 	for name, tc := range tt {
 		t.Run(name, func(t *testing.T) {
 			got := v1alpha1.IsVersionAllowed(tc.resourceVersion, tc.buildVersion)
 			assert.Equal(t, tc.want, got)
 		})
 	}
 }
--- a/apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 /*
 Copyright 2020 The actions-runner-controller authors.
@@ -23,6 +22,7 @@ package v1alpha1
 import (
 	"k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
@@ -100,7 +100,22 @@ func (in *AutoscalingListenerSpec) DeepCopyInto(out *AutoscalingListenerSpec) {
 	}
 	if in.GitHubServerTLS != nil {
 		in, out := &in.GitHubServerTLS, &out.GitHubServerTLS
-		*out = new(GitHubServerTLSConfig)
+		*out = new(TLSConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.VaultConfig != nil {
 		in, out := &in.VaultConfig, &out.VaultConfig
 		*out = new(VaultConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.Metrics != nil {
 		in, out := &in.Metrics, &out.Metrics
 		*out = new(MetricsConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.Template != nil {
 		in, out := &in.Template, &out.Template
 		*out = new(v1.PodTemplateSpec)
 		(*in).DeepCopyInto(*out)
 	}
 }
@@ -199,10 +214,25 @@ func (in *AutoscalingRunnerSetSpec) DeepCopyInto(out *AutoscalingRunnerSetSpec)
 	}
 	if in.GitHubServerTLS != nil {
 		in, out := &in.GitHubServerTLS, &out.GitHubServerTLS
-		*out = new(GitHubServerTLSConfig)
+		*out = new(TLSConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.VaultConfig != nil {
 		in, out := &in.VaultConfig, &out.VaultConfig
 		*out = new(VaultConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	in.Template.DeepCopyInto(&out.Template)
 	if in.ListenerMetrics != nil {
 		in, out := &in.ListenerMetrics, &out.ListenerMetrics
 		*out = new(MetricsConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.ListenerTemplate != nil {
 		in, out := &in.ListenerTemplate, &out.ListenerTemplate
 		*out = new(v1.PodTemplateSpec)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.MaxRunners != nil {
 		in, out := &in.MaxRunners, &out.MaxRunners
 		*out = new(int)
@@ -240,6 +270,41 @@ func (in *AutoscalingRunnerSetStatus) DeepCopy() *AutoscalingRunnerSetStatus {
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AzureKeyVaultConfig) DeepCopyInto(out *AzureKeyVaultConfig) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKeyVaultConfig.
 func (in *AzureKeyVaultConfig) DeepCopy() *AzureKeyVaultConfig {
 	if in == nil {
 		return nil
 	}
 	out := new(AzureKeyVaultConfig)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CounterMetric) DeepCopyInto(out *CounterMetric) {
 	*out = *in
 	if in.Labels != nil {
 		in, out := &in.Labels, &out.Labels
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CounterMetric.
 func (in *CounterMetric) DeepCopy() *CounterMetric {
 	if in == nil {
 		return nil
 	}
 	out := new(CounterMetric)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EphemeralRunner) DeepCopyInto(out *EphemeralRunner) {
 	*out = *in
@@ -392,14 +457,19 @@ func (in *EphemeralRunnerSetStatus) DeepCopy() *EphemeralRunnerSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EphemeralRunnerSpec) DeepCopyInto(out *EphemeralRunnerSpec) {
 	*out = *in
 	if in.GitHubServerTLS != nil {
 		in, out := &in.GitHubServerTLS, &out.GitHubServerTLS
 		*out = new(TLSConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.Proxy != nil {
 		in, out := &in.Proxy, &out.Proxy
 		*out = new(ProxyConfig)
 		(*in).DeepCopyInto(*out)
 	}
-	if in.GitHubServerTLS != nil {
+	if in.VaultConfig != nil {
-		in, out := &in.GitHubServerTLS, &out.GitHubServerTLS
+		in, out := &in.VaultConfig, &out.VaultConfig
-		*out = new(GitHubServerTLSConfig)
+		*out = new(VaultConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	in.PodTemplateSpec.DeepCopyInto(&out.PodTemplateSpec)
@@ -420,9 +490,9 @@ func (in *EphemeralRunnerStatus) DeepCopyInto(out *EphemeralRunnerStatus) {
 	*out = *in
 	if in.Failures != nil {
 		in, out := &in.Failures, &out.Failures
-		*out = make(map[string]bool, len(*in))
+		*out = make(map[string]metav1.Time, len(*in))
 		for key, val := range *in {
-			(*out)[key] = val
+			(*out)[key] = *val.DeepCopy()
 		}
 	}
 }
@@ -438,21 +508,109 @@ func (in *EphemeralRunnerStatus) DeepCopy() *EphemeralRunnerStatus {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GitHubServerTLSConfig) DeepCopyInto(out *GitHubServerTLSConfig) {
+func (in *GaugeMetric) DeepCopyInto(out *GaugeMetric) {
 	*out = *in
-	if in.CertificateFrom != nil {
+	if in.Labels != nil {
-		in, out := &in.CertificateFrom, &out.CertificateFrom
+		in, out := &in.Labels, &out.Labels
-		*out = new(TLSCertificateSource)
+		*out = make([]string, len(*in))
-		(*in).DeepCopyInto(*out)
+		copy(*out, *in)
 	}
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubServerTLSConfig.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GaugeMetric.
-func (in *GitHubServerTLSConfig) DeepCopy() *GitHubServerTLSConfig {
+func (in *GaugeMetric) DeepCopy() *GaugeMetric {
 	if in == nil {
 		return nil
 	}
-	out := new(GitHubServerTLSConfig)
+	out := new(GaugeMetric)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HistogramMetric) DeepCopyInto(out *HistogramMetric) {
 	*out = *in
 	if in.Labels != nil {
 		in, out := &in.Labels, &out.Labels
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
 	if in.Buckets != nil {
 		in, out := &in.Buckets, &out.Buckets
 		*out = make([]float64, len(*in))
 		copy(*out, *in)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HistogramMetric.
 func (in *HistogramMetric) DeepCopy() *HistogramMetric {
 	if in == nil {
 		return nil
 	}
 	out := new(HistogramMetric)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricsConfig) DeepCopyInto(out *MetricsConfig) {
 	*out = *in
 	if in.Counters != nil {
 		in, out := &in.Counters, &out.Counters
 		*out = make(map[string]*CounterMetric, len(*in))
 		for key, val := range *in {
 			var outVal *CounterMetric
 			if val == nil {
 				(*out)[key] = nil
 			} else {
 				inVal := (*in)[key]
 				in, out := &inVal, &outVal
 				*out = new(CounterMetric)
 				(*in).DeepCopyInto(*out)
 			}
 			(*out)[key] = outVal
 		}
 	}
 	if in.Gauges != nil {
 		in, out := &in.Gauges, &out.Gauges
 		*out = make(map[string]*GaugeMetric, len(*in))
 		for key, val := range *in {
 			var outVal *GaugeMetric
 			if val == nil {
 				(*out)[key] = nil
 			} else {
 				inVal := (*in)[key]
 				in, out := &inVal, &outVal
 				*out = new(GaugeMetric)
 				(*in).DeepCopyInto(*out)
 			}
 			(*out)[key] = outVal
 		}
 	}
 	if in.Histograms != nil {
 		in, out := &in.Histograms, &out.Histograms
 		*out = make(map[string]*HistogramMetric, len(*in))
 		for key, val := range *in {
 			var outVal *HistogramMetric
 			if val == nil {
 				(*out)[key] = nil
 			} else {
 				inVal := (*in)[key]
 				in, out := &inVal, &outVal
 				*out = new(HistogramMetric)
 				(*in).DeepCopyInto(*out)
 			}
 			(*out)[key] = outVal
 		}
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricsConfig.
 func (in *MetricsConfig) DeepCopy() *MetricsConfig {
 	if in == nil {
 		return nil
 	}
 	out := new(MetricsConfig)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -521,3 +679,48 @@ func (in *TLSCertificateSource) DeepCopy() *TLSCertificateSource {
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSConfig) DeepCopyInto(out *TLSConfig) {
 	*out = *in
 	if in.CertificateFrom != nil {
 		in, out := &in.CertificateFrom, &out.CertificateFrom
 		*out = new(TLSCertificateSource)
 		(*in).DeepCopyInto(*out)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig.
 func (in *TLSConfig) DeepCopy() *TLSConfig {
 	if in == nil {
 		return nil
 	}
 	out := new(TLSConfig)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VaultConfig) DeepCopyInto(out *VaultConfig) {
 	*out = *in
 	if in.AzureKeyVault != nil {
 		in, out := &in.AzureKeyVault, &out.AzureKeyVault
 		*out = new(AzureKeyVaultConfig)
 		**out = **in
 	}
 	if in.Proxy != nil {
 		in, out := &in.Proxy, &out.Proxy
 		*out = new(ProxyConfig)
 		(*in).DeepCopyInto(*out)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultConfig.
 func (in *VaultConfig) DeepCopy() *VaultConfig {
 	if in == nil {
 		return nil
 	}
 	out := new(VaultConfig)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/apis/actions.summerwind.net/v1alpha1/horizontalrunnerautoscaler_types.go
+++ b/apis/actions.summerwind.net/v1alpha1/horizontalrunnerautoscaler_types.go
@@ -22,7 +22,7 @@ import (
 // HorizontalRunnerAutoscalerSpec defines the desired state of HorizontalRunnerAutoscaler
 type HorizontalRunnerAutoscalerSpec struct {
-	// ScaleTargetRef sis the reference to scaled resource like RunnerDeployment
+	// ScaleTargetRef is the reference to scaled resource like RunnerDeployment
 	ScaleTargetRef ScaleTargetRef `json:"scaleTargetRef,omitempty"`
 	// MinReplicas is the minimum number of replicas the deployment is allowed to scale
--- a/apis/actions.summerwind.net/v1alpha1/runner_types.go
+++ b/apis/actions.summerwind.net/v1alpha1/runner_types.go
@@ -70,6 +70,8 @@ type RunnerConfig struct {
 	// +optional
 	DockerRegistryMirror *string `json:"dockerRegistryMirror,omitempty"`
 	// +optional
 	DockerVarRunVolumeSizeLimit *resource.Quantity `json:"dockerVarRunVolumeSizeLimit,omitempty"`
 	// +optional
 	VolumeSizeLimit *resource.Quantity `json:"volumeSizeLimit,omitempty"`
 	// +optional
 	VolumeStorageMedium *string `json:"volumeStorageMedium,omitempty"`
@@ -213,10 +215,10 @@ func (rs *RunnerSpec) validateRepository() error {
 		foundCount += 1
 	}
 	if foundCount == 0 {
-		return errors.New("Spec needs enterprise, organization or repository")
+		return errors.New("spec needs enterprise, organization or repository")
 	}
 	if foundCount > 1 {
-		return errors.New("Spec cannot have many fields defined enterprise, organization and repository")
+		return errors.New("spec cannot have many fields defined enterprise, organization and repository")
 	}
 	return nil
@@ -315,19 +317,19 @@ type RunnerStatusRegistration struct {
 type WorkVolumeClaimTemplate struct {
 	StorageClassName string                              `json:"storageClassName"`
 	AccessModes      []corev1.PersistentVolumeAccessMode `json:"accessModes"`
-	Resources        corev1.ResourceRequirements         `json:"resources"`
+	Resources        corev1.VolumeResourceRequirements   `json:"resources"`
 }
 func (w *WorkVolumeClaimTemplate) validate() error {
-	if w.AccessModes == nil || len(w.AccessModes) == 0 {
+	if len(w.AccessModes) == 0 {
-		return errors.New("Access mode should have at least one mode specified")
+		return errors.New("access mode should have at least one mode specified")
 	}
 	for _, accessMode := range w.AccessModes {
 		switch accessMode {
 		case corev1.ReadWriteOnce, corev1.ReadWriteMany:
 		default:
-			return fmt.Errorf("Access mode %v is not supported", accessMode)
+			return fmt.Errorf("access mode %v is not supported", accessMode)
 		}
 	}
 	return nil
--- a/apis/actions.summerwind.net/v1alpha1/runner_webhook.go
+++ b/apis/actions.summerwind.net/v1alpha1/runner_webhook.go
@@ -17,12 +17,16 @@ limitations under the License.
 package v1alpha1
 import (
 	"context"
 	"fmt"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 // log is for logging in this package.
@@ -31,37 +35,52 @@ var runnerLog = logf.Log.WithName("runner-resource")
 func (r *Runner) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
 		WithDefaulter(&RunnerDefaulter{}).
 		WithValidator(&RunnerValidator{}).
 		Complete()
 }
 // +kubebuilder:webhook:path=/mutate-actions-summerwind-dev-v1alpha1-runner,verbs=create;update,mutating=true,failurePolicy=fail,groups=actions.summerwind.dev,resources=runners,versions=v1alpha1,name=mutate.runner.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
-var _ webhook.Defaulter = &Runner{}
+var _ webhook.CustomDefaulter = &RunnerDefaulter{}
 type RunnerDefaulter struct{}
 // Default implements webhook.Defaulter so a webhook will be registered for the type
-func (r *Runner) Default() {
+func (*RunnerDefaulter) Default(ctx context.Context, obj runtime.Object) error {
 	// Nothing to do.
 	return nil
 }
 // +kubebuilder:webhook:path=/validate-actions-summerwind-dev-v1alpha1-runner,verbs=create;update,mutating=false,failurePolicy=fail,groups=actions.summerwind.dev,resources=runners,versions=v1alpha1,name=validate.runner.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
-var _ webhook.Validator = &Runner{}
+var _ webhook.CustomValidator = &RunnerValidator{}
 type RunnerValidator struct{}
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *Runner) ValidateCreate() error {
+func (*RunnerValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	r, ok := obj.(*Runner)
 	if !ok {
 		return nil, fmt.Errorf("expected Runner object, got %T", obj)
 	}
 	runnerLog.Info("validate resource to be created", "name", r.Name)
-	return r.Validate()
+	return nil, r.Validate()
 }
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *Runner) ValidateUpdate(old runtime.Object) error {
+func (*RunnerValidator) ValidateUpdate(ctx context.Context, old, obj runtime.Object) (admission.Warnings, error) {
 	r, ok := obj.(*Runner)
 	if !ok {
 		return nil, fmt.Errorf("expected Runner object, got %T", obj)
 	}
 	runnerLog.Info("validate resource to be updated", "name", r.Name)
-	return r.Validate()
+	return nil, r.Validate()
 }
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *Runner) ValidateDelete() error {
+func (*RunnerValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
-	return nil
+	return nil, nil
 }
 // Validate validates resource spec.
--- a/apis/actions.summerwind.net/v1alpha1/runnerdeployment_types.go
+++ b/apis/actions.summerwind.net/v1alpha1/runnerdeployment_types.go
@@ -77,6 +77,11 @@ type RunnerDeploymentStatus struct {
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=rdeploy
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:JSONPath=".spec.template.spec.enterprise",name=Enterprise,type=string
 // +kubebuilder:printcolumn:JSONPath=".spec.template.spec.organization",name=Organization,type=string
 // +kubebuilder:printcolumn:JSONPath=".spec.template.spec.repository",name=Repository,type=string
 // +kubebuilder:printcolumn:JSONPath=".spec.template.spec.group",name=Group,type=string
 // +kubebuilder:printcolumn:JSONPath=".spec.template.spec.labels",name=Labels,type=string
 // +kubebuilder:printcolumn:JSONPath=".spec.replicas",name=Desired,type=number
 // +kubebuilder:printcolumn:JSONPath=".status.replicas",name=Current,type=number
 // +kubebuilder:printcolumn:JSONPath=".status.updatedReplicas",name=Up-To-Date,type=number
--- a/apis/actions.summerwind.net/v1alpha1/runnerdeployment_webhook.go
+++ b/apis/actions.summerwind.net/v1alpha1/runnerdeployment_webhook.go
@@ -17,12 +17,16 @@ limitations under the License.
 package v1alpha1
 import (
 	"context"
 	"fmt"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 // log is for logging in this package.
@@ -31,37 +35,52 @@ var runnerDeploymentLog = logf.Log.WithName("runnerdeployment-resource")
 func (r *RunnerDeployment) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
 		WithDefaulter(&RunnerDeploymentDefaulter{}).
 		WithValidator(&RunnerDeploymentValidator{}).
 		Complete()
 }
 // +kubebuilder:webhook:path=/mutate-actions-summerwind-dev-v1alpha1-runnerdeployment,verbs=create;update,mutating=true,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerdeployments,versions=v1alpha1,name=mutate.runnerdeployment.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
-var _ webhook.Defaulter = &RunnerDeployment{}
+var _ webhook.CustomDefaulter = &RunnerDeploymentDefaulter{}
 type RunnerDeploymentDefaulter struct{}
 // Default implements webhook.Defaulter so a webhook will be registered for the type
-func (r *RunnerDeployment) Default() {
+func (*RunnerDeploymentDefaulter) Default(context.Context, runtime.Object) error {
 	// Nothing to do.
 	return nil
 }
 // +kubebuilder:webhook:path=/validate-actions-summerwind-dev-v1alpha1-runnerdeployment,verbs=create;update,mutating=false,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerdeployments,versions=v1alpha1,name=validate.runnerdeployment.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
-var _ webhook.Validator = &RunnerDeployment{}
+var _ webhook.CustomValidator = &RunnerDeploymentValidator{}
 type RunnerDeploymentValidator struct{}
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerDeployment) ValidateCreate() error {
+func (*RunnerDeploymentValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	r, ok := obj.(*RunnerDeployment)
 	if !ok {
 		return nil, fmt.Errorf("expected RunnerDeployment object, got %T", obj)
 	}
 	runnerDeploymentLog.Info("validate resource to be created", "name", r.Name)
-	return r.Validate()
+	return nil, r.Validate()
 }
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerDeployment) ValidateUpdate(old runtime.Object) error {
+func (*RunnerDeploymentValidator) ValidateUpdate(ctx context.Context, old, obj runtime.Object) (admission.Warnings, error) {
 	r, ok := obj.(*RunnerDeployment)
 	if !ok {
 		return nil, fmt.Errorf("expected RunnerDeployment object, got %T", obj)
 	}
 	runnerDeploymentLog.Info("validate resource to be updated", "name", r.Name)
-	return r.Validate()
+	return nil, r.Validate()
 }
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerDeployment) ValidateDelete() error {
+func (*RunnerDeploymentValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
-	return nil
+	return nil, nil
 }
 // Validate validates resource spec.
--- a/apis/actions.summerwind.net/v1alpha1/runnerreplicaset_webhook.go
+++ b/apis/actions.summerwind.net/v1alpha1/runnerreplicaset_webhook.go
@@ -17,12 +17,16 @@ limitations under the License.
 package v1alpha1
 import (
 	"context"
 	"fmt"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 // log is for logging in this package.
@@ -31,37 +35,52 @@ var runnerReplicaSetLog = logf.Log.WithName("runnerreplicaset-resource")
 func (r *RunnerReplicaSet) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
 		WithDefaulter(&RunnerReplicaSetDefaulter{}).
 		WithValidator(&RunnerReplicaSetValidator{}).
 		Complete()
 }
 // +kubebuilder:webhook:path=/mutate-actions-summerwind-dev-v1alpha1-runnerreplicaset,verbs=create;update,mutating=true,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerreplicasets,versions=v1alpha1,name=mutate.runnerreplicaset.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
-var _ webhook.Defaulter = &RunnerReplicaSet{}
+var _ webhook.CustomDefaulter = &RunnerReplicaSetDefaulter{}
 type RunnerReplicaSetDefaulter struct{}
 // Default implements webhook.Defaulter so a webhook will be registered for the type
-func (r *RunnerReplicaSet) Default() {
+func (*RunnerReplicaSetDefaulter) Default(context.Context, runtime.Object) error {
 	// Nothing to do.
 	return nil
 }
 // +kubebuilder:webhook:path=/validate-actions-summerwind-dev-v1alpha1-runnerreplicaset,verbs=create;update,mutating=false,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerreplicasets,versions=v1alpha1,name=validate.runnerreplicaset.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
-var _ webhook.Validator = &RunnerReplicaSet{}
+var _ webhook.CustomValidator = &RunnerReplicaSetValidator{}
 type RunnerReplicaSetValidator struct{}
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerReplicaSet) ValidateCreate() error {
+func (*RunnerReplicaSetValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	r, ok := obj.(*RunnerReplicaSet)
 	if !ok {
 		return nil, fmt.Errorf("expected RunnerReplicaSet object, got %T", obj)
 	}
 	runnerReplicaSetLog.Info("validate resource to be created", "name", r.Name)
-	return r.Validate()
+	return nil, r.Validate()
 }
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerReplicaSet) ValidateUpdate(old runtime.Object) error {
+func (*RunnerReplicaSetValidator) ValidateUpdate(ctx context.Context, old, obj runtime.Object) (admission.Warnings, error) {
 	r, ok := obj.(*RunnerReplicaSet)
 	if !ok {
 		return nil, fmt.Errorf("expected RunnerReplicaSet object, got %T", obj)
 	}
 	runnerReplicaSetLog.Info("validate resource to be updated", "name", r.Name)
-	return r.Validate()
+	return nil, r.Validate()
 }
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerReplicaSet) ValidateDelete() error {
+func (*RunnerReplicaSetValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
-	return nil
+	return nil, nil
 }
 // Validate validates resource spec.
--- a/apis/actions.summerwind.net/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/actions.summerwind.net/v1alpha1/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 /*
 Copyright 2020 The actions-runner-controller authors.
@@ -436,6 +435,11 @@ func (in *RunnerConfig) DeepCopyInto(out *RunnerConfig) {
 		*out = new(string)
 		**out = **in
 	}
 	if in.DockerVarRunVolumeSizeLimit != nil {
 		in, out := &in.DockerVarRunVolumeSizeLimit, &out.DockerVarRunVolumeSizeLimit
 		x := (*in).DeepCopy()
 		*out = &x
 	}
 	if in.VolumeSizeLimit != nil {
 		in, out := &in.VolumeSizeLimit, &out.VolumeSizeLimit
 		x := (*in).DeepCopy()
@@ -463,6 +467,21 @@ func (in *RunnerConfig) DeepCopy() *RunnerConfig {
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerDefaulter) DeepCopyInto(out *RunnerDefaulter) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerDefaulter.
 func (in *RunnerDefaulter) DeepCopy() *RunnerDefaulter {
 	if in == nil {
 		return nil
 	}
 	out := new(RunnerDefaulter)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerDeployment) DeepCopyInto(out *RunnerDeployment) {
 	*out = *in
@@ -490,6 +509,21 @@ func (in *RunnerDeployment) DeepCopyObject() runtime.Object {
 	return nil
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerDeploymentDefaulter) DeepCopyInto(out *RunnerDeploymentDefaulter) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerDeploymentDefaulter.
 func (in *RunnerDeploymentDefaulter) DeepCopy() *RunnerDeploymentDefaulter {
 	if in == nil {
 		return nil
 	}
 	out := new(RunnerDeploymentDefaulter)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerDeploymentList) DeepCopyInto(out *RunnerDeploymentList) {
 	*out = *in
@@ -592,6 +626,21 @@ func (in *RunnerDeploymentStatus) DeepCopy() *RunnerDeploymentStatus {
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerDeploymentValidator) DeepCopyInto(out *RunnerDeploymentValidator) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerDeploymentValidator.
 func (in *RunnerDeploymentValidator) DeepCopy() *RunnerDeploymentValidator {
 	if in == nil {
 		return nil
 	}
 	out := new(RunnerDeploymentValidator)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerList) DeepCopyInto(out *RunnerList) {
 	*out = *in
@@ -811,6 +860,21 @@ func (in *RunnerReplicaSet) DeepCopyObject() runtime.Object {
 	return nil
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerReplicaSetDefaulter) DeepCopyInto(out *RunnerReplicaSetDefaulter) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerReplicaSetDefaulter.
 func (in *RunnerReplicaSetDefaulter) DeepCopy() *RunnerReplicaSetDefaulter {
 	if in == nil {
 		return nil
 	}
 	out := new(RunnerReplicaSetDefaulter)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerReplicaSetList) DeepCopyInto(out *RunnerReplicaSetList) {
 	*out = *in
@@ -903,6 +967,21 @@ func (in *RunnerReplicaSetStatus) DeepCopy() *RunnerReplicaSetStatus {
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerReplicaSetValidator) DeepCopyInto(out *RunnerReplicaSetValidator) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerReplicaSetValidator.
 func (in *RunnerReplicaSetValidator) DeepCopy() *RunnerReplicaSetValidator {
 	if in == nil {
 		return nil
 	}
 	out := new(RunnerReplicaSetValidator)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerSet) DeepCopyInto(out *RunnerSet) {
 	*out = *in
@@ -1108,6 +1187,21 @@ func (in *RunnerTemplate) DeepCopy() *RunnerTemplate {
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerValidator) DeepCopyInto(out *RunnerValidator) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerValidator.
 func (in *RunnerValidator) DeepCopy() *RunnerValidator {
 	if in == nil {
 		return nil
 	}
 	out := new(RunnerValidator)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScaleTargetRef) DeepCopyInto(out *ScaleTargetRef) {
 	*out = *in
--- a/build/version.go
+++ b/build/version.go
@@ -2,3 +2,5 @@ package build
 // This is overridden at build-time using go-build ldflags. dev is the fallback value
 var Version = "NA"
 var CommitSHA = "NA"
--- a/charts/.ci/ct-config-gha.yaml
+++ b/charts/.ci/ct-config-gha.yaml
@@ -0,0 +1,11 @@
 # This file defines the config for "ct" (chart tester) used by the helm linting GitHub workflow
 remote: origin
 target-branch: master
 lint-conf: charts/.ci/lint-config.yaml
 chart-repos:
  - jetstack=https://charts.jetstack.io
 check-version-increment: false # Disable checking that the chart version has been bumped
 charts:
  - charts/gha-runner-scale-set-controller
  - charts/gha-runner-scale-set
 skip-clean-up: true
--- a/charts/.ci/ct-config.yaml
+++ b/charts/.ci/ct-config.yaml
@@ -1,9 +1,9 @@
 # This file defines the config for "ct" (chart tester) used by the helm linting GitHub workflow
 remote: origin
 target-branch: master
 lint-conf: charts/.ci/lint-config.yaml
 chart-repos:
  - jetstack=https://charts.jetstack.io
 check-version-increment: false # Disable checking that the chart version has been bumped
 charts:
- charts/actions-runner-controller
+  - charts/actions-runner-controller
 - charts/gha-runner-scale-set-controller
 - charts/gha-runner-scale-set
--- a/charts/.ci/scripts/local-kube-score.sh
+++ b/charts/.ci/scripts/local-kube-score.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
 for chart in `ls charts`;
 do
 helm template --values charts/$chart/ci/ci-values.yaml charts/$chart | kube-score score - \
@@ -12,4 +11,4 @@ helm template --values charts/$chart/ci/ci-values.yaml charts/$chart | kube-scor
    --enable-optional-test container-security-context-privileged \
    --enable-optional-test container-security-context-readonlyrootfilesystem \
    --ignore-test container-security-context
-done
+done
--- a/charts/actions-runner-controller/Chart.yaml
+++ b/charts/actions-runner-controller/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.22.0
+version: 0.23.7
 # Used as the default manager tag value when no tag property is provided in the values.yaml
-appVersion: 0.27.0
+appVersion: 0.27.6
 home: https://github.com/actions/actions-runner-controller
--- a/charts/actions-runner-controller/README.md
+++ b/charts/actions-runner-controller/README.md
@@ -8,144 +8,157 @@ All additional docs are kept in the `docs/` folder, this README is solely for do
 > _Default values are the defaults set in the charts `values.yaml`, some properties have default configurations in the code for when the property is omitted or invalid_
-| Key                                                      | Description                                                                                                                               | Default                                                                                         |
+| Key                                                       | Description                                                                                                                               | Default                                                                                         |
-|----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|
+|-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|
-| `labels`                                                 | Set labels to apply to all resources in the chart                                                                                         |                                                                                                 |
+| `labels`                                                  | Set labels to apply to all resources in the chart                                                                                         |                                                                                                 |
-| `replicaCount`                                           | Set the number of controller pods                                                                                                         | 1                                                                                               |
+| `replicaCount`                                            | Set the number of controller pods                                                                                                         | 1                                                                                               |
-| `webhookPort`                                            | Set the containerPort for the webhook Pod                                                                                                 | 9443                                                                                            |
+| `webhookPort`                                             | Set the containerPort for the webhook Pod                                                                                                 | 9443                                                                                            |
-| `syncPeriod`                                             | Set the period in which the controller reconciles the desired runners count                                                               | 1m                                                                                              |
+| `syncPeriod`                                              | Set the period in which the controller reconciles the desired runners count                                                               | 1m                                                                                              |
-| `enableLeaderElection`                                   | Enable election configuration                                                                                                             | true                                                                                            |
+| `enableLeaderElection`                                    | Enable election configuration                                                                                                             | true                                                                                            |
-| `leaderElectionId`                                       | Set the election ID for the controller group                                                                                              |                                                                                                 |
+| `leaderElectionId`                                        | Set the election ID for the controller group                                                                                              |                                                                                                 |
-| `githubEnterpriseServerURL`                              | Set the URL for a self-hosted GitHub Enterprise Server                                                                                    |                                                                                                 |
+| `githubEnterpriseServerURL`                               | Set the URL for a self-hosted GitHub Enterprise Server                                                                                    |                                                                                                 |
-| `githubURL`                                              | Override GitHub URL to be used for GitHub API calls                                                                                       |                                                                                                 |
+| `githubURL`                                               | Override GitHub URL to be used for GitHub API calls                                                                                       |                                                                                                 |
-| `githubUploadURL`                                        | Override GitHub Upload URL to be used for GitHub API calls                                                                                |                                                                                                 |
+| `githubUploadURL`                                         | Override GitHub Upload URL to be used for GitHub API calls                                                                                |                                                                                                 |
-| `runnerGithubURL`                                        | Override GitHub URL to be used by runners during registration                                                                             |                                                                                                 |
+| `runnerGithubURL`                                         | Override GitHub URL to be used by runners during registration                                                                             |                                                                                                 |
-| `logLevel`                                               | Set the log level of the controller container                                                                                             |                                                                                                 |
+| `logLevel`                                                | Set the log level of the controller container                                                                                             |                                                                                                 |
-| `logFormat`                                              | Set the log format of the controller. Valid options are "text" and "json"                                                                 | text                                                                                            |
+| `logFormat`                                               | Set the log format of the controller. Valid options are "text" and "json"                                                                 | text                                                                                            |
-| `additionalVolumes`                                      | Set additional volumes to add to the manager container                                                                                    |                                                                                                 |
+| `additionalVolumes`                                       | Set additional volumes to add to the manager container                                                                                    |                                                                                                 |
-| `additionalVolumeMounts`                                 | Set additional volume mounts to add to the manager container                                                                              |                                                                                                 |
+| `additionalVolumeMounts`                                  | Set additional volume mounts to add to the manager container                                                                              |                                                                                                 |
-| `authSecret.create`                                      | Deploy the controller auth secret                                                                                                         | false                                                                                           |
+| `authSecret.create`                                       | Deploy the controller auth secret                                                                                                         | false                                                                                           |
-| `authSecret.name`                                        | Set the name of the auth secret                                                                                                           | controller-manager                                                                              |
+| `authSecret.name`                                         | Set the name of the auth secret                                                                                                           | controller-manager                                                                              |
-| `authSecret.annotations`                                 | Set annotations for the auth Secret                                                                                                       |                                                                                                 |
+| `authSecret.annotations`                                  | Set annotations for the auth Secret                                                                                                       |                                                                                                 |
-| `authSecret.github_app_id`                               | The ID of your GitHub App. **This can't be set at the same time as `authSecret.github_token`**                                            |                                                                                                 |
+| `authSecret.github_app_id`                                | The ID of your GitHub App. **This can't be set at the same time as `authSecret.github_token`**                                            |                                                                                                 |
-| `authSecret.github_app_installation_id`                  | The ID of your GitHub App installation. **This can't be set at the same time as `authSecret.github_token`**                               |                                                                                                 |
+| `authSecret.github_app_installation_id`                   | The ID of your GitHub App installation. **This can't be set at the same time as `authSecret.github_token`**                               |                                                                                                 |
-| `authSecret.github_app_private_key`                      | The multiline string of your GitHub App's private key. **This can't be set at the same time as `authSecret.github_token`**                |                                                                                                 |
+| `authSecret.github_app_private_key`                       | The multiline string of your GitHub App's private key. **This can't be set at the same time as `authSecret.github_token`**                |                                                                                                 |
-| `authSecret.github_token`                                | Your chosen GitHub PAT token. **This can't be set at the same time as the `authSecret.github_app_*`**                                     |                                                                                                 |
+| `authSecret.github_token`                                 | Your chosen GitHub PAT token. **This can't be set at the same time as the `authSecret.github_app_*`**                                     |                                                                                                 |
-| `authSecret.github_basicauth_username`                   | Username for GitHub basic auth to use instead of PAT or GitHub APP in case it's running behind a proxy API                                |                                                                                                 |
+| `authSecret.github_basicauth_username`                    | Username for GitHub basic auth to use instead of PAT or GitHub APP in case it's running behind a proxy API                                |                                                                                                 |
-| `authSecret.github_basicauth_password`                   | Password for GitHub basic auth to use instead of PAT or GitHub APP in case it's running behind a proxy API                                |                                                                                                 |
+| `authSecret.github_basicauth_password`                    | Password for GitHub basic auth to use instead of PAT or GitHub APP in case it's running behind a proxy API                                |                                                                                                 |
-| `dockerRegistryMirror`                                   | The default Docker Registry Mirror used by runners.                                                                                       |                                                                                                 |
+| `dockerRegistryMirror`                                    | The default Docker Registry Mirror used by runners.                                                                                       |                                                                                                 |
-| `hostNetwork`                                            | The "hostNetwork" of the controller container                                                                                             | false                                                                                           |
+| `hostNetwork`                                             | The "hostNetwork" of the controller container                                                                                             | false                                                                                           |
-| `image.repository`                                       | The "repository/image" of the controller container                                                                                        | summerwind/actions-runner-controller                                                            |
+| `dnsPolicy`                                               | The "dnsPolicy" of the controller container                                                                                               | ClusterFirst                                                                                    |
-| `image.tag`                                              | The tag of the controller container                                                                                                       |                                                                                                 |
+| `image.repository`                                        | The "repository/image" of the controller container                                                                                        | summerwind/actions-runner-controller                                                            |
-| `image.actionsRunnerRepositoryAndTag`                    | The "repository/image" of the actions runner container                                                                                    | summerwind/actions-runner:latest                                                                |
+| `image.tag`                                               | The tag of the controller container                                                                                                       |                                                                                                 |
-| `image.actionsRunnerImagePullSecrets`                    | Optional image pull secrets to be included in the runner pod's ImagePullSecrets                                                           |                                                                                                 |
+| `image.actionsRunnerRepositoryAndTag`                     | The "repository/image" of the actions runner container                                                                                    | summerwind/actions-runner:latest                                                                |
-| `image.dindSidecarRepositoryAndTag`                      | The "repository/image" of the dind sidecar container                                                                                      | docker:dind                                                                                     |
+| `image.actionsRunnerImagePullSecrets`                     | Optional image pull secrets to be included in the runner pod's ImagePullSecrets                                                           |                                                                                                 |
-| `image.pullPolicy`                                       | The pull policy of the controller image                                                                                                   | IfNotPresent                                                                                    |
+| `image.dindSidecarRepositoryAndTag`                       | The "repository/image" of the dind sidecar container                                                                                      | docker:dind                                                                                     |
-| `metrics.serviceMonitor`                                 | Deploy serviceMonitor kind for for use with prometheus-operator CRDs                                                                      | false                                                                                           |
+| `image.pullPolicy`                                        | The pull policy of the controller image                                                                                                   | IfNotPresent                                                                                    |
-| `metrics.serviceAnnotations`                             | Set annotations for the provisioned metrics service resource                                                                              |                                                                                                 |
+| `metrics.serviceMonitor.enable`                           | Deploy serviceMonitor kind for for use with prometheus-operator CRDs                                                                      | false                                                                                           |
-| `metrics.port`                                           | Set port of metrics service                                                                                                               | 8443                                                                                            |
+| `metrics.serviceMonitor.interval`                         | Configure the interval that Prometheus should scrap the controller's metrics                                                              | 1m                                                                                              |
-| `metrics.proxy.enabled`                                  | Deploy kube-rbac-proxy container in controller pod                                                                                        | true                                                                                            |
+| `metrics.serviceMonitor.namespace`                        | Namespace which Prometheus is running in                                                                                                  | `Release.Namespace` (the default namespace of the helm chart).                                  |
-| `metrics.proxy.image.repository`                         | The "repository/image" of the kube-proxy container                                                                                        | quay.io/brancz/kube-rbac-proxy                                                                  |
+| `metrics.serviceMonitor.timeout`                          | Configure the timeout the timeout of Prometheus scrapping.                                                                                | 30s                                                                                             |
-| `metrics.proxy.image.tag`                                | The tag of the kube-proxy image to use when pulling the container                                                                         | v0.10.0                                                                                         |
+| `metrics.serviceAnnotations`                              | Set annotations for the provisioned metrics service resource                                                                              |                                                                                                 |
-| `metrics.serviceMonitorLabels`                           | Set labels to apply to ServiceMonitor resources                                                                                           |                                                                                                 |
+| `metrics.port`                                            | Set port of metrics service                                                                                                               | 8443                                                                                            |
-| `imagePullSecrets`                                       | Specifies the secret to be used when pulling the controller pod containers                                                                |                                                                                                 |
+| `metrics.proxy.enabled`                                   | Deploy kube-rbac-proxy container in controller pod                                                                                        | true                                                                                            |
-| `fullnameOverride`                                       | Override the full resource names	                                                                                                       |                                                                                                 |
+| `metrics.proxy.image.repository`                          | The "repository/image" of the kube-proxy container                                                                                        | quay.io/brancz/kube-rbac-proxy                                                                  |
-| `nameOverride`                                           | Override the resource name prefix	                                                                                                       |                                                                                                 |
+| `metrics.proxy.image.tag`                                 | The tag of the kube-proxy image to use when pulling the container                                                                         | v0.13.1                                                                                         |
-| `serviceAccount.annotations`                             | Set annotations to the service account                                                                                                    |                                                                                                 |
+| `metrics.serviceMonitorLabels`                            | Set labels to apply to ServiceMonitor resources                                                                                           |                                                                                                 |
-| `serviceAccount.create`                                  | Deploy the controller pod under a service account                                                                                         | true                                                                                            |
+| `imagePullSecrets`                                        | Specifies the secret to be used when pulling the controller pod containers                                                                |                                                                                                 |
-| `podAnnotations`                                         | Set annotations for the controller pod                                                                                                    |                                                                                                 |
+| `fullnameOverride`                                        | Override the full resource names	                                                                                                        |                                                                                                 |
-| `podLabels`                                              | Set labels for the controller pod                                                                                                         |                                                                                                 |
+| `nameOverride`                                            | Override the resource name prefix	                                                                                                        |                                                                                                 |
-| `serviceAccount.name`                                    | Set the name of the service account                                                                                                       |                                                                                                 |
+| `serviceAccount.annotations`                              | Set annotations to the service account                                                                                                    |                                                                                                 |
-| `securityContext`                                        | Set the security context for each container in the controller pod                                                                         |                                                                                                 |
+| `serviceAccount.create`                                   | Deploy the controller pod under a service account                                                                                         | true                                                                                            |
-| `podSecurityContext`                                     | Set the security context to controller pod                                                                                                |                                                                                                 |
+| `podAnnotations`                                          | Set annotations for the controller pod                                                                                                    |                                                                                                 |
-| `service.annotations`                                    | Set annotations for the provisioned webhook service resource                                                                              |                                                                                                 |
+| `podLabels`                                               | Set labels for the controller pod                                                                                                         |                                                                                                 |
-| `service.port`                                           | Set controller service ports                                                                                                              |                                                                                                 |
+| `serviceAccount.name`                                     | Set the name of the service account                                                                                                       |                                                                                                 |
-| `service.type`                                           | Set controller service type                                                                                                               |                                                                                                 |
+| `securityContext`                                         | Set the security context for each container in the controller pod                                                                         |                                                                                                 |
-| `topologySpreadConstraints`                              | Set the controller pod topologySpreadConstraints                                                                                          |                                                                                                 |
+| `podSecurityContext`                                      | Set the security context to controller pod                                                                                                |                                                                                                 |
-| `nodeSelector`                                           | Set the controller pod nodeSelector                                                                                                       |                                                                                                 |
+| `service.annotations`                                     | Set annotations for the provisioned webhook service resource                                                                              |                                                                                                 |
-| `resources`                                              | Set the controller pod resources                                                                                                          |                                                                                                 |
+| `service.port`                                            | Set controller service ports                                                                                                              |                                                                                                 |
-| `affinity`                                               | Set the controller pod affinity rules                                                                                                     |                                                                                                 |
+| `service.type`                                            | Set controller service type                                                                                                               |                                                                                                 |
-| `podDisruptionBudget.enabled`                            | Enables a PDB to ensure HA of controller pods                                                                                             |      false                                                                                      |
+| `topologySpreadConstraints`                               | Set the controller pod topologySpreadConstraints                                                                                          |                                                                                                 |
-| `podDisruptionBudget.minAvailable`                       | Minimum number of pods that must be available after eviction                                                                              |                                                                                                 |
+| `nodeSelector`                                            | Set the controller pod nodeSelector                                                                                                       |                                                                                                 |
-| `podDisruptionBudget.maxUnavailable`                     | Maximum number of pods that can be unavailable after eviction. Kubernetes 1.7+ required.                                                  |                                                                                                 |
+| `resources`                                               | Set the controller pod resources                                                                                                          |                                                                                                 |
-| `tolerations`                                            | Set the controller pod tolerations                                                                                                        |                                                                                                 |
+| `affinity`                                                | Set the controller pod affinity rules                                                                                                     |                                                                                                 |
-| `env`                                                    | Set environment variables for the controller container                                                                                    |                                                                                                 |
+| `podDisruptionBudget.enabled`                             | Enables a PDB to ensure HA of controller pods                                                                                             | false                                                                                      |
-| `priorityClassName`                                      | Set the controller pod priorityClassName                                                                                                  |                                                                                                 |
+| `podDisruptionBudget.minAvailable`                        | Minimum number of pods that must be available after eviction                                                                              |                                                                                                 |
-| `scope.watchNamespace`                                   | Tells the controller and the github webhook server which namespace to watch if `scope.singleNamespace` is true                            | `Release.Namespace` (the default namespace of the helm chart).                                  |
+| `podDisruptionBudget.maxUnavailable`                      | Maximum number of pods that can be unavailable after eviction. Kubernetes 1.7+ required.                                                  |                                                                                                 |
-| `scope.singleNamespace`                                  | Limit the controller to watch a single namespace                                                                                          | false                                                                                           |
+| `tolerations`                                             | Set the controller pod tolerations                                                                                                        |                                                                                                 |
-| `certManagerEnabled`                                     | Enable cert-manager. If disabled you must set admissionWebHooks.caBundle and create TLS secrets manually                                  | true                                                                                            |
+| `env`                                                     | Set environment variables for the controller container                                                                                    |                                                                                                 |
-| `runner.statusUpdateHook.enabled`                        | Use custom RBAC for runners (role, role binding and service account), this will enable reporting runner statuses                          | false                                                                                           |
+| `priorityClassName`                                       | Set the controller pod priorityClassName                                                                                                  |                                                                                                 |
-| `admissionWebHooks.caBundle`                             | Base64-encoded PEM bundle containing the CA that signed the webhook's serving certificate                                                 |                                                                                                 |
+| `scope.watchNamespace`                                    | Tells the controller and the github webhook server which namespace to watch if `scope.singleNamespace` is true                            | `Release.Namespace` (the default namespace of the helm chart).                                  |
-| `githubWebhookServer.logLevel`                           | Set the log level of the githubWebhookServer container                                                                                    |                                                                                                 |
+| `scope.singleNamespace`                                   | Limit the controller to watch a single namespace                                                                                          | false                                                                                           |
-| `githubWebhookServer.logFormat`                          | Set the log format of the githubWebhookServer controller. Valid options are "text" and "json"                                             | text                                                                                            |
+| `certManagerEnabled`                                      | Enable cert-manager. If disabled you must set admissionWebHooks.caBundle and create TLS secrets manually                                  | true                                                                                            |
-| `githubWebhookServer.replicaCount`                       | Set the number of webhook server pods                                                                                                     | 1                                                                                               |
+| `runner.statusUpdateHook.enabled`                         | Use custom RBAC for runners (role, role binding and service account), this will enable reporting runner statuses                          | false                                                                                           |
-| `githubWebhookServer.useRunnerGroupsVisibility`          | Enable supporting runner groups with custom visibility, you also need to set `githubWebhookServer.secret.enabled` to enable this feature. | false                                                                                           |
+| `admissionWebHooks.caBundle`                              | Base64-encoded PEM bundle containing the CA that signed the webhook's serving certificate                                                 |                                                                                                 |
-| `githubWebhookServer.enabled`                            | Deploy the webhook server pod                                                                                                             | false                                                                                           |
+| `githubWebhookServer.logLevel`                            | Set the log level of the githubWebhookServer container                                                                                    |                                                                                                 |
-| `githubWebhookServer.queueLimit`                         | Set the queue size limit in the githubWebhookServer                                                                                       |                                                                                                 |
+| `githubWebhookServer.logFormat`                           | Set the log format of the githubWebhookServer controller. Valid options are "text" and "json"                                             | text                                                                                            |
-| `githubWebhookServer.secret.enabled`                     | Passes the webhook hook secret to the github-webhook-server                                                                               | false                                                                                           |
+| `githubWebhookServer.replicaCount`                        | Set the number of webhook server pods                                                                                                     | 1                                                                                               |
-| `githubWebhookServer.secret.create`                      | Deploy the webhook hook secret                                                                                                            | false                                                                                           |
+| `githubWebhookServer.useRunnerGroupsVisibility`           | Enable supporting runner groups with custom visibility, you also need to set `githubWebhookServer.secret.enabled` to enable this feature. | false                                                                                           |
-| `githubWebhookServer.secret.name`                        | Set the name of the webhook hook secret                                                                                                   | github-webhook-server                                                                           |
+| `githubWebhookServer.enabled`                             | Deploy the webhook server pod                                                                                                             | false                                                                                           |
-| `githubWebhookServer.secret.github_webhook_secret_token` | Set the webhook secret token value                                                                                                        |                                                                                                 |
+| `githubWebhookServer.queueLimit`                          | Set the queue size limit in the githubWebhookServer                                                                                       |                                                                                                 |
-| `githubWebhookServer.imagePullSecrets`                   | Specifies the secret to be used when pulling the githubWebhookServer pod containers                                                       |                                                                                                 |
+| `githubWebhookServer.secret.enabled`                      | Passes the webhook hook secret to the github-webhook-server                                                                               | false                                                                                           |
-| `githubWebhookServer.nameOverride`                       | Override the resource name prefix	                                                                                                       |                                                                                                 |
+| `githubWebhookServer.secret.create`                       | Deploy the webhook hook secret                                                                                                            | false                                                                                           |
-| `githubWebhookServer.fullnameOverride`                   | Override the full resource names	                                                                                                       |                                                                                                 |
+| `githubWebhookServer.secret.name`                         | Set the name of the webhook hook secret                                                                                                   | github-webhook-server                                                                           |
-| `githubWebhookServer.serviceAccount.create`              | Deploy the githubWebhookServer under a service account                                                                                    | true                                                                                            |
+| `githubWebhookServer.secret.github_webhook_secret_token`  | Set the webhook secret token value                                                                                                        |                                                                                                 |
-| `githubWebhookServer.serviceAccount.annotations`         | Set annotations for the service account                                                                                                   |                                                                                                 |
+| `githubWebhookServer.imagePullSecrets`                    | Specifies the secret to be used when pulling the githubWebhookServer pod containers                                                       |                                                                                                 |
-| `githubWebhookServer.serviceAccount.name`                | Set the service account name                                                                                                              |                                                                                                 |
+| `githubWebhookServer.nameOverride`                        | Override the resource name prefix	                                                                                                        |                                                                                                 |
-| `githubWebhookServer.podAnnotations`                     | Set annotations for the githubWebhookServer pod                                                                                           |                                                                                                 |
+| `githubWebhookServer.fullnameOverride`                    | Override the full resource names	                                                                                                        |                                                                                                 |
-| `githubWebhookServer.podLabels`                          | Set labels for the githubWebhookServer pod                                                                                                |                                                                                                 |
+| `githubWebhookServer.serviceAccount.create`               | Deploy the githubWebhookServer under a service account                                                                                    | true                                                                                            |
-| `githubWebhookServer.podSecurityContext`                 | Set the security context to githubWebhookServer pod                                                                                       |                                                                                                 |
+| `githubWebhookServer.serviceAccount.annotations`          | Set annotations for the service account                                                                                                   |                                                                                                 |
-| `githubWebhookServer.securityContext`                    | Set the security context for each container in the githubWebhookServer pod                                                                |                                                                                                 |
+| `githubWebhookServer.serviceAccount.name`                 | Set the service account name                                                                                                              |                                                                                                 |
-| `githubWebhookServer.resources`                          | Set the githubWebhookServer pod resources                                                                                                 |                                                                                                 |
+| `githubWebhookServer.podAnnotations`                      | Set annotations for the githubWebhookServer pod                                                                                           |                                                                                                 |
-| `githubWebhookServer.topologySpreadConstraints`          | Set the githubWebhookServer pod topologySpreadConstraints                                                                                 |                                                                                                 |
+| `githubWebhookServer.podLabels`                           | Set labels for the githubWebhookServer pod                                                                                                |                                                                                                 |
-| `githubWebhookServer.nodeSelector`                       | Set the githubWebhookServer pod nodeSelector                                                                                              |                                                                                                 |
+| `githubWebhookServer.podSecurityContext`                  | Set the security context to githubWebhookServer pod                                                                                       |                                                                                                 |
-| `githubWebhookServer.tolerations`                        | Set the githubWebhookServer pod tolerations                                                                                               |                                                                                                 |
+| `githubWebhookServer.securityContext`                     | Set the security context for each container in the githubWebhookServer pod                                                                |                                                                                                 |
-| `githubWebhookServer.affinity`                           | Set the githubWebhookServer pod affinity rules                                                                                            |                                                                                                 |
+| `githubWebhookServer.resources`                           | Set the githubWebhookServer pod resources                                                                                                 |                                                                                                 |
-| `githubWebhookServer.priorityClassName`                  | Set the githubWebhookServer pod priorityClassName                                                                                         |                                                                                                 |
+| `githubWebhookServer.topologySpreadConstraints`           | Set the githubWebhookServer pod topologySpreadConstraints                                                                                 |                                                                                                 |
-| `githubWebhookServer.service.type`                       | Set githubWebhookServer service type                                                                                                      |                                                                                                 |
+| `githubWebhookServer.nodeSelector`                        | Set the githubWebhookServer pod nodeSelector                                                                                              |                                                                                                 |
-| `githubWebhookServer.service.ports`                      | Set githubWebhookServer service ports                                                                                                     | `[{"port":80, "targetPort:"http", "protocol":"TCP", "name":"http"}]`                            |
+| `githubWebhookServer.tolerations`                         | Set the githubWebhookServer pod tolerations                                                                                               |                                                                                                 |
-| `githubWebhookServer.ingress.enabled`                    | Deploy an ingress kind for the githubWebhookServer                                                                                        | false                                                                                           |
+| `githubWebhookServer.affinity`                            | Set the githubWebhookServer pod affinity rules                                                                                            |                                                                                                 |
-| `githubWebhookServer.ingress.annotations`                | Set annotations for the ingress kind                                                                                                      |                                                                                                 |
+| `githubWebhookServer.priorityClassName`                   | Set the githubWebhookServer pod priorityClassName                                                                                         |                                                                                                 |
-| `githubWebhookServer.ingress.hosts`                      | Set hosts configuration for ingress                                                                                                       | `[{"host": "chart-example.local", "paths": []}]`                                                |
+| `githubWebhookServer.terminationGracePeriodSeconds`       | Set the githubWebhookServer pod terminationGracePeriodSeconds. Useful when using preStop hooks to drain/sleep.                            | `10`                                                                                            |
-| `githubWebhookServer.ingress.tls`                        | Set tls configuration for ingress                                                                                                         |                                                                                                 |
+| `githubWebhookServer.lifecycle`                           | Set the githubWebhookServer pod lifecycle hooks                                                                                           | `{}`                                                                                            |
-| `githubWebhookServer.ingress.ingressClassName`           | Set ingress class name                                                                                                                    |                                                                                                 |
+| `githubWebhookServer.service.type`                        | Set githubWebhookServer service type                                                                                                      |                                                                                                 |
-| `githubWebhookServer.podDisruptionBudget.enabled`        | Enables a PDB to ensure HA of githubwebhook pods                                                                                          | false                                                                                           |
+| `githubWebhookServer.service.ports`                       | Set githubWebhookServer service ports                                                                                                     | `[{"port":80, "targetPort:"http", "protocol":"TCP", "name":"http"}]`                            |
-| `githubWebhookServer.podDisruptionBudget.minAvailable`   | Minimum number of pods that must be available after eviction                                                                              |                                                                                                 |
+| `githubWebhookServer.service.loadBalancerSourceRanges`    | Set githubWebhookServer loadBalancerSourceRanges for restricting loadBalancer type services                                               | `[]`                                                                                            |
-| `githubWebhookServer.podDisruptionBudget.maxUnavailable` | Maximum number of pods that can be unavailable after eviction. Kubernetes 1.7+ required.                                                  |                                                                                                 |
+| `githubWebhookServer.ingress.enabled`                     | Deploy an ingress kind for the githubWebhookServer                                                                                        | false                                                                                           |
-| `actionsMetricsServer.logLevel`                           | Set the log level of the actionsMetricsServer container                                                                                    |                                                                                                 |
+| `githubWebhookServer.ingress.annotations`                 | Set annotations for the ingress kind                                                                                                      |                                                                                                 |
-| `actionsMetricsServer.logFormat`                          | Set the log format of the actionsMetricsServer controller. Valid options are "text" and "json"                                             | text                                                                                            |
+| `githubWebhookServer.ingress.hosts`                       | Set hosts configuration for ingress                                                                                                       | `[{"host": "chart-example.local", "paths": []}]`                                                |
-| `actionsMetricsServer.enabled`                            | Deploy the actions metrics server pod                                                                                                             | false                                                                                           |
+| `githubWebhookServer.ingress.tls`                         | Set tls configuration for ingress                                                                                                         |                                                                                                 |
-| `actionsMetricsServer.secret.enabled`                     | Passes the webhook hook secret to the github-webhook-server                                                                               | false                                                                                           |
+| `githubWebhookServer.ingress.ingressClassName`            | Set ingress class name                                                                                                                    |                                                                                                 |
 | `githubWebhookServer.podDisruptionBudget.enabled`         | Enables a PDB to ensure HA of githubwebhook pods                                                                                          | false                                                                                           |
 | `githubWebhookServer.podDisruptionBudget.minAvailable`    | Minimum number of pods that must be available after eviction                                                                              |                                                                                                 |
 | `githubWebhookServer.podDisruptionBudget.maxUnavailable`  | Maximum number of pods that can be unavailable after eviction. Kubernetes 1.7+ required.                                                  |                                                                                                 |
 | `actionsMetricsServer.logLevel`                           | Set the log level of the actionsMetricsServer container                                                                                   |                                                                                                 |
 | `actionsMetricsServer.logFormat`                          | Set the log format of the actionsMetricsServer controller. Valid options are "text" and "json"                                            | text                                                                                            |
 | `actionsMetricsServer.enabled`                            | Deploy the actions metrics server pod                                                                                                     | false                                                                                           |
 | `actionsMetricsServer.secret.enabled`                     | Passes the webhook hook secret to the actions-metrics-server                                                                              | false                                                                                           |
 | `actionsMetricsServer.secret.create`                      | Deploy the webhook hook secret                                                                                                            | false                                                                                           |
-| `actionsMetricsServer.secret.name`                        | Set the name of the webhook hook secret                                                                                                   | github-webhook-server                                                                           |
+| `actionsMetricsServer.secret.name`                        | Set the name of the webhook hook secret                                                                                                   | actions-metrics-server                                                                          |
 | `actionsMetricsServer.secret.github_webhook_secret_token` | Set the webhook secret token value                                                                                                        |                                                                                                 |
-| `actionsMetricsServer.imagePullSecrets`                   | Specifies the secret to be used when pulling the actionsMetricsServer pod containers                                                       |                                                                                                 |
+| `actionsMetricsServer.imagePullSecrets`                   | Specifies the secret to be used when pulling the actionsMetricsServer pod containers                                                      |                                                                                                 |
-| `actionsMetricsServer.nameOverride`                       | Override the resource name prefix	                                                                                                       |                                                                                                 |
+| `actionsMetricsServer.nameOverride`                       | Override the resource name prefix	                                                                                                        |                                                                                                 |
-| `actionsMetricsServer.fullnameOverride`                   | Override the full resource names	                                                                                                       |                                                                                                 |
+| `actionsMetricsServer.fullnameOverride`                   | Override the full resource names	                                                                                                        |                                                                                                 |
-| `actionsMetricsServer.serviceAccount.create`              | Deploy the actionsMetricsServer under a service account                                                                                    | true                                                                                            |
+| `actionsMetricsServer.serviceAccount.create`              | Deploy the actionsMetricsServer under a service account                                                                                   | true                                                                                            |
 | `actionsMetricsServer.serviceAccount.annotations`         | Set annotations for the service account                                                                                                   |                                                                                                 |
 | `actionsMetricsServer.serviceAccount.name`                | Set the service account name                                                                                                              |                                                                                                 |
-| `actionsMetricsServer.podAnnotations`                     | Set annotations for the actionsMetricsServer pod                                                                                           |                                                                                                 |
+| `actionsMetricsServer.podAnnotations`                     | Set annotations for the actionsMetricsServer pod                                                                                          |                                                                                                 |
-| `actionsMetricsServer.podLabels`                          | Set labels for the actionsMetricsServer pod                                                                                                |                                                                                                 |
+| `actionsMetricsServer.podLabels`                          | Set labels for the actionsMetricsServer pod                                                                                               |                                                                                                 |
-| `actionsMetricsServer.podSecurityContext`                 | Set the security context to actionsMetricsServer pod                                                                                       |                                                                                                 |
+| `actionsMetricsServer.podSecurityContext`                 | Set the security context to actionsMetricsServer pod                                                                                      |                                                                                                 |
-| `actionsMetricsServer.securityContext`                    | Set the security context for each container in the actionsMetricsServer pod                                                                |                                                                                                 |
+| `actionsMetricsServer.securityContext`                    | Set the security context for each container in the actionsMetricsServer pod                                                               |                                                                                                 |
-| `actionsMetricsServer.resources`                          | Set the actionsMetricsServer pod resources                                                                                                 |                                                                                                 |
+| `actionsMetricsServer.resources`                          | Set the actionsMetricsServer pod resources                                                                                                |                                                                                                 |
-| `actionsMetricsServer.topologySpreadConstraints`          | Set the actionsMetricsServer pod topologySpreadConstraints                                                                                 |                                                                                                 |
+| `actionsMetricsServer.topologySpreadConstraints`          | Set the actionsMetricsServer pod topologySpreadConstraints                                                                                |                                                                                                 |
-| `actionsMetricsServer.nodeSelector`                       | Set the actionsMetricsServer pod nodeSelector                                                                                              |                                                                                                 |
+| `actionsMetricsServer.nodeSelector`                       | Set the actionsMetricsServer pod nodeSelector                                                                                             |                                                                                                 |
-| `actionsMetricsServer.tolerations`                        | Set the actionsMetricsServer pod tolerations                                                                                               |                                                                                                 |
+| `actionsMetricsServer.tolerations`                        | Set the actionsMetricsServer pod tolerations                                                                                              |                                                                                                 |
-| `actionsMetricsServer.affinity`                           | Set the actionsMetricsServer pod affinity rules                                                                                            |                                                                                                 |
+| `actionsMetricsServer.affinity`                           | Set the actionsMetricsServer pod affinity rules                                                                                           |                                                                                                 |
-| `actionsMetricsServer.priorityClassName`                  | Set the actionsMetricsServer pod priorityClassName                                                                                         |                                                                                                 |
+| `actionsMetricsServer.priorityClassName`                  | Set the actionsMetricsServer pod priorityClassName                                                                                        |                                                                                                 |
-| `actionsMetricsServer.service.type`                       | Set actionsMetricsServer service type                                                                                                      |                                                                                                 |
+| `actionsMetricsServer.terminationGracePeriodSeconds`      | Set the actionsMetricsServer pod terminationGracePeriodSeconds. Useful when using preStop hooks to drain/sleep.                           | `10`                                                                                            |
-| `actionsMetricsServer.service.ports`                      | Set actionsMetricsServer service ports                                                                                                     | `[{"port":80, "targetPort:"http", "protocol":"TCP", "name":"http"}]`                            |
+| `actionsMetricsServer.lifecycle`                          | Set the actionsMetricsServer pod lifecycle hooks                                                                                          | `{}`                                                                                            |
-| `actionsMetricsServer.ingress.enabled`                    | Deploy an ingress kind for the actionsMetricsServer                                                                                        | false                                                                                           |
+| `actionsMetricsServer.service.type`                       | Set actionsMetricsServer service type                                                                                                     |                                                                                                 |
 | `actionsMetricsServer.service.ports`                      | Set actionsMetricsServer service ports                                                                                                    | `[{"port":80, "targetPort:"http", "protocol":"TCP", "name":"http"}]`                            |
 | `actionsMetricsServer.service.loadBalancerSourceRanges`   | Set actionsMetricsServer loadBalancerSourceRanges for restricting loadBalancer type services                                              | `[]`                                                                                            |
 | `actionsMetricsServer.ingress.enabled`                    | Deploy an ingress kind for the actionsMetricsServer                                                                                       | false                                                                                           |
 | `actionsMetricsServer.ingress.annotations`                | Set annotations for the ingress kind                                                                                                      |                                                                                                 |
 | `actionsMetricsServer.ingress.hosts`                      | Set hosts configuration for ingress                                                                                                       | `[{"host": "chart-example.local", "paths": []}]`                                                |
 | `actionsMetricsServer.ingress.tls`                        | Set tls configuration for ingress                                                                                                         |                                                                                                 |
 | `actionsMetricsServer.ingress.ingressClassName`           | Set ingress class name                                                                                                                    |                                                                                                 |
-| `actionsMetrics.serviceMonitor`                                 | Deploy serviceMonitor kind for for use with prometheus-operator CRDs                                                                      | false                                                                                           |
+| `actionsMetrics.serviceMonitor.enable`                    | Deploy serviceMonitor kind for for use with prometheus-operator CRDs                                                                      | false                                                                                           |
-| `actionsMetrics.serviceAnnotations`                             | Set annotations for the provisioned actions metrics service resource                                                                              |                                                                                                 |
+| `actionsMetrics.serviceMonitor.interval`                  | Configure the interval that Prometheus should scrap the controller's metrics                                                              | 1m                                                                                              |
-| `actionsMetrics.port`                                           | Set port of actions metrics service                                                                                                               | 8443                                                                                            |
+| `actionsMetrics.serviceMonitor.namespace`                 | Namespace which Prometheus is running in.                                                                                                 | `Release.Namespace` (the default namespace of the helm chart).                                  |
-| `actionsMetrics.proxy.enabled`                                  | Deploy kube-rbac-proxy container in controller pod                                                                                        | true                                                                                            |
+| `actionsMetrics.serviceMonitor.timeout`                   | Configure the timeout the timeout of Prometheus scrapping.                                                                                | 30s                                                                                             |
-| `actionsMetrics.proxy.image.repository`                         | The "repository/image" of the kube-proxy container                                                                                        | quay.io/brancz/kube-rbac-proxy                                                                  |
+| `actionsMetrics.serviceAnnotations`                       | Set annotations for the provisioned actions metrics service resource                                                                      |                                                                                                 |
-| `actionsMetrics.proxy.image.tag`                                | The tag of the kube-proxy image to use when pulling the container                                                                         | v0.10.0                                                                                         |
+| `actionsMetrics.port`                                     | Set port of actions metrics service                                                                                                       | 8443                                                                                            |
-| `actionsMetrics.serviceMonitorLabels`                           | Set labels to apply to ServiceMonitor resources                                                                                           |                                                                                                 |
+| `actionsMetrics.proxy.enabled`                            | Deploy kube-rbac-proxy container in controller pod                                                                                        | true                                                                                            |
 | `actionsMetrics.proxy.image.repository`                   | The "repository/image" of the kube-proxy container                                                                                        | quay.io/brancz/kube-rbac-proxy                                                                  |
 | `actionsMetrics.proxy.image.tag`                          | The tag of the kube-proxy image to use when pulling the container                                                                         | v0.13.1                                                                                         |
 | `actionsMetrics.serviceMonitorLabels`                     | Set labels to apply to ServiceMonitor resources                                                                                           |                                                                                                 |
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml
@@ -1,9 +1,9 @@
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.7.0
+    controller-gen.kubebuilder.io/version: v0.19.0
  creationTimestamp: null
  name: horizontalrunnerautoscalers.actions.summerwind.dev
 spec:
  group: actions.summerwind.dev
@@ -12,248 +12,313 @@ spec:
    listKind: HorizontalRunnerAutoscalerList
    plural: horizontalrunnerautoscalers
    shortNames:
-      - hra
+    - hra
    singular: horizontalrunnerautoscaler
  scope: Namespaced
  versions:
-    - additionalPrinterColumns:
+  - additionalPrinterColumns:
-        - jsonPath: .spec.minReplicas
+    - jsonPath: .spec.minReplicas
-          name: Min
+      name: Min
-          type: number
+      type: number
-        - jsonPath: .spec.maxReplicas
+    - jsonPath: .spec.maxReplicas
-          name: Max
+      name: Max
-          type: number
+      type: number
-        - jsonPath: .status.desiredReplicas
+    - jsonPath: .status.desiredReplicas
-          name: Desired
+      name: Desired
-          type: number
+      type: number
-        - jsonPath: .status.scheduledOverridesSummary
+    - jsonPath: .status.scheduledOverridesSummary
-          name: Schedule
+      name: Schedule
-          type: string
+      type: string
-      name: v1alpha1
+    name: v1alpha1
-      schema:
+    schema:
-        openAPIV3Schema:
+      openAPIV3Schema:
-          description: HorizontalRunnerAutoscaler is the Schema for the horizontalrunnerautoscaler API
+        description: HorizontalRunnerAutoscaler is the Schema for the horizontalrunnerautoscaler
-          properties:
+          API
-            apiVersion:
+        properties:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          apiVersion:
-              type: string
+            description: |-
-            kind:
+              APIVersion defines the versioned schema of this representation of an object.
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers should convert recognized schemas to the latest internal value, and
-              type: string
+              may reject unrecognized values.
-            metadata:
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: object
+            type: string
-            spec:
+          kind:
-              description: HorizontalRunnerAutoscalerSpec defines the desired state of HorizontalRunnerAutoscaler
+            description: |-
-              properties:
+              Kind is a string value representing the REST resource this object represents.
-                capacityReservations:
+              Servers may infer this from the endpoint the client submits requests to.
-                  items:
+              Cannot be updated.
-                    description: CapacityReservation specifies the number of replicas temporarily added to the scale target until ExpirationTime.
+              In CamelCase.
-                    properties:
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-                      effectiveTime:
+            type: string
-                        format: date-time
+          metadata:
-                        type: string
+            type: object
-                      expirationTime:
+          spec:
-                        format: date-time
+            description: HorizontalRunnerAutoscalerSpec defines the desired state
-                        type: string
+              of HorizontalRunnerAutoscaler
-                      name:
+            properties:
-                        type: string
+              capacityReservations:
-                      replicas:
+                items:
-                        type: integer
+                  description: |-
-                    type: object
+                    CapacityReservation specifies the number of replicas temporarily added
-                  type: array
+                    to the scale target until ExpirationTime.
                githubAPICredentialsFrom:
                  properties:
-                    secretRef:
+                    effectiveTime:
-                      properties:
+                      format: date-time
-                        name:
+                      type: string
-                          type: string
+                    expirationTime:
-                      required:
+                      format: date-time
                        - name
                      type: object
                  type: object
                maxReplicas:
                  description: MaxReplicas is the maximum number of replicas the deployment is allowed to scale
                  type: integer
                metrics:
                  description: Metrics is the collection of various metric targets to calculate desired number of runners
                  items:
                    properties:
                      repositoryNames:
                        description: RepositoryNames is the list of repository names to be used for calculating the metric. For example, a repository name is the REPO part of `github.com/USER/REPO`.
                        items:
                          type: string
                        type: array
                      scaleDownAdjustment:
                        description: ScaleDownAdjustment is the number of runners removed on scale-down. You can only specify either ScaleDownFactor or ScaleDownAdjustment.
                        type: integer
                      scaleDownFactor:
                        description: ScaleDownFactor is the multiplicative factor applied to the current number of runners used to determine how many pods should be removed.
                        type: string
                      scaleDownThreshold:
                        description: ScaleDownThreshold is the percentage of busy runners less than which will trigger the hpa to scale the runners down.
                        type: string
                      scaleUpAdjustment:
                        description: ScaleUpAdjustment is the number of runners added on scale-up. You can only specify either ScaleUpFactor or ScaleUpAdjustment.
                        type: integer
                      scaleUpFactor:
                        description: ScaleUpFactor is the multiplicative factor applied to the current number of runners used to determine how many pods should be added.
                        type: string
                      scaleUpThreshold:
                        description: ScaleUpThreshold is the percentage of busy runners greater than which will trigger the hpa to scale runners up.
                        type: string
                      type:
                        description: Type is the type of metric to be used for autoscaling. It can be TotalNumberOfQueuedAndInProgressWorkflowRuns or PercentageRunnersBusy.
                        type: string
                    type: object
                  type: array
                minReplicas:
                  description: MinReplicas is the minimum number of replicas the deployment is allowed to scale
                  type: integer
                scaleDownDelaySecondsAfterScaleOut:
                  description: ScaleDownDelaySecondsAfterScaleUp is the approximate delay for a scale down followed by a scale up Used to prevent flapping (down->up->down->... loop)
                  type: integer
                scaleTargetRef:
                  description: ScaleTargetRef sis the reference to scaled resource like RunnerDeployment
                  properties:
                    kind:
                      description: Kind is the type of resource being referenced
                      enum:
                        - RunnerDeployment
                        - RunnerSet
                      type: string
                    name:
                      description: Name is the name of resource being referenced
                      type: string
                    replicas:
                      type: integer
                  type: object
-                scaleUpTriggers:
+                type: array
-                  description: "ScaleUpTriggers is an experimental feature to increase the desired replicas by 1 on each webhook requested received by the webhookBasedAutoscaler. \n This feature requires you to also enable and deploy the webhookBasedAutoscaler onto your cluster. \n Note that the added runners remain until the next sync period at least, and they may or may not be used by GitHub Actions depending on the timing. They are intended to be used to gain \"resource slack\" immediately after you receive a webhook from GitHub, so that you can loosely expect MinReplicas runners to be always available."
+              githubAPICredentialsFrom:
-                  items:
+                properties:
                  secretRef:
                    properties:
-                      amount:
+                      name:
                        type: integer
                      duration:
                        type: string
                      githubEvent:
                        properties:
                          checkRun:
                            description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#check_run
                            properties:
                              names:
                                description: Names is a list of GitHub Actions glob patterns. Any check_run event whose name matches one of patterns in the list can trigger autoscaling. Note that check_run name seem to equal to the job name you've defined in your actions workflow yaml file. So it is very likely that you can utilize this to trigger depending on the job.
                                items:
                                  type: string
                                type: array
                              repositories:
                                description: Repositories is a list of GitHub repositories. Any check_run event whose repository matches one of repositories in the list can trigger autoscaling.
                                items:
                                  type: string
                                type: array
                              status:
                                type: string
                              types:
                                description: 'One of: created, rerequested, or completed'
                                items:
                                  type: string
                                type: array
                            type: object
                          pullRequest:
                            description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request
                            properties:
                              branches:
                                items:
                                  type: string
                                type: array
                              types:
                                items:
                                  type: string
                                type: array
                            type: object
                          push:
                            description: PushSpec is the condition for triggering scale-up on push event Also see https://docs.github.com/en/actions/reference/events-that-trigger-workflows#push
                            type: object
                          workflowJob:
                            description: https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job
                            type: object
                        type: object
                    type: object
                  type: array
                scheduledOverrides:
                  description: ScheduledOverrides is the list of ScheduledOverride. It can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule. The earlier a scheduled override is, the higher it is prioritized.
                  items:
                    description: ScheduledOverride can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule. A schedule can optionally be recurring, so that the corresponding override happens every day, week, month, or year.
                    properties:
                      endTime:
                        description: EndTime is the time at which the first override ends.
                        format: date-time
                        type: string
                      minReplicas:
                        description: MinReplicas is the number of runners while overriding. If omitted, it doesn't override minReplicas.
                        minimum: 0
                        nullable: true
                        type: integer
                      recurrenceRule:
                        properties:
                          frequency:
                            description: Frequency is the name of a predefined interval of each recurrence. The valid values are "Daily", "Weekly", "Monthly", and "Yearly". If empty, the corresponding override happens only once.
                            enum:
                              - Daily
                              - Weekly
                              - Monthly
                              - Yearly
                            type: string
                          untilTime:
                            description: UntilTime is the time of the final recurrence. If empty, the schedule recurs forever.
                            format: date-time
                            type: string
                        type: object
                      startTime:
                        description: StartTime is the time at which the first override starts.
                        format: date-time
                        type: string
                    required:
-                      - endTime
+                    - name
                      - startTime
                    type: object
-                  type: array
+                type: object
-              type: object
+              maxReplicas:
-            status:
+                description: MaxReplicas is the maximum number of replicas the deployment
-              properties:
+                  is allowed to scale
-                cacheEntries:
+                type: integer
-                  items:
+              metrics:
-                    properties:
+                description: Metrics is the collection of various metric targets to
-                      expirationTime:
+                  calculate desired number of runners
-                        format: date-time
+                items:
                  properties:
                    repositoryNames:
                      description: |-
                        RepositoryNames is the list of repository names to be used for calculating the metric.
                        For example, a repository name is the REPO part of `github.com/USER/REPO`.
                      items:
                        type: string
-                      key:
+                      type: array
-                        type: string
+                    scaleDownAdjustment:
-                      value:
+                      description: |-
-                        type: integer
+                        ScaleDownAdjustment is the number of runners removed on scale-down.
-                    type: object
+                        You can only specify either ScaleDownFactor or ScaleDownAdjustment.
-                  type: array
+                      type: integer
-                desiredReplicas:
+                    scaleDownFactor:
-                  description: DesiredReplicas is the total number of desired, non-terminated and latest pods to be set for the primary RunnerSet This doesn't include outdated pods while upgrading the deployment and replacing the runnerset.
+                      description: |-
-                  type: integer
+                        ScaleDownFactor is the multiplicative factor applied to the current number of runners used
-                lastSuccessfulScaleOutTime:
+                        to determine how many pods should be removed.
-                  format: date-time
+                      type: string
-                  nullable: true
+                    scaleDownThreshold:
-                  type: string
+                      description: |-
-                observedGeneration:
+                        ScaleDownThreshold is the percentage of busy runners less than which will
-                  description: ObservedGeneration is the most recent generation observed for the target. It corresponds to e.g. RunnerDeployment's generation, which is updated on mutation by the API Server.
+                        trigger the hpa to scale the runners down.
-                  format: int64
+                      type: string
-                  type: integer
+                    scaleUpAdjustment:
-                scheduledOverridesSummary:
+                      description: |-
-                  description: ScheduledOverridesSummary is the summary of active and upcoming scheduled overrides to be shown in e.g. a column of a `kubectl get hra` output for observability.
+                        ScaleUpAdjustment is the number of runners added on scale-up.
-                  type: string
+                        You can only specify either ScaleUpFactor or ScaleUpAdjustment.
-              type: object
+                      type: integer
-          type: object
+                    scaleUpFactor:
-      served: true
+                      description: |-
-      storage: true
+                        ScaleUpFactor is the multiplicative factor applied to the current number of runners used
-      subresources:
+                        to determine how many pods should be added.
-        status: {}
+                      type: string
-  preserveUnknownFields: false
+                    scaleUpThreshold:
-status:
+                      description: |-
-  acceptedNames:
+                        ScaleUpThreshold is the percentage of busy runners greater than which will
-    kind: ""
+                        trigger the hpa to scale runners up.
-    plural: ""
+                      type: string
-  conditions: []
+                    type:
-  storedVersions: []
+                      description: |-
                        Type is the type of metric to be used for autoscaling.
                        It can be TotalNumberOfQueuedAndInProgressWorkflowRuns or PercentageRunnersBusy.
                      type: string
                  type: object
                type: array
              minReplicas:
                description: MinReplicas is the minimum number of replicas the deployment
                  is allowed to scale
                type: integer
              scaleDownDelaySecondsAfterScaleOut:
                description: |-
                  ScaleDownDelaySecondsAfterScaleUp is the approximate delay for a scale down followed by a scale up
                  Used to prevent flapping (down->up->down->... loop)
                type: integer
              scaleTargetRef:
                description: ScaleTargetRef is the reference to scaled resource like
                  RunnerDeployment
                properties:
                  kind:
                    description: Kind is the type of resource being referenced
                    enum:
                    - RunnerDeployment
                    - RunnerSet
                    type: string
                  name:
                    description: Name is the name of resource being referenced
                    type: string
                type: object
              scaleUpTriggers:
                description: |-
                  ScaleUpTriggers is an experimental feature to increase the desired replicas by 1
                  on each webhook requested received by the webhookBasedAutoscaler.
                  This feature requires you to also enable and deploy the webhookBasedAutoscaler onto your cluster.
                  Note that the added runners remain until the next sync period at least,
                  and they may or may not be used by GitHub Actions depending on the timing.
                  They are intended to be used to gain "resource slack" immediately after you
                  receive a webhook from GitHub, so that you can loosely expect MinReplicas runners to be always available.
                items:
                  properties:
                    amount:
                      type: integer
                    duration:
                      type: string
                    githubEvent:
                      properties:
                        checkRun:
                          description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#check_run
                          properties:
                            names:
                              description: |-
                                Names is a list of GitHub Actions glob patterns.
                                Any check_run event whose name matches one of patterns in the list can trigger autoscaling.
                                Note that check_run name seem to equal to the job name you've defined in your actions workflow yaml file.
                                So it is very likely that you can utilize this to trigger depending on the job.
                              items:
                                type: string
                              type: array
                            repositories:
                              description: |-
                                Repositories is a list of GitHub repositories.
                                Any check_run event whose repository matches one of repositories in the list can trigger autoscaling.
                              items:
                                type: string
                              type: array
                            status:
                              type: string
                            types:
                              description: 'One of: created, rerequested, or completed'
                              items:
                                type: string
                              type: array
                          type: object
                        pullRequest:
                          description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request
                          properties:
                            branches:
                              items:
                                type: string
                              type: array
                            types:
                              items:
                                type: string
                              type: array
                          type: object
                        push:
                          description: |-
                            PushSpec is the condition for triggering scale-up on push event
                            Also see https://docs.github.com/en/actions/reference/events-that-trigger-workflows#push
                          type: object
                        workflowJob:
                          description: https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job
                          type: object
                      type: object
                  type: object
                type: array
              scheduledOverrides:
                description: |-
                  ScheduledOverrides is the list of ScheduledOverride.
                  It can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule.
                  The earlier a scheduled override is, the higher it is prioritized.
                items:
                  description: |-
                    ScheduledOverride can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule.
                    A schedule can optionally be recurring, so that the corresponding override happens every day, week, month, or year.
                  properties:
                    endTime:
                      description: EndTime is the time at which the first override
                        ends.
                      format: date-time
                      type: string
                    minReplicas:
                      description: |-
                        MinReplicas is the number of runners while overriding.
                        If omitted, it doesn't override minReplicas.
                      minimum: 0
                      nullable: true
                      type: integer
                    recurrenceRule:
                      properties:
                        frequency:
                          description: |-
                            Frequency is the name of a predefined interval of each recurrence.
                            The valid values are "Daily", "Weekly", "Monthly", and "Yearly".
                            If empty, the corresponding override happens only once.
                          enum:
                          - Daily
                          - Weekly
                          - Monthly
                          - Yearly
                          type: string
                        untilTime:
                          description: |-
                            UntilTime is the time of the final recurrence.
                            If empty, the schedule recurs forever.
                          format: date-time
                          type: string
                      type: object
                    startTime:
                      description: StartTime is the time at which the first override
                        starts.
                      format: date-time
                      type: string
                  required:
                  - endTime
                  - startTime
                  type: object
                type: array
            type: object
          status:
            properties:
              cacheEntries:
                items:
                  properties:
                    expirationTime:
                      format: date-time
                      type: string
                    key:
                      type: string
                    value:
                      type: integer
                  type: object
                type: array
              desiredReplicas:
                description: |-
                  DesiredReplicas is the total number of desired, non-terminated and latest pods to be set for the primary RunnerSet
                  This doesn't include outdated pods while upgrading the deployment and replacing the runnerset.
                type: integer
              lastSuccessfulScaleOutTime:
                format: date-time
                nullable: true
                type: string
              observedGeneration:
                description: |-
                  ObservedGeneration is the most recent generation observed for the target. It corresponds to e.g.
                  RunnerDeployment's generation, which is updated on mutation by the API Server.
                format: int64
                type: integer
              scheduledOverridesSummary:
                description: |-
                  ScheduledOverridesSummary is the summary of active and upcoming scheduled overrides to be shown in e.g. a column of a `kubectl get hra` output
                  for observability.
                type: string
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnersets.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnersets.yaml
--- a/charts/actions-runner-controller/templates/NOTES.txt
+++ b/charts/actions-runner-controller/templates/NOTES.txt
@@ -6,17 +6,17 @@
  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "actions-runner-controller.fullname" . }})
+  export NODE_PORT=$(kubectl get --namespace {{ include "actions-runner-controller.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "actions-runner-controller.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  export NODE_IP=$(kubectl get nodes --namespace {{ include "actions-runner-controller.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
  echo http://$NODE_IP:$NODE_PORT
 {{- else if contains "LoadBalancer" .Values.service.type }}
     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "actions-runner-controller.fullname" . }}'
+           You can watch the status of by running 'kubectl get --namespace {{ include "actions-runner-controller.namespace" . }} svc -w {{ include "actions-runner-controller.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "actions-runner-controller.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  export SERVICE_IP=$(kubectl get svc --namespace {{ include "actions-runner-controller.namespace" . }} {{ include "actions-runner-controller.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
  echo http://$SERVICE_IP:{{ .Values.service.port }}
 {{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "actions-runner-controller.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export POD_NAME=$(kubectl get pods --namespace {{ include "actions-runner-controller.namespace" . }} -l "app.kubernetes.io/name={{ include "actions-runner-controller.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ include "actions-runner-controller.namespace" . }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+  kubectl --namespace {{ include "actions-runner-controller.namespace" . }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
--- a/charts/actions-runner-controller/templates/_helpers.tpl
+++ b/charts/actions-runner-controller/templates/_helpers.tpl
@@ -1,3 +1,14 @@
 {{/*
 Allow overriding the namespace for the resources.
 */}}
 {{- define "actions-runner-controller.namespace" -}}
 {{- if .Values.namespaceOverride }}
  {{- .Values.namespaceOverride }}
 {{- else }}
  {{- .Release.Namespace }}
 {{- end }}
 {{- end }}
 {{/*
 Expand the name of the chart.
 */}}
--- a/charts/actions-runner-controller/templates/actionsmetrics.deployment.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.deployment.yaml
@@ -3,7 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "actions-runner-controller-actions-metrics-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
@@ -36,8 +36,8 @@ spec:
      {{- end }}
      containers:
      - args:
-        {{- $metricsHost := .Values.metrics.proxy.enabled | ternary "127.0.0.1" "0.0.0.0" }}
+        {{- $metricsHost := .Values.actionsMetrics.proxy.enabled | ternary "127.0.0.1" "0.0.0.0" }}
-        {{- $metricsPort := .Values.metrics.proxy.enabled | ternary "8080" .Values.metrics.port }}
+        {{- $metricsPort := .Values.actionsMetrics.proxy.enabled | ternary "8080" .Values.actionsMetrics.port }}
        - "--metrics-addr={{ $metricsHost }}:{{ $metricsPort }}"
        {{- if .Values.actionsMetricsServer.logLevel }}
        - "--log-level={{ .Values.actionsMetricsServer.logLevel }}"
@@ -50,6 +50,12 @@ spec:
        {{- end }}
        command:
        - "/actions-metrics-server"
        {{- if .Values.actionsMetricsServer.lifecycle }}
        {{- with .Values.actionsMetricsServer.lifecycle }}
        lifecycle:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        {{- end }}
        env:
        - name: GITHUB_WEBHOOK_SECRET_TOKEN
          valueFrom:
@@ -105,10 +111,14 @@ spec:
              name: {{ include "actions-runner-controller.secretName" . }}
              optional: true
        {{- end }}
        {{- if kindIs "slice" .Values.actionsMetricsServer.env }}
        {{- toYaml .Values.actionsMetricsServer.env | nindent 8 }}
        {{- else }}
        {{- range $key, $val := .Values.actionsMetricsServer.env }}
        - name: {{ $key }}
          value: {{ $val | quote }}
        {{- end }}
        {{- end }}
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag  | default (cat "v" .Chart.AppVersion | replace " " "") }}"
        name: actions-metrics-server
        imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -116,8 +126,8 @@ spec:
        - containerPort: 8000
          name: http
          protocol: TCP
-        {{- if not .Values.metrics.proxy.enabled }}
+        {{- if not .Values.actionsMetrics.proxy.enabled }}
-        - containerPort: {{ .Values.metrics.port }}
+        - containerPort: {{ .Values.actionsMetrics.port }}
          name: metrics-port
          protocol: TCP
        {{- end }}
@@ -125,24 +135,24 @@ spec:
          {{- toYaml .Values.actionsMetricsServer.resources | nindent 12 }}
        securityContext:
          {{- toYaml .Values.actionsMetricsServer.securityContext | nindent 12 }}
-      {{- if .Values.metrics.proxy.enabled }}
+      {{- if .Values.actionsMetrics.proxy.enabled }}
      - args:
-        - "--secure-listen-address=0.0.0.0:{{ .Values.metrics.port }}"
+        - "--secure-listen-address=0.0.0.0:{{ .Values.actionsMetrics.port }}"
        - "--upstream=http://127.0.0.1:8080/"
        - "--logtostderr=true"
        - "--v=10"
-        image: "{{ .Values.metrics.proxy.image.repository }}:{{ .Values.metrics.proxy.image.tag }}"
+        image: "{{ .Values.actionsMetrics.proxy.image.repository }}:{{ .Values.actionsMetrics.proxy.image.tag }}"
        name: kube-rbac-proxy
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        ports:
-        - containerPort: {{ .Values.metrics.port }}
+        - containerPort: {{ .Values.actionsMetrics.port }}
          name: metrics-port
        resources:
          {{- toYaml .Values.resources | nindent 12 }}
        securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
      {{- end }}
-      terminationGracePeriodSeconds: 10
+      terminationGracePeriodSeconds: {{ .Values.actionsMetricsServer.terminationGracePeriodSeconds }}
      {{- with .Values.actionsMetricsServer.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
--- a/charts/actions-runner-controller/templates/actionsmetrics.ingress.yaml.yml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.ingress.yaml.yml
@@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ $fullName }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.actionsMetricsServer.ingress.annotations }}
--- a/charts/actions-runner-controller/templates/actionsmetrics.role.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.role.yaml
@@ -0,0 +1,90 @@
 {{- if .Values.actionsMetricsServer.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  creationTimestamp: null
  name: {{ include "actions-runner-controller-actions-metrics-server.roleName" . }}
 rules:
 - apiGroups: 
  - actions.summerwind.dev
  resources:
  - horizontalrunnerautoscalers
  verbs:
  - get
  - list
  - patch
  - update
  - watch
 - apiGroups:
  - actions.summerwind.dev
  resources:
  - horizontalrunnerautoscalers/finalizers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
 - apiGroups:
  - actions.summerwind.dev
  resources:
  - horizontalrunnerautoscalers/status
  verbs:
  - get
  - patch
  - update
 - apiGroups:
  - actions.summerwind.dev
  resources:
  - runnersets
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - actions.summerwind.dev
  resources:
  - runnerdeployments
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
 - apiGroups:
  - actions.summerwind.dev
  resources:
  - runnerdeployments/finalizers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
 - apiGroups:
  - actions.summerwind.dev
  resources:
  - runnerdeployments/status
  verbs:
  - get
  - patch
  - update
 - apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
 - apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
 {{- end }}
--- a/charts/actions-runner-controller/templates/actionsmetrics.role_binding.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.role_binding.yaml
@@ -0,0 +1,14 @@
 {{- if .Values.actionsMetricsServer.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ include "actions-runner-controller-actions-metrics-server.roleName" . }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "actions-runner-controller-actions-metrics-server.roleName" . }}
 subjects:
  - kind: ServiceAccount
    name: {{ include "actions-runner-controller-actions-metrics-server.serviceAccountName" . }}
    namespace: {{ include "actions-runner-controller.namespace" . }}
 {{- end }}
--- a/charts/actions-runner-controller/templates/actionsmetrics.secrets.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.secrets.yaml
@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "actions-runner-controller-actions-metrics-server.secretName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 type: Opaque
--- a/charts/actions-runner-controller/templates/actionsmetrics.service.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.service.yaml
@@ -3,9 +3,9 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "actions-runner-controller-actions-metrics-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
-    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+    {{- include "actions-runner-controller-actions-metrics-server.selectorLabels" . | nindent 4 }}
 {{- if .Values.actionsMetricsServer.service.annotations }}
  annotations:
    {{ toYaml .Values.actionsMetricsServer.service.annotations | nindent 4 }}
@@ -16,11 +16,17 @@ spec:
    {{ range $_, $port := .Values.actionsMetricsServer.service.ports -}}
    - {{ $port | toYaml | nindent 6 }}
    {{- end }}
-    {{- if .Values.metrics.serviceMonitor }}
+    {{- if .Values.actionsMetrics.serviceMonitor.enable }}
    - name: metrics-port
-      port: {{ .Values.metrics.port }}
+      port: {{ .Values.actionsMetrics.port }}
      targetPort: metrics-port
    {{- end }}
  selector:
    {{- include "actions-runner-controller-actions-metrics-server.selectorLabels" . | nindent 4 }}
  {{- if .Values.actionsMetricsServer.service.loadBalancerSourceRanges }}
  loadBalancerSourceRanges:
    {{- range $ip := .Values.actionsMetricsServer.service.loadBalancerSourceRanges }}
    - {{ $ip -}}
    {{- end }}
  {{- end }}
 {{- end }}
--- a/charts/actions-runner-controller/templates/actionsmetrics.serviceaccount.yaml.yml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.serviceaccount.yaml.yml
@@ -4,7 +4,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "actions-runner-controller-actions-metrics-server.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.actionsMetricsServer.serviceAccount.annotations }}
--- a/charts/actions-runner-controller/templates/actionsmetrics.servicemonitor.yaml.yml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.servicemonitor.yaml.yml
@@ -1,14 +1,15 @@
-{{- if and .Values.actionsMetricsServer.enabled .Values.actionsMetrics.serviceMonitor }}
+{{- if and .Values.actionsMetricsServer.enabled .Values.actionsMetrics.serviceMonitor.enable }}
 {{- $servicemonitornamespace := .Values.actionsMetrics.serviceMonitor.namespace | default (include "actions-runner-controller.namespace" .) }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
-  {{- with .Values.actionsMetricsServer.serviceMonitorLabels }}
+  {{- with .Values.actionsMetrics.serviceMonitorLabels }}
    {{- toYaml . | nindent 4 }}
  {{- end }}
  name: {{ include "actions-runner-controller-actions-metrics-server.serviceMonitorName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $servicemonitornamespace }}
 spec:
  endpoints:
    - path: /metrics
@@ -19,6 +20,8 @@ spec:
      tlsConfig:
        insecureSkipVerify: true
      {{- end }}
      interval: {{ .Values.actionsMetrics.serviceMonitor.interval }}
      scrapeTimeout: {{ .Values.actionsMetrics.serviceMonitor.timeout }}
  selector:
    matchLabels:
      {{- include "actions-runner-controller-actions-metrics-server.selectorLabels" . | nindent 6 }}
--- a/charts/actions-runner-controller/templates/auth_proxy_role_binding.yaml
+++ b/charts/actions-runner-controller/templates/auth_proxy_role_binding.yaml
@@ -10,5 +10,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 {{- end }}
--- a/charts/actions-runner-controller/templates/certificate.yaml
+++ b/charts/actions-runner-controller/templates/certificate.yaml
@@ -6,7 +6,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: {{ include "actions-runner-controller.selfsignedIssuerName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
  selfSigned: {}
 ---
@@ -14,11 +14,11 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: {{ include "actions-runner-controller.servingCertName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
  dnsNames:
-  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ .Release.Namespace }}.svc
+  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ include "actions-runner-controller.namespace" . }}.svc
-  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ .Release.Namespace }}.svc.cluster.local
+  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ include "actions-runner-controller.namespace" . }}.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: {{ include "actions-runner-controller.selfsignedIssuerName" . }}
--- a/charts/actions-runner-controller/templates/controller.metrics.service.yaml
+++ b/charts/actions-runner-controller/templates/controller.metrics.service.yaml
@@ -4,7 +4,7 @@ metadata:
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  name: {{ include "actions-runner-controller.metricsServiceName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  {{- with .Values.metrics.serviceAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
--- a/charts/actions-runner-controller/templates/controller.metrics.serviceMonitor.yaml
+++ b/charts/actions-runner-controller/templates/controller.metrics.serviceMonitor.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.metrics.serviceMonitor }}
+{{- if .Values.metrics.serviceMonitor.enable }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -8,7 +8,7 @@ metadata:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  name: {{ include "actions-runner-controller.serviceMonitorName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
  endpoints:
    - path: /metrics
@@ -19,6 +19,8 @@ spec:
      tlsConfig:
        insecureSkipVerify: true
      {{- end }}
      interval: {{ .Values.metrics.serviceMonitor.interval }}
      scrapeTimeout: {{ .Values.metrics.serviceMonitor.timeout }}
  selector:
    matchLabels:
      {{- include "actions-runner-controller.selectorLabels" . | nindent 6 }}
--- a/charts/actions-runner-controller/templates/controller.pdb.yaml
+++ b/charts/actions-runner-controller/templates/controller.pdb.yaml
@@ -5,7 +5,7 @@ metadata:
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  name: {{ include "actions-runner-controller.pdbName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
  {{- if .Values.podDisruptionBudget.minAvailable }}
  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
--- a/charts/actions-runner-controller/templates/deployment.yaml
+++ b/charts/actions-runner-controller/templates/deployment.yaml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "actions-runner-controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
@@ -56,7 +56,7 @@ spec:
        - "--docker-registry-mirror={{ .Values.dockerRegistryMirror }}"
        {{- end }}
        {{- if .Values.scope.singleNamespace }}
-        - "--watch-namespace={{ default .Release.Namespace .Values.scope.watchNamespace }}"
+        - "--watch-namespace={{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}"
        {{- end }}
        {{- if .Values.logLevel }}
        - "--log-level={{ .Values.logLevel }}"
@@ -70,6 +70,9 @@ spec:
        {{- if .Values.logFormat  }}  
        - "--log-format={{ .Values.logFormat }}"
        {{- end }}
        {{- if .Values.dockerGID  }}
        - "--docker-gid={{ .Values.dockerGID }}"
        {{- end }}
        command:
        - "/manager"
        env:
@@ -211,3 +214,6 @@ spec:
      {{- if .Values.hostNetwork }}
      hostNetwork: {{ .Values.hostNetwork }}
      {{- end }}
      {{- if .Values.dnsPolicy }}
      dnsPolicy: {{ .Values.dnsPolicy }}
      {{- end }}
--- a/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml
@@ -3,7 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "actions-runner-controller-github-webhook-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
@@ -43,7 +43,7 @@ spec:
        - "--log-level={{ .Values.githubWebhookServer.logLevel }}"
        {{- end }}
        {{- if .Values.scope.singleNamespace }}
-        - "--watch-namespace={{ default .Release.Namespace .Values.scope.watchNamespace }}"
+        - "--watch-namespace={{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}"
        {{- end }}
        {{- if .Values.runnerGithubURL  }}
        - "--runner-github-url={{ .Values.runnerGithubURL }}"
@@ -117,10 +117,14 @@ spec:
              name: {{ include "actions-runner-controller.secretName" . }}
              optional: true
        {{- end }}
        {{- if kindIs "slice" .Values.githubWebhookServer.env }}
        {{- toYaml .Values.githubWebhookServer.env | nindent 8 }}
        {{- else }}
        {{- range $key, $val := .Values.githubWebhookServer.env }}
        - name: {{ $key }}
          value: {{ $val | quote }}
        {{- end }}
        {{- end }}
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag  | default (cat "v" .Chart.AppVersion | replace " " "") }}"
        name: github-webhook-server
        imagePullPolicy: {{ .Values.image.pullPolicy }}
--- a/charts/actions-runner-controller/templates/githubwebhook.ingress.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.ingress.yaml
@@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ $fullName }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.githubWebhookServer.ingress.annotations }}
--- a/charts/actions-runner-controller/templates/githubwebhook.pdb.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.pdb.yaml
@@ -5,7 +5,7 @@ metadata:
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  name: {{ include "actions-runner-controller-github-webhook-server.pdbName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
  {{- if .Values.githubWebhookServer.podDisruptionBudget.minAvailable }}
  minAvailable: {{ .Values.githubWebhookServer.podDisruptionBudget.minAvailable }}
--- a/charts/actions-runner-controller/templates/githubwebhook.role_binding.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.role_binding.yaml
@@ -10,5 +10,5 @@ roleRef:
 subjects:
  - kind: ServiceAccount
    name: {{ include "actions-runner-controller-github-webhook-server.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "actions-runner-controller.namespace" . }}
 {{- end }}
--- a/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml
@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "actions-runner-controller-github-webhook-server.secretName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 type: Opaque
--- a/charts/actions-runner-controller/templates/githubwebhook.service.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.service.yaml
@@ -3,9 +3,9 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "actions-runner-controller-github-webhook-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
-    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+    {{- include "actions-runner-controller-github-webhook-server.selectorLabels" . | nindent 4 }}
 {{- if .Values.githubWebhookServer.service.annotations }}
  annotations:
    {{ toYaml .Values.githubWebhookServer.service.annotations | nindent 4 }}
@@ -16,7 +16,7 @@ spec:
    {{ range $_, $port := .Values.githubWebhookServer.service.ports -}}
    - {{ $port | toYaml | nindent 6 }}
    {{- end }}
-    {{- if .Values.metrics.serviceMonitor }}
+    {{- if .Values.metrics.serviceMonitor.enable }}
    - name: metrics-port
      port: {{ .Values.metrics.port }}
      targetPort: metrics-port
--- a/charts/actions-runner-controller/templates/githubwebhook.serviceMonitor.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.serviceMonitor.yaml
@@ -1,4 +1,5 @@
-{{- if and .Values.githubWebhookServer.enabled .Values.metrics.serviceMonitor }}
+{{- if and .Values.githubWebhookServer.enabled .Values.metrics.serviceMonitor.enable }}
 {{- $servicemonitornamespace := .Values.actionsMetrics.serviceMonitor.namespace | default (include "actions-runner-controller.namespace" .) }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -8,7 +9,7 @@ metadata:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  name: {{ include "actions-runner-controller-github-webhook-server.serviceMonitorName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $servicemonitornamespace }}
 spec:
  endpoints:
    - path: /metrics
@@ -19,6 +20,8 @@ spec:
      tlsConfig:
        insecureSkipVerify: true
      {{- end }}
      interval: {{ .Values.metrics.serviceMonitor.interval }}
      scrapeTimeout: {{ .Values.metrics.serviceMonitor.timeout }}
  selector:
    matchLabels:
      {{- include "actions-runner-controller-github-webhook-server.selectorLabels" . | nindent 6 }}
--- a/charts/actions-runner-controller/templates/githubwebhook.serviceaccount.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.serviceaccount.yaml
@@ -4,7 +4,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "actions-runner-controller-github-webhook-server.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.githubWebhookServer.serviceAccount.annotations }}
--- a/charts/actions-runner-controller/templates/leader_election_role.yaml
+++ b/charts/actions-runner-controller/templates/leader_election_role.yaml
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 rules:
 - apiGroups:
  - ""
--- a/charts/actions-runner-controller/templates/leader_election_role_binding.yaml
+++ b/charts/actions-runner-controller/templates/leader_election_role_binding.yaml
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@@ -10,4 +10,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
--- a/charts/actions-runner-controller/templates/manager_role.yaml
+++ b/charts/actions-runner-controller/templates/manager_role.yaml
@@ -250,14 +250,6 @@ rules:
  - patch
  - update
  - watch
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
 {{- if .Values.runner.statusUpdateHook.enabled }}
 - apiGroups:
  - ""
@@ -311,11 +303,4 @@ rules:
  - list
  - create
  - delete
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
 {{- end }}
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`# actions-runner-controller maintainers`	`# actions-runner-controller maintainers`
	`* @mumoshu @toast-gear @actions/actions-runtime @nikola-jokic`	`* @mumoshu @toast-gear @actions/actions-launch @actions/actions-compute @nikola-jokic @rentziass`