Bump the actions group across 1 directory with 4 updates

Bumps the actions group with 4 updates in the / directory: [helm/chart-testing-action](https://github.com/helm/chart-testing-action), [helm/kind-action](https://github.com/helm/kind-action), [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) and [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action).


Updates `helm/chart-testing-action` from 2.7.0 to 2.8.0
- [Release notes](https://github.com/helm/chart-testing-action/releases)
- [Commits](0d28d3144d...6ec842c01d)

Updates `helm/kind-action` from 1.12.0 to 1.13.0
- [Release notes](https://github.com/helm/kind-action/releases)
- [Commits](a1b0e39133...92086f6be0)

Updates `docker/setup-qemu-action` from 3.6.0 to 3.7.0
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](29109295f8...c7c5346462)

Updates `golangci/golangci-lint-action` from 8.0.0 to 9.0.0
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](4afd733a84...0a35821d5c)

---
updated-dependencies:
- dependency-name: helm/chart-testing-action
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: helm/kind-action
  dependency-version: 1.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: docker/setup-qemu-action
  dependency-version: 3.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: golangci/golangci-lint-action
  dependency-version: 9.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/arc-publish-chart.yaml

@@ -63,7 +63,7 @@ jobs:
           python-version: "3.11"
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -79,7 +79,7 @@ jobs:
 
       - name: Create kind cluster
         if: steps.list-changed.outputs.changed == 'true'
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
+        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab
 
       # We need cert-manager already installed in the cluster because we assume the CRDs exist
       - name: Install cert-manager

.github/workflows/arc-release-runners.yaml

@@ -19,7 +19,7 @@ env:
   PUSH_TO_REGISTRIES: true
   TARGET_ORG: actions-runner-controller
   TARGET_WORKFLOW: release-runners.yaml
-  DOCKER_VERSION: 24.0.7
+  DOCKER_VERSION: 28.0.4
 
 concurrency:
   group: ${{ github.workflow }}

.github/workflows/arc-validate-chart.yaml

@@ -55,7 +55,7 @@ jobs:
           python-version: "3.11"
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -70,7 +70,7 @@ jobs:
           ct lint --config charts/.ci/ct-config.yaml
 
       - name: Create kind cluster
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
+        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab
         if: steps.list-changed.outputs.changed == 'true'
 
       # We need cert-manager already installed in the cluster because we assume the CRDs exist

.github/workflows/gha-e2e-tests.yaml

@@ -984,7 +984,7 @@ jobs:
               echo "5 pods are up!"
               break
             fi
-            if [[ "$count" -ge 12 ]]; then
+            if [[ "$count" -ge 30 ]]; then
               echo "Timeout waiting for 5 pods to be created"
               exit 1
             fi

.github/workflows/gha-publish-chart.yaml

@@ -72,7 +72,7 @@ jobs:
           echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435

.github/workflows/gha-validate-chart.yaml

@@ -51,7 +51,7 @@ jobs:
           python-version: "3.11"
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -88,7 +88,7 @@ jobs:
           cache-to: type=gha,mode=max
 
       - name: Create kind cluster
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
+        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab
         if: steps.list-changed.outputs.changed == 'true'
         with:
           cluster_name: chart-testing

.github/workflows/global-publish-canary.yaml

@@ -110,7 +110,7 @@ jobs:
           echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435

.github/workflows/go.yaml

@@ -48,7 +48,7 @@ jobs:
           go-version-file: "go.mod"
           cache: false
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9
+        uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47
         with:
           only-new-issues: true
           version: v2.5.0
@@ -78,7 +78,7 @@ jobs:
         run: git diff --exit-code
       - name: Install kubebuilder
         run: |
-          curl -D headers.txt -fsL "https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.26.1-linux-amd64.tar.gz" -o kubebuilder-tools
+          curl -D headers.txt -fsL "https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.30.0-linux-amd64.tar.gz" -o kubebuilder-tools
           echo "$(grep -i etag headers.txt -m 1 | cut -d'"' -f2) kubebuilder-tools" > sum
           md5sum -c sum
           tar -zvxf kubebuilder-tools

charts/dev/Chart.yaml

@@ -1,33 +0,0 @@
-apiVersion: v2
-name: gha-runner-scale-set
-description: A Helm chart for deploying an AutoScalingRunnerSet
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "0.13.0"
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "0.13.0"
-
-home: https://github.com/actions/actions-runner-controller
-
-sources:
-  - "https://github.com/actions/actions-runner-controller"
-
-maintainers:
-  - name: actions
-    url: https://github.com/actions

charts/dev/templates/_helpers.tpl

@@ -1,20 +0,0 @@
-{{- define "autoscaling-runner-set.name" -}}
-{{- $name := .Values.runnerScaleSetName | default .Release.Name | replace "_" "-" | trimSuffix "-" }}
-{{- if or (empty $name) (gt (len $name) 45) }}
-{{ fail "Autoscaling runner set name must have up to 45 characters" }}
-{{- end }}
-{{- $name }}
-{{- end }}
-
-{{- define "autoscaling-runner-set.namespace" -}}
-{{- .Values.namespaceOverride | default .Release.Namespace -}}
-{{- end }}
-
-
-{{- define "githubsecret.name" -}}
-{{- if not (empty .Values.auth.secretName) }}
-{{- quote .Values.auth.secretName }}
-{{- else }}
-{{- include "autoscaling-runner-set.name" . }}-github-secret
-{{- end }}
-{{- end }}

charts/dev/templates/autoscalingrunnserset.yaml

@@ -1,94 +0,0 @@
-apiVersion: actions.github.com/v1alpha1
-kind: AutoscalingRunnerSet
-metadata:
-  name: {{ include "autoscaling-runner-set.name" . | quote }}
-  namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
-spec:
-  githubConfigUrl: {{ required ".Values.auth.url is required" (trimSuffix "/" .Values.auth.url) | quote }}
-  githubConfigSecret: {{ include "githubsecret.name" . | quote }}
-  runnerGroup: {{ .Values.scaleset.runnerGroup | quote }}
-
-  {{- if .Values.githubServerTLS }}
-  githubServerTLS:
-    {{- with .Values.githubServerTLS.certificateFrom }}
-    certificateFrom:
-      configMapKeyRef:
-        name: {{ .configMapKeyRef.name }}
-        key: {{ .configMapKeyRef.key }}
-    {{- end }}
-  {{- end }}
-
-  {{- if and .Values.keyVault .Values.keyVault.type }}
-  vaultConfig:
-    type: {{ .Values.keyVault.type }}
-    {{- if .Values.keyVault.proxy }}
-    proxy: {{- toYaml .Values.keyVault.proxy | nindent 6 }}
-    {{- end }}
-    {{- if eq .Values.keyVault.type "azure_key_vault" }}
-    azureKeyVault:
-      url: {{ .Values.keyVault.azureKeyVault.url }}
-      tenantId: {{ .Values.keyVault.azureKeyVault.tenantId }}
-      clientId: {{ .Values.keyVault.azureKeyVault.clientId }}
-      certificatePath: {{ .Values.keyVault.azureKeyVault.certificatePath }}
-      secretKey: {{ .Values.keyVault.azureKeyVault.secretKey }}
-    {{- else }}
-    {{- fail "Unsupported keyVault type: " .Values.keyVault.type }}
-    {{- end }}
-  {{- end }}
-
-  {{- if .Values.proxy }}
-  proxy:
-    {{- if .Values.proxy.http }}
-    http:
-      url: {{ .Values.proxy.http.url }}
-      {{- if .Values.proxy.http.credentialSecretRef }}
-      credentialSecretRef: {{ .Values.proxy.http.credentialSecretRef }}
-      {{- end }}
-    {{- end }}
-    {{- if .Values.proxy.https }}
-    https:
-      url: {{ .Values.proxy.https.url }}
-      {{- if .Values.proxy.https.credentialSecretRef }}
-      credentialSecretRef: {{ .Values.proxy.https.credentialSecretRef }}
-      {{- end }}
-    {{- end }}
-    {{- if and .Values.proxy.noProxy (kindIs "slice" .Values.proxy.noProxy) }}
-    noProxy: {{ .Values.proxy.noProxy | toYaml | nindent 6}}
-    {{- end }}
-  {{- end }}
-
-  {{- if and (or (kindIs "int64" .Values.scaleset.minRunners) (kindIs "float64" .Values.scaleset.minRunners)) (or (kindIs "int64" .Values.scaleset.maxRunners) (kindIs "float64" .Values.scaleset.maxRunners)) }}
-    {{- if gt .Values.scaleset.minRunners .Values.scaleset.maxRunners }}
-      {{- fail "maxRunners has to be greater or equal to minRunners" }}
-    {{- end }}
-  {{- end }}
-
-  {{- if or (kindIs "int64" .Values.scaleset.maxRunners) (kindIs "float64" .Values.scaleset.maxRunners)}}
-    {{- if lt (.Values.scaleset.maxRunners | int) 0 }}
-      {{- fail "maxRunners has to be greater or equal to 0" }}
-    {{- end }}
-  maxRunners: {{ .Values.scaleset.maxRunners | int }}
-  {{- end }}
-
-  {{- if or (kindIs "int64" .Values.scaleset.minRunners) (kindIs "float64" .Values.scaleset.minRunners) }}
-    {{- if lt (.Values.scaleset.minRunners | int) 0 }}
-      {{- fail "minRunners has to be greater or equal to 0" }}
-    {{- end }}
-  minRunners: {{ .Values.scaleset.minRunners | int }}
-  {{- end }}
-
-  {{- with .Values.listenerPodTemplate }}
-  listenerTemplate:
-    {{- toYaml . | nindent 4}}
-  {{- end }}
-
-  {{- with .Values.listenerMetrics }}
-  listenerMetrics:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-
-  template:
-    spec:
-      containers:
-        - name: runner
-          {{- include "runner-container-spec" . | nindent 10 }}

charts/dev/values.yaml

@@ -1,276 +0,0 @@
-## By default .Release.namespace is used
-namespaceOverride: ""
-# Name of the scaleset
-scaleset:
-  name: ""
-  runnerGroup: "default"
-  ## minRunners is the min number of idle runners. The target number of runners created will be
-  ## calculated as a sum of minRunners and the number of jobs assigned to the scale set.
-  # min_runners: 0
-  ## maxRunners is the max number of runners the autoscaling runner set will scale up to.
-  # max_runners: 5
-
-# Auth object provides authorization parameters.
-# You should apply either:
-# 1) secretName referencing the secret containing authorization parameters in the same namespace where the scale set is being installed in
-# 2) app object parameters
-# 3) github_tokne
-#
-# If multiple of them are set, only single one will be applied based on the above mentioned order.
-auth:
-  url: "" # Required
-  githubToken: ""
-  secretName: ""
-  app:
-    clientId: ""
-    installationId: ""
-    privateKey: ""
-#
-## proxy can be used to define proxy settings that will be used by the
-## controller, the listener and the runner of this scale set.
-#
-# proxy:
-#   http:
-#     url: http://proxy.com:1234
-#     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
-#   https:
-#     url: http://proxy.com:1234
-#     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
-#   noProxy:
-#     - example.com
-#     - example.org
-
-## listenerTemplate is the PodSpec for each listener Pod
-## For reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec
-# listenerPodTemplate:
-#   spec:
-#     containers:
-#     # Use this section to append additional configuration to the listener container.
-#     # If you change the name of the container, the configuration will not be applied to the listener,
-#     # and it will be treated as a side-car container.
-#     - name: listener
-#       securityContext:
-#         runAsUser: 1000
-#     # Use this section to add the configuration of a side-car container.
-#     # Comment it out or remove it if you don't need it.
-#     # Spec for this container will be applied as is without any modifications.
-#     - name: side-car
-#       image: example-sidecar
-
-# Template applied for the runner container
-runner:
-  # metadata:
-  #   labels: []
-  #   annotations: []
-
-  # container field is applied to the container named "runner". You cannot override the name of the runner container
-  container:
-    image: "ghcr.io/actions/actions-runner:latest"
-    command: ["/home/runner/run.sh"]
-
-  dind:
-    # If default is set to true, we will expand the default spec for the `dind` container, and you can provide fields to override them
-    default: true
-
-  kubernetesMode:
-    default: true
-    serviceAccountName: ""
-    extension: {}
-## A self-signed CA certificate for communication with the GitHub server can be
-## provided using a config map key selector. If `runnerMountPath` is set, for
-## each runner pod ARC will:
-## - create a `github-server-tls-cert` volume containing the certificate
-##   specified in `certificateFrom`
-## - mount that volume on path `runnerMountPath`/{certificate name}
-## - set NODE_EXTRA_CA_CERTS environment variable to that same path
-## - set RUNNER_UPDATE_CA_CERTS environment variable to "1" (as of version
-##   2.303.0 this will instruct the runner to reload certificates on the host)
-##
-## If any of the above had already been set by the user in the runner pod
-## template, ARC will observe those and not overwrite them.
-## Example configuration:
-#
-# githubServerTLS:
-#   certificateFrom:
-#     configMapKeyRef:
-#       name: config-map-name
-#       key: ca.crt
-#   runnerMountPath: /usr/local/share/ca-certificates/
-
-## keyVault object if applied switches from the kubernetes secrets to the vault provider defined in `keyVault.type`
-## Secret name is used to resolve the secret inside the vault
-# keyVault:
-# Available values: "azure_key_vault"
-# type: ""
-# Configuration related to azure key vault
-# azure_key_vault:
-#   url: ""
-#   client_id: ""
-#   tenant_id: ""
-#   certificate_path: ""
-# proxy:
-#   http:
-#     url: http://proxy.com:1234
-#     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
-#   https:
-#     url: http://proxy.com:1234
-#     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
-#   noProxy:
-#     - example.com
-#     - example.org
-
-## listenerMetrics are configurable metrics applied to the listener.
-## In order to avoid helm merging these fields, we left the metrics commented out.
-## When configuring metrics, please uncomment the listenerMetrics object below.
-## You can modify the configuration to remove the label or specify custom buckets for histogram.
-##
-## If the buckets field is not specified, the default buckets will be applied. Default buckets are
-## provided here for documentation purposes
-# listenerMetrics:
-#   counters:
-#     gha_started_jobs_total:
-#       labels:
-#         ["repository", "organization", "enterprise", "job_name", "event_name", "job_workflow_ref", "job_workflow_name", "job_workflow_target"]
-#     gha_completed_jobs_total:
-#       labels:
-#         [
-#           "repository",
-#           "organization",
-#           "enterprise",
-#           "job_name",
-#           "event_name",
-#           "job_result",
-#           "job_workflow_ref",
-#           "job_workflow_name",
-#           "job_workflow_target",
-#         ]
-#   gauges:
-#     gha_assigned_jobs:
-#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
-#     gha_running_jobs:
-#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
-#     gha_registered_runners:
-#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
-#     gha_busy_runners:
-#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
-#     gha_min_runners:
-#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
-#     gha_max_runners:
-#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
-#     gha_desired_runners:
-#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
-#     gha_idle_runners:
-#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
-#   histograms:
-#     gha_job_startup_duration_seconds:
-#       labels:
-#         ["repository", "organization", "enterprise", "job_name", "event_name","job_workflow_ref", "job_workflow_name", "job_workflow_target"]
-#       buckets:
-#         [
-#           0.01,
-#           0.05,
-#           0.1,
-#           0.5,
-#           1.0,
-#           2.0,
-#           3.0,
-#           4.0,
-#           5.0,
-#           6.0,
-#           7.0,
-#           8.0,
-#           9.0,
-#           10.0,
-#           12.0,
-#           15.0,
-#           18.0,
-#           20.0,
-#           25.0,
-#           30.0,
-#           40.0,
-#           50.0,
-#           60.0,
-#           70.0,
-#           80.0,
-#           90.0,
-#           100.0,
-#           110.0,
-#           120.0,
-#           150.0,
-#           180.0,
-#           210.0,
-#           240.0,
-#           300.0,
-#           360.0,
-#           420.0,
-#           480.0,
-#           540.0,
-#           600.0,
-#           900.0,
-#           1200.0,
-#           1800.0,
-#           2400.0,
-#           3000.0,
-#           3600.0,
-#         ]
-#     gha_job_execution_duration_seconds:
-#       labels:
-#         [
-#           "repository",
-#           "organization",
-#           "enterprise",
-#           "job_name",
-#           "event_name",
-#           "job_result",
-#           "job_workflow_ref",
-#           "job_workflow_name",
-#           "job_workflow_target"
-#         ]
-#       buckets:
-#         [
-#           0.01,
-#           0.05,
-#           0.1,
-#           0.5,
-#           1.0,
-#           2.0,
-#           3.0,
-#           4.0,
-#           5.0,
-#           6.0,
-#           7.0,
-#           8.0,
-#           9.0,
-#           10.0,
-#           12.0,
-#           15.0,
-#           18.0,
-#           20.0,
-#           25.0,
-#           30.0,
-#           40.0,
-#           50.0,
-#           60.0,
-#           70.0,
-#           80.0,
-#           90.0,
-#           100.0,
-#           110.0,
-#           120.0,
-#           150.0,
-#           180.0,
-#           210.0,
-#           240.0,
-#           300.0,
-#           360.0,
-#           420.0,
-#           480.0,
-#           540.0,
-#           600.0,
-#           900.0,
-#           1200.0,
-#           1800.0,
-#           2400.0,
-#           3000.0,
-#           3600.0,
-#         ]

controllers/actions.github.com/ephemeralrunner_controller.go

@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"net/http"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
@@ -282,7 +283,34 @@ func (r *EphemeralRunnerReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		case kerrors.IsAlreadyExists(err):
 			log.Info("Runner pod already exists. Waiting for the pod event to be received")
 			return ctrl.Result{Requeue: true, RequeueAfter: 5 * time.Second}, nil
-		case kerrors.IsInvalid(err) || kerrors.IsForbidden(err):
+		case kerrors.IsInvalid(err):
+			log.Error(err, "Failed to create a pod due to unrecoverable failure")
+			errMessage := fmt.Sprintf("Failed to create the pod: %v", err)
+			if err := r.markAsFailed(ctx, ephemeralRunner, errMessage, ReasonInvalidPodFailure, log); err != nil {
+				log.Error(err, "Failed to set ephemeral runner to phase Failed")
+				return ctrl.Result{}, err
+			}
+			return ctrl.Result{}, nil
+		case kerrors.IsForbidden(err):
+			if status, ok := err.(kerrors.APIStatus); ok || errors.As(err, &status) {
+				isResourceQuotaExceeded := strings.Contains(status.Status().Message, "exceeded quota:")
+				isAboutToExpire := ephemeralRunner.CreationTimestamp.Time.Add(10 * time.Minute).Before(time.Now())
+				switch {
+				case isResourceQuotaExceeded && isAboutToExpire:
+					log.Error(err, "Failed to create a pod due to resource quota exceeded and the ephemeral runner is about to expire; re-creating the ephemeral runner")
+					if err := r.Delete(ctx, ephemeralRunner); err != nil {
+						log.Error(err, "Failed to delete the ephemeral runner")
+						return ctrl.Result{}, err
+					}
+					return ctrl.Result{}, nil
+				case isResourceQuotaExceeded:
+					log.Error(err, "Resource quota is exceeded; requeue in 30s to retry pod creation")
+					return ctrl.Result{RequeueAfter: 30 * time.Second}, nil
+				default:
+					// other forbidden errors
+					// fallthrough to the default handling below
+				}
+			}
 			log.Error(err, "Failed to create a pod due to unrecoverable failure")
 			errMessage := fmt.Sprintf("Failed to create the pod: %v", err)
 			if err := r.markAsFailed(ctx, ephemeralRunner, errMessage, ReasonInvalidPodFailure, log); err != nil {

controllers/actions.github.com/resourcebuilder.go

@@ -690,20 +690,28 @@ func scaleSetListenerConfigName(autoscalingListener *v1alpha1.AutoscalingListene
 	return fmt.Sprintf("%s-config", autoscalingListener.Name)
 }
 
-func scaleSetListenerName(autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet) string {
-	namespaceHash := hash.FNVHashString(autoscalingRunnerSet.Namespace)
+func hashSuffix(namespace, runnerGroup, configURL string) string {
+	namespaceHash := hash.FNVHashString(namespace + "@" + runnerGroup + "@" + configURL)
 	if len(namespaceHash) > 8 {
 		namespaceHash = namespaceHash[:8]
 	}
-	return fmt.Sprintf("%v-%v-listener", autoscalingRunnerSet.Name, namespaceHash)
+	return namespaceHash
+}
+
+func scaleSetListenerName(autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet) string {
+	return fmt.Sprintf(
+		"%v-%v-listener",
+		autoscalingRunnerSet.Name,
+		hashSuffix(
+			autoscalingRunnerSet.Namespace,
+			autoscalingRunnerSet.Spec.RunnerGroup,
+			autoscalingRunnerSet.Spec.GitHubConfigUrl,
+		),
+	)
 }
 
 func proxyListenerSecretName(autoscalingListener *v1alpha1.AutoscalingListener) string {
-	namespaceHash := hash.FNVHashString(autoscalingListener.Spec.AutoscalingRunnerSetNamespace)
-	if len(namespaceHash) > 8 {
-		namespaceHash = namespaceHash[:8]
-	}
-	return fmt.Sprintf("%v-%v-listener-proxy", autoscalingListener.Spec.AutoscalingRunnerSetName, namespaceHash)
+	return autoscalingListener.Name + "-proxy"
 }
 
 func proxyEphemeralRunnerSetSecretName(ephemeralRunnerSet *v1alpha1.EphemeralRunnerSet) string {

runner/Makefile

@@ -8,7 +8,7 @@ TARGETPLATFORM ?= $(shell arch)
 
 RUNNER_VERSION ?= 2.329.0
 RUNNER_CONTAINER_HOOKS_VERSION ?= 0.8.0
-DOCKER_VERSION ?= 24.0.7
+DOCKER_VERSION ?= 28.0.4
 
 # default list of platforms for which multiarch image is built
 ifeq (${PLATFORMS}, )

runner/actions-runner-dind-rootless.ubuntu-20.04.dockerfile

@@ -5,7 +5,7 @@ ARG RUNNER_VERSION
 ARG RUNNER_CONTAINER_HOOKS_VERSION
 # Docker and Docker Compose arguments
 ENV CHANNEL=stable
-ARG DOCKER_COMPOSE_VERSION=v2.23.0
+ARG DOCKER_COMPOSE_VERSION=v2.38.2
 ARG DUMB_INIT_VERSION=1.2.5
 
 # Other arguments

runner/actions-runner-dind-rootless.ubuntu-22.04.dockerfile

@@ -5,7 +5,7 @@ ARG RUNNER_VERSION
 ARG RUNNER_CONTAINER_HOOKS_VERSION
 # Docker and Docker Compose arguments
 ENV CHANNEL=stable
-ARG DOCKER_COMPOSE_VERSION=v2.23.0
+ARG DOCKER_COMPOSE_VERSION=v2.38.2
 ARG DUMB_INIT_VERSION=1.2.5
 ARG RUNNER_USER_UID=1001
 

runner/actions-runner-dind-rootless.ubuntu-24.04.dockerfile

@@ -5,7 +5,7 @@ ARG RUNNER_VERSION
 ARG RUNNER_CONTAINER_HOOKS_VERSION
 # Docker and Docker Compose arguments
 ENV CHANNEL=stable
-ARG DOCKER_COMPOSE_VERSION=v2.23.0
+ARG DOCKER_COMPOSE_VERSION=v2.38.2
 ARG DUMB_INIT_VERSION=1.2.5
 ARG RUNNER_USER_UID=1001
 

runner/actions-runner-dind.ubuntu-20.04.dockerfile

@@ -5,8 +5,8 @@ ARG RUNNER_VERSION
 ARG RUNNER_CONTAINER_HOOKS_VERSION
 # Docker and Docker Compose arguments
 ARG CHANNEL=stable
-ARG DOCKER_VERSION=24.0.7
-ARG DOCKER_COMPOSE_VERSION=v2.23.0
+ARG DOCKER_VERSION=28.0.4
+ARG DOCKER_COMPOSE_VERSION=v2.38.2
 ARG DUMB_INIT_VERSION=1.2.5
 
 # Use 1001 and 121 for compatibility with GitHub-hosted runners

runner/actions-runner-dind.ubuntu-22.04.dockerfile

@@ -5,8 +5,8 @@ ARG RUNNER_VERSION
 ARG RUNNER_CONTAINER_HOOKS_VERSION
 # Docker and Docker Compose arguments
 ARG CHANNEL=stable
-ARG DOCKER_VERSION=24.0.7
-ARG DOCKER_COMPOSE_VERSION=v2.23.0
+ARG DOCKER_VERSION=28.0.4
+ARG DOCKER_COMPOSE_VERSION=v2.38.2
 ARG DUMB_INIT_VERSION=1.2.5
 ARG RUNNER_USER_UID=1001
 ARG DOCKER_GROUP_GID=121

runner/actions-runner-dind.ubuntu-24.04.dockerfile

@@ -5,8 +5,8 @@ ARG RUNNER_VERSION
 ARG RUNNER_CONTAINER_HOOKS_VERSION
 # Docker and Docker Compose arguments
 ARG CHANNEL=stable
-ARG DOCKER_VERSION=24.0.7
-ARG DOCKER_COMPOSE_VERSION=v2.23.0
+ARG DOCKER_VERSION=28.0.4
+ARG DOCKER_COMPOSE_VERSION=v2.38.2
 ARG DUMB_INIT_VERSION=1.2.5
 ARG RUNNER_USER_UID=1001
 ARG DOCKER_GROUP_GID=121

runner/actions-runner.ubuntu-20.04.dockerfile

@@ -5,8 +5,8 @@ ARG RUNNER_VERSION
 ARG RUNNER_CONTAINER_HOOKS_VERSION
 # Docker and Docker Compose arguments
 ARG CHANNEL=stable
-ARG DOCKER_VERSION=24.0.7
-ARG DOCKER_COMPOSE_VERSION=v2.23.0
+ARG DOCKER_VERSION=28.0.4
+ARG DOCKER_COMPOSE_VERSION=v2.38.2
 ARG DUMB_INIT_VERSION=1.2.5
 
 # Use 1001 and 121 for compatibility with GitHub-hosted runners

runner/actions-runner.ubuntu-22.04.dockerfile

@@ -5,8 +5,8 @@ ARG RUNNER_VERSION
 ARG RUNNER_CONTAINER_HOOKS_VERSION
 # Docker and Docker Compose arguments
 ARG CHANNEL=stable
-ARG DOCKER_VERSION=24.0.7
-ARG DOCKER_COMPOSE_VERSION=v2.23.0
+ARG DOCKER_VERSION=28.0.4
+ARG DOCKER_COMPOSE_VERSION=v2.38.2
 ARG DUMB_INIT_VERSION=1.2.5
 ARG RUNNER_USER_UID=1001
 ARG DOCKER_GROUP_GID=121

runner/actions-runner.ubuntu-24.04.dockerfile

@@ -5,8 +5,8 @@ ARG RUNNER_VERSION
 ARG RUNNER_CONTAINER_HOOKS_VERSION
 # Docker and Docker Compose arguments
 ARG CHANNEL=stable
-ARG DOCKER_VERSION=24.0.7
-ARG DOCKER_COMPOSE_VERSION=v2.23.0
+ARG DOCKER_VERSION=28.0.4
+ARG DOCKER_COMPOSE_VERSION=v2.38.2
 ARG DUMB_INIT_VERSION=1.2.5
 ARG RUNNER_USER_UID=1001
 ARG DOCKER_GROUP_GID=121

test/e2e/e2e_test.go

@@ -455,7 +455,7 @@ func buildVars(repo, ubuntuVer string) vars {
 		runnerRootlessDindImage     = testing.Img(runnerRootlessDindImageRepo, runnerImageTag)
 
 		dindSidecarImageRepo = "docker"
-		dindSidecarImageTag  = "24.0.7-dind"
+		dindSidecarImageTag  = "28.0.4-dind"
 		dindSidecarImage     = testing.Img(dindSidecarImageRepo, dindSidecarImageTag)
 	)