Bump the actions group across 1 directory with 5 updates

Bumps the actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `5` | `6` |
| [helm/kind-action](https://github.com/helm/kind-action) | `1.13.0` | `1.14.0` |
| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3.11.1` | `3.12.0` |
| [docker/login-action](https://github.com/docker/login-action) | `3.6.0` | `3.7.0` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `6.18.0` | `6.19.2` |



Updates `actions/checkout` from 5 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

Updates `helm/kind-action` from 1.13.0 to 1.14.0
- [Release notes](https://github.com/helm/kind-action/releases)
- [Commits](92086f6be0...ef37e7f390)

Updates `docker/setup-buildx-action` from 3.11.1 to 3.12.0
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](e468171a9d...8d2750c68a)

Updates `docker/login-action` from 3.6.0 to 3.7.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](5e57cd1181...c94ce9fb46)

Updates `docker/build-push-action` from 6.18.0 to 6.19.2
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](263435318d...10e90e3645)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: helm/kind-action
  dependency-version: 1.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: docker/setup-buildx-action
  dependency-version: 3.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: docker/login-action
  dependency-version: 3.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: docker/build-push-action
  dependency-version: 6.19.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/actions/execute-assert-arc-e2e/action.yaml

@@ -1,215 +0,0 @@
-name: 'Execute and Assert ARC E2E Test Action'
-description: 'Queue E2E test workflow and assert workflow run result to be succeed'
-
-inputs:
-  auth-token:
-    description: 'GitHub access token to queue workflow run'
-    required: true
-  repo-owner:
-    description: "The repository owner name that has the test workflow file, ex: actions"
-    required: true
-  repo-name:
-    description: "The repository name that has the test workflow file, ex: test"
-    required: true
-  workflow-file:
-    description: 'The file name of the workflow yaml, ex: test.yml'
-    required: true
-  arc-name:
-    description: 'The name of the configured gha-runner-scale-set'
-    required: true
-  arc-namespace:
-    description: 'The namespace of the configured gha-runner-scale-set'
-    required: true
-  arc-controller-namespace:
-    description: 'The namespace of the configured gha-runner-scale-set-controller'
-    required: true
-  wait-to-finish:
-    description: 'Wait for the workflow run to finish'
-    required: true
-    default: "true"
-  wait-to-running:
-    description: 'Wait for the workflow run to start running'
-    required: true
-    default: "false"
-
-runs:
-  using: "composite"
-  steps:
-    - name: Queue test workflow
-      shell: bash
-      id: queue_workflow
-      run: |
-        queue_time=`date +%FT%TZ`
-        echo "queue_time=$queue_time" >> $GITHUB_OUTPUT
-        curl -X POST https://api.github.com/repos/${{inputs.repo-owner}}/${{inputs.repo-name}}/actions/workflows/${{inputs.workflow-file}}/dispatches \
-        -H "Accept: application/vnd.github.v3+json" \
-        -H "Authorization: token ${{inputs.auth-token}}" \
-        -d '{"ref": "main", "inputs": { "arc_name": "${{inputs.arc-name}}" } }'
-
-    - name: Fetch workflow run & job ids
-      uses: actions/github-script@v7
-      id: query_workflow
-      with:
-        script: |
-          // Try to find the workflow run triggered by the previous step using the workflow_dispatch event.
-          // - Find recently create workflow runs in the test repository
-          // - For each workflow run, list its workflow job and see if the job's labels contain `inputs.arc-name`
-          // - Since the inputs.arc-name should be unique per e2e workflow run, once we find the job with the label, we find the workflow that we just triggered.
-          function sleep(ms) {
-            return new Promise(resolve => setTimeout(resolve, ms))
-          }
-          const owner = '${{inputs.repo-owner}}'
-          const repo = '${{inputs.repo-name}}'
-          const workflow_id = '${{inputs.workflow-file}}'
-          let workflow_run_id = 0
-          let workflow_job_id = 0
-          let workflow_run_html_url = ""
-          let count = 0
-          while (count++<12) {
-            await sleep(10 * 1000);
-            let listRunResponse = await github.rest.actions.listWorkflowRuns({
-              owner: owner,
-              repo: repo,
-              workflow_id: workflow_id,
-              created: '>${{steps.queue_workflow.outputs.queue_time}}'
-            })
-            if (listRunResponse.data.total_count > 0) {
-              console.log(`Found some new workflow runs for ${workflow_id}`)
-              for (let i = 0; i<listRunResponse.data.total_count; i++) {
-                let workflowRun = listRunResponse.data.workflow_runs[i]
-                console.log(`Check if workflow run ${workflowRun.id} is triggered by us.`)
-                let listJobResponse = await github.rest.actions.listJobsForWorkflowRun({
-                  owner: owner,
-                  repo: repo,
-                  run_id: workflowRun.id
-                })
-                console.log(`Workflow run ${workflowRun.id} has ${listJobResponse.data.total_count} jobs.`)
-                if (listJobResponse.data.total_count > 0) {
-                  for (let j = 0; j<listJobResponse.data.total_count; j++) {
-                    let workflowJob = listJobResponse.data.jobs[j]
-                    console.log(`Check if workflow job ${workflowJob.id} is triggered by us.`)
-                    console.log(JSON.stringify(workflowJob.labels));
-                    if (workflowJob.labels.includes('${{inputs.arc-name}}')) {
-                      console.log(`Workflow job ${workflowJob.id} (Run id: ${workflowJob.run_id}) is triggered by us.`)
-                      workflow_run_id = workflowJob.run_id
-                      workflow_job_id = workflowJob.id
-                      workflow_run_html_url = workflowRun.html_url
-                      break
-                    }
-                  }
-                }
-
-                if (workflow_job_id > 0) {
-                  break;
-                }
-              }
-            }
-
-            if (workflow_job_id > 0) {
-              break;
-            }
-          }
-          if (workflow_job_id == 0) {
-            core.setFailed(`Can't find workflow run and workflow job triggered to 'runs-on ${{inputs.arc-name}}'`)
-          } else {
-            core.setOutput('workflow_run', workflow_run_id);
-            core.setOutput('workflow_job', workflow_job_id);
-            core.setOutput('workflow_run_url', workflow_run_html_url);
-          }
-
-    - name: Generate summary about the triggered workflow run
-      shell: bash
-      run: |
-        cat <<-EOF > $GITHUB_STEP_SUMMARY
-        | **Triggered workflow run** |
-        |:--------------------------:|
-        | ${{steps.query_workflow.outputs.workflow_run_url}} |
-        EOF
-
-    - name: Wait for workflow to start running
-      if: inputs.wait-to-running == 'true' && inputs.wait-to-finish == 'false'
-      uses: actions/github-script@v7
-      with:
-        script: |
-          function sleep(ms) {
-            return new Promise(resolve => setTimeout(resolve, ms))
-          }
-          const owner = '${{inputs.repo-owner}}'
-          const repo = '${{inputs.repo-name}}'
-          const workflow_run_id = ${{steps.query_workflow.outputs.workflow_run}}
-          const workflow_job_id = ${{steps.query_workflow.outputs.workflow_job}}
-          let count = 0
-          while (count++<10) {
-            await sleep(30 * 1000);
-            let getRunResponse = await github.rest.actions.getWorkflowRun({
-              owner: owner,
-              repo: repo,
-              run_id: workflow_run_id
-            })
-            console.log(`${getRunResponse.data.html_url}: ${getRunResponse.data.status} (${getRunResponse.data.conclusion})`);
-            if (getRunResponse.data.status == 'in_progress') {
-              console.log(`Workflow run is in progress.`)
-              return
-            }
-          }
-          core.setFailed(`The triggered workflow run didn't start properly using ${{inputs.arc-name}}`)
-
-    - name: Wait for workflow to finish successfully
-      if: inputs.wait-to-finish == 'true'
-      uses: actions/github-script@v7
-      with:
-        script: |
-          // Wait 5 minutes and make sure the workflow run we triggered completed with result 'success'
-          function sleep(ms) {
-            return new Promise(resolve => setTimeout(resolve, ms))
-          }
-          const owner = '${{inputs.repo-owner}}'
-          const repo = '${{inputs.repo-name}}'
-          const workflow_run_id = ${{steps.query_workflow.outputs.workflow_run}}
-          const workflow_job_id = ${{steps.query_workflow.outputs.workflow_job}}
-          let count = 0
-          while (count++<10) {
-            await sleep(30 * 1000);
-            let getRunResponse = await github.rest.actions.getWorkflowRun({
-              owner: owner,
-              repo: repo,
-              run_id: workflow_run_id
-            })
-            console.log(`${getRunResponse.data.html_url}: ${getRunResponse.data.status} (${getRunResponse.data.conclusion})`);
-            if (getRunResponse.data.status == 'completed') {
-              if ( getRunResponse.data.conclusion == 'success') {
-                console.log(`Workflow run finished properly.`)
-                return
-              } else {
-                core.setFailed(`The triggered workflow run finish with result ${getRunResponse.data.conclusion}`)
-                return
-              }
-            }
-          }
-          core.setFailed(`The triggered workflow run didn't finish properly using ${{inputs.arc-name}}`)
-
-    - name: Gather listener logs
-      shell: bash
-      if: always()
-      run: |
-        LISTENER_POD="$(kubectl get autoscalinglisteners.actions.github.com -n arc-systems -o jsonpath='{.items[*].metadata.name}')"
-        kubectl logs $LISTENER_POD -n ${{inputs.arc-controller-namespace}}
-    
-    - name: Gather coredns logs
-      shell: bash
-      if: always()
-      run: |
-        kubectl logs deployments/coredns -n kube-system 
-
-    - name: cleanup
-      if: inputs.wait-to-finish == 'true'
-      shell: bash
-      run: |
-        helm uninstall ${{ inputs.arc-name }} --namespace ${{inputs.arc-namespace}} --debug
-        kubectl wait --timeout=30s --for=delete AutoScalingRunnerSet -n ${{inputs.arc-namespace}} -l app.kubernetes.io/instance=${{ inputs.arc-name }}
-
-    - name: Gather controller logs
-      shell: bash
-      if: always()
-      run: |
-        kubectl logs deployment/arc-gha-rs-controller -n ${{inputs.arc-controller-namespace}}

.github/actions/setup-arc-e2e/action.yaml

@@ -1,65 +0,0 @@
-name: "Setup ARC E2E Test Action"
-description: "Build controller image, create kind cluster, load the image, and exchange ARC configure token."
-
-inputs:
-  app-id:
-    description: "GitHub App Id for exchange access token"
-    required: true
-  app-pk:
-    description: "GitHub App private key for exchange access token"
-    required: true
-  image-name:
-    description: "Local docker image name for building"
-    required: true
-  image-tag:
-    description: "Tag of ARC Docker image for building"
-    required: true
-  target-org:
-    description: "The test organization for ARC e2e test"
-    required: true
-
-outputs:
-  token:
-    description: "Token to use for configure ARC"
-    value: ${{steps.config-token.outputs.token}}
-
-runs:
-  using: "composite"
-  steps:
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
-      with:
-        # Pinning v0.9.1 for Buildx and BuildKit v0.10.6
-        # BuildKit v0.11 which has a bug causing intermittent
-        # failures pushing images to GHCR
-        version: v0.9.1
-        driver-opts: image=moby/buildkit:v0.10.6
-
-    - name: Build controller image
-      # https://github.com/docker/build-push-action/releases/tag/v6.15.0
-      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
-      with:
-        file: Dockerfile
-        platforms: linux/amd64
-        load: true
-        build-args: |
-          DOCKER_IMAGE_NAME=${{inputs.image-name}}
-          VERSION=${{inputs.image-tag}}
-        tags: |
-          ${{inputs.image-name}}:${{inputs.image-tag}}
-        no-cache: true
-
-    - name: Create minikube cluster and load image
-      shell: bash
-      run: |
-        minikube start
-        minikube image load ${{inputs.image-name}}:${{inputs.image-tag}}
-
-    - name: Get configure token
-      id: config-token
-      # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0
-      uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
-      with:
-        application_id: ${{ inputs.app-id }}
-        application_private_key: ${{ inputs.app-pk }}
-        organization: ${{ inputs.target-org}}

.github/actions/setup-docker-environment/action.yaml

@@ -1,51 +0,0 @@
-name: "Setup Docker"
-
-inputs:
-  username:
-    description: "Username"
-    required: true
-  password:
-    description: "Password"
-    required: true
-  ghcr_username:
-    description: "GHCR username. Usually set from the github.actor variable"
-    required: true
-  ghcr_password:
-    description: "GHCR password. Usually set from the secrets.GITHUB_TOKEN variable"
-    required: true
-
-runs:
-  using: "composite"
-  steps:
-    - name: Get Short SHA
-      id: vars
-      run: |
-        echo "sha_short=${GITHUB_SHA::7}" >> $GITHUB_ENV
-      shell: bash
-
-    - name: Set up QEMU
-      # https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
-      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
-
-    - name: Set up Docker Buildx
-      # https://github.com/docker/setup-buildx-action/releases/tag/v3.10.0
-      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
-      with:
-        version: latest
-
-    - name: Login to DockerHub
-      if: ${{ github.event_name == 'release' || github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.password != ''  }}
-      # https://github.com/docker/login-action/releases/tag/v3.4.0
-      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
-      with:
-        username: ${{ inputs.username }}
-        password: ${{ inputs.password }}
-
-    - name: Login to GitHub Container Registry
-      if: ${{ github.event_name == 'release' || github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.ghcr_password != ''  }}
-      # https://github.com/docker/login-action/releases/tag/v3.4.0
-      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
-      with:
-        registry: ghcr.io
-        username: ${{ inputs.ghcr_username }}
-        password: ${{ inputs.ghcr_password }}

.github/workflows/arc-publish-chart.yaml

@@ -40,13 +40,12 @@ jobs:
       publish-chart: ${{ steps.publish-chart-step.outputs.publish }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
       - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
         with:
           version: ${{ env.HELM_VERSION }}
 
@@ -59,13 +58,12 @@ jobs:
         run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score - --ignore-test pod-networkpolicy --ignore-test deployment-has-poddisruptionbudget --ignore-test deployment-has-host-podantiaffinity --ignore-test container-security-context --ignore-test pod-probes --ignore-test container-image-tag --enable-optional-test container-security-context-privileged --enable-optional-test container-security-context-readonlyrootfilesystem
 
       # python is a requirement for the chart-testing action below (supports yamllint among other tests)
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: "3.11"
 
       - name: Set up chart-testing
-        # https://github.com/helm/chart-testing-action/releases/tag/v2.7.0
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -81,8 +79,7 @@ jobs:
 
       - name: Create kind cluster
         if: steps.list-changed.outputs.changed == 'true'
-        # https://github.com/helm/kind-action/releases/tag/v1.12.0
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc
 
       # We need cert-manager already installed in the cluster because we assume the CRDs exist
       - name: Install cert-manager
@@ -137,7 +134,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -148,8 +145,7 @@ jobs:
 
       - name: Get Token
         id: get_workflow_token
-        # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0
-        uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
+        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
         with:
           application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
           application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
@@ -188,7 +184,7 @@ jobs:
       # this workaround is intended to move the index.yaml to the target repo
       # where the github pages are hosted
       - name: Checkout target repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           repository: ${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}
           path: ${{ env.CHART_TARGET_REPO }}

.github/workflows/arc-publish.yaml

@@ -39,17 +39,15 @@ jobs:
     if: ${{ !startsWith(github.event.inputs.release_tag_name, 'gha-runner-scale-set-') }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
 
       - name: Install tools
         run: |
-          curl -L -O https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.2.0/kubebuilder_2.2.0_linux_amd64.tar.gz
-          tar zxvf kubebuilder_2.2.0_linux_amd64.tar.gz
-          sudo mv kubebuilder_2.2.0_linux_amd64 /usr/local/kubebuilder
+
           curl -s https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh | bash
           sudo mv kustomize /usr/local/bin
           curl -L -O https://github.com/tcnksm/ghr/releases/download/v0.13.0/ghr_v0.13.0_linux_amd64.tar.gz
@@ -73,8 +71,7 @@ jobs:
 
       - name: Get Token
         id: get_workflow_token
-        # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0
-        uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
+        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
         with:
           application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
           application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}

.github/workflows/arc-release-runners.yaml

@@ -1,4 +1,6 @@
 name: Release ARC Runner Images
+permissions:
+  contents: read
 
 # Revert to https://github.com/actions-runner-controller/releases#releases
 # for details on why we use this approach
@@ -17,7 +19,7 @@ env:
   PUSH_TO_REGISTRIES: true
   TARGET_ORG: actions-runner-controller
   TARGET_WORKFLOW: release-runners.yaml
-  DOCKER_VERSION: 24.0.7
+  DOCKER_VERSION: 28.0.4
 
 concurrency:
   group: ${{ github.workflow }}
@@ -28,7 +30,7 @@ jobs:
     name: Trigger Build and Push of Runner Images
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Get runner version
         id: versions
         run: |
@@ -39,8 +41,7 @@ jobs:
 
       - name: Get Token
         id: get_workflow_token
-        # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0
-        uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
+        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
         with:
           application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
           application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}

.github/workflows/arc-update-runners-scheduled.yaml

@@ -1,6 +1,9 @@
 # This workflows polls releases from actions/runner and in case of a new one it
 # updates files containing runner version and opens a pull request.
 name: Runner Updates Check (Scheduled Job)
+permissions:
+  pull-requests: write
+  contents: write
 
 on:
   schedule:
@@ -21,7 +24,7 @@ jobs:
       container_hooks_current_version: ${{ steps.container_hooks_versions.outputs.container_hooks_current_version }}
       container_hooks_latest_version: ${{ steps.container_hooks_versions.outputs.container_hooks_latest_version }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Get runner current and latest versions
         id: runner_versions
@@ -50,6 +53,8 @@ jobs:
   # it sets a PR name as output.
   check_pr:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: check_versions
     if: needs.check_versions.outputs.runner_current_version != needs.check_versions.outputs.runner_latest_version || needs.check_versions.outputs.container_hooks_current_version != needs.check_versions.outputs.container_hooks_latest_version
     outputs:
@@ -64,7 +69,7 @@ jobs:
           echo "CONTAINER_HOOKS_CURRENT_VERSION=${{ needs.check_versions.outputs.container_hooks_current_version }}"
           echo "CONTAINER_HOOKS_LATEST_VERSION=${{ needs.check_versions.outputs.container_hooks_latest_version }}"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: PR Name
         id: pr_name
@@ -119,7 +124,7 @@ jobs:
       PR_NAME: ${{ needs.check_pr.outputs.pr_name }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: New branch
         run: git checkout -b update-runner-"$(date +%Y-%m-%d)"

.github/workflows/arc-validate-chart.yaml

@@ -40,24 +40,22 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
       - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
         with:
           version: ${{ env.HELM_VERSION }}
 
       # python is a requirement for the chart-testing action below (supports yamllint among other tests)
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: "3.11"
 
       - name: Set up chart-testing
-        # https://github.com/helm/chart-testing-action/releases/tag/v2.7.0
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -72,8 +70,7 @@ jobs:
           ct lint --config charts/.ci/ct-config.yaml
 
       - name: Create kind cluster
-        # https://github.com/helm/kind-action/releases/tag/v1.12.0
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc
         if: steps.list-changed.outputs.changed == 'true'
 
       # We need cert-manager already installed in the cluster because we assume the CRDs exist

.github/workflows/arc-validate-runners.yaml

@@ -24,7 +24,7 @@ jobs:
     name: runner / shellcheck
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: "Run shellcheck"
         run: make shellcheck
 
@@ -33,7 +33,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Run tests
         run: |

.github/workflows/gha-publish-chart.yaml

@@ -45,7 +45,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           # If inputs.ref is empty, it'll resolve to the default branch
           ref: ${{ inputs.ref }}
@@ -72,11 +72,10 @@ jobs:
           echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
 
       - name: Set up QEMU
-        # https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
         with:
           # Pinning v0.9.1 for Buildx and BuildKit v0.10.6
           # BuildKit v0.11 which has a bug causing intermittent
@@ -85,16 +84,14 @@ jobs:
           driver-opts: image=moby/buildkit:v0.10.6
 
       - name: Login to GitHub Container Registry
-        # https://github.com/docker/login-action/releases/tag/v3.4.0
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build & push controller image
-        # https://github.com/docker/build-push-action/releases/tag/v6.15.0
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
         with:
           file: Dockerfile
           platforms: linux/amd64,linux/arm64
@@ -103,8 +100,6 @@ jobs:
           tags: |
             ghcr.io/${{ steps.resolve_parameters.outputs.repository_owner }}/gha-runner-scale-set-controller:${{ inputs.release_tag_name }}
             ghcr.io/${{ steps.resolve_parameters.outputs.repository_owner }}/gha-runner-scale-set-controller:${{ inputs.release_tag_name }}-${{ steps.resolve_parameters.outputs.short_sha }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
 
       - name: Job summary
         run: |
@@ -124,7 +119,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           # If inputs.ref is empty, it'll resolve to the default branch
           ref: ${{ inputs.ref }}
@@ -143,8 +138,7 @@ jobs:
           echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
 
       - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
         with:
           version: ${{ env.HELM_VERSION }}
 
@@ -172,7 +166,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           # If inputs.ref is empty, it'll resolve to the default branch
           ref: ${{ inputs.ref }}
@@ -191,8 +185,7 @@ jobs:
           echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
 
       - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
         with:
           version: ${{ env.HELM_VERSION }}
 

.github/workflows/gha-validate-chart.yaml

@@ -36,24 +36,22 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
       - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
         with:
           version: ${{ env.HELM_VERSION }}
 
       # python is a requirement for the chart-testing action below (supports yamllint among other tests)
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: "3.11"
 
       - name: Set up chart-testing
-        # https://github.com/helm/chart-testing-action/releases/tag/v2.7.0
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -69,14 +67,13 @@ jobs:
           ct lint --config charts/.ci/ct-config-gha.yaml
 
       - name: Set up docker buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
         if: steps.list-changed.outputs.changed == 'true'
         with:
           version: latest
 
       - name: Build controller image
-        # https://github.com/docker/build-push-action/releases/tag/v6.15.0
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
         if: steps.list-changed.outputs.changed == 'true'
         with:
           file: Dockerfile
@@ -91,8 +88,7 @@ jobs:
           cache-to: type=gha,mode=max
 
       - name: Create kind cluster
-        # https://github.com/helm/kind-action/releases/tag/v1.12.0
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc
         if: steps.list-changed.outputs.changed == 'true'
         with:
           cluster_name: chart-testing
@@ -115,8 +111,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+        uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
           cache: false

.github/workflows/global-publish-canary.yaml

@@ -55,12 +55,11 @@ jobs:
       TARGET_REPO: actions-runner-controller
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Get Token
         id: get_workflow_token
-        # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0
-        uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
+        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
         with:
           application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
           application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
@@ -91,11 +90,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Login to GitHub Container Registry
-        # https://github.com/docker/login-action/releases/tag/v3.4.0
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -112,19 +110,16 @@ jobs:
           echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
 
       - name: Set up QEMU
-        # https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
 
       - name: Set up Docker Buildx
-        # https://github.com/docker/setup-buildx-action/releases/tag/v3.10.0
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
         with:
           version: latest
 
       # Unstable builds - run at your own risk
       - name: Build and Push
-        # https://github.com/docker/build-push-action/releases/tag/v6.15.0
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
         with:
           context: .
           file: ./Dockerfile

.github/workflows/global-run-codeql.yaml

@@ -25,20 +25,20 @@ jobs:
       security-events: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v4
         with:
-          languages: go
+          languages: go, actions
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v4

.github/workflows/global-run-first-interaction.yaml

@@ -1,5 +1,10 @@
 name: First Interaction
 
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
 on:
   issues:
     types: [opened]
@@ -11,19 +16,19 @@ jobs:
   check_for_first_interaction:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/first-interaction@main
+      - uses: actions/checkout@v6
+      - uses: actions/first-interaction@v3
         with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          issue-message: |
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          issue_message: |
             Hello! Thank you for filing an issue.
 
             The maintainers will triage your issue shortly.
 
             In the meantime, please take a look at the [troubleshooting guide](https://github.com/actions/actions-runner-controller/blob/master/TROUBLESHOOTING.md) for bug reports.
-            
+
             If this is a feature request, please review our [contribution guidelines](https://github.com/actions/actions-runner-controller/blob/master/CONTRIBUTING.md).
-          pr-message: |
+          pr_message: |
             Hello! Thank you for your contribution.
 
             Please review our [contribution guidelines](https://github.com/actions/actions-runner-controller/blob/master/CONTRIBUTING.md) to understand the project's testing and code conventions.

.github/workflows/global-run-stale.yaml

@@ -14,7 +14,7 @@ jobs:
       issues: write         # for actions/stale to close stale issues
       pull-requests: write  # for actions/stale to close stale PRs
     steps:
-      - uses: actions/stale@v6
+      - uses: actions/stale@v10
         with:
           stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
           # turn off stale for both issues and PRs

.github/workflows/go.yaml

@@ -29,8 +29,8 @@ jobs:
   fmt:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
           cache: false
@@ -42,23 +42,22 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
           cache: false
       - name: golangci-lint
-        # https://github.com/golangci/golangci-lint-action/releases/tag/v7.0.0
-        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20
         with:
           only-new-issues: true
-          version: v2.1.2
+          version: v2.5.0
 
   generate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
           cache: false
@@ -67,23 +66,34 @@ jobs:
       - name: Check diff
         run: git diff --exit-code
 
+  mocks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: "go.mod"
+          cache: false
+      - name: "Run mockery"
+        run: go tool github.com/vektra/mockery/v3
+      - name: Check diff
+        run: git diff --exit-code
+
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
       - run: make manifests
       - name: Check diff
         run: git diff --exit-code
-      - name: Install kubebuilder
+      - name: Setup envtest
         run: |
-          curl -D headers.txt -fsL "https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.26.1-linux-amd64.tar.gz" -o kubebuilder-tools
-          echo "$(grep -i etag headers.txt -m 1 | cut -d'"' -f2) kubebuilder-tools" > sum
-          md5sum -c sum
-          tar -zvxf kubebuilder-tools
-          sudo mv kubebuilder /usr/local/
+          go install sigs.k8s.io/controller-runtime/tools/setup-envtest@$(go list -m -f '{{ .Version }}' sigs.k8s.io/controller-runtime | awk -F'[v.]' '{printf "release-%d.%d", $2, $3}')
+          ENVTEST_K8S_VERSION=$(go list -m -f '{{ .Version }}' k8s.io/api | awk -F'[v.]' '{printf "1.%d", $3}')
+          echo "KUBEBUILDER_ASSETS=$(setup-envtest use ${ENVTEST_K8S_VERSION} -p path)" >> $GITHUB_ENV
       - name: Run go tests
         run: |
           go test -short `go list ./... | grep -v ./test_e2e_arc`

.gitignore

@@ -34,5 +34,5 @@ bin
 # OS
 .DS_STORE
 
-/test-assets
+
 /.tools

.golangci.yaml

@@ -12,3 +12,7 @@ linters:
   exclusions:
     presets:
       - std-error-handling
+    rules:
+      - linters:
+          - staticcheck
+        text: "QF1008:"

.mockery.yaml

@@ -0,0 +1,20 @@
+packages:
+  github.com/actions/actions-runner-controller/github/actions:
+    config:
+      inpackage: true
+      dir: "{{.InterfaceDir}}"
+      filename: "mocks_test.go"
+      pkgname: "actions"
+    interfaces:
+      ActionsService:
+      SessionService:
+
+  github.com/actions/actions-runner-controller/cmd/ghalistener/metrics:
+    config:
+      inpackage: true
+      dir: "{{.InterfaceDir}}"
+      filename: "mocks_test.go"
+      pkgname: "metrics"
+    interfaces:
+      Recorder:
+      ServerExporter:

CODEOWNERS

@@ -1,2 +1,2 @@
 # actions-runner-controller maintainers
-* @mumoshu @toast-gear @actions/actions-launch @nikola-jokic @rentziass
+* @mumoshu @toast-gear @actions/actions-launch @actions/actions-compute @nikola-jokic @rentziass

CONTRIBUTING.md

@@ -102,22 +102,19 @@ A set of example pipelines (./acceptance/pipelines) are provided in this reposit
 When raising a PR please run the relevant suites to prove your change hasn't broken anything.
 
 #### Running Ginkgo Tests
-
 You can run the integration test suite that is written in Ginkgo with:
 
 ```shell
 make test-with-deps
 ```
 
-This will firstly install a few binaries required to setup the integration test environment and then runs `go test` to start the Ginkgo test.
+This will install `setup-envtest`, download the required envtest binaries (etcd, kube-apiserver, kubectl), and then run `go test`.
 
-If you don't want to use `make`, like when you're running tests from your IDE, install required binaries to `/usr/local/kubebuilder/bin`.
-That's the directory in which controller-runtime's `envtest` framework locates the binaries.
+If you don't want to use `make`, install the envtest binaries using `setup-envtest`:
 
 ```shell
-sudo mkdir -p /usr/local/kubebuilder/bin
-make kube-apiserver etcd
-sudo mv test-assets/{etcd,kube-apiserver} /usr/local/kubebuilder/bin/
+go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+export KUBEBUILDER_ASSETS=$(setup-envtest use -p path)
 go test -v -run TestAPIs github.com/actions/actions-runner-controller/controllers/actions.summerwind.net
 ```
 

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM --platform=$BUILDPLATFORM golang:1.24.0 as builder
+FROM --platform=$BUILDPLATFORM golang:1.25.3 AS builder
 
 WORKDIR /workspace
 
@@ -30,7 +30,7 @@ ARG TARGETPLATFORM TARGETOS TARGETARCH TARGETVARIANT VERSION=dev COMMIT_SHA=dev
 # to avoid https://github.com/moby/buildkit/issues/2334
 # We can use docker layer cache so the build is fast enogh anyway
 # We also use per-platform GOCACHE for the same reason.
-ENV GOCACHE /build/${TARGETPLATFORM}/root/.cache/go-build
+ENV GOCACHE="/build/${TARGETPLATFORM}/root/.cache/go-build"
 
 # Build
 RUN --mount=target=. \

Makefile

@@ -6,7 +6,7 @@ endif
 DOCKER_USER ?= $(shell echo ${DOCKER_IMAGE_NAME} | cut -d / -f1)
 VERSION ?= dev
 COMMIT_SHA = $(shell git rev-parse HEAD)
-RUNNER_VERSION ?= 2.323.0
+RUNNER_VERSION ?= 2.331.0
 TARGETPLATFORM ?= $(shell arch)
 RUNNER_NAME ?= ${DOCKER_USER}/actions-runner
 RUNNER_TAG  ?= ${VERSION}
@@ -32,21 +32,15 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 
-TEST_ASSETS=$(PWD)/test-assets
 TOOLS_PATH=$(PWD)/.tools
 
 OS_NAME := $(shell uname -s | tr A-Z a-z)
 
-# The etcd packages that coreos maintain use different extensions for each *nix OS on their github release page.
-# ETCD_EXTENSION: the storage format file extension listed on the release page.
-# EXTRACT_COMMAND: the  appropriate CLI command for extracting this file format.
-ifeq ($(OS_NAME), darwin)
-ETCD_EXTENSION:=zip
-EXTRACT_COMMAND:=unzip
-else
-ETCD_EXTENSION:=tar.gz
-EXTRACT_COMMAND:=tar -xzf
-endif
+# ENVTEST_VERSION is the version of controller-runtime release branch to fetch the envtest setup script
+ENVTEST_VERSION ?= $(shell go list -m -f "{{ .Version }}" sigs.k8s.io/controller-runtime | awk -F'[v.]' '{printf "release-%d.%d", $$2, $$3}')
+# ENVTEST_K8S_VERSION is the version of Kubernetes to use for setting up ENVTEST binaries
+ENVTEST_K8S_VERSION ?= $(shell go list -m -f "{{ .Version }}" k8s.io/api | awk -F'[v.]' '{printf "1.%d", $$3}')
+ENVTEST ?= $(GOBIN)/setup-envtest
 
 # default list of platforms for which multiarch image is built
 ifeq (${PLATFORMS}, )
@@ -68,22 +62,23 @@ endif
 all: manager
 
 lint:
-	docker run --rm -v $(PWD):/app -w /app golangci/golangci-lint:v2.1.2 golangci-lint run
+	docker run --rm -v $(PWD):/app -w /app golangci/golangci-lint:v2.5.0 golangci-lint run
 
 GO_TEST_ARGS ?= -short
 
-# Run tests
-test: generate fmt vet manifests shellcheck
-	go test $(GO_TEST_ARGS) `go list ./... | grep -v ./test_e2e_arc` -coverprofile cover.out
-	go test -fuzz=Fuzz -fuzztime=10s -run=Fuzz* ./controllers/actions.summerwind.net
 
-test-with-deps: kube-apiserver etcd kubectl
-	# See https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/envtest#pkg-constants
-	TEST_ASSET_KUBE_APISERVER=$(KUBE_APISERVER_BIN) \
-	TEST_ASSET_ETCD=$(ETCD_BIN) \
-	TEST_ASSET_KUBECTL=$(KUBECTL_BIN) \
+# Run tests
+test: generate fmt vet manifests shellcheck setup-envtest
+	KUBEBUILDER_ASSETS="$$($(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(GOBIN) -p path)" \
+	  go test $(GO_TEST_ARGS) `go list ./... | grep -v ./test_e2e_arc` -coverprofile cover.out
+	KUBEBUILDER_ASSETS="$$($(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(GOBIN) -p path)" \
+	  go test -fuzz=Fuzz -fuzztime=10s -run=Fuzz* ./controllers/actions.summerwind.net
+
+test-with-deps: setup-envtest
+	KUBEBUILDER_ASSETS="$$($(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(GOBIN) -p path)" \
 	  make test
 
+
 # Build manager binary
 manager: generate fmt vet
 	go build -o bin/manager main.go
@@ -117,9 +112,6 @@ manifests: manifests-gen-crds chart-crds
 
 manifests-gen-crds: controller-gen yq
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
-	for YAMLFILE in config/crd/bases/actions*.yaml; do \
-		$(YQ) '.spec.preserveUnknownFields = false' --inplace "$$YAMLFILE" ; \
-	done
 	make manifests-gen-crds-fix DELETE_KEY=x-kubernetes-list-type
 	make manifests-gen-crds-fix DELETE_KEY=x-kubernetes-list-map-keys
 
@@ -213,8 +205,6 @@ docker-buildx:
 		docker buildx create --platform ${PLATFORMS} --name container-builder --use;\
 	fi
 	docker buildx build --platform ${PLATFORMS} \
-		--build-arg RUNNER_VERSION=${RUNNER_VERSION} \
-		--build-arg DOCKER_VERSION=${DOCKER_VERSION} \
 		--build-arg VERSION=${VERSION} \
 		--build-arg COMMIT_SHA=${COMMIT_SHA} \
 		-t "${DOCKER_IMAGE_NAME}:${VERSION}" \
@@ -300,6 +290,10 @@ acceptance/runner/startup:
 e2e:
 	go test -count=1 -v -timeout 600s -run '^TestE2E$$' ./test/e2e
 
+.PHONY: gha-e2e
+gha-e2e:
+	bash hack/e2e-test.sh
+
 # Upload release file to GitHub.
 github-release: release
 	ghr ${VERSION} release/
@@ -310,7 +304,7 @@ github-release: release
 # Otherwise we get errors like the below:
 #   Error: failed to install CRD crds/actions.summerwind.dev_runnersets.yaml: CustomResourceDefinition.apiextensions.k8s.io "runnersets.actions.summerwind.dev" is invalid: [spec.validation.openAPIV3Schema.properties[spec].properties[template].properties[spec].properties[containers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property, spec.validation.openAPIV3Schema.properties[spec].properties[template].properties[spec].properties[initContainers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property]
 #
-# Note that controller-gen newer than 0.6.2 is needed due to https://github.com/kubernetes-sigs/controller-tools/issues/448
+# Note that controller-gen newer than 0.8.0 is needed due to https://github.com/kubernetes-sigs/controller-tools/issues/448
 # Otherwise ObjectMeta embedded in Spec results in empty on the storage.
 controller-gen:
 ifeq (, $(shell which controller-gen))
@@ -320,7 +314,7 @@ ifeq (, $(wildcard $(GOBIN)/controller-gen))
 	CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
 	cd $$CONTROLLER_GEN_TMP_DIR ;\
 	go mod init tmp ;\
-	go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.17.2 ;\
+	go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.19.0 ;\
 	rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
 	}
 endif
@@ -365,68 +359,29 @@ ifeq (, $(wildcard $(TOOLS_PATH)/shellcheck))
 endif
 SHELLCHECK=$(TOOLS_PATH)/shellcheck
 
-# find or download etcd
-etcd:
-ifeq (, $(shell which etcd))
-ifeq (, $(wildcard $(TEST_ASSETS)/etcd))
+# find or download envtest
+envtest:
+ifeq (, $(shell which setup-envtest))
+ifeq (, $(wildcard $(GOBIN)/setup-envtest))
 	@{ \
-	set -xe ;\
-	INSTALL_TMP_DIR=$$(mktemp -d) ;\
-	cd $$INSTALL_TMP_DIR ;\
-	wget https://github.com/coreos/etcd/releases/download/v3.4.22/etcd-v3.4.22-$(OS_NAME)-amd64.$(ETCD_EXTENSION);\
-	mkdir -p $(TEST_ASSETS) ;\
-	$(EXTRACT_COMMAND) etcd-v3.4.22-$(OS_NAME)-amd64.$(ETCD_EXTENSION) ;\
-	mv etcd-v3.4.22-$(OS_NAME)-amd64/etcd $(TEST_ASSETS)/etcd ;\
-	rm -rf $$INSTALL_TMP_DIR ;\
+	set -e ;\
+	ENVTEST_TMP_DIR=$$(mktemp -d) ;\
+	cd $$ENVTEST_TMP_DIR ;\
+	go mod init tmp ;\
+	go install sigs.k8s.io/controller-runtime/tools/setup-envtest@$(ENVTEST_VERSION) ;\
+	rm -rf $$ENVTEST_TMP_DIR ;\
 	}
-ETCD_BIN=$(TEST_ASSETS)/etcd
-else
-ETCD_BIN=$(TEST_ASSETS)/etcd
 endif
+ENVTEST=$(GOBIN)/setup-envtest
 else
-ETCD_BIN=$(shell which etcd)
+ENVTEST=$(shell which setup-envtest)
 endif
 
-# find or download kube-apiserver
-kube-apiserver:
-ifeq (, $(shell which kube-apiserver))
-ifeq (, $(wildcard $(TEST_ASSETS)/kube-apiserver))
-	@{ \
-	set -xe ;\
-	INSTALL_TMP_DIR=$$(mktemp -d) ;\
-	cd $$INSTALL_TMP_DIR ;\
-	wget https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.2/kubebuilder_2.3.2_$(OS_NAME)_amd64.tar.gz ;\
-	mkdir -p $(TEST_ASSETS) ;\
-	tar zxvf kubebuilder_2.3.2_$(OS_NAME)_amd64.tar.gz ;\
-	mv kubebuilder_2.3.2_$(OS_NAME)_amd64/bin/kube-apiserver $(TEST_ASSETS)/kube-apiserver ;\
-	rm -rf $$INSTALL_TMP_DIR ;\
+.PHONY: setup-envtest
+setup-envtest: envtest
+	@echo "Setting up envtest binaries for Kubernetes version $(ENVTEST_K8S_VERSION)..."
+	@$(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(GOBIN) -p path || { \
+		echo "Error: Failed to set up envtest binaries for version $(ENVTEST_K8S_VERSION)."; \
+		exit 1; \
 	}
-KUBE_APISERVER_BIN=$(TEST_ASSETS)/kube-apiserver
-else
-KUBE_APISERVER_BIN=$(TEST_ASSETS)/kube-apiserver
-endif
-else
-KUBE_APISERVER_BIN=$(shell which kube-apiserver)
-endif
 
-# find or download kubectl
-kubectl:
-ifeq (, $(shell which kubectl))
-ifeq (, $(wildcard $(TEST_ASSETS)/kubectl))
-	@{ \
-	set -xe ;\
-	INSTALL_TMP_DIR=$$(mktemp -d) ;\
-	cd $$INSTALL_TMP_DIR ;\
-	wget https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.2/kubebuilder_2.3.2_$(OS_NAME)_amd64.tar.gz ;\
-	mkdir -p $(TEST_ASSETS) ;\
-	tar zxvf kubebuilder_2.3.2_$(OS_NAME)_amd64.tar.gz ;\
-	mv kubebuilder_2.3.2_$(OS_NAME)_amd64/bin/kubectl $(TEST_ASSETS)/kubectl ;\
-	rm -rf $$INSTALL_TMP_DIR ;\
-	}
-KUBECTL_BIN=$(TEST_ASSETS)/kubectl
-else
-KUBECTL_BIN=$(TEST_ASSETS)/kubectl
-endif
-else
-KUBECTL_BIN=$(shell which kubectl)
-endif

apis/actions.github.com/v1alpha1/appconfig/appconfig.go

@@ -0,0 +1,89 @@
+package appconfig
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"strconv"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+type AppConfig struct {
+	AppID             string `json:"github_app_id"`
+	AppInstallationID int64  `json:"github_app_installation_id"`
+	AppPrivateKey     string `json:"github_app_private_key"`
+
+	Token string `json:"github_token"`
+}
+
+func (c *AppConfig) tidy() *AppConfig {
+	if len(c.Token) > 0 {
+		return &AppConfig{
+			Token: c.Token,
+		}
+	}
+
+	return &AppConfig{
+		AppID:             c.AppID,
+		AppInstallationID: c.AppInstallationID,
+		AppPrivateKey:     c.AppPrivateKey,
+	}
+}
+
+func (c *AppConfig) Validate() error {
+	if c == nil {
+		return fmt.Errorf("missing app config")
+	}
+	hasToken := len(c.Token) > 0
+	hasGitHubAppAuth := c.hasGitHubAppAuth()
+	if hasToken && hasGitHubAppAuth {
+		return fmt.Errorf("both PAT and GitHub App credentials provided. should only provide one")
+	}
+	if !hasToken && !hasGitHubAppAuth {
+		return fmt.Errorf("no credentials provided: either a PAT or GitHub App credentials should be provided")
+	}
+
+	return nil
+}
+
+func (c *AppConfig) hasGitHubAppAuth() bool {
+	return len(c.AppID) > 0 && c.AppInstallationID > 0 && len(c.AppPrivateKey) > 0
+}
+
+func FromSecret(secret *corev1.Secret) (*AppConfig, error) {
+	var appInstallationID int64
+	if v := string(secret.Data["github_app_installation_id"]); v != "" {
+		val, err := strconv.ParseInt(v, 10, 64)
+		if err != nil {
+			return nil, err
+		}
+		appInstallationID = val
+	}
+
+	cfg := &AppConfig{
+		Token:             string(secret.Data["github_token"]),
+		AppID:             string(secret.Data["github_app_id"]),
+		AppInstallationID: appInstallationID,
+		AppPrivateKey:     string(secret.Data["github_app_private_key"]),
+	}
+
+	if err := cfg.Validate(); err != nil {
+		return nil, fmt.Errorf("failed to validate config: %v", err)
+	}
+
+	return cfg.tidy(), nil
+}
+
+func FromJSONString(v string) (*AppConfig, error) {
+	var appConfig AppConfig
+	if err := json.NewDecoder(bytes.NewBufferString(v)).Decode(&appConfig); err != nil {
+		return nil, err
+	}
+
+	if err := appConfig.Validate(); err != nil {
+		return nil, fmt.Errorf("failed to validate app config decoded from string: %w", err)
+	}
+
+	return appConfig.tidy(), nil
+}

apis/actions.github.com/v1alpha1/appconfig/appconfig_test.go

@@ -0,0 +1,152 @@
+package appconfig
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestAppConfigValidate_invalid(t *testing.T) {
+	tt := map[string]*AppConfig{
+		"empty": {},
+		"token and app config": {
+			AppID:             "1",
+			AppInstallationID: 2,
+			AppPrivateKey:     "private key",
+			Token:             "token",
+		},
+		"app id not set": {
+			AppInstallationID: 2,
+			AppPrivateKey:     "private key",
+		},
+		"app installation id not set": {
+			AppID:         "2",
+			AppPrivateKey: "private key",
+		},
+		"private key empty": {
+			AppID:             "2",
+			AppInstallationID: 1,
+			AppPrivateKey:     "",
+		},
+	}
+
+	for name, cfg := range tt {
+		t.Run(name, func(t *testing.T) {
+			err := cfg.Validate()
+			require.Error(t, err)
+		})
+	}
+}
+
+func TestAppConfigValidate_valid(t *testing.T) {
+	tt := map[string]*AppConfig{
+		"token": {
+			Token: "token",
+		},
+		"app ID": {
+			AppID:             "1",
+			AppInstallationID: 2,
+			AppPrivateKey:     "private key",
+		},
+	}
+
+	for name, cfg := range tt {
+		t.Run(name, func(t *testing.T) {
+			err := cfg.Validate()
+			require.NoError(t, err)
+		})
+	}
+}
+
+func TestAppConfigFromSecret_invalid(t *testing.T) {
+	tt := map[string]map[string]string{
+		"empty": {},
+		"token and app provided": {
+			"github_token":              "token",
+			"github_app_id":             "2",
+			"githu_app_installation_id": "3",
+			"github_app_private_key":    "private key",
+		},
+		"invalid app id": {
+			"github_app_id":             "abc",
+			"githu_app_installation_id": "3",
+			"github_app_private_key":    "private key",
+		},
+		"invalid app installation_id": {
+			"github_app_id":             "1",
+			"githu_app_installation_id": "abc",
+			"github_app_private_key":    "private key",
+		},
+		"empty private key": {
+			"github_app_id":             "1",
+			"githu_app_installation_id": "2",
+			"github_app_private_key":    "",
+		},
+	}
+
+	for name, data := range tt {
+		t.Run(name, func(t *testing.T) {
+			secret := &corev1.Secret{
+				StringData: data,
+			}
+
+			appConfig, err := FromSecret(secret)
+			assert.Error(t, err)
+			assert.Nil(t, appConfig)
+		})
+	}
+}
+
+func TestAppConfigFromSecret_valid(t *testing.T) {
+	tt := map[string]map[string]string{
+		"with token": {
+			"github_token": "token",
+		},
+		"app config": {
+			"github_app_id":             "2",
+			"githu_app_installation_id": "3",
+			"github_app_private_key":    "private key",
+		},
+	}
+
+	for name, data := range tt {
+		t.Run(name, func(t *testing.T) {
+			secret := &corev1.Secret{
+				StringData: data,
+			}
+
+			appConfig, err := FromSecret(secret)
+			assert.Error(t, err)
+			assert.Nil(t, appConfig)
+		})
+	}
+}
+
+func TestAppConfigFromString_valid(t *testing.T) {
+	tt := map[string]*AppConfig{
+		"token": {
+			Token: "token",
+		},
+		"app ID": {
+			AppID:             "1",
+			AppInstallationID: 2,
+			AppPrivateKey:     "private key",
+		},
+	}
+
+	for name, cfg := range tt {
+		t.Run(name, func(t *testing.T) {
+			bytes, err := json.Marshal(cfg)
+			require.NoError(t, err)
+
+			got, err := FromJSONString(string(bytes))
+			require.NoError(t, err)
+
+			want := cfg.tidy()
+			assert.Equal(t, want, got)
+		})
+	}
+}

apis/actions.github.com/v1alpha1/autoscalinglistener_types.go

@@ -59,7 +59,10 @@ type AutoscalingListenerSpec struct {
 	Proxy *ProxyConfig `json:"proxy,omitempty"`
 
 	// +optional
-	GitHubServerTLS *GitHubServerTLSConfig `json:"githubServerTLS,omitempty"`
+	GitHubServerTLS *TLSConfig `json:"githubServerTLS,omitempty"`
+
+	// +optional
+	VaultConfig *VaultConfig `json:"vaultConfig,omitempty"`
 
 	// +optional
 	Metrics *MetricsConfig `json:"metrics,omitempty"`
@@ -87,7 +90,6 @@ type AutoscalingListener struct {
 }
 
 // +kubebuilder:object:root=true
-
 // AutoscalingListenerList contains a list of AutoscalingListener
 type AutoscalingListenerList struct {
 	metav1.TypeMeta `json:",inline"`

apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go

@@ -24,6 +24,7 @@ import (
 	"strings"
 
 	"github.com/actions/actions-runner-controller/hash"
+	"github.com/actions/actions-runner-controller/vault"
 	"golang.org/x/net/http/httpproxy"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -69,7 +70,10 @@ type AutoscalingRunnerSetSpec struct {
 	Proxy *ProxyConfig `json:"proxy,omitempty"`
 
 	// +optional
-	GitHubServerTLS *GitHubServerTLSConfig `json:"githubServerTLS,omitempty"`
+	GitHubServerTLS *TLSConfig `json:"githubServerTLS,omitempty"`
+
+	// +optional
+	VaultConfig *VaultConfig `json:"vaultConfig,omitempty"`
 
 	// Required
 	Template corev1.PodTemplateSpec `json:"template,omitempty"`
@@ -89,12 +93,12 @@ type AutoscalingRunnerSetSpec struct {
 	MinRunners *int `json:"minRunners,omitempty"`
 }
 
-type GitHubServerTLSConfig struct {
+type TLSConfig struct {
 	// Required
 	CertificateFrom *TLSCertificateSource `json:"certificateFrom,omitempty"`
 }
 
-func (c *GitHubServerTLSConfig) ToCertPool(keyFetcher func(name, key string) ([]byte, error)) (*x509.CertPool, error) {
+func (c *TLSConfig) ToCertPool(keyFetcher func(name, key string) ([]byte, error)) (*x509.CertPool, error) {
 	if c.CertificateFrom == nil {
 		return nil, fmt.Errorf("certificateFrom not specified")
 	}
@@ -142,7 +146,7 @@ type ProxyConfig struct {
 	NoProxy []string `json:"noProxy,omitempty"`
 }
 
-func (c *ProxyConfig) toHTTPProxyConfig(secretFetcher func(string) (*corev1.Secret, error)) (*httpproxy.Config, error) {
+func (c *ProxyConfig) ToHTTPProxyConfig(secretFetcher func(string) (*corev1.Secret, error)) (*httpproxy.Config, error) {
 	config := &httpproxy.Config{
 		NoProxy: strings.Join(c.NoProxy, ","),
 	}
@@ -201,7 +205,7 @@ func (c *ProxyConfig) toHTTPProxyConfig(secretFetcher func(string) (*corev1.Secr
 }
 
 func (c *ProxyConfig) ToSecretData(secretFetcher func(string) (*corev1.Secret, error)) (map[string][]byte, error) {
-	config, err := c.toHTTPProxyConfig(secretFetcher)
+	config, err := c.ToHTTPProxyConfig(secretFetcher)
 	if err != nil {
 		return nil, err
 	}
@@ -215,7 +219,7 @@ func (c *ProxyConfig) ToSecretData(secretFetcher func(string) (*corev1.Secret, e
 }
 
 func (c *ProxyConfig) ProxyFunc(secretFetcher func(string) (*corev1.Secret, error)) (func(*http.Request) (*url.URL, error), error) {
-	config, err := c.toHTTPProxyConfig(secretFetcher)
+	config, err := c.ToHTTPProxyConfig(secretFetcher)
 	if err != nil {
 		return nil, err
 	}
@@ -235,6 +239,26 @@ type ProxyServerConfig struct {
 	CredentialSecretRef string `json:"credentialSecretRef,omitempty"`
 }
 
+type VaultConfig struct {
+	// +optional
+	Type vault.VaultType `json:"type,omitempty"`
+	// +optional
+	AzureKeyVault *AzureKeyVaultConfig `json:"azureKeyVault,omitempty"`
+	// +optional
+	Proxy *ProxyConfig `json:"proxy,omitempty"`
+}
+
+type AzureKeyVaultConfig struct {
+	// +required
+	URL string `json:"url,omitempty"`
+	// +required
+	TenantID string `json:"tenantId,omitempty"`
+	// +required
+	ClientID string `json:"clientId,omitempty"`
+	// +required
+	CertificatePath string `json:"certificatePath,omitempty"`
+}
+
 // MetricsConfig holds configuration parameters for each metric type
 type MetricsConfig struct {
 	// +optional
@@ -285,6 +309,33 @@ func (ars *AutoscalingRunnerSet) ListenerSpecHash() string {
 	return hash.ComputeTemplateHash(&spec)
 }
 
+func (ars *AutoscalingRunnerSet) GitHubConfigSecret() string {
+	return ars.Spec.GitHubConfigSecret
+}
+
+func (ars *AutoscalingRunnerSet) GitHubConfigUrl() string {
+	return ars.Spec.GitHubConfigUrl
+}
+
+func (ars *AutoscalingRunnerSet) GitHubProxy() *ProxyConfig {
+	return ars.Spec.Proxy
+}
+
+func (ars *AutoscalingRunnerSet) GitHubServerTLS() *TLSConfig {
+	return ars.Spec.GitHubServerTLS
+}
+
+func (ars *AutoscalingRunnerSet) VaultConfig() *VaultConfig {
+	return ars.Spec.VaultConfig
+}
+
+func (ars *AutoscalingRunnerSet) VaultProxy() *ProxyConfig {
+	if ars.Spec.VaultConfig != nil {
+		return ars.Spec.VaultConfig.Proxy
+	}
+	return nil
+}
+
 func (ars *AutoscalingRunnerSet) RunnerSetSpecHash() string {
 	type runnerSetSpec struct {
 		GitHubConfigUrl    string
@@ -292,7 +343,7 @@ func (ars *AutoscalingRunnerSet) RunnerSetSpecHash() string {
 		RunnerGroup        string
 		RunnerScaleSetName string
 		Proxy              *ProxyConfig
-		GitHubServerTLS    *GitHubServerTLSConfig
+		GitHubServerTLS    *TLSConfig
 		Template           corev1.PodTemplateSpec
 	}
 	spec := &runnerSetSpec{

apis/actions.github.com/v1alpha1/ephemeralrunner_types.go

@@ -34,6 +34,7 @@ const EphemeralRunnerContainerName = "runner"
 // +kubebuilder:printcolumn:JSONPath=".status.jobWorkflowRef",name=JobWorkflowRef,type=string
 // +kubebuilder:printcolumn:JSONPath=".status.workflowRunId",name=WorkflowRunId,type=number
 // +kubebuilder:printcolumn:JSONPath=".status.jobDisplayName",name=JobDisplayName,type=string
+// +kubebuilder:printcolumn:JSONPath=".status.jobId",name=JobId,type=string
 // +kubebuilder:printcolumn:JSONPath=".status.message",name=Message,type=string
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 
@@ -50,6 +51,10 @@ func (er *EphemeralRunner) IsDone() bool {
 	return er.Status.Phase == corev1.PodSucceeded || er.Status.Phase == corev1.PodFailed
 }
 
+func (er *EphemeralRunner) HasJob() bool {
+	return len(er.Status.JobID) > 0
+}
+
 func (er *EphemeralRunner) HasContainerHookConfigured() bool {
 	for i := range er.Spec.Spec.Containers {
 		if er.Spec.Spec.Containers[i].Name != EphemeralRunnerContainerName {
@@ -67,6 +72,33 @@ func (er *EphemeralRunner) HasContainerHookConfigured() bool {
 	return false
 }
 
+func (er *EphemeralRunner) GitHubConfigSecret() string {
+	return er.Spec.GitHubConfigSecret
+}
+
+func (er *EphemeralRunner) GitHubConfigUrl() string {
+	return er.Spec.GitHubConfigUrl
+}
+
+func (er *EphemeralRunner) GitHubProxy() *ProxyConfig {
+	return er.Spec.Proxy
+}
+
+func (er *EphemeralRunner) GitHubServerTLS() *TLSConfig {
+	return er.Spec.GitHubServerTLS
+}
+
+func (er *EphemeralRunner) VaultConfig() *VaultConfig {
+	return er.Spec.VaultConfig
+}
+
+func (er *EphemeralRunner) VaultProxy() *ProxyConfig {
+	if er.Spec.VaultConfig != nil {
+		return er.Spec.VaultConfig.Proxy
+	}
+	return nil
+}
+
 // EphemeralRunnerSpec defines the desired state of EphemeralRunner
 type EphemeralRunnerSpec struct {
 	// +required
@@ -75,6 +107,9 @@ type EphemeralRunnerSpec struct {
 	// +required
 	GitHubConfigSecret string `json:"githubConfigSecret,omitempty"`
 
+	// +optional
+	GitHubServerTLS *TLSConfig `json:"githubServerTLS,omitempty"`
+
 	// +required
 	RunnerScaleSetId int `json:"runnerScaleSetId,omitempty"`
 
@@ -85,7 +120,7 @@ type EphemeralRunnerSpec struct {
 	ProxySecretRef string `json:"proxySecretRef,omitempty"`
 
 	// +optional
-	GitHubServerTLS *GitHubServerTLSConfig `json:"githubServerTLS,omitempty"`
+	VaultConfig *VaultConfig `json:"vaultConfig,omitempty"`
 
 	corev1.PodTemplateSpec `json:",inline"`
 }
@@ -115,15 +150,16 @@ type EphemeralRunnerStatus struct {
 	RunnerId int `json:"runnerId,omitempty"`
 	// +optional
 	RunnerName string `json:"runnerName,omitempty"`
-	// +optional
-	RunnerJITConfig string `json:"runnerJITConfig,omitempty"`
 
 	// +optional
-	Failures map[string]bool `json:"failures,omitempty"`
+	Failures map[string]metav1.Time `json:"failures,omitempty"`
 
 	// +optional
 	JobRequestId int64 `json:"jobRequestId,omitempty"`
 
+	// +optional
+	JobID string `json:"jobId,omitempty"`
+
 	// +optional
 	JobRepositoryName string `json:"jobRepositoryName,omitempty"`
 
@@ -137,6 +173,20 @@ type EphemeralRunnerStatus struct {
 	JobDisplayName string `json:"jobDisplayName,omitempty"`
 }
 
+func (s *EphemeralRunnerStatus) LastFailure() metav1.Time {
+	var maxTime metav1.Time
+	if len(s.Failures) == 0 {
+		return maxTime
+	}
+
+	for _, ts := range s.Failures {
+		if ts.After(maxTime.Time) {
+			maxTime = ts
+		}
+	}
+	return maxTime
+}
+
 // +kubebuilder:object:root=true
 
 // EphemeralRunnerList contains a list of EphemeralRunner

apis/actions.github.com/v1alpha1/ephemeralrunnerset_types.go

@@ -60,9 +60,35 @@ type EphemeralRunnerSet struct {
 	Status EphemeralRunnerSetStatus `json:"status,omitempty"`
 }
 
-// +kubebuilder:object:root=true
+func (ers *EphemeralRunnerSet) GitHubConfigSecret() string {
+	return ers.Spec.EphemeralRunnerSpec.GitHubConfigSecret
+}
+
+func (ers *EphemeralRunnerSet) GitHubConfigUrl() string {
+	return ers.Spec.EphemeralRunnerSpec.GitHubConfigUrl
+}
+
+func (ers *EphemeralRunnerSet) GitHubProxy() *ProxyConfig {
+	return ers.Spec.EphemeralRunnerSpec.Proxy
+}
+
+func (ers *EphemeralRunnerSet) GitHubServerTLS() *TLSConfig {
+	return ers.Spec.EphemeralRunnerSpec.GitHubServerTLS
+}
+
+func (ers *EphemeralRunnerSet) VaultConfig() *VaultConfig {
+	return ers.Spec.EphemeralRunnerSpec.VaultConfig
+}
+
+func (ers *EphemeralRunnerSet) VaultProxy() *ProxyConfig {
+	if ers.Spec.EphemeralRunnerSpec.VaultConfig != nil {
+		return ers.Spec.EphemeralRunnerSpec.VaultConfig.Proxy
+	}
+	return nil
+}
 
 // EphemeralRunnerSetList contains a list of EphemeralRunnerSet
+// +kubebuilder:object:root=true
 type EphemeralRunnerSetList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`

apis/actions.github.com/v1alpha1/tls_config_test.go

@@ -17,7 +17,7 @@ import (
 
 func TestGitHubServerTLSConfig_ToCertPool(t *testing.T) {
 	t.Run("returns an error if CertificateFrom not specified", func(t *testing.T) {
-		c := &v1alpha1.GitHubServerTLSConfig{
+		c := &v1alpha1.TLSConfig{
 			CertificateFrom: nil,
 		}
 
@@ -29,7 +29,7 @@ func TestGitHubServerTLSConfig_ToCertPool(t *testing.T) {
 	})
 
 	t.Run("returns an error if CertificateFrom.ConfigMapKeyRef not specified", func(t *testing.T) {
-		c := &v1alpha1.GitHubServerTLSConfig{
+		c := &v1alpha1.TLSConfig{
 			CertificateFrom: &v1alpha1.TLSCertificateSource{},
 		}
 
@@ -41,7 +41,7 @@ func TestGitHubServerTLSConfig_ToCertPool(t *testing.T) {
 	})
 
 	t.Run("returns a valid cert pool with correct configuration", func(t *testing.T) {
-		c := &v1alpha1.GitHubServerTLSConfig{
+		c := &v1alpha1.TLSConfig{
 			CertificateFrom: &v1alpha1.TLSCertificateSource{
 				ConfigMapKeyRef: &v1.ConfigMapKeySelector{
 					LocalObjectReference: v1.LocalObjectReference{

apis/actions.github.com/v1alpha1/version.go

@@ -0,0 +1,72 @@
+package v1alpha1
+
+import "strings"
+
+func IsVersionAllowed(resourceVersion, buildVersion string) bool {
+	if buildVersion == "dev" || resourceVersion == buildVersion || strings.HasPrefix(buildVersion, "canary-") {
+		return true
+	}
+
+	rv, ok := parseSemver(resourceVersion)
+	if !ok {
+		return false
+	}
+	bv, ok := parseSemver(buildVersion)
+	if !ok {
+		return false
+	}
+	return rv.major == bv.major && rv.minor == bv.minor
+}
+
+type semver struct {
+	major string
+	minor string
+}
+
+func parseSemver(v string) (p semver, ok bool) {
+	if v == "" {
+		return
+	}
+	p.major, v, ok = parseInt(v)
+	if !ok {
+		return p, false
+	}
+	if v == "" {
+		p.minor = "0"
+		return p, true
+	}
+	if v[0] != '.' {
+		return p, false
+	}
+	p.minor, v, ok = parseInt(v[1:])
+	if !ok {
+		return p, false
+	}
+	if v == "" {
+		return p, true
+	}
+	if v[0] != '.' {
+		return p, false
+	}
+	if _, _, ok = parseInt(v[1:]); !ok {
+		return p, false
+	}
+	return p, true
+}
+
+func parseInt(v string) (t, rest string, ok bool) {
+	if v == "" {
+		return
+	}
+	if v[0] < '0' || '9' < v[0] {
+		return
+	}
+	i := 1
+	for i < len(v) && '0' <= v[i] && v[i] <= '9' {
+		i++
+	}
+	if v[0] == '0' && i != 1 {
+		return
+	}
+	return v[:i], v[i:], true
+}

apis/actions.github.com/v1alpha1/version_test.go

@@ -0,0 +1,60 @@
+package v1alpha1_test
+
+import (
+	"testing"
+
+	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsVersionAllowed(t *testing.T) {
+	t.Parallel()
+	tt := map[string]struct {
+		resourceVersion string
+		buildVersion    string
+		want            bool
+	}{
+		"dev should always be allowed": {
+			resourceVersion: "0.11.0",
+			buildVersion:    "dev",
+			want:            true,
+		},
+		"resourceVersion is not semver": {
+			resourceVersion: "dev",
+			buildVersion:    "0.11.0",
+			want:            false,
+		},
+		"buildVersion is not semver": {
+			resourceVersion: "0.11.0",
+			buildVersion:    "NA",
+			want:            false,
+		},
+		"major version mismatch": {
+			resourceVersion: "0.11.0",
+			buildVersion:    "1.11.0",
+			want:            false,
+		},
+		"minor version mismatch": {
+			resourceVersion: "0.11.0",
+			buildVersion:    "0.10.0",
+			want:            false,
+		},
+		"patch version mismatch": {
+			resourceVersion: "0.11.1",
+			buildVersion:    "0.11.0",
+			want:            true,
+		},
+		"arbitrary version match": {
+			resourceVersion: "abc",
+			buildVersion:    "abc",
+			want:            true,
+		},
+	}
+
+	for name, tc := range tt {
+		t.Run(name, func(t *testing.T) {
+			got := v1alpha1.IsVersionAllowed(tc.resourceVersion, tc.buildVersion)
+			assert.Equal(t, tc.want, got)
+		})
+	}
+}

apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go

@@ -22,6 +22,7 @@ package v1alpha1
 
 import (
 	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -99,7 +100,12 @@ func (in *AutoscalingListenerSpec) DeepCopyInto(out *AutoscalingListenerSpec) {
 	}
 	if in.GitHubServerTLS != nil {
 		in, out := &in.GitHubServerTLS, &out.GitHubServerTLS
-		*out = new(GitHubServerTLSConfig)
+		*out = new(TLSConfig)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.VaultConfig != nil {
+		in, out := &in.VaultConfig, &out.VaultConfig
+		*out = new(VaultConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.Metrics != nil {
@@ -208,7 +214,12 @@ func (in *AutoscalingRunnerSetSpec) DeepCopyInto(out *AutoscalingRunnerSetSpec)
 	}
 	if in.GitHubServerTLS != nil {
 		in, out := &in.GitHubServerTLS, &out.GitHubServerTLS
-		*out = new(GitHubServerTLSConfig)
+		*out = new(TLSConfig)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.VaultConfig != nil {
+		in, out := &in.VaultConfig, &out.VaultConfig
+		*out = new(VaultConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	in.Template.DeepCopyInto(&out.Template)
@@ -259,6 +270,21 @@ func (in *AutoscalingRunnerSetStatus) DeepCopy() *AutoscalingRunnerSetStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AzureKeyVaultConfig) DeepCopyInto(out *AzureKeyVaultConfig) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKeyVaultConfig.
+func (in *AzureKeyVaultConfig) DeepCopy() *AzureKeyVaultConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(AzureKeyVaultConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CounterMetric) DeepCopyInto(out *CounterMetric) {
 	*out = *in
@@ -431,14 +457,19 @@ func (in *EphemeralRunnerSetStatus) DeepCopy() *EphemeralRunnerSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EphemeralRunnerSpec) DeepCopyInto(out *EphemeralRunnerSpec) {
 	*out = *in
+	if in.GitHubServerTLS != nil {
+		in, out := &in.GitHubServerTLS, &out.GitHubServerTLS
+		*out = new(TLSConfig)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.Proxy != nil {
 		in, out := &in.Proxy, &out.Proxy
 		*out = new(ProxyConfig)
 		(*in).DeepCopyInto(*out)
 	}
-	if in.GitHubServerTLS != nil {
-		in, out := &in.GitHubServerTLS, &out.GitHubServerTLS
-		*out = new(GitHubServerTLSConfig)
+	if in.VaultConfig != nil {
+		in, out := &in.VaultConfig, &out.VaultConfig
+		*out = new(VaultConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	in.PodTemplateSpec.DeepCopyInto(&out.PodTemplateSpec)
@@ -459,9 +490,9 @@ func (in *EphemeralRunnerStatus) DeepCopyInto(out *EphemeralRunnerStatus) {
 	*out = *in
 	if in.Failures != nil {
 		in, out := &in.Failures, &out.Failures
-		*out = make(map[string]bool, len(*in))
+		*out = make(map[string]metav1.Time, len(*in))
 		for key, val := range *in {
-			(*out)[key] = val
+			(*out)[key] = *val.DeepCopy()
 		}
 	}
 }
@@ -496,26 +527,6 @@ func (in *GaugeMetric) DeepCopy() *GaugeMetric {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GitHubServerTLSConfig) DeepCopyInto(out *GitHubServerTLSConfig) {
-	*out = *in
-	if in.CertificateFrom != nil {
-		in, out := &in.CertificateFrom, &out.CertificateFrom
-		*out = new(TLSCertificateSource)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubServerTLSConfig.
-func (in *GitHubServerTLSConfig) DeepCopy() *GitHubServerTLSConfig {
-	if in == nil {
-		return nil
-	}
-	out := new(GitHubServerTLSConfig)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HistogramMetric) DeepCopyInto(out *HistogramMetric) {
 	*out = *in
@@ -668,3 +679,48 @@ func (in *TLSCertificateSource) DeepCopy() *TLSCertificateSource {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLSConfig) DeepCopyInto(out *TLSConfig) {
+	*out = *in
+	if in.CertificateFrom != nil {
+		in, out := &in.CertificateFrom, &out.CertificateFrom
+		*out = new(TLSCertificateSource)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig.
+func (in *TLSConfig) DeepCopy() *TLSConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(TLSConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultConfig) DeepCopyInto(out *VaultConfig) {
+	*out = *in
+	if in.AzureKeyVault != nil {
+		in, out := &in.AzureKeyVault, &out.AzureKeyVault
+		*out = new(AzureKeyVaultConfig)
+		**out = **in
+	}
+	if in.Proxy != nil {
+		in, out := &in.Proxy, &out.Proxy
+		*out = new(ProxyConfig)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultConfig.
+func (in *VaultConfig) DeepCopy() *VaultConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultConfig)
+	in.DeepCopyInto(out)
+	return out
+}

charts/actions-runner-controller/README.md

@@ -44,7 +44,7 @@ All additional docs are kept in the `docs/` folder, this README is solely for do
 | `image.pullPolicy`                                        | The pull policy of the controller image                                                                                                   | IfNotPresent                                                                                    |
 | `metrics.serviceMonitor.enable`                           | Deploy serviceMonitor kind for for use with prometheus-operator CRDs                                                                      | false                                                                                           |
 | `metrics.serviceMonitor.interval`                         | Configure the interval that Prometheus should scrap the controller's metrics                                                              | 1m                                                                                              |
-| `metrics.serviceMonitor.namespace                         | Namespace which Prometheus is running in                                                                                                  | `Release.Namespace` (the default namespace of the helm chart).                                  |
+| `metrics.serviceMonitor.namespace`                        | Namespace which Prometheus is running in                                                                                                  | `Release.Namespace` (the default namespace of the helm chart).                                  |
 | `metrics.serviceMonitor.timeout`                          | Configure the timeout the timeout of Prometheus scrapping.                                                                                | 30s                                                                                             |
 | `metrics.serviceAnnotations`                              | Set annotations for the provisioned metrics service resource                                                                              |                                                                                                 |
 | `metrics.port`                                            | Set port of metrics service                                                                                                               | 8443                                                                                            |

charts/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.2
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: horizontalrunnerautoscalers.actions.summerwind.dev
 spec:
   group: actions.summerwind.dev
@@ -12,306 +12,313 @@ spec:
     listKind: HorizontalRunnerAutoscalerList
     plural: horizontalrunnerautoscalers
     shortNames:
-      - hra
+    - hra
     singular: horizontalrunnerautoscaler
   scope: Namespaced
   versions:
-    - additionalPrinterColumns:
-        - jsonPath: .spec.minReplicas
-          name: Min
-          type: number
-        - jsonPath: .spec.maxReplicas
-          name: Max
-          type: number
-        - jsonPath: .status.desiredReplicas
-          name: Desired
-          type: number
-        - jsonPath: .status.scheduledOverridesSummary
-          name: Schedule
-          type: string
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: HorizontalRunnerAutoscaler is the Schema for the horizontalrunnerautoscaler API
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: HorizontalRunnerAutoscalerSpec defines the desired state of HorizontalRunnerAutoscaler
-              properties:
-                capacityReservations:
-                  items:
-                    description: |-
-                      CapacityReservation specifies the number of replicas temporarily added
-                      to the scale target until ExpirationTime.
-                    properties:
-                      effectiveTime:
-                        format: date-time
-                        type: string
-                      expirationTime:
-                        format: date-time
-                        type: string
-                      name:
-                        type: string
-                      replicas:
-                        type: integer
-                    type: object
-                  type: array
-                githubAPICredentialsFrom:
-                  properties:
-                    secretRef:
-                      properties:
-                        name:
-                          type: string
-                      required:
-                        - name
-                      type: object
-                  type: object
-                maxReplicas:
-                  description: MaxReplicas is the maximum number of replicas the deployment is allowed to scale
-                  type: integer
-                metrics:
-                  description: Metrics is the collection of various metric targets to calculate desired number of runners
-                  items:
-                    properties:
-                      repositoryNames:
-                        description: |-
-                          RepositoryNames is the list of repository names to be used for calculating the metric.
-                          For example, a repository name is the REPO part of `github.com/USER/REPO`.
-                        items:
-                          type: string
-                        type: array
-                      scaleDownAdjustment:
-                        description: |-
-                          ScaleDownAdjustment is the number of runners removed on scale-down.
-                          You can only specify either ScaleDownFactor or ScaleDownAdjustment.
-                        type: integer
-                      scaleDownFactor:
-                        description: |-
-                          ScaleDownFactor is the multiplicative factor applied to the current number of runners used
-                          to determine how many pods should be removed.
-                        type: string
-                      scaleDownThreshold:
-                        description: |-
-                          ScaleDownThreshold is the percentage of busy runners less than which will
-                          trigger the hpa to scale the runners down.
-                        type: string
-                      scaleUpAdjustment:
-                        description: |-
-                          ScaleUpAdjustment is the number of runners added on scale-up.
-                          You can only specify either ScaleUpFactor or ScaleUpAdjustment.
-                        type: integer
-                      scaleUpFactor:
-                        description: |-
-                          ScaleUpFactor is the multiplicative factor applied to the current number of runners used
-                          to determine how many pods should be added.
-                        type: string
-                      scaleUpThreshold:
-                        description: |-
-                          ScaleUpThreshold is the percentage of busy runners greater than which will
-                          trigger the hpa to scale runners up.
-                        type: string
-                      type:
-                        description: |-
-                          Type is the type of metric to be used for autoscaling.
-                          It can be TotalNumberOfQueuedAndInProgressWorkflowRuns or PercentageRunnersBusy.
-                        type: string
-                    type: object
-                  type: array
-                minReplicas:
-                  description: MinReplicas is the minimum number of replicas the deployment is allowed to scale
-                  type: integer
-                scaleDownDelaySecondsAfterScaleOut:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.minReplicas
+      name: Min
+      type: number
+    - jsonPath: .spec.maxReplicas
+      name: Max
+      type: number
+    - jsonPath: .status.desiredReplicas
+      name: Desired
+      type: number
+    - jsonPath: .status.scheduledOverridesSummary
+      name: Schedule
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: HorizontalRunnerAutoscaler is the Schema for the horizontalrunnerautoscaler
+          API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: HorizontalRunnerAutoscalerSpec defines the desired state
+              of HorizontalRunnerAutoscaler
+            properties:
+              capacityReservations:
+                items:
                   description: |-
-                    ScaleDownDelaySecondsAfterScaleUp is the approximate delay for a scale down followed by a scale up
-                    Used to prevent flapping (down->up->down->... loop)
-                  type: integer
-                scaleTargetRef:
-                  description: ScaleTargetRef is the reference to scaled resource like RunnerDeployment
+                    CapacityReservation specifies the number of replicas temporarily added
+                    to the scale target until ExpirationTime.
                   properties:
-                    kind:
-                      description: Kind is the type of resource being referenced
-                      enum:
-                        - RunnerDeployment
-                        - RunnerSet
+                    effectiveTime:
+                      format: date-time
+                      type: string
+                    expirationTime:
+                      format: date-time
                       type: string
                     name:
-                      description: Name is the name of resource being referenced
                       type: string
+                    replicas:
+                      type: integer
                   type: object
-                scaleUpTriggers:
-                  description: |-
-                    ScaleUpTriggers is an experimental feature to increase the desired replicas by 1
-                    on each webhook requested received by the webhookBasedAutoscaler.
-
-                    This feature requires you to also enable and deploy the webhookBasedAutoscaler onto your cluster.
-
-                    Note that the added runners remain until the next sync period at least,
-                    and they may or may not be used by GitHub Actions depending on the timing.
-                    They are intended to be used to gain "resource slack" immediately after you
-                    receive a webhook from GitHub, so that you can loosely expect MinReplicas runners to be always available.
-                  items:
+                type: array
+              githubAPICredentialsFrom:
+                properties:
+                  secretRef:
                     properties:
-                      amount:
-                        type: integer
-                      duration:
-                        type: string
-                      githubEvent:
-                        properties:
-                          checkRun:
-                            description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#check_run
-                            properties:
-                              names:
-                                description: |-
-                                  Names is a list of GitHub Actions glob patterns.
-                                  Any check_run event whose name matches one of patterns in the list can trigger autoscaling.
-                                  Note that check_run name seem to equal to the job name you've defined in your actions workflow yaml file.
-                                  So it is very likely that you can utilize this to trigger depending on the job.
-                                items:
-                                  type: string
-                                type: array
-                              repositories:
-                                description: |-
-                                  Repositories is a list of GitHub repositories.
-                                  Any check_run event whose repository matches one of repositories in the list can trigger autoscaling.
-                                items:
-                                  type: string
-                                type: array
-                              status:
-                                type: string
-                              types:
-                                description: 'One of: created, rerequested, or completed'
-                                items:
-                                  type: string
-                                type: array
-                            type: object
-                          pullRequest:
-                            description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request
-                            properties:
-                              branches:
-                                items:
-                                  type: string
-                                type: array
-                              types:
-                                items:
-                                  type: string
-                                type: array
-                            type: object
-                          push:
-                            description: |-
-                              PushSpec is the condition for triggering scale-up on push event
-                              Also see https://docs.github.com/en/actions/reference/events-that-trigger-workflows#push
-                            type: object
-                          workflowJob:
-                            description: https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job
-                            type: object
-                        type: object
-                    type: object
-                  type: array
-                scheduledOverrides:
-                  description: |-
-                    ScheduledOverrides is the list of ScheduledOverride.
-                    It can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule.
-                    The earlier a scheduled override is, the higher it is prioritized.
-                  items:
-                    description: |-
-                      ScheduledOverride can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule.
-                      A schedule can optionally be recurring, so that the corresponding override happens every day, week, month, or year.
-                    properties:
-                      endTime:
-                        description: EndTime is the time at which the first override ends.
-                        format: date-time
-                        type: string
-                      minReplicas:
-                        description: |-
-                          MinReplicas is the number of runners while overriding.
-                          If omitted, it doesn't override minReplicas.
-                        minimum: 0
-                        nullable: true
-                        type: integer
-                      recurrenceRule:
-                        properties:
-                          frequency:
-                            description: |-
-                              Frequency is the name of a predefined interval of each recurrence.
-                              The valid values are "Daily", "Weekly", "Monthly", and "Yearly".
-                              If empty, the corresponding override happens only once.
-                            enum:
-                              - Daily
-                              - Weekly
-                              - Monthly
-                              - Yearly
-                            type: string
-                          untilTime:
-                            description: |-
-                              UntilTime is the time of the final recurrence.
-                              If empty, the schedule recurs forever.
-                            format: date-time
-                            type: string
-                        type: object
-                      startTime:
-                        description: StartTime is the time at which the first override starts.
-                        format: date-time
+                      name:
                         type: string
                     required:
-                      - endTime
-                      - startTime
+                    - name
                     type: object
-                  type: array
-              type: object
-            status:
-              properties:
-                cacheEntries:
-                  items:
-                    properties:
-                      expirationTime:
-                        format: date-time
+                type: object
+              maxReplicas:
+                description: MaxReplicas is the maximum number of replicas the deployment
+                  is allowed to scale
+                type: integer
+              metrics:
+                description: Metrics is the collection of various metric targets to
+                  calculate desired number of runners
+                items:
+                  properties:
+                    repositoryNames:
+                      description: |-
+                        RepositoryNames is the list of repository names to be used for calculating the metric.
+                        For example, a repository name is the REPO part of `github.com/USER/REPO`.
+                      items:
                         type: string
-                      key:
-                        type: string
-                      value:
-                        type: integer
-                    type: object
-                  type: array
-                desiredReplicas:
+                      type: array
+                    scaleDownAdjustment:
+                      description: |-
+                        ScaleDownAdjustment is the number of runners removed on scale-down.
+                        You can only specify either ScaleDownFactor or ScaleDownAdjustment.
+                      type: integer
+                    scaleDownFactor:
+                      description: |-
+                        ScaleDownFactor is the multiplicative factor applied to the current number of runners used
+                        to determine how many pods should be removed.
+                      type: string
+                    scaleDownThreshold:
+                      description: |-
+                        ScaleDownThreshold is the percentage of busy runners less than which will
+                        trigger the hpa to scale the runners down.
+                      type: string
+                    scaleUpAdjustment:
+                      description: |-
+                        ScaleUpAdjustment is the number of runners added on scale-up.
+                        You can only specify either ScaleUpFactor or ScaleUpAdjustment.
+                      type: integer
+                    scaleUpFactor:
+                      description: |-
+                        ScaleUpFactor is the multiplicative factor applied to the current number of runners used
+                        to determine how many pods should be added.
+                      type: string
+                    scaleUpThreshold:
+                      description: |-
+                        ScaleUpThreshold is the percentage of busy runners greater than which will
+                        trigger the hpa to scale runners up.
+                      type: string
+                    type:
+                      description: |-
+                        Type is the type of metric to be used for autoscaling.
+                        It can be TotalNumberOfQueuedAndInProgressWorkflowRuns or PercentageRunnersBusy.
+                      type: string
+                  type: object
+                type: array
+              minReplicas:
+                description: MinReplicas is the minimum number of replicas the deployment
+                  is allowed to scale
+                type: integer
+              scaleDownDelaySecondsAfterScaleOut:
+                description: |-
+                  ScaleDownDelaySecondsAfterScaleUp is the approximate delay for a scale down followed by a scale up
+                  Used to prevent flapping (down->up->down->... loop)
+                type: integer
+              scaleTargetRef:
+                description: ScaleTargetRef is the reference to scaled resource like
+                  RunnerDeployment
+                properties:
+                  kind:
+                    description: Kind is the type of resource being referenced
+                    enum:
+                    - RunnerDeployment
+                    - RunnerSet
+                    type: string
+                  name:
+                    description: Name is the name of resource being referenced
+                    type: string
+                type: object
+              scaleUpTriggers:
+                description: |-
+                  ScaleUpTriggers is an experimental feature to increase the desired replicas by 1
+                  on each webhook requested received by the webhookBasedAutoscaler.
+
+                  This feature requires you to also enable and deploy the webhookBasedAutoscaler onto your cluster.
+
+                  Note that the added runners remain until the next sync period at least,
+                  and they may or may not be used by GitHub Actions depending on the timing.
+                  They are intended to be used to gain "resource slack" immediately after you
+                  receive a webhook from GitHub, so that you can loosely expect MinReplicas runners to be always available.
+                items:
+                  properties:
+                    amount:
+                      type: integer
+                    duration:
+                      type: string
+                    githubEvent:
+                      properties:
+                        checkRun:
+                          description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#check_run
+                          properties:
+                            names:
+                              description: |-
+                                Names is a list of GitHub Actions glob patterns.
+                                Any check_run event whose name matches one of patterns in the list can trigger autoscaling.
+                                Note that check_run name seem to equal to the job name you've defined in your actions workflow yaml file.
+                                So it is very likely that you can utilize this to trigger depending on the job.
+                              items:
+                                type: string
+                              type: array
+                            repositories:
+                              description: |-
+                                Repositories is a list of GitHub repositories.
+                                Any check_run event whose repository matches one of repositories in the list can trigger autoscaling.
+                              items:
+                                type: string
+                              type: array
+                            status:
+                              type: string
+                            types:
+                              description: 'One of: created, rerequested, or completed'
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        pullRequest:
+                          description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request
+                          properties:
+                            branches:
+                              items:
+                                type: string
+                              type: array
+                            types:
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        push:
+                          description: |-
+                            PushSpec is the condition for triggering scale-up on push event
+                            Also see https://docs.github.com/en/actions/reference/events-that-trigger-workflows#push
+                          type: object
+                        workflowJob:
+                          description: https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job
+                          type: object
+                      type: object
+                  type: object
+                type: array
+              scheduledOverrides:
+                description: |-
+                  ScheduledOverrides is the list of ScheduledOverride.
+                  It can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule.
+                  The earlier a scheduled override is, the higher it is prioritized.
+                items:
                   description: |-
-                    DesiredReplicas is the total number of desired, non-terminated and latest pods to be set for the primary RunnerSet
-                    This doesn't include outdated pods while upgrading the deployment and replacing the runnerset.
-                  type: integer
-                lastSuccessfulScaleOutTime:
-                  format: date-time
-                  nullable: true
-                  type: string
-                observedGeneration:
-                  description: |-
-                    ObservedGeneration is the most recent generation observed for the target. It corresponds to e.g.
-                    RunnerDeployment's generation, which is updated on mutation by the API Server.
-                  format: int64
-                  type: integer
-                scheduledOverridesSummary:
-                  description: |-
-                    ScheduledOverridesSummary is the summary of active and upcoming scheduled overrides to be shown in e.g. a column of a `kubectl get hra` output
-                    for observability.
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  preserveUnknownFields: false
+                    ScheduledOverride can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule.
+                    A schedule can optionally be recurring, so that the corresponding override happens every day, week, month, or year.
+                  properties:
+                    endTime:
+                      description: EndTime is the time at which the first override
+                        ends.
+                      format: date-time
+                      type: string
+                    minReplicas:
+                      description: |-
+                        MinReplicas is the number of runners while overriding.
+                        If omitted, it doesn't override minReplicas.
+                      minimum: 0
+                      nullable: true
+                      type: integer
+                    recurrenceRule:
+                      properties:
+                        frequency:
+                          description: |-
+                            Frequency is the name of a predefined interval of each recurrence.
+                            The valid values are "Daily", "Weekly", "Monthly", and "Yearly".
+                            If empty, the corresponding override happens only once.
+                          enum:
+                          - Daily
+                          - Weekly
+                          - Monthly
+                          - Yearly
+                          type: string
+                        untilTime:
+                          description: |-
+                            UntilTime is the time of the final recurrence.
+                            If empty, the schedule recurs forever.
+                          format: date-time
+                          type: string
+                      type: object
+                    startTime:
+                      description: StartTime is the time at which the first override
+                        starts.
+                      format: date-time
+                      type: string
+                  required:
+                  - endTime
+                  - startTime
+                  type: object
+                type: array
+            type: object
+          status:
+            properties:
+              cacheEntries:
+                items:
+                  properties:
+                    expirationTime:
+                      format: date-time
+                      type: string
+                    key:
+                      type: string
+                    value:
+                      type: integer
+                  type: object
+                type: array
+              desiredReplicas:
+                description: |-
+                  DesiredReplicas is the total number of desired, non-terminated and latest pods to be set for the primary RunnerSet
+                  This doesn't include outdated pods while upgrading the deployment and replacing the runnerset.
+                type: integer
+              lastSuccessfulScaleOutTime:
+                format: date-time
+                nullable: true
+                type: string
+              observedGeneration:
+                description: |-
+                  ObservedGeneration is the most recent generation observed for the target. It corresponds to e.g.
+                  RunnerDeployment's generation, which is updated on mutation by the API Server.
+                format: int64
+                type: integer
+              scheduledOverridesSummary:
+                description: |-
+                  ScheduledOverridesSummary is the summary of active and upcoming scheduled overrides to be shown in e.g. a column of a `kubectl get hra` output
+                  for observability.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

charts/actions-runner-controller/crds/actions.summerwind.dev_runnersets.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.2
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: runnersets.actions.summerwind.dev
 spec:
   group: actions.summerwind.dev
@@ -554,7 +554,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                               Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -569,7 +568,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                               Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -730,7 +728,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                           Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -745,7 +742,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                           Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -834,8 +830,8 @@ spec:
                                     most preferred is the one with the greatest sum of weights, i.e.
                                     for each node that meets all of the scheduling requirements (resource
                                     request, requiredDuringScheduling anti-affinity expressions, etc.),
-                                    compute a sum by iterating through the elements of this field and adding
-                                    "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                    compute a sum by iterating through the elements of this field and subtracting
+                                    "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
                                     node(s) with the highest sum are the most preferred.
                                   items:
                                     description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
@@ -899,7 +895,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                               Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -914,7 +909,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                               Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -1075,7 +1069,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                           Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -1090,7 +1083,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                           Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -1217,7 +1209,9 @@ spec:
                                   description: EnvVar represents an environment variable present in a Container.
                                   properties:
                                     name:
-                                      description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Name of the environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     value:
                                       description: |-
@@ -1271,6 +1265,42 @@ spec:
                                             - fieldPath
                                           type: object
                                           x-kubernetes-map-type: atomic
+                                        fileKeyRef:
+                                          description: |-
+                                            FileKeyRef selects a key of the env file.
+                                            Requires the EnvFiles feature gate to be enabled.
+                                          properties:
+                                            key:
+                                              description: |-
+                                                The key within the env file. An invalid key will prevent the pod from starting.
+                                                The keys defined within a source may consist of any printable ASCII characters except '='.
+                                                During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                              type: string
+                                            optional:
+                                              default: false
+                                              description: |-
+                                                Specify whether the file or its key must be defined. If the file or key
+                                                does not exist, then the env var is not published.
+                                                If optional is set to true and the specified key does not exist,
+                                                the environment variable will not be set in the Pod's containers.
+
+                                                If optional is set to false and the specified key does not exist,
+                                                an error will be returned during Pod creation.
+                                              type: boolean
+                                            path:
+                                              description: |-
+                                                The path within the volume from which to select the file.
+                                                Must be relative and may not contain the '..' path or start with '..'.
+                                              type: string
+                                            volumeName:
+                                              description: The name of the volume mount containing the env file.
+                                              type: string
+                                          required:
+                                            - key
+                                            - path
+                                            - volumeName
+                                          type: object
+                                          x-kubernetes-map-type: atomic
                                         resourceFieldRef:
                                           description: |-
                                             Selects a resource of the container: only resources limits and requests
@@ -1326,13 +1356,13 @@ spec:
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
-                                  The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                                  will be reported as an event when the container is starting. When a key exists in multiple
+                                  The keys defined within a source may consist of any printable ASCII characters except '='.
+                                  When a key exists in multiple
                                   sources, the value associated with the last source will take precedence.
                                   Values defined by an Env with a duplicate key will take precedence.
                                   Cannot be updated.
                                 items:
-                                  description: EnvFromSource represents the source of a set of ConfigMaps
+                                  description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                                   properties:
                                     configMapRef:
                                       description: The ConfigMap to select from
@@ -1352,7 +1382,9 @@ spec:
                                       type: object
                                       x-kubernetes-map-type: atomic
                                     prefix:
-                                      description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Optional text to prepend to the name of each environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     secretRef:
                                       description: The Secret to select from
@@ -1601,6 +1633,12 @@ spec:
                                           - port
                                         type: object
                                     type: object
+                                  stopSignal:
+                                    description: |-
+                                      StopSignal defines which signal will be sent to a container when it is being stopped.
+                                      If not specified, the default is defined by the container runtime in use.
+                                      StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                    type: string
                                 type: object
                               livenessProbe:
                                 description: |-
@@ -1991,7 +2029,7 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-                                      This is an alpha field and requires enabling the
+                                      This field depends on the
                                       DynamicResourceAllocation feature gate.
 
                                       This field is immutable. It can only be set for containers.
@@ -2042,10 +2080,10 @@ spec:
                               restartPolicy:
                                 description: |-
                                   RestartPolicy defines the restart behavior of individual containers in a pod.
-                                  This field may only be set for init containers, and the only allowed value is "Always".
-                                  For non-init containers or when this field is not specified,
+                                  This overrides the pod-level restart policy. When this field is not specified,
                                   the restart behavior is defined by the Pod's restart policy and the container type.
-                                  Setting the RestartPolicy as "Always" for the init container will have the following effect:
+                                  Additionally, setting the RestartPolicy as "Always" for the init container will
+                                  have the following effect:
                                   this init container will be continually restarted on
                                   exit until all regular containers have terminated. Once all regular
                                   containers have completed, all init containers with restartPolicy "Always"
@@ -2057,6 +2095,57 @@ spec:
                                   init container is started, or after any startupProbe has successfully
                                   completed.
                                 type: string
+                              restartPolicyRules:
+                                description: |-
+                                  Represents a list of rules to be checked to determine if the
+                                  container should be restarted on exit. The rules are evaluated in
+                                  order. Once a rule matches a container exit condition, the remaining
+                                  rules are ignored. If no rule matches the container exit condition,
+                                  the Container-level restart policy determines the whether the container
+                                  is restarted or not. Constraints on the rules:
+                                  - At most 20 rules are allowed.
+                                  - Rules can have the same action.
+                                  - Identical rules are not forbidden in validations.
+                                  When rules are specified, container MUST set RestartPolicy explicitly
+                                  even it if matches the Pod's RestartPolicy.
+                                items:
+                                  description: ContainerRestartRule describes how a container exit is handled.
+                                  properties:
+                                    action:
+                                      description: |-
+                                        Specifies the action taken on a container exit if the requirements
+                                        are satisfied. The only possible value is "Restart" to restart the
+                                        container.
+                                      type: string
+                                    exitCodes:
+                                      description: Represents the exit codes to check on container exits.
+                                      properties:
+                                        operator:
+                                          description: |-
+                                            Represents the relationship between the container exit code(s) and the
+                                            specified values. Possible values are:
+                                            - In: the requirement is satisfied if the container exit code is in the
+                                              set of specified values.
+                                            - NotIn: the requirement is satisfied if the container exit code is
+                                              not in the set of specified values.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            Specifies the set of values to check for container exit codes.
+                                            At most 255 elements are allowed.
+                                          items:
+                                            format: int32
+                                            type: integer
+                                          type: array
+                                          x-kubernetes-list-type: set
+                                      required:
+                                        - operator
+                                      type: object
+                                  required:
+                                    - action
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
                               securityContext:
                                 description: |-
                                   SecurityContext defines the security options the container should be run with.
@@ -2654,7 +2743,9 @@ spec:
                                   description: EnvVar represents an environment variable present in a Container.
                                   properties:
                                     name:
-                                      description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Name of the environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     value:
                                       description: |-
@@ -2708,6 +2799,42 @@ spec:
                                             - fieldPath
                                           type: object
                                           x-kubernetes-map-type: atomic
+                                        fileKeyRef:
+                                          description: |-
+                                            FileKeyRef selects a key of the env file.
+                                            Requires the EnvFiles feature gate to be enabled.
+                                          properties:
+                                            key:
+                                              description: |-
+                                                The key within the env file. An invalid key will prevent the pod from starting.
+                                                The keys defined within a source may consist of any printable ASCII characters except '='.
+                                                During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                              type: string
+                                            optional:
+                                              default: false
+                                              description: |-
+                                                Specify whether the file or its key must be defined. If the file or key
+                                                does not exist, then the env var is not published.
+                                                If optional is set to true and the specified key does not exist,
+                                                the environment variable will not be set in the Pod's containers.
+
+                                                If optional is set to false and the specified key does not exist,
+                                                an error will be returned during Pod creation.
+                                              type: boolean
+                                            path:
+                                              description: |-
+                                                The path within the volume from which to select the file.
+                                                Must be relative and may not contain the '..' path or start with '..'.
+                                              type: string
+                                            volumeName:
+                                              description: The name of the volume mount containing the env file.
+                                              type: string
+                                          required:
+                                            - key
+                                            - path
+                                            - volumeName
+                                          type: object
+                                          x-kubernetes-map-type: atomic
                                         resourceFieldRef:
                                           description: |-
                                             Selects a resource of the container: only resources limits and requests
@@ -2763,13 +2890,13 @@ spec:
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
-                                  The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                                  will be reported as an event when the container is starting. When a key exists in multiple
+                                  The keys defined within a source may consist of any printable ASCII characters except '='.
+                                  When a key exists in multiple
                                   sources, the value associated with the last source will take precedence.
                                   Values defined by an Env with a duplicate key will take precedence.
                                   Cannot be updated.
                                 items:
-                                  description: EnvFromSource represents the source of a set of ConfigMaps
+                                  description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                                   properties:
                                     configMapRef:
                                       description: The ConfigMap to select from
@@ -2789,7 +2916,9 @@ spec:
                                       type: object
                                       x-kubernetes-map-type: atomic
                                     prefix:
-                                      description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Optional text to prepend to the name of each environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     secretRef:
                                       description: The Secret to select from
@@ -3034,6 +3163,12 @@ spec:
                                           - port
                                         type: object
                                     type: object
+                                  stopSignal:
+                                    description: |-
+                                      StopSignal defines which signal will be sent to a container when it is being stopped.
+                                      If not specified, the default is defined by the container runtime in use.
+                                      StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                    type: string
                                 type: object
                               livenessProbe:
                                 description: Probes are not allowed for ephemeral containers.
@@ -3407,7 +3542,7 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-                                      This is an alpha field and requires enabling the
+                                      This field depends on the
                                       DynamicResourceAllocation feature gate.
 
                                       This field is immutable. It can only be set for containers.
@@ -3459,9 +3594,51 @@ spec:
                                 description: |-
                                   Restart policy for the container to manage the restart behavior of each
                                   container within a pod.
-                                  This may only be set for init containers. You cannot set this field on
-                                  ephemeral containers.
+                                  You cannot set this field on ephemeral containers.
                                 type: string
+                              restartPolicyRules:
+                                description: |-
+                                  Represents a list of rules to be checked to determine if the
+                                  container should be restarted on exit. You cannot set this field on
+                                  ephemeral containers.
+                                items:
+                                  description: ContainerRestartRule describes how a container exit is handled.
+                                  properties:
+                                    action:
+                                      description: |-
+                                        Specifies the action taken on a container exit if the requirements
+                                        are satisfied. The only possible value is "Restart" to restart the
+                                        container.
+                                      type: string
+                                    exitCodes:
+                                      description: Represents the exit codes to check on container exits.
+                                      properties:
+                                        operator:
+                                          description: |-
+                                            Represents the relationship between the container exit code(s) and the
+                                            specified values. Possible values are:
+                                            - In: the requirement is satisfied if the container exit code is in the
+                                              set of specified values.
+                                            - NotIn: the requirement is satisfied if the container exit code is
+                                              not in the set of specified values.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            Specifies the set of values to check for container exit codes.
+                                            At most 255 elements are allowed.
+                                          items:
+                                            format: int32
+                                            type: integer
+                                          type: array
+                                          x-kubernetes-list-type: set
+                                      required:
+                                        - operator
+                                      type: object
+                                  required:
+                                    - action
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
                               securityContext:
                                 description: |-
                                   Optional: SecurityContext defines the security options the ephemeral container should be run with.
@@ -3980,7 +4157,9 @@ spec:
                         hostNetwork:
                           description: |-
                             Host networking requested for this pod. Use the host's network namespace.
-                            If this option is set, the ports that will be used must be specified.
+                            When using HostNetwork you should specify ports so the scheduler is aware.
+                            When `hostNetwork` is true, specified `hostPort` fields in port definitions must match `containerPort`,
+                            and unspecified `hostPort` fields in port definitions are defaulted to match `containerPort`.
                             Default to false.
                           type: boolean
                         hostPID:
@@ -4005,6 +4184,19 @@ spec:
                             Specifies the hostname of the Pod
                             If not specified, the pod's hostname will be set to a system-defined value.
                           type: string
+                        hostnameOverride:
+                          description: |-
+                            HostnameOverride specifies an explicit override for the pod's hostname as perceived by the pod.
+                            This field only specifies the pod's hostname and does not affect its DNS records.
+                            When this field is set to a non-empty string:
+                            - It takes precedence over the values set in `hostname` and `subdomain`.
+                            - The Pod's hostname will be set to this value.
+                            - `setHostnameAsFQDN` must be nil or set to false.
+                            - `hostNetwork` must be set to false.
+
+                            This field must be a valid DNS subdomain as defined in RFC 1123 and contain at most 64 characters.
+                            Requires the HostnameOverride feature gate to be enabled.
+                          type: string
                         imagePullSecrets:
                           description: |-
                             ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
@@ -4040,7 +4232,7 @@ spec:
                             Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes.
                             The resourceRequirements of an init container are taken into account during scheduling
                             by finding the highest request/limit for each resource type, and then using the max of
-                            of that value or the sum of the normal containers. Limits are applied to init containers
+                            that value or the sum of the normal containers. Limits are applied to init containers
                             in a similar fashion.
                             Init containers cannot currently be added or removed.
                             Cannot be updated.
@@ -4084,7 +4276,9 @@ spec:
                                   description: EnvVar represents an environment variable present in a Container.
                                   properties:
                                     name:
-                                      description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Name of the environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     value:
                                       description: |-
@@ -4138,6 +4332,42 @@ spec:
                                             - fieldPath
                                           type: object
                                           x-kubernetes-map-type: atomic
+                                        fileKeyRef:
+                                          description: |-
+                                            FileKeyRef selects a key of the env file.
+                                            Requires the EnvFiles feature gate to be enabled.
+                                          properties:
+                                            key:
+                                              description: |-
+                                                The key within the env file. An invalid key will prevent the pod from starting.
+                                                The keys defined within a source may consist of any printable ASCII characters except '='.
+                                                During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                              type: string
+                                            optional:
+                                              default: false
+                                              description: |-
+                                                Specify whether the file or its key must be defined. If the file or key
+                                                does not exist, then the env var is not published.
+                                                If optional is set to true and the specified key does not exist,
+                                                the environment variable will not be set in the Pod's containers.
+
+                                                If optional is set to false and the specified key does not exist,
+                                                an error will be returned during Pod creation.
+                                              type: boolean
+                                            path:
+                                              description: |-
+                                                The path within the volume from which to select the file.
+                                                Must be relative and may not contain the '..' path or start with '..'.
+                                              type: string
+                                            volumeName:
+                                              description: The name of the volume mount containing the env file.
+                                              type: string
+                                          required:
+                                            - key
+                                            - path
+                                            - volumeName
+                                          type: object
+                                          x-kubernetes-map-type: atomic
                                         resourceFieldRef:
                                           description: |-
                                             Selects a resource of the container: only resources limits and requests
@@ -4193,13 +4423,13 @@ spec:
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
-                                  The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                                  will be reported as an event when the container is starting. When a key exists in multiple
+                                  The keys defined within a source may consist of any printable ASCII characters except '='.
+                                  When a key exists in multiple
                                   sources, the value associated with the last source will take precedence.
                                   Values defined by an Env with a duplicate key will take precedence.
                                   Cannot be updated.
                                 items:
-                                  description: EnvFromSource represents the source of a set of ConfigMaps
+                                  description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                                   properties:
                                     configMapRef:
                                       description: The ConfigMap to select from
@@ -4219,7 +4449,9 @@ spec:
                                       type: object
                                       x-kubernetes-map-type: atomic
                                     prefix:
-                                      description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Optional text to prepend to the name of each environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     secretRef:
                                       description: The Secret to select from
@@ -4468,6 +4700,12 @@ spec:
                                           - port
                                         type: object
                                     type: object
+                                  stopSignal:
+                                    description: |-
+                                      StopSignal defines which signal will be sent to a container when it is being stopped.
+                                      If not specified, the default is defined by the container runtime in use.
+                                      StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                    type: string
                                 type: object
                               livenessProbe:
                                 description: |-
@@ -4858,7 +5096,7 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-                                      This is an alpha field and requires enabling the
+                                      This field depends on the
                                       DynamicResourceAllocation feature gate.
 
                                       This field is immutable. It can only be set for containers.
@@ -4909,10 +5147,10 @@ spec:
                               restartPolicy:
                                 description: |-
                                   RestartPolicy defines the restart behavior of individual containers in a pod.
-                                  This field may only be set for init containers, and the only allowed value is "Always".
-                                  For non-init containers or when this field is not specified,
+                                  This overrides the pod-level restart policy. When this field is not specified,
                                   the restart behavior is defined by the Pod's restart policy and the container type.
-                                  Setting the RestartPolicy as "Always" for the init container will have the following effect:
+                                  Additionally, setting the RestartPolicy as "Always" for the init container will
+                                  have the following effect:
                                   this init container will be continually restarted on
                                   exit until all regular containers have terminated. Once all regular
                                   containers have completed, all init containers with restartPolicy "Always"
@@ -4924,6 +5162,57 @@ spec:
                                   init container is started, or after any startupProbe has successfully
                                   completed.
                                 type: string
+                              restartPolicyRules:
+                                description: |-
+                                  Represents a list of rules to be checked to determine if the
+                                  container should be restarted on exit. The rules are evaluated in
+                                  order. Once a rule matches a container exit condition, the remaining
+                                  rules are ignored. If no rule matches the container exit condition,
+                                  the Container-level restart policy determines the whether the container
+                                  is restarted or not. Constraints on the rules:
+                                  - At most 20 rules are allowed.
+                                  - Rules can have the same action.
+                                  - Identical rules are not forbidden in validations.
+                                  When rules are specified, container MUST set RestartPolicy explicitly
+                                  even it if matches the Pod's RestartPolicy.
+                                items:
+                                  description: ContainerRestartRule describes how a container exit is handled.
+                                  properties:
+                                    action:
+                                      description: |-
+                                        Specifies the action taken on a container exit if the requirements
+                                        are satisfied. The only possible value is "Restart" to restart the
+                                        container.
+                                      type: string
+                                    exitCodes:
+                                      description: Represents the exit codes to check on container exits.
+                                      properties:
+                                        operator:
+                                          description: |-
+                                            Represents the relationship between the container exit code(s) and the
+                                            specified values. Possible values are:
+                                            - In: the requirement is satisfied if the container exit code is in the
+                                              set of specified values.
+                                            - NotIn: the requirement is satisfied if the container exit code is
+                                              not in the set of specified values.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            Specifies the set of values to check for container exit codes.
+                                            At most 255 elements are allowed.
+                                          items:
+                                            format: int32
+                                            type: integer
+                                          type: array
+                                          x-kubernetes-list-type: set
+                                      required:
+                                        - operator
+                                      type: object
+                                  required:
+                                    - action
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
                               securityContext:
                                 description: |-
                                   SecurityContext defines the security options the container should be run with.
@@ -5437,6 +5726,7 @@ spec:
                             - spec.hostPID
                             - spec.hostIPC
                             - spec.hostUsers
+                            - spec.resources
                             - spec.securityContext.appArmorProfile
                             - spec.securityContext.seLinuxOptions
                             - spec.securityContext.seccompProfile
@@ -5588,7 +5878,7 @@ spec:
                           description: |-
                             Resources is the total amount of CPU and Memory resources required by all
                             containers in the pod. It supports specifying Requests and Limits for
-                            "cpu" and "memory" resource names only. ResourceClaims are not supported.
+                            "cpu", "memory" and "hugepages-" resource names only. ResourceClaims are not supported.
 
                             This field enables fine-grained control over resource allocation for the
                             entire pod, allowing resource sharing among containers in a pod.
@@ -5601,7 +5891,7 @@ spec:
                                 Claims lists the names of resources, defined in spec.resourceClaims,
                                 that are used by this container.
 
-                                This is an alpha field and requires enabling the
+                                This field depends on the
                                 DynamicResourceAllocation feature gate.
 
                                 This field is immutable. It can only be set for containers.
@@ -6126,7 +6416,6 @@ spec:
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
                                   If this value is nil, the behavior is equivalent to the Honor policy.
-                                  This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
                               nodeTaintsPolicy:
                                 description: |-
@@ -6137,7 +6426,6 @@ spec:
                                   - Ignore: node taints are ignored. All nodes are included.
 
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
-                                  This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
                               topologyKey:
                                 description: |-
@@ -6843,15 +7131,13 @@ spec:
                                               volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
                                               If specified, the CSI driver will create or update the volume with the attributes defined
                                               in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
-                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
-                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
-                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
-                                              will be set by the persistentvolume controller if it exists.
+                                              it can be changed after the claim is created. An empty string or nil value indicates that no
+                                              VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+                                              this field can be reset to its previous value (including nil) to cancel the modification.
                                               If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
                                               set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
                                               exists.
                                               More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
-                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
                                             type: string
                                           volumeMode:
                                             description: |-
@@ -7025,12 +7311,9 @@ spec:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
                                   Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
-                                  More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
-                                    description: |-
-                                      endpoints is the endpoint name that details Glusterfs topology.
-                                      More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+                                    description: endpoints is the endpoint name that details Glusterfs topology.
                                     type: string
                                   path:
                                     description: |-
@@ -7084,7 +7367,7 @@ spec:
                                   The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
                                   The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
                                   The volume will be mounted read-only (ro) and non-executable files (noexec).
-                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
                                   The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
                                 properties:
                                   pullPolicy:
@@ -7109,7 +7392,7 @@ spec:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
-                                  More info: https://examples.k8s.io/volumes/iscsi/README.md
+                                  More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
                                 properties:
                                   chapAuthDiscovery:
                                     description: chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
@@ -7499,6 +7782,110 @@ spec:
                                               type: array
                                               x-kubernetes-list-type: atomic
                                           type: object
+                                        podCertificate:
+                                          description: |-
+                                            Projects an auto-rotating credential bundle (private key and certificate
+                                            chain) that the pod can use either as a TLS client or server.
+
+                                            Kubelet generates a private key and uses it to send a
+                                            PodCertificateRequest to the named signer.  Once the signer approves the
+                                            request and issues a certificate chain, Kubelet writes the key and
+                                            certificate chain to the pod filesystem.  The pod does not start until
+                                            certificates have been issued for each podCertificate projected volume
+                                            source in its spec.
+
+                                            Kubelet will begin trying to rotate the certificate at the time indicated
+                                            by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+                                            timestamp.
+
+                                            Kubelet can write a single file, indicated by the credentialBundlePath
+                                            field, or separate files, indicated by the keyPath and
+                                            certificateChainPath fields.
+
+                                            The credential bundle is a single file in PEM format.  The first PEM
+                                            entry is the private key (in PKCS#8 format), and the remaining PEM
+                                            entries are the certificate chain issued by the signer (typically,
+                                            signers will return their certificate chain in leaf-to-root order).
+
+                                            Prefer using the credential bundle format, since your application code
+                                            can read it atomically.  If you use keyPath and certificateChainPath,
+                                            your application must make two separate file reads. If these coincide
+                                            with a certificate rotation, it is possible that the private key and leaf
+                                            certificate you read may not correspond to each other.  Your application
+                                            will need to check for this condition, and re-read until they are
+                                            consistent.
+
+                                            The named signer controls chooses the format of the certificate it
+                                            issues; consult the signer implementation's documentation to learn how to
+                                            use the certificates it issues.
+                                          properties:
+                                            certificateChainPath:
+                                              description: |-
+                                                Write the certificate chain at this path in the projected volume.
+
+                                                Most applications should use credentialBundlePath.  When using keyPath
+                                                and certificateChainPath, your application needs to check that the key
+                                                and leaf certificate are consistent, because it is possible to read the
+                                                files mid-rotation.
+                                              type: string
+                                            credentialBundlePath:
+                                              description: |-
+                                                Write the credential bundle at this path in the projected volume.
+
+                                                The credential bundle is a single file that contains multiple PEM blocks.
+                                                The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+                                                key.
+
+                                                The remaining blocks are CERTIFICATE blocks, containing the issued
+                                                certificate chain from the signer (leaf and any intermediates).
+
+                                                Using credentialBundlePath lets your Pod's application code make a single
+                                                atomic read that retrieves a consistent key and certificate chain.  If you
+                                                project them to separate files, your application code will need to
+                                                additionally check that the leaf certificate was issued to the key.
+                                              type: string
+                                            keyPath:
+                                              description: |-
+                                                Write the key at this path in the projected volume.
+
+                                                Most applications should use credentialBundlePath.  When using keyPath
+                                                and certificateChainPath, your application needs to check that the key
+                                                and leaf certificate are consistent, because it is possible to read the
+                                                files mid-rotation.
+                                              type: string
+                                            keyType:
+                                              description: |-
+                                                The type of keypair Kubelet will generate for the pod.
+
+                                                Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+                                                "ECDSAP521", and "ED25519".
+                                              type: string
+                                            maxExpirationSeconds:
+                                              description: |-
+                                                maxExpirationSeconds is the maximum lifetime permitted for the
+                                                certificate.
+
+                                                Kubelet copies this value verbatim into the PodCertificateRequests it
+                                                generates for this projection.
+
+                                                If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+                                                will reject values shorter than 3600 (1 hour).  The maximum allowable
+                                                value is 7862400 (91 days).
+
+                                                The signer implementation is then free to issue a certificate with any
+                                                lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+                                                seconds (1 hour).  This constraint is enforced by kube-apiserver.
+                                                `kubernetes.io` signers will never issue certificates with a lifetime
+                                                longer than 24 hours.
+                                              format: int32
+                                              type: integer
+                                            signerName:
+                                              description: Kubelet's generated CSRs will be addressed to this signer.
+                                              type: string
+                                          required:
+                                            - keyType
+                                            - signerName
+                                          type: object
                                         secret:
                                           description: secret information about the secret data to project
                                           properties:
@@ -7628,7 +8015,6 @@ spec:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
                                   Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
-                                  More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
                                     description: |-
@@ -8170,15 +8556,13 @@ spec:
                               volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
                               If specified, the CSI driver will create or update the volume with the attributes defined
                               in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
-                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
-                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
-                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
-                              will be set by the persistentvolume controller if it exists.
+                              it can be changed after the claim is created. An empty string or nil value indicates that no
+                              VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+                              this field can be reset to its previous value (including nil) to cancel the modification.
                               If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
                               set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
                               exists.
                               More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
-                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
                             type: string
                           volumeMode:
                             description: |-
@@ -8278,13 +8662,11 @@ spec:
                             description: |-
                               currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using.
                               When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim
-                              This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
                             type: string
                           modifyVolumeStatus:
                             description: |-
                               ModifyVolumeStatus represents the status object of ControllerModifyVolume operation.
                               When this is unset, there is no ModifyVolume operation being attempted.
-                              This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
                             properties:
                               status:
                                 description: "status is the status of the ControllerModifyVolume operation. It can be in any of following states:\n - Pending\n   Pending indicates that the PersistentVolumeClaim cannot be modified due to unmet requirements, such as\n   the specified VolumeAttributesClass not existing.\n - InProgress\n   InProgress indicates that the volume is being modified.\n - Infeasible\n  Infeasible indicates that the request has been rejected as invalid by the CSI driver. To\n\t  resolve the error, a valid VolumeAttributesClass needs to be specified.\nNote: New statuses can be added in the future. Consumers should check for unknown statuses and fail appropriately."
@@ -8355,7 +8737,6 @@ spec:
                   type: object
               required:
                 - selector
-                - serviceName
                 - template
               type: object
             status:
@@ -8389,4 +8770,3 @@ spec:
       storage: true
       subresources:
         status: {}
-  preserveUnknownFields: false

charts/gha-runner-scale-set-controller/Chart.yaml

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.11.0
+version: 0.13.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.11.0"
+appVersion: "0.13.1"
 
 home: https://github.com/actions/actions-runner-controller
 

charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunners.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.2
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: ephemeralrunners.actions.github.com
 spec:
   group: actions.github.com
@@ -36,6 +36,9 @@ spec:
         - jsonPath: .status.jobDisplayName
           name: JobDisplayName
           type: string
+        - jsonPath: .status.jobId
+          name: JobId
+          type: string
         - jsonPath: .status.message
           name: Message
           type: string
@@ -427,7 +430,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                           Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -442,7 +444,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                           Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -603,7 +604,6 @@ spec:
                                       pod labels will be ignored. The default value is empty.
                                       The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                       Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                     items:
                                       type: string
                                     type: array
@@ -618,7 +618,6 @@ spec:
                                       pod labels will be ignored. The default value is empty.
                                       The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                       Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                     items:
                                       type: string
                                     type: array
@@ -707,8 +706,8 @@ spec:
                                 most preferred is the one with the greatest sum of weights, i.e.
                                 for each node that meets all of the scheduling requirements (resource
                                 request, requiredDuringScheduling anti-affinity expressions, etc.),
-                                compute a sum by iterating through the elements of this field and adding
-                                "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                compute a sum by iterating through the elements of this field and subtracting
+                                "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
                                 node(s) with the highest sum are the most preferred.
                               items:
                                 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
@@ -772,7 +771,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                           Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -787,7 +785,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                           Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -948,7 +945,6 @@ spec:
                                       pod labels will be ignored. The default value is empty.
                                       The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                       Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                     items:
                                       type: string
                                     type: array
@@ -963,7 +959,6 @@ spec:
                                       pod labels will be ignored. The default value is empty.
                                       The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                       Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                     items:
                                       type: string
                                     type: array
@@ -1090,7 +1085,9 @@ spec:
                               description: EnvVar represents an environment variable present in a Container.
                               properties:
                                 name:
-                                  description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                  description: |-
+                                    Name of the environment variable.
+                                    May consist of any printable ASCII characters except '='.
                                   type: string
                                 value:
                                   description: |-
@@ -1144,6 +1141,42 @@ spec:
                                         - fieldPath
                                       type: object
                                       x-kubernetes-map-type: atomic
+                                    fileKeyRef:
+                                      description: |-
+                                        FileKeyRef selects a key of the env file.
+                                        Requires the EnvFiles feature gate to be enabled.
+                                      properties:
+                                        key:
+                                          description: |-
+                                            The key within the env file. An invalid key will prevent the pod from starting.
+                                            The keys defined within a source may consist of any printable ASCII characters except '='.
+                                            During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                          type: string
+                                        optional:
+                                          default: false
+                                          description: |-
+                                            Specify whether the file or its key must be defined. If the file or key
+                                            does not exist, then the env var is not published.
+                                            If optional is set to true and the specified key does not exist,
+                                            the environment variable will not be set in the Pod's containers.
+
+                                            If optional is set to false and the specified key does not exist,
+                                            an error will be returned during Pod creation.
+                                          type: boolean
+                                        path:
+                                          description: |-
+                                            The path within the volume from which to select the file.
+                                            Must be relative and may not contain the '..' path or start with '..'.
+                                          type: string
+                                        volumeName:
+                                          description: The name of the volume mount containing the env file.
+                                          type: string
+                                      required:
+                                        - key
+                                        - path
+                                        - volumeName
+                                      type: object
+                                      x-kubernetes-map-type: atomic
                                     resourceFieldRef:
                                       description: |-
                                         Selects a resource of the container: only resources limits and requests
@@ -1199,13 +1232,13 @@ spec:
                           envFrom:
                             description: |-
                               List of sources to populate environment variables in the container.
-                              The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                              will be reported as an event when the container is starting. When a key exists in multiple
+                              The keys defined within a source may consist of any printable ASCII characters except '='.
+                              When a key exists in multiple
                               sources, the value associated with the last source will take precedence.
                               Values defined by an Env with a duplicate key will take precedence.
                               Cannot be updated.
                             items:
-                              description: EnvFromSource represents the source of a set of ConfigMaps
+                              description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                               properties:
                                 configMapRef:
                                   description: The ConfigMap to select from
@@ -1225,7 +1258,9 @@ spec:
                                   type: object
                                   x-kubernetes-map-type: atomic
                                 prefix:
-                                  description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                  description: |-
+                                    Optional text to prepend to the name of each environment variable.
+                                    May consist of any printable ASCII characters except '='.
                                   type: string
                                 secretRef:
                                   description: The Secret to select from
@@ -1474,6 +1509,12 @@ spec:
                                       - port
                                     type: object
                                 type: object
+                              stopSignal:
+                                description: |-
+                                  StopSignal defines which signal will be sent to a container when it is being stopped.
+                                  If not specified, the default is defined by the container runtime in use.
+                                  StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                type: string
                             type: object
                           livenessProbe:
                             description: |-
@@ -1864,7 +1905,7 @@ spec:
                                   Claims lists the names of resources, defined in spec.resourceClaims,
                                   that are used by this container.
 
-                                  This is an alpha field and requires enabling the
+                                  This field depends on the
                                   DynamicResourceAllocation feature gate.
 
                                   This field is immutable. It can only be set for containers.
@@ -1915,10 +1956,10 @@ spec:
                           restartPolicy:
                             description: |-
                               RestartPolicy defines the restart behavior of individual containers in a pod.
-                              This field may only be set for init containers, and the only allowed value is "Always".
-                              For non-init containers or when this field is not specified,
+                              This overrides the pod-level restart policy. When this field is not specified,
                               the restart behavior is defined by the Pod's restart policy and the container type.
-                              Setting the RestartPolicy as "Always" for the init container will have the following effect:
+                              Additionally, setting the RestartPolicy as "Always" for the init container will
+                              have the following effect:
                               this init container will be continually restarted on
                               exit until all regular containers have terminated. Once all regular
                               containers have completed, all init containers with restartPolicy "Always"
@@ -1930,6 +1971,57 @@ spec:
                               init container is started, or after any startupProbe has successfully
                               completed.
                             type: string
+                          restartPolicyRules:
+                            description: |-
+                              Represents a list of rules to be checked to determine if the
+                              container should be restarted on exit. The rules are evaluated in
+                              order. Once a rule matches a container exit condition, the remaining
+                              rules are ignored. If no rule matches the container exit condition,
+                              the Container-level restart policy determines the whether the container
+                              is restarted or not. Constraints on the rules:
+                              - At most 20 rules are allowed.
+                              - Rules can have the same action.
+                              - Identical rules are not forbidden in validations.
+                              When rules are specified, container MUST set RestartPolicy explicitly
+                              even it if matches the Pod's RestartPolicy.
+                            items:
+                              description: ContainerRestartRule describes how a container exit is handled.
+                              properties:
+                                action:
+                                  description: |-
+                                    Specifies the action taken on a container exit if the requirements
+                                    are satisfied. The only possible value is "Restart" to restart the
+                                    container.
+                                  type: string
+                                exitCodes:
+                                  description: Represents the exit codes to check on container exits.
+                                  properties:
+                                    operator:
+                                      description: |-
+                                        Represents the relationship between the container exit code(s) and the
+                                        specified values. Possible values are:
+                                        - In: the requirement is satisfied if the container exit code is in the
+                                          set of specified values.
+                                        - NotIn: the requirement is satisfied if the container exit code is
+                                          not in the set of specified values.
+                                      type: string
+                                    values:
+                                      description: |-
+                                        Specifies the set of values to check for container exit codes.
+                                        At most 255 elements are allowed.
+                                      items:
+                                        format: int32
+                                        type: integer
+                                      type: array
+                                      x-kubernetes-list-type: set
+                                  required:
+                                    - operator
+                                  type: object
+                              required:
+                                - action
+                              type: object
+                            type: array
+                            x-kubernetes-list-type: atomic
                           securityContext:
                             description: |-
                               SecurityContext defines the security options the container should be run with.
@@ -2527,7 +2619,9 @@ spec:
                               description: EnvVar represents an environment variable present in a Container.
                               properties:
                                 name:
-                                  description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                  description: |-
+                                    Name of the environment variable.
+                                    May consist of any printable ASCII characters except '='.
                                   type: string
                                 value:
                                   description: |-
@@ -2581,6 +2675,42 @@ spec:
                                         - fieldPath
                                       type: object
                                       x-kubernetes-map-type: atomic
+                                    fileKeyRef:
+                                      description: |-
+                                        FileKeyRef selects a key of the env file.
+                                        Requires the EnvFiles feature gate to be enabled.
+                                      properties:
+                                        key:
+                                          description: |-
+                                            The key within the env file. An invalid key will prevent the pod from starting.
+                                            The keys defined within a source may consist of any printable ASCII characters except '='.
+                                            During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                          type: string
+                                        optional:
+                                          default: false
+                                          description: |-
+                                            Specify whether the file or its key must be defined. If the file or key
+                                            does not exist, then the env var is not published.
+                                            If optional is set to true and the specified key does not exist,
+                                            the environment variable will not be set in the Pod's containers.
+
+                                            If optional is set to false and the specified key does not exist,
+                                            an error will be returned during Pod creation.
+                                          type: boolean
+                                        path:
+                                          description: |-
+                                            The path within the volume from which to select the file.
+                                            Must be relative and may not contain the '..' path or start with '..'.
+                                          type: string
+                                        volumeName:
+                                          description: The name of the volume mount containing the env file.
+                                          type: string
+                                      required:
+                                        - key
+                                        - path
+                                        - volumeName
+                                      type: object
+                                      x-kubernetes-map-type: atomic
                                     resourceFieldRef:
                                       description: |-
                                         Selects a resource of the container: only resources limits and requests
@@ -2636,13 +2766,13 @@ spec:
                           envFrom:
                             description: |-
                               List of sources to populate environment variables in the container.
-                              The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                              will be reported as an event when the container is starting. When a key exists in multiple
+                              The keys defined within a source may consist of any printable ASCII characters except '='.
+                              When a key exists in multiple
                               sources, the value associated with the last source will take precedence.
                               Values defined by an Env with a duplicate key will take precedence.
                               Cannot be updated.
                             items:
-                              description: EnvFromSource represents the source of a set of ConfigMaps
+                              description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                               properties:
                                 configMapRef:
                                   description: The ConfigMap to select from
@@ -2662,7 +2792,9 @@ spec:
                                   type: object
                                   x-kubernetes-map-type: atomic
                                 prefix:
-                                  description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                  description: |-
+                                    Optional text to prepend to the name of each environment variable.
+                                    May consist of any printable ASCII characters except '='.
                                   type: string
                                 secretRef:
                                   description: The Secret to select from
@@ -2907,6 +3039,12 @@ spec:
                                       - port
                                     type: object
                                 type: object
+                              stopSignal:
+                                description: |-
+                                  StopSignal defines which signal will be sent to a container when it is being stopped.
+                                  If not specified, the default is defined by the container runtime in use.
+                                  StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                type: string
                             type: object
                           livenessProbe:
                             description: Probes are not allowed for ephemeral containers.
@@ -3280,7 +3418,7 @@ spec:
                                   Claims lists the names of resources, defined in spec.resourceClaims,
                                   that are used by this container.
 
-                                  This is an alpha field and requires enabling the
+                                  This field depends on the
                                   DynamicResourceAllocation feature gate.
 
                                   This field is immutable. It can only be set for containers.
@@ -3332,9 +3470,51 @@ spec:
                             description: |-
                               Restart policy for the container to manage the restart behavior of each
                               container within a pod.
-                              This may only be set for init containers. You cannot set this field on
-                              ephemeral containers.
+                              You cannot set this field on ephemeral containers.
                             type: string
+                          restartPolicyRules:
+                            description: |-
+                              Represents a list of rules to be checked to determine if the
+                              container should be restarted on exit. You cannot set this field on
+                              ephemeral containers.
+                            items:
+                              description: ContainerRestartRule describes how a container exit is handled.
+                              properties:
+                                action:
+                                  description: |-
+                                    Specifies the action taken on a container exit if the requirements
+                                    are satisfied. The only possible value is "Restart" to restart the
+                                    container.
+                                  type: string
+                                exitCodes:
+                                  description: Represents the exit codes to check on container exits.
+                                  properties:
+                                    operator:
+                                      description: |-
+                                        Represents the relationship between the container exit code(s) and the
+                                        specified values. Possible values are:
+                                        - In: the requirement is satisfied if the container exit code is in the
+                                          set of specified values.
+                                        - NotIn: the requirement is satisfied if the container exit code is
+                                          not in the set of specified values.
+                                      type: string
+                                    values:
+                                      description: |-
+                                        Specifies the set of values to check for container exit codes.
+                                        At most 255 elements are allowed.
+                                      items:
+                                        format: int32
+                                        type: integer
+                                      type: array
+                                      x-kubernetes-list-type: set
+                                  required:
+                                    - operator
+                                  type: object
+                              required:
+                                - action
+                              type: object
+                            type: array
+                            x-kubernetes-list-type: atomic
                           securityContext:
                             description: |-
                               Optional: SecurityContext defines the security options the ephemeral container should be run with.
@@ -3853,7 +4033,9 @@ spec:
                     hostNetwork:
                       description: |-
                         Host networking requested for this pod. Use the host's network namespace.
-                        If this option is set, the ports that will be used must be specified.
+                        When using HostNetwork you should specify ports so the scheduler is aware.
+                        When `hostNetwork` is true, specified `hostPort` fields in port definitions must match `containerPort`,
+                        and unspecified `hostPort` fields in port definitions are defaulted to match `containerPort`.
                         Default to false.
                       type: boolean
                     hostPID:
@@ -3878,6 +4060,19 @@ spec:
                         Specifies the hostname of the Pod
                         If not specified, the pod's hostname will be set to a system-defined value.
                       type: string
+                    hostnameOverride:
+                      description: |-
+                        HostnameOverride specifies an explicit override for the pod's hostname as perceived by the pod.
+                        This field only specifies the pod's hostname and does not affect its DNS records.
+                        When this field is set to a non-empty string:
+                        - It takes precedence over the values set in `hostname` and `subdomain`.
+                        - The Pod's hostname will be set to this value.
+                        - `setHostnameAsFQDN` must be nil or set to false.
+                        - `hostNetwork` must be set to false.
+
+                        This field must be a valid DNS subdomain as defined in RFC 1123 and contain at most 64 characters.
+                        Requires the HostnameOverride feature gate to be enabled.
+                      type: string
                     imagePullSecrets:
                       description: |-
                         ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
@@ -3913,7 +4108,7 @@ spec:
                         Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes.
                         The resourceRequirements of an init container are taken into account during scheduling
                         by finding the highest request/limit for each resource type, and then using the max of
-                        of that value or the sum of the normal containers. Limits are applied to init containers
+                        that value or the sum of the normal containers. Limits are applied to init containers
                         in a similar fashion.
                         Init containers cannot currently be added or removed.
                         Cannot be updated.
@@ -3957,7 +4152,9 @@ spec:
                               description: EnvVar represents an environment variable present in a Container.
                               properties:
                                 name:
-                                  description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                  description: |-
+                                    Name of the environment variable.
+                                    May consist of any printable ASCII characters except '='.
                                   type: string
                                 value:
                                   description: |-
@@ -4011,6 +4208,42 @@ spec:
                                         - fieldPath
                                       type: object
                                       x-kubernetes-map-type: atomic
+                                    fileKeyRef:
+                                      description: |-
+                                        FileKeyRef selects a key of the env file.
+                                        Requires the EnvFiles feature gate to be enabled.
+                                      properties:
+                                        key:
+                                          description: |-
+                                            The key within the env file. An invalid key will prevent the pod from starting.
+                                            The keys defined within a source may consist of any printable ASCII characters except '='.
+                                            During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                          type: string
+                                        optional:
+                                          default: false
+                                          description: |-
+                                            Specify whether the file or its key must be defined. If the file or key
+                                            does not exist, then the env var is not published.
+                                            If optional is set to true and the specified key does not exist,
+                                            the environment variable will not be set in the Pod's containers.
+
+                                            If optional is set to false and the specified key does not exist,
+                                            an error will be returned during Pod creation.
+                                          type: boolean
+                                        path:
+                                          description: |-
+                                            The path within the volume from which to select the file.
+                                            Must be relative and may not contain the '..' path or start with '..'.
+                                          type: string
+                                        volumeName:
+                                          description: The name of the volume mount containing the env file.
+                                          type: string
+                                      required:
+                                        - key
+                                        - path
+                                        - volumeName
+                                      type: object
+                                      x-kubernetes-map-type: atomic
                                     resourceFieldRef:
                                       description: |-
                                         Selects a resource of the container: only resources limits and requests
@@ -4066,13 +4299,13 @@ spec:
                           envFrom:
                             description: |-
                               List of sources to populate environment variables in the container.
-                              The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                              will be reported as an event when the container is starting. When a key exists in multiple
+                              The keys defined within a source may consist of any printable ASCII characters except '='.
+                              When a key exists in multiple
                               sources, the value associated with the last source will take precedence.
                               Values defined by an Env with a duplicate key will take precedence.
                               Cannot be updated.
                             items:
-                              description: EnvFromSource represents the source of a set of ConfigMaps
+                              description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                               properties:
                                 configMapRef:
                                   description: The ConfigMap to select from
@@ -4092,7 +4325,9 @@ spec:
                                   type: object
                                   x-kubernetes-map-type: atomic
                                 prefix:
-                                  description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                  description: |-
+                                    Optional text to prepend to the name of each environment variable.
+                                    May consist of any printable ASCII characters except '='.
                                   type: string
                                 secretRef:
                                   description: The Secret to select from
@@ -4341,6 +4576,12 @@ spec:
                                       - port
                                     type: object
                                 type: object
+                              stopSignal:
+                                description: |-
+                                  StopSignal defines which signal will be sent to a container when it is being stopped.
+                                  If not specified, the default is defined by the container runtime in use.
+                                  StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                type: string
                             type: object
                           livenessProbe:
                             description: |-
@@ -4731,7 +4972,7 @@ spec:
                                   Claims lists the names of resources, defined in spec.resourceClaims,
                                   that are used by this container.
 
-                                  This is an alpha field and requires enabling the
+                                  This field depends on the
                                   DynamicResourceAllocation feature gate.
 
                                   This field is immutable. It can only be set for containers.
@@ -4782,10 +5023,10 @@ spec:
                           restartPolicy:
                             description: |-
                               RestartPolicy defines the restart behavior of individual containers in a pod.
-                              This field may only be set for init containers, and the only allowed value is "Always".
-                              For non-init containers or when this field is not specified,
+                              This overrides the pod-level restart policy. When this field is not specified,
                               the restart behavior is defined by the Pod's restart policy and the container type.
-                              Setting the RestartPolicy as "Always" for the init container will have the following effect:
+                              Additionally, setting the RestartPolicy as "Always" for the init container will
+                              have the following effect:
                               this init container will be continually restarted on
                               exit until all regular containers have terminated. Once all regular
                               containers have completed, all init containers with restartPolicy "Always"
@@ -4797,6 +5038,57 @@ spec:
                               init container is started, or after any startupProbe has successfully
                               completed.
                             type: string
+                          restartPolicyRules:
+                            description: |-
+                              Represents a list of rules to be checked to determine if the
+                              container should be restarted on exit. The rules are evaluated in
+                              order. Once a rule matches a container exit condition, the remaining
+                              rules are ignored. If no rule matches the container exit condition,
+                              the Container-level restart policy determines the whether the container
+                              is restarted or not. Constraints on the rules:
+                              - At most 20 rules are allowed.
+                              - Rules can have the same action.
+                              - Identical rules are not forbidden in validations.
+                              When rules are specified, container MUST set RestartPolicy explicitly
+                              even it if matches the Pod's RestartPolicy.
+                            items:
+                              description: ContainerRestartRule describes how a container exit is handled.
+                              properties:
+                                action:
+                                  description: |-
+                                    Specifies the action taken on a container exit if the requirements
+                                    are satisfied. The only possible value is "Restart" to restart the
+                                    container.
+                                  type: string
+                                exitCodes:
+                                  description: Represents the exit codes to check on container exits.
+                                  properties:
+                                    operator:
+                                      description: |-
+                                        Represents the relationship between the container exit code(s) and the
+                                        specified values. Possible values are:
+                                        - In: the requirement is satisfied if the container exit code is in the
+                                          set of specified values.
+                                        - NotIn: the requirement is satisfied if the container exit code is
+                                          not in the set of specified values.
+                                      type: string
+                                    values:
+                                      description: |-
+                                        Specifies the set of values to check for container exit codes.
+                                        At most 255 elements are allowed.
+                                      items:
+                                        format: int32
+                                        type: integer
+                                      type: array
+                                      x-kubernetes-list-type: set
+                                  required:
+                                    - operator
+                                  type: object
+                              required:
+                                - action
+                              type: object
+                            type: array
+                            x-kubernetes-list-type: atomic
                           securityContext:
                             description: |-
                               SecurityContext defines the security options the container should be run with.
@@ -5310,6 +5602,7 @@ spec:
                         - spec.hostPID
                         - spec.hostIPC
                         - spec.hostUsers
+                        - spec.resources
                         - spec.securityContext.appArmorProfile
                         - spec.securityContext.seLinuxOptions
                         - spec.securityContext.seccompProfile
@@ -5461,7 +5754,7 @@ spec:
                       description: |-
                         Resources is the total amount of CPU and Memory resources required by all
                         containers in the pod. It supports specifying Requests and Limits for
-                        "cpu" and "memory" resource names only. ResourceClaims are not supported.
+                        "cpu", "memory" and "hugepages-" resource names only. ResourceClaims are not supported.
 
                         This field enables fine-grained control over resource allocation for the
                         entire pod, allowing resource sharing among containers in a pod.
@@ -5474,7 +5767,7 @@ spec:
                             Claims lists the names of resources, defined in spec.resourceClaims,
                             that are used by this container.
 
-                            This is an alpha field and requires enabling the
+                            This field depends on the
                             DynamicResourceAllocation feature gate.
 
                             This field is immutable. It can only be set for containers.
@@ -6002,7 +6295,6 @@ spec:
                               - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
                               If this value is nil, the behavior is equivalent to the Honor policy.
-                              This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                             type: string
                           nodeTaintsPolicy:
                             description: |-
@@ -6013,7 +6305,6 @@ spec:
                               - Ignore: node taints are ignored. All nodes are included.
 
                               If this value is nil, the behavior is equivalent to the Ignore policy.
-                              This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                             type: string
                           topologyKey:
                             description: |-
@@ -6719,15 +7010,13 @@ spec:
                                           volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
                                           If specified, the CSI driver will create or update the volume with the attributes defined
                                           in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
-                                          it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
-                                          will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
-                                          If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
-                                          will be set by the persistentvolume controller if it exists.
+                                          it can be changed after the claim is created. An empty string or nil value indicates that no
+                                          VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+                                          this field can be reset to its previous value (including nil) to cancel the modification.
                                           If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
                                           set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
                                           exists.
                                           More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
-                                          (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
                                         type: string
                                       volumeMode:
                                         description: |-
@@ -6901,12 +7190,9 @@ spec:
                             description: |-
                               glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
                               Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
-                              More info: https://examples.k8s.io/volumes/glusterfs/README.md
                             properties:
                               endpoints:
-                                description: |-
-                                  endpoints is the endpoint name that details Glusterfs topology.
-                                  More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+                                description: endpoints is the endpoint name that details Glusterfs topology.
                                 type: string
                               path:
                                 description: |-
@@ -6960,7 +7246,7 @@ spec:
                               The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
                               The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
                               The volume will be mounted read-only (ro) and non-executable files (noexec).
-                              Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                              Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
                               The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
                             properties:
                               pullPolicy:
@@ -6985,7 +7271,7 @@ spec:
                             description: |-
                               iscsi represents an ISCSI Disk resource that is attached to a
                               kubelet's host machine and then exposed to the pod.
-                              More info: https://examples.k8s.io/volumes/iscsi/README.md
+                              More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
                             properties:
                               chapAuthDiscovery:
                                 description: chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
@@ -7375,6 +7661,110 @@ spec:
                                           type: array
                                           x-kubernetes-list-type: atomic
                                       type: object
+                                    podCertificate:
+                                      description: |-
+                                        Projects an auto-rotating credential bundle (private key and certificate
+                                        chain) that the pod can use either as a TLS client or server.
+
+                                        Kubelet generates a private key and uses it to send a
+                                        PodCertificateRequest to the named signer.  Once the signer approves the
+                                        request and issues a certificate chain, Kubelet writes the key and
+                                        certificate chain to the pod filesystem.  The pod does not start until
+                                        certificates have been issued for each podCertificate projected volume
+                                        source in its spec.
+
+                                        Kubelet will begin trying to rotate the certificate at the time indicated
+                                        by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+                                        timestamp.
+
+                                        Kubelet can write a single file, indicated by the credentialBundlePath
+                                        field, or separate files, indicated by the keyPath and
+                                        certificateChainPath fields.
+
+                                        The credential bundle is a single file in PEM format.  The first PEM
+                                        entry is the private key (in PKCS#8 format), and the remaining PEM
+                                        entries are the certificate chain issued by the signer (typically,
+                                        signers will return their certificate chain in leaf-to-root order).
+
+                                        Prefer using the credential bundle format, since your application code
+                                        can read it atomically.  If you use keyPath and certificateChainPath,
+                                        your application must make two separate file reads. If these coincide
+                                        with a certificate rotation, it is possible that the private key and leaf
+                                        certificate you read may not correspond to each other.  Your application
+                                        will need to check for this condition, and re-read until they are
+                                        consistent.
+
+                                        The named signer controls chooses the format of the certificate it
+                                        issues; consult the signer implementation's documentation to learn how to
+                                        use the certificates it issues.
+                                      properties:
+                                        certificateChainPath:
+                                          description: |-
+                                            Write the certificate chain at this path in the projected volume.
+
+                                            Most applications should use credentialBundlePath.  When using keyPath
+                                            and certificateChainPath, your application needs to check that the key
+                                            and leaf certificate are consistent, because it is possible to read the
+                                            files mid-rotation.
+                                          type: string
+                                        credentialBundlePath:
+                                          description: |-
+                                            Write the credential bundle at this path in the projected volume.
+
+                                            The credential bundle is a single file that contains multiple PEM blocks.
+                                            The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+                                            key.
+
+                                            The remaining blocks are CERTIFICATE blocks, containing the issued
+                                            certificate chain from the signer (leaf and any intermediates).
+
+                                            Using credentialBundlePath lets your Pod's application code make a single
+                                            atomic read that retrieves a consistent key and certificate chain.  If you
+                                            project them to separate files, your application code will need to
+                                            additionally check that the leaf certificate was issued to the key.
+                                          type: string
+                                        keyPath:
+                                          description: |-
+                                            Write the key at this path in the projected volume.
+
+                                            Most applications should use credentialBundlePath.  When using keyPath
+                                            and certificateChainPath, your application needs to check that the key
+                                            and leaf certificate are consistent, because it is possible to read the
+                                            files mid-rotation.
+                                          type: string
+                                        keyType:
+                                          description: |-
+                                            The type of keypair Kubelet will generate for the pod.
+
+                                            Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+                                            "ECDSAP521", and "ED25519".
+                                          type: string
+                                        maxExpirationSeconds:
+                                          description: |-
+                                            maxExpirationSeconds is the maximum lifetime permitted for the
+                                            certificate.
+
+                                            Kubelet copies this value verbatim into the PodCertificateRequests it
+                                            generates for this projection.
+
+                                            If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+                                            will reject values shorter than 3600 (1 hour).  The maximum allowable
+                                            value is 7862400 (91 days).
+
+                                            The signer implementation is then free to issue a certificate with any
+                                            lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+                                            seconds (1 hour).  This constraint is enforced by kube-apiserver.
+                                            `kubernetes.io` signers will never issue certificates with a lifetime
+                                            longer than 24 hours.
+                                          format: int32
+                                          type: integer
+                                        signerName:
+                                          description: Kubelet's generated CSRs will be addressed to this signer.
+                                          type: string
+                                      required:
+                                        - keyType
+                                        - signerName
+                                      type: object
                                     secret:
                                       description: secret information about the secret data to project
                                       properties:
@@ -7504,7 +7894,6 @@ spec:
                             description: |-
                               rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
                               Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
-                              More info: https://examples.k8s.io/volumes/rbd/README.md
                             properties:
                               fsType:
                                 description: |-
@@ -7784,6 +8173,53 @@ spec:
                   required:
                     - containers
                   type: object
+                vaultConfig:
+                  properties:
+                    azureKeyVault:
+                      properties:
+                        certificatePath:
+                          type: string
+                        clientId:
+                          type: string
+                        tenantId:
+                          type: string
+                        url:
+                          type: string
+                      required:
+                        - certificatePath
+                        - clientId
+                        - tenantId
+                        - url
+                      type: object
+                    proxy:
+                      properties:
+                        http:
+                          properties:
+                            credentialSecretRef:
+                              type: string
+                            url:
+                              description: Required
+                              type: string
+                          type: object
+                        https:
+                          properties:
+                            credentialSecretRef:
+                              type: string
+                            url:
+                              description: Required
+                              type: string
+                          type: object
+                        noProxy:
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type:
+                      description: |-
+                        VaultType represents the type of vault that can be used in the application.
+                        It is used to identify which vault integration should be used to resolve secrets.
+                      type: string
+                  type: object
               required:
                 - githubConfigSecret
                 - githubConfigUrl
@@ -7794,10 +8230,13 @@ spec:
               properties:
                 failures:
                   additionalProperties:
-                    type: boolean
+                    format: date-time
+                    type: string
                   type: object
                 jobDisplayName:
                   type: string
+                jobId:
+                  type: string
                 jobRepositoryName:
                   type: string
                 jobRequestId:
@@ -7826,8 +8265,6 @@ spec:
                   type: string
                 runnerId:
                   type: integer
-                runnerJITConfig:
-                  type: string
                 runnerName:
                   type: string
                 workflowRunId:
@@ -7839,4 +8276,3 @@ spec:
       storage: true
       subresources:
         status: {}
-  preserveUnknownFields: false

charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunnersets.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.2
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: ephemeralrunnersets.actions.github.com
 spec:
   group: actions.github.com
@@ -421,7 +421,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                               Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -436,7 +435,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                               Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -597,7 +595,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                           Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -612,7 +609,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                           Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -701,8 +697,8 @@ spec:
                                     most preferred is the one with the greatest sum of weights, i.e.
                                     for each node that meets all of the scheduling requirements (resource
                                     request, requiredDuringScheduling anti-affinity expressions, etc.),
-                                    compute a sum by iterating through the elements of this field and adding
-                                    "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                    compute a sum by iterating through the elements of this field and subtracting
+                                    "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
                                     node(s) with the highest sum are the most preferred.
                                   items:
                                     description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
@@ -766,7 +762,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                               Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -781,7 +776,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                               Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -942,7 +936,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                           Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -957,7 +950,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                           Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -1084,7 +1076,9 @@ spec:
                                   description: EnvVar represents an environment variable present in a Container.
                                   properties:
                                     name:
-                                      description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Name of the environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     value:
                                       description: |-
@@ -1138,6 +1132,42 @@ spec:
                                             - fieldPath
                                           type: object
                                           x-kubernetes-map-type: atomic
+                                        fileKeyRef:
+                                          description: |-
+                                            FileKeyRef selects a key of the env file.
+                                            Requires the EnvFiles feature gate to be enabled.
+                                          properties:
+                                            key:
+                                              description: |-
+                                                The key within the env file. An invalid key will prevent the pod from starting.
+                                                The keys defined within a source may consist of any printable ASCII characters except '='.
+                                                During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                              type: string
+                                            optional:
+                                              default: false
+                                              description: |-
+                                                Specify whether the file or its key must be defined. If the file or key
+                                                does not exist, then the env var is not published.
+                                                If optional is set to true and the specified key does not exist,
+                                                the environment variable will not be set in the Pod's containers.
+
+                                                If optional is set to false and the specified key does not exist,
+                                                an error will be returned during Pod creation.
+                                              type: boolean
+                                            path:
+                                              description: |-
+                                                The path within the volume from which to select the file.
+                                                Must be relative and may not contain the '..' path or start with '..'.
+                                              type: string
+                                            volumeName:
+                                              description: The name of the volume mount containing the env file.
+                                              type: string
+                                          required:
+                                            - key
+                                            - path
+                                            - volumeName
+                                          type: object
+                                          x-kubernetes-map-type: atomic
                                         resourceFieldRef:
                                           description: |-
                                             Selects a resource of the container: only resources limits and requests
@@ -1193,13 +1223,13 @@ spec:
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
-                                  The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                                  will be reported as an event when the container is starting. When a key exists in multiple
+                                  The keys defined within a source may consist of any printable ASCII characters except '='.
+                                  When a key exists in multiple
                                   sources, the value associated with the last source will take precedence.
                                   Values defined by an Env with a duplicate key will take precedence.
                                   Cannot be updated.
                                 items:
-                                  description: EnvFromSource represents the source of a set of ConfigMaps
+                                  description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                                   properties:
                                     configMapRef:
                                       description: The ConfigMap to select from
@@ -1219,7 +1249,9 @@ spec:
                                       type: object
                                       x-kubernetes-map-type: atomic
                                     prefix:
-                                      description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Optional text to prepend to the name of each environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     secretRef:
                                       description: The Secret to select from
@@ -1468,6 +1500,12 @@ spec:
                                           - port
                                         type: object
                                     type: object
+                                  stopSignal:
+                                    description: |-
+                                      StopSignal defines which signal will be sent to a container when it is being stopped.
+                                      If not specified, the default is defined by the container runtime in use.
+                                      StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                    type: string
                                 type: object
                               livenessProbe:
                                 description: |-
@@ -1858,7 +1896,7 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-                                      This is an alpha field and requires enabling the
+                                      This field depends on the
                                       DynamicResourceAllocation feature gate.
 
                                       This field is immutable. It can only be set for containers.
@@ -1909,10 +1947,10 @@ spec:
                               restartPolicy:
                                 description: |-
                                   RestartPolicy defines the restart behavior of individual containers in a pod.
-                                  This field may only be set for init containers, and the only allowed value is "Always".
-                                  For non-init containers or when this field is not specified,
+                                  This overrides the pod-level restart policy. When this field is not specified,
                                   the restart behavior is defined by the Pod's restart policy and the container type.
-                                  Setting the RestartPolicy as "Always" for the init container will have the following effect:
+                                  Additionally, setting the RestartPolicy as "Always" for the init container will
+                                  have the following effect:
                                   this init container will be continually restarted on
                                   exit until all regular containers have terminated. Once all regular
                                   containers have completed, all init containers with restartPolicy "Always"
@@ -1924,6 +1962,57 @@ spec:
                                   init container is started, or after any startupProbe has successfully
                                   completed.
                                 type: string
+                              restartPolicyRules:
+                                description: |-
+                                  Represents a list of rules to be checked to determine if the
+                                  container should be restarted on exit. The rules are evaluated in
+                                  order. Once a rule matches a container exit condition, the remaining
+                                  rules are ignored. If no rule matches the container exit condition,
+                                  the Container-level restart policy determines the whether the container
+                                  is restarted or not. Constraints on the rules:
+                                  - At most 20 rules are allowed.
+                                  - Rules can have the same action.
+                                  - Identical rules are not forbidden in validations.
+                                  When rules are specified, container MUST set RestartPolicy explicitly
+                                  even it if matches the Pod's RestartPolicy.
+                                items:
+                                  description: ContainerRestartRule describes how a container exit is handled.
+                                  properties:
+                                    action:
+                                      description: |-
+                                        Specifies the action taken on a container exit if the requirements
+                                        are satisfied. The only possible value is "Restart" to restart the
+                                        container.
+                                      type: string
+                                    exitCodes:
+                                      description: Represents the exit codes to check on container exits.
+                                      properties:
+                                        operator:
+                                          description: |-
+                                            Represents the relationship between the container exit code(s) and the
+                                            specified values. Possible values are:
+                                            - In: the requirement is satisfied if the container exit code is in the
+                                              set of specified values.
+                                            - NotIn: the requirement is satisfied if the container exit code is
+                                              not in the set of specified values.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            Specifies the set of values to check for container exit codes.
+                                            At most 255 elements are allowed.
+                                          items:
+                                            format: int32
+                                            type: integer
+                                          type: array
+                                          x-kubernetes-list-type: set
+                                      required:
+                                        - operator
+                                      type: object
+                                  required:
+                                    - action
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
                               securityContext:
                                 description: |-
                                   SecurityContext defines the security options the container should be run with.
@@ -2521,7 +2610,9 @@ spec:
                                   description: EnvVar represents an environment variable present in a Container.
                                   properties:
                                     name:
-                                      description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Name of the environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     value:
                                       description: |-
@@ -2575,6 +2666,42 @@ spec:
                                             - fieldPath
                                           type: object
                                           x-kubernetes-map-type: atomic
+                                        fileKeyRef:
+                                          description: |-
+                                            FileKeyRef selects a key of the env file.
+                                            Requires the EnvFiles feature gate to be enabled.
+                                          properties:
+                                            key:
+                                              description: |-
+                                                The key within the env file. An invalid key will prevent the pod from starting.
+                                                The keys defined within a source may consist of any printable ASCII characters except '='.
+                                                During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                              type: string
+                                            optional:
+                                              default: false
+                                              description: |-
+                                                Specify whether the file or its key must be defined. If the file or key
+                                                does not exist, then the env var is not published.
+                                                If optional is set to true and the specified key does not exist,
+                                                the environment variable will not be set in the Pod's containers.
+
+                                                If optional is set to false and the specified key does not exist,
+                                                an error will be returned during Pod creation.
+                                              type: boolean
+                                            path:
+                                              description: |-
+                                                The path within the volume from which to select the file.
+                                                Must be relative and may not contain the '..' path or start with '..'.
+                                              type: string
+                                            volumeName:
+                                              description: The name of the volume mount containing the env file.
+                                              type: string
+                                          required:
+                                            - key
+                                            - path
+                                            - volumeName
+                                          type: object
+                                          x-kubernetes-map-type: atomic
                                         resourceFieldRef:
                                           description: |-
                                             Selects a resource of the container: only resources limits and requests
@@ -2630,13 +2757,13 @@ spec:
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
-                                  The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                                  will be reported as an event when the container is starting. When a key exists in multiple
+                                  The keys defined within a source may consist of any printable ASCII characters except '='.
+                                  When a key exists in multiple
                                   sources, the value associated with the last source will take precedence.
                                   Values defined by an Env with a duplicate key will take precedence.
                                   Cannot be updated.
                                 items:
-                                  description: EnvFromSource represents the source of a set of ConfigMaps
+                                  description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                                   properties:
                                     configMapRef:
                                       description: The ConfigMap to select from
@@ -2656,7 +2783,9 @@ spec:
                                       type: object
                                       x-kubernetes-map-type: atomic
                                     prefix:
-                                      description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Optional text to prepend to the name of each environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     secretRef:
                                       description: The Secret to select from
@@ -2901,6 +3030,12 @@ spec:
                                           - port
                                         type: object
                                     type: object
+                                  stopSignal:
+                                    description: |-
+                                      StopSignal defines which signal will be sent to a container when it is being stopped.
+                                      If not specified, the default is defined by the container runtime in use.
+                                      StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                    type: string
                                 type: object
                               livenessProbe:
                                 description: Probes are not allowed for ephemeral containers.
@@ -3274,7 +3409,7 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-                                      This is an alpha field and requires enabling the
+                                      This field depends on the
                                       DynamicResourceAllocation feature gate.
 
                                       This field is immutable. It can only be set for containers.
@@ -3326,9 +3461,51 @@ spec:
                                 description: |-
                                   Restart policy for the container to manage the restart behavior of each
                                   container within a pod.
-                                  This may only be set for init containers. You cannot set this field on
-                                  ephemeral containers.
+                                  You cannot set this field on ephemeral containers.
                                 type: string
+                              restartPolicyRules:
+                                description: |-
+                                  Represents a list of rules to be checked to determine if the
+                                  container should be restarted on exit. You cannot set this field on
+                                  ephemeral containers.
+                                items:
+                                  description: ContainerRestartRule describes how a container exit is handled.
+                                  properties:
+                                    action:
+                                      description: |-
+                                        Specifies the action taken on a container exit if the requirements
+                                        are satisfied. The only possible value is "Restart" to restart the
+                                        container.
+                                      type: string
+                                    exitCodes:
+                                      description: Represents the exit codes to check on container exits.
+                                      properties:
+                                        operator:
+                                          description: |-
+                                            Represents the relationship between the container exit code(s) and the
+                                            specified values. Possible values are:
+                                            - In: the requirement is satisfied if the container exit code is in the
+                                              set of specified values.
+                                            - NotIn: the requirement is satisfied if the container exit code is
+                                              not in the set of specified values.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            Specifies the set of values to check for container exit codes.
+                                            At most 255 elements are allowed.
+                                          items:
+                                            format: int32
+                                            type: integer
+                                          type: array
+                                          x-kubernetes-list-type: set
+                                      required:
+                                        - operator
+                                      type: object
+                                  required:
+                                    - action
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
                               securityContext:
                                 description: |-
                                   Optional: SecurityContext defines the security options the ephemeral container should be run with.
@@ -3847,7 +4024,9 @@ spec:
                         hostNetwork:
                           description: |-
                             Host networking requested for this pod. Use the host's network namespace.
-                            If this option is set, the ports that will be used must be specified.
+                            When using HostNetwork you should specify ports so the scheduler is aware.
+                            When `hostNetwork` is true, specified `hostPort` fields in port definitions must match `containerPort`,
+                            and unspecified `hostPort` fields in port definitions are defaulted to match `containerPort`.
                             Default to false.
                           type: boolean
                         hostPID:
@@ -3872,6 +4051,19 @@ spec:
                             Specifies the hostname of the Pod
                             If not specified, the pod's hostname will be set to a system-defined value.
                           type: string
+                        hostnameOverride:
+                          description: |-
+                            HostnameOverride specifies an explicit override for the pod's hostname as perceived by the pod.
+                            This field only specifies the pod's hostname and does not affect its DNS records.
+                            When this field is set to a non-empty string:
+                            - It takes precedence over the values set in `hostname` and `subdomain`.
+                            - The Pod's hostname will be set to this value.
+                            - `setHostnameAsFQDN` must be nil or set to false.
+                            - `hostNetwork` must be set to false.
+
+                            This field must be a valid DNS subdomain as defined in RFC 1123 and contain at most 64 characters.
+                            Requires the HostnameOverride feature gate to be enabled.
+                          type: string
                         imagePullSecrets:
                           description: |-
                             ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
@@ -3907,7 +4099,7 @@ spec:
                             Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes.
                             The resourceRequirements of an init container are taken into account during scheduling
                             by finding the highest request/limit for each resource type, and then using the max of
-                            of that value or the sum of the normal containers. Limits are applied to init containers
+                            that value or the sum of the normal containers. Limits are applied to init containers
                             in a similar fashion.
                             Init containers cannot currently be added or removed.
                             Cannot be updated.
@@ -3951,7 +4143,9 @@ spec:
                                   description: EnvVar represents an environment variable present in a Container.
                                   properties:
                                     name:
-                                      description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Name of the environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     value:
                                       description: |-
@@ -4005,6 +4199,42 @@ spec:
                                             - fieldPath
                                           type: object
                                           x-kubernetes-map-type: atomic
+                                        fileKeyRef:
+                                          description: |-
+                                            FileKeyRef selects a key of the env file.
+                                            Requires the EnvFiles feature gate to be enabled.
+                                          properties:
+                                            key:
+                                              description: |-
+                                                The key within the env file. An invalid key will prevent the pod from starting.
+                                                The keys defined within a source may consist of any printable ASCII characters except '='.
+                                                During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                              type: string
+                                            optional:
+                                              default: false
+                                              description: |-
+                                                Specify whether the file or its key must be defined. If the file or key
+                                                does not exist, then the env var is not published.
+                                                If optional is set to true and the specified key does not exist,
+                                                the environment variable will not be set in the Pod's containers.
+
+                                                If optional is set to false and the specified key does not exist,
+                                                an error will be returned during Pod creation.
+                                              type: boolean
+                                            path:
+                                              description: |-
+                                                The path within the volume from which to select the file.
+                                                Must be relative and may not contain the '..' path or start with '..'.
+                                              type: string
+                                            volumeName:
+                                              description: The name of the volume mount containing the env file.
+                                              type: string
+                                          required:
+                                            - key
+                                            - path
+                                            - volumeName
+                                          type: object
+                                          x-kubernetes-map-type: atomic
                                         resourceFieldRef:
                                           description: |-
                                             Selects a resource of the container: only resources limits and requests
@@ -4060,13 +4290,13 @@ spec:
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
-                                  The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                                  will be reported as an event when the container is starting. When a key exists in multiple
+                                  The keys defined within a source may consist of any printable ASCII characters except '='.
+                                  When a key exists in multiple
                                   sources, the value associated with the last source will take precedence.
                                   Values defined by an Env with a duplicate key will take precedence.
                                   Cannot be updated.
                                 items:
-                                  description: EnvFromSource represents the source of a set of ConfigMaps
+                                  description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                                   properties:
                                     configMapRef:
                                       description: The ConfigMap to select from
@@ -4086,7 +4316,9 @@ spec:
                                       type: object
                                       x-kubernetes-map-type: atomic
                                     prefix:
-                                      description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Optional text to prepend to the name of each environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     secretRef:
                                       description: The Secret to select from
@@ -4335,6 +4567,12 @@ spec:
                                           - port
                                         type: object
                                     type: object
+                                  stopSignal:
+                                    description: |-
+                                      StopSignal defines which signal will be sent to a container when it is being stopped.
+                                      If not specified, the default is defined by the container runtime in use.
+                                      StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                    type: string
                                 type: object
                               livenessProbe:
                                 description: |-
@@ -4725,7 +4963,7 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-                                      This is an alpha field and requires enabling the
+                                      This field depends on the
                                       DynamicResourceAllocation feature gate.
 
                                       This field is immutable. It can only be set for containers.
@@ -4776,10 +5014,10 @@ spec:
                               restartPolicy:
                                 description: |-
                                   RestartPolicy defines the restart behavior of individual containers in a pod.
-                                  This field may only be set for init containers, and the only allowed value is "Always".
-                                  For non-init containers or when this field is not specified,
+                                  This overrides the pod-level restart policy. When this field is not specified,
                                   the restart behavior is defined by the Pod's restart policy and the container type.
-                                  Setting the RestartPolicy as "Always" for the init container will have the following effect:
+                                  Additionally, setting the RestartPolicy as "Always" for the init container will
+                                  have the following effect:
                                   this init container will be continually restarted on
                                   exit until all regular containers have terminated. Once all regular
                                   containers have completed, all init containers with restartPolicy "Always"
@@ -4791,6 +5029,57 @@ spec:
                                   init container is started, or after any startupProbe has successfully
                                   completed.
                                 type: string
+                              restartPolicyRules:
+                                description: |-
+                                  Represents a list of rules to be checked to determine if the
+                                  container should be restarted on exit. The rules are evaluated in
+                                  order. Once a rule matches a container exit condition, the remaining
+                                  rules are ignored. If no rule matches the container exit condition,
+                                  the Container-level restart policy determines the whether the container
+                                  is restarted or not. Constraints on the rules:
+                                  - At most 20 rules are allowed.
+                                  - Rules can have the same action.
+                                  - Identical rules are not forbidden in validations.
+                                  When rules are specified, container MUST set RestartPolicy explicitly
+                                  even it if matches the Pod's RestartPolicy.
+                                items:
+                                  description: ContainerRestartRule describes how a container exit is handled.
+                                  properties:
+                                    action:
+                                      description: |-
+                                        Specifies the action taken on a container exit if the requirements
+                                        are satisfied. The only possible value is "Restart" to restart the
+                                        container.
+                                      type: string
+                                    exitCodes:
+                                      description: Represents the exit codes to check on container exits.
+                                      properties:
+                                        operator:
+                                          description: |-
+                                            Represents the relationship between the container exit code(s) and the
+                                            specified values. Possible values are:
+                                            - In: the requirement is satisfied if the container exit code is in the
+                                              set of specified values.
+                                            - NotIn: the requirement is satisfied if the container exit code is
+                                              not in the set of specified values.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            Specifies the set of values to check for container exit codes.
+                                            At most 255 elements are allowed.
+                                          items:
+                                            format: int32
+                                            type: integer
+                                          type: array
+                                          x-kubernetes-list-type: set
+                                      required:
+                                        - operator
+                                      type: object
+                                  required:
+                                    - action
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
                               securityContext:
                                 description: |-
                                   SecurityContext defines the security options the container should be run with.
@@ -5304,6 +5593,7 @@ spec:
                             - spec.hostPID
                             - spec.hostIPC
                             - spec.hostUsers
+                            - spec.resources
                             - spec.securityContext.appArmorProfile
                             - spec.securityContext.seLinuxOptions
                             - spec.securityContext.seccompProfile
@@ -5455,7 +5745,7 @@ spec:
                           description: |-
                             Resources is the total amount of CPU and Memory resources required by all
                             containers in the pod. It supports specifying Requests and Limits for
-                            "cpu" and "memory" resource names only. ResourceClaims are not supported.
+                            "cpu", "memory" and "hugepages-" resource names only. ResourceClaims are not supported.
 
                             This field enables fine-grained control over resource allocation for the
                             entire pod, allowing resource sharing among containers in a pod.
@@ -5468,7 +5758,7 @@ spec:
                                 Claims lists the names of resources, defined in spec.resourceClaims,
                                 that are used by this container.
 
-                                This is an alpha field and requires enabling the
+                                This field depends on the
                                 DynamicResourceAllocation feature gate.
 
                                 This field is immutable. It can only be set for containers.
@@ -5996,7 +6286,6 @@ spec:
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
                                   If this value is nil, the behavior is equivalent to the Honor policy.
-                                  This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
                               nodeTaintsPolicy:
                                 description: |-
@@ -6007,7 +6296,6 @@ spec:
                                   - Ignore: node taints are ignored. All nodes are included.
 
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
-                                  This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
                               topologyKey:
                                 description: |-
@@ -6713,15 +7001,13 @@ spec:
                                               volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
                                               If specified, the CSI driver will create or update the volume with the attributes defined
                                               in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
-                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
-                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
-                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
-                                              will be set by the persistentvolume controller if it exists.
+                                              it can be changed after the claim is created. An empty string or nil value indicates that no
+                                              VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+                                              this field can be reset to its previous value (including nil) to cancel the modification.
                                               If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
                                               set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
                                               exists.
                                               More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
-                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
                                             type: string
                                           volumeMode:
                                             description: |-
@@ -6895,12 +7181,9 @@ spec:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
                                   Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
-                                  More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
-                                    description: |-
-                                      endpoints is the endpoint name that details Glusterfs topology.
-                                      More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+                                    description: endpoints is the endpoint name that details Glusterfs topology.
                                     type: string
                                   path:
                                     description: |-
@@ -6954,7 +7237,7 @@ spec:
                                   The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
                                   The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
                                   The volume will be mounted read-only (ro) and non-executable files (noexec).
-                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
                                   The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
                                 properties:
                                   pullPolicy:
@@ -6979,7 +7262,7 @@ spec:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
-                                  More info: https://examples.k8s.io/volumes/iscsi/README.md
+                                  More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
                                 properties:
                                   chapAuthDiscovery:
                                     description: chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
@@ -7369,6 +7652,110 @@ spec:
                                               type: array
                                               x-kubernetes-list-type: atomic
                                           type: object
+                                        podCertificate:
+                                          description: |-
+                                            Projects an auto-rotating credential bundle (private key and certificate
+                                            chain) that the pod can use either as a TLS client or server.
+
+                                            Kubelet generates a private key and uses it to send a
+                                            PodCertificateRequest to the named signer.  Once the signer approves the
+                                            request and issues a certificate chain, Kubelet writes the key and
+                                            certificate chain to the pod filesystem.  The pod does not start until
+                                            certificates have been issued for each podCertificate projected volume
+                                            source in its spec.
+
+                                            Kubelet will begin trying to rotate the certificate at the time indicated
+                                            by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+                                            timestamp.
+
+                                            Kubelet can write a single file, indicated by the credentialBundlePath
+                                            field, or separate files, indicated by the keyPath and
+                                            certificateChainPath fields.
+
+                                            The credential bundle is a single file in PEM format.  The first PEM
+                                            entry is the private key (in PKCS#8 format), and the remaining PEM
+                                            entries are the certificate chain issued by the signer (typically,
+                                            signers will return their certificate chain in leaf-to-root order).
+
+                                            Prefer using the credential bundle format, since your application code
+                                            can read it atomically.  If you use keyPath and certificateChainPath,
+                                            your application must make two separate file reads. If these coincide
+                                            with a certificate rotation, it is possible that the private key and leaf
+                                            certificate you read may not correspond to each other.  Your application
+                                            will need to check for this condition, and re-read until they are
+                                            consistent.
+
+                                            The named signer controls chooses the format of the certificate it
+                                            issues; consult the signer implementation's documentation to learn how to
+                                            use the certificates it issues.
+                                          properties:
+                                            certificateChainPath:
+                                              description: |-
+                                                Write the certificate chain at this path in the projected volume.
+
+                                                Most applications should use credentialBundlePath.  When using keyPath
+                                                and certificateChainPath, your application needs to check that the key
+                                                and leaf certificate are consistent, because it is possible to read the
+                                                files mid-rotation.
+                                              type: string
+                                            credentialBundlePath:
+                                              description: |-
+                                                Write the credential bundle at this path in the projected volume.
+
+                                                The credential bundle is a single file that contains multiple PEM blocks.
+                                                The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+                                                key.
+
+                                                The remaining blocks are CERTIFICATE blocks, containing the issued
+                                                certificate chain from the signer (leaf and any intermediates).
+
+                                                Using credentialBundlePath lets your Pod's application code make a single
+                                                atomic read that retrieves a consistent key and certificate chain.  If you
+                                                project them to separate files, your application code will need to
+                                                additionally check that the leaf certificate was issued to the key.
+                                              type: string
+                                            keyPath:
+                                              description: |-
+                                                Write the key at this path in the projected volume.
+
+                                                Most applications should use credentialBundlePath.  When using keyPath
+                                                and certificateChainPath, your application needs to check that the key
+                                                and leaf certificate are consistent, because it is possible to read the
+                                                files mid-rotation.
+                                              type: string
+                                            keyType:
+                                              description: |-
+                                                The type of keypair Kubelet will generate for the pod.
+
+                                                Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+                                                "ECDSAP521", and "ED25519".
+                                              type: string
+                                            maxExpirationSeconds:
+                                              description: |-
+                                                maxExpirationSeconds is the maximum lifetime permitted for the
+                                                certificate.
+
+                                                Kubelet copies this value verbatim into the PodCertificateRequests it
+                                                generates for this projection.
+
+                                                If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+                                                will reject values shorter than 3600 (1 hour).  The maximum allowable
+                                                value is 7862400 (91 days).
+
+                                                The signer implementation is then free to issue a certificate with any
+                                                lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+                                                seconds (1 hour).  This constraint is enforced by kube-apiserver.
+                                                `kubernetes.io` signers will never issue certificates with a lifetime
+                                                longer than 24 hours.
+                                              format: int32
+                                              type: integer
+                                            signerName:
+                                              description: Kubelet's generated CSRs will be addressed to this signer.
+                                              type: string
+                                          required:
+                                            - keyType
+                                            - signerName
+                                          type: object
                                         secret:
                                           description: secret information about the secret data to project
                                           properties:
@@ -7498,7 +7885,6 @@ spec:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
                                   Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
-                                  More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
                                     description: |-
@@ -7778,6 +8164,53 @@ spec:
                       required:
                         - containers
                       type: object
+                    vaultConfig:
+                      properties:
+                        azureKeyVault:
+                          properties:
+                            certificatePath:
+                              type: string
+                            clientId:
+                              type: string
+                            tenantId:
+                              type: string
+                            url:
+                              type: string
+                          required:
+                            - certificatePath
+                            - clientId
+                            - tenantId
+                            - url
+                          type: object
+                        proxy:
+                          properties:
+                            http:
+                              properties:
+                                credentialSecretRef:
+                                  type: string
+                                url:
+                                  description: Required
+                                  type: string
+                              type: object
+                            https:
+                              properties:
+                                credentialSecretRef:
+                                  type: string
+                                url:
+                                  description: Required
+                                  type: string
+                              type: object
+                            noProxy:
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        type:
+                          description: |-
+                            VaultType represents the type of vault that can be used in the application.
+                            It is used to identify which vault integration should be used to resolve secrets.
+                          type: string
+                      type: object
                   required:
                     - githubConfigSecret
                     - githubConfigUrl
@@ -7812,4 +8245,3 @@ spec:
       storage: true
       subresources:
         status: {}
-  preserveUnknownFields: false

charts/gha-runner-scale-set-controller/templates/_helpers.tpl

@@ -129,11 +129,3 @@ Create the name of the service account to use
 {{- define "gha-runner-scale-set-controller.leaderElectionRoleBinding" -}}
 {{- include "gha-runner-scale-set-controller.fullname" . }}-leader-election
 {{- end }}
-
-{{- define "gha-runner-scale-set-controller.imagePullSecretsNames" -}}
-{{- $names := list }}
-{{- range $k, $v := . }}
-  {{- $names = append $names $v.name }}
-{{- end }}
-{{- $names | join ","}}
-{{- end }}

charts/gha-runner-scale-set-controller/templates/deployment.yaml

@@ -54,7 +54,9 @@ spec:
         - "--leader-election-id={{ include "gha-runner-scale-set-controller.fullname" . }}"
         {{- end }}
         {{- with .Values.imagePullSecrets }}
-        - "--auto-scaler-image-pull-secrets={{ include "gha-runner-scale-set-controller.imagePullSecretsNames" . }}"
+        {{- range . }}
+        - "--auto-scaler-image-pull-secrets={{- .name -}}"
+        {{- end }}
         {{- end }}
         {{- with .Values.flags.logLevel }}
         - "--log-level={{ . }}"

charts/gha-runner-scale-set-controller/tests/template_test.go

@@ -683,7 +683,8 @@ func TestTemplate_ControllerDeployment_ForwardImagePullSecrets(t *testing.T) {
 
 	expectedArgs := []string{
 		"--auto-scaling-runner-set-only",
-		"--auto-scaler-image-pull-secrets=dockerhub,ghcr",
+		"--auto-scaler-image-pull-secrets=dockerhub",
+		"--auto-scaler-image-pull-secrets=ghcr",
 		"--log-level=debug",
 		"--log-format=text",
 		"--update-strategy=immediate",
@@ -1079,6 +1080,7 @@ func TestDeployment_excludeLabelPropagationPrefixes(t *testing.T) {
 	assert.Contains(t, container.Args, "--exclude-label-propagation-prefix=prefix.com/")
 	assert.Contains(t, container.Args, "--exclude-label-propagation-prefix=complete.io/label")
 }
+
 func TestNamespaceOverride(t *testing.T) {
 	t.Parallel()
 

charts/gha-runner-scale-set/Chart.yaml

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.11.0
+version: 0.13.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.11.0"
+appVersion: "0.13.1"
 
 home: https://github.com/actions/actions-runner-controller
 

charts/gha-runner-scale-set/templates/_helpers.tpl

@@ -62,12 +62,12 @@ app.kubernetes.io/instance: {{ include "gha-runner-scale-set.scale-set-name" . }
 {{- fail "Values.githubConfigSecret is required for setting auth with GitHub server." }}
     {{- end }}
   {{- else }}
-{{- include "gha-runner-scale-set.fullname" . }}-github-secret
+{{- include "gha-runner-scale-set.fullname" . | replace "_" "-" }}-github-secret
   {{- end }}
 {{- end }}
 
 {{- define "gha-runner-scale-set.noPermissionServiceAccountName" -}}
-{{- include "gha-runner-scale-set.fullname" . }}-no-permission
+{{- include "gha-runner-scale-set.fullname" . | replace "_" "-" }}-no-permission
 {{- end }}
 
 {{- define "gha-runner-scale-set.kubeModeRoleName" -}}
@@ -79,7 +79,7 @@ app.kubernetes.io/instance: {{ include "gha-runner-scale-set.scale-set-name" . }
 {{- end }}
 
 {{- define "gha-runner-scale-set.kubeModeServiceAccountName" -}}
-{{- include "gha-runner-scale-set.fullname" . }}-kube-mode
+{{- include "gha-runner-scale-set.fullname" . | replace "_" "-" }}-kube-mode
 {{- end }}
 
 {{- define "gha-runner-scale-set.dind-init-container" -}}
@@ -106,6 +106,17 @@ env:
     value: "123"
 securityContext:
   privileged: true
+{{- if (ge (.Capabilities.KubeVersion.Minor | int) 29) }}
+restartPolicy: Always
+startupProbe:
+  exec:
+    command:
+      - docker
+      - info
+  initialDelaySeconds: 0
+  failureThreshold: 24
+  periodSeconds: 5
+{{- end }}
 volumeMounts:
   - name: work
     mountPath: /home/runner/_work
@@ -366,6 +377,101 @@ volumeMounts:
 {{- end }}
 {{- end }}
 
+{{- define "gha-runner-scale-set.kubernetes-novolume-mode-runner-container" -}}
+{{- $tlsConfig := (default (dict) .Values.githubServerTLS) }}
+{{- range $i, $container := .Values.template.spec.containers }}
+  {{- if eq $container.name "runner" }}
+    {{- $setRunnerImage := "" }}
+    {{- range $key, $val := $container }}
+      {{- if and (ne $key "env") (ne $key "volumeMounts") (ne $key "name") }}
+      {{- if eq $key "image" }}
+        {{- $setRunnerImage = $val }}
+      {{- end }}
+{{ $key }}: {{ $val | toYaml | nindent 2 }}
+      {{- end }}
+    {{- end }}
+    {{- $setContainerHooks := 1 }}
+    {{- $setPodName := 1 }}
+    {{- $setRequireJobContainer := 1 }}
+    {{- $setActionsRunnerImage := 1 }}
+    {{- $setNodeExtraCaCerts := 0 }}
+    {{- $setRunnerUpdateCaCerts := 0 }}
+    {{- if $tlsConfig.runnerMountPath }}
+      {{- $setNodeExtraCaCerts = 1 }}
+      {{- $setRunnerUpdateCaCerts = 1 }}
+    {{- end }}
+env:
+    {{- with $container.env }}
+      {{- range $i, $env := . }}
+        {{- if eq $env.name "ACTIONS_RUNNER_CONTAINER_HOOKS" }}
+          {{- $setContainerHooks = 0 }}
+        {{- end }}
+        {{- if eq $env.name "ACTIONS_RUNNER_IMAGE" }}
+          {{- $setActionsRunnerImage = 0 }}
+        {{- end }}
+        {{- if eq $env.name "ACTIONS_RUNNER_POD_NAME" }}
+          {{- $setPodName = 0 }}
+        {{- end }}
+        {{- if eq $env.name "ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER" }}
+          {{- $setRequireJobContainer = 0 }}
+        {{- end }}
+        {{- if eq $env.name "NODE_EXTRA_CA_CERTS" }}
+          {{- $setNodeExtraCaCerts = 0 }}
+        {{- end }}
+        {{- if eq $env.name "RUNNER_UPDATE_CA_CERTS" }}
+          {{- $setRunnerUpdateCaCerts = 0 }}
+        {{- end }}
+  - {{ $env | toYaml | nindent 4 }}
+      {{- end }}
+    {{- end }}
+    {{- if $setContainerHooks }}
+  - name: ACTIONS_RUNNER_CONTAINER_HOOKS
+    value: /home/runner/k8s-novolume/index.js
+    {{- end }}
+    {{- if $setPodName }}
+  - name: ACTIONS_RUNNER_POD_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+    {{- end }}
+    {{- if $setRequireJobContainer }}
+  - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
+    value: "true"
+    {{- end }}
+    {{- if $setActionsRunnerImage }}
+  - name: ACTIONS_RUNNER_IMAGE
+    value: "{{- $setRunnerImage -}}"
+    {{- end }}
+    {{- if $setNodeExtraCaCerts }}
+  - name: NODE_EXTRA_CA_CERTS
+    value: {{ clean (print $tlsConfig.runnerMountPath "/" $tlsConfig.certificateFrom.configMapKeyRef.key) }}
+    {{- end }}
+    {{- if $setRunnerUpdateCaCerts }}
+  - name: RUNNER_UPDATE_CA_CERTS
+    value: "1"
+    {{- end }}
+    {{- $mountGitHubServerTLS := 0 }}
+    {{- if $tlsConfig.runnerMountPath }}
+      {{- $mountGitHubServerTLS = 1 }}
+    {{- end }}
+volumeMounts:
+    {{- with $container.volumeMounts }}
+      {{- range $i, $volMount := . }}
+        {{- if eq $volMount.name "github-server-tls-cert" }}
+          {{- $mountGitHubServerTLS = 0 }}
+        {{- end }}
+  - {{ $volMount | toYaml | nindent 4 }}
+      {{- end }}
+    {{- end }}
+    {{- if $mountGitHubServerTLS }}
+  - name: github-server-tls-cert
+    mountPath: {{ clean (print $tlsConfig.runnerMountPath "/" $tlsConfig.certificateFrom.configMapKeyRef.key) }}
+    subPath: {{ $tlsConfig.certificateFrom.configMapKeyRef.key }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
 {{- define "gha-runner-scale-set.default-mode-runner-containers" -}}
 {{- $tlsConfig := (default (dict) .Values.githubServerTLS) }}
 {{- range $i, $container := .Values.template.spec.containers }}

charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml

@@ -8,26 +8,45 @@ metadata:
   {{- if gt (len (include "gha-runner-scale-set.namespace" .)) 63 }}
   {{ fail "Namespace must have up to 63 characters" }}
   {{- end }}
-  name: {{ include "gha-runner-scale-set.scale-set-name" . }}
+  name: {{ include "gha-runner-scale-set.scale-set-name" . | replace "_" "-" }}
   namespace: {{ include "gha-runner-scale-set.namespace" . }}
   labels:
+    {{- $base := include "gha-runner-scale-set.labels" . | fromYaml }}
+    {{- $extra := dict "app.kubernetes.io/component" "" }}
+    {{- $reserved := merge $base $extra }}
     {{- with .Values.labels }}
-    {{- toYaml . | nindent 4 }}
+    {{- range $k, $v := . }}
+    {{- if not (or (hasKey $reserved $k) (hasPrefix "actions.github.com/" $k)) }}
+    {{ $k }}: {{ $v | quote }}
+    {{- end }}
+    {{- end }}
     {{- end }}
     {{- if $hasCustomResourceMeta }}
     {{- with .Values.resourceMeta.autoscalingRunnerSet.labels }}
-    {{- toYaml . | nindent 4 }}
+    {{- range $k, $v := . }}
+    {{- if not (or (hasKey $reserved $k) (hasPrefix "actions.github.com/" $k)) }}
+    {{ $k }}: {{ $v | quote }}
+    {{- end }}
+    {{- end }}
     {{- end }}
     {{- end }}
     app.kubernetes.io/component: "autoscaling-runner-set"
     {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
   annotations:
     {{- with .Values.annotations }}
-    {{- toYaml . | nindent 4 }}
+    {{- range $k, $v := . }}
+    {{- if not (or (hasPrefix "actions.github.com/cleanup-" $k) (eq $k "actions.github.com/values-hash")) }}
+    {{ $k }}: {{ $v | quote }}
+    {{- end }}
+    {{- end }}
     {{- end }}
     {{- if $hasCustomResourceMeta }}
     {{- with .Values.resourceMeta.autoscalingRunnerSet.annotations }}
-    {{- toYaml . | nindent 4 }}
+    {{- range $k, $v := . }}
+    {{- if not (or (hasPrefix "actions.github.com/cleanup-" $k) (eq $k "actions.github.com/values-hash")) }}
+    {{ $k }}: {{ $v | quote }}
+    {{- end }}
+    {{- end }}
     {{- end }}
     {{- end }}
     actions.github.com/values-hash: {{ toJson .Values | sha256sum | trunc 63 }}
@@ -37,14 +56,15 @@ metadata:
     {{- end }}
     actions.github.com/cleanup-manager-role-binding: {{ include "gha-runner-scale-set.managerRoleBindingName" . }}
     actions.github.com/cleanup-manager-role-name: {{ include "gha-runner-scale-set.managerRoleName" . }}
-    {{- if and $containerMode (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
+    {{- if and (or (eq $containerMode.type "kubernetes") (eq $containerMode.type "kubernetes-novolume")) (not .Values.template.spec.serviceAccountName) }}
     actions.github.com/cleanup-kubernetes-mode-role-binding-name: {{ include "gha-runner-scale-set.kubeModeRoleBindingName" . }}
     actions.github.com/cleanup-kubernetes-mode-role-name: {{ include "gha-runner-scale-set.kubeModeRoleName" . }}
     actions.github.com/cleanup-kubernetes-mode-service-account-name: {{ include "gha-runner-scale-set.kubeModeServiceAccountName" . }}
     {{- end }}
-    {{- if and (ne $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
+    {{- if and (ne $containerMode.type "kubernetes") (ne $containerMode.type "kubernetes-novolume") (not .Values.template.spec.serviceAccountName) }}
     actions.github.com/cleanup-no-permission-service-account-name: {{ include "gha-runner-scale-set.noPermissionServiceAccountName" . }}
     {{- end }}
+
 spec:
   githubConfigUrl: {{ required ".Values.githubConfigUrl is required" (trimSuffix "/" .Values.githubConfigUrl) }}
   githubConfigSecret: {{ include "gha-runner-scale-set.githubsecret" . }}
@@ -65,6 +85,24 @@ spec:
     {{- end }}
   {{- end }}
 
+  {{- if and .Values.keyVault .Values.keyVault.type }}
+  vaultConfig:
+    type: {{ .Values.keyVault.type }}
+    {{- if .Values.keyVault.proxy }}
+    proxy: {{- toYaml .Values.keyVault.proxy | nindent 6 }}
+    {{- end }}
+    {{- if eq .Values.keyVault.type "azure_key_vault" }}
+    azureKeyVault:
+      url: {{ .Values.keyVault.azureKeyVault.url }}
+      tenantId: {{ .Values.keyVault.azureKeyVault.tenantId }}
+      clientId: {{ .Values.keyVault.azureKeyVault.clientId }}
+      certificatePath: {{ .Values.keyVault.azureKeyVault.certificatePath }}
+      secretKey: {{ .Values.keyVault.azureKeyVault.secretKey }}
+    {{- else }}
+    {{- fail "Unsupported keyVault type: " .Values.keyVault.type }}
+    {{- end }}
+  {{- end }}
+
   {{- if .Values.proxy }}
   proxy:
     {{- if .Values.proxy.http }}
@@ -138,7 +176,7 @@ spec:
       restartPolicy: Never
       {{- end }}
       {{- $containerMode := .Values.containerMode }}
-      {{- if eq $containerMode.type "kubernetes" }}
+      {{- if or (eq $containerMode.type "kubernetes") (eq $containerMode.type "kubernetes-novolume") }}
       serviceAccountName: {{ default (include "gha-runner-scale-set.kubeModeServiceAccountName" .) .Values.template.spec.serviceAccountName }}
       {{- else }}
       serviceAccountName: {{ default (include "gha-runner-scale-set.noPermissionServiceAccountName" .) .Values.template.spec.serviceAccountName }}
@@ -147,7 +185,11 @@ spec:
       initContainers:
         {{- if eq $containerMode.type "dind" }}
       - name: init-dind-externals
-        {{- include "gha-runner-scale-set.dind-init-container" . | nindent 8 }}
+          {{- include "gha-runner-scale-set.dind-init-container" . | nindent 8 }}
+          {{- if (ge (.Capabilities.KubeVersion.Minor | int) 29) }}
+      - name: dind
+          {{- include "gha-runner-scale-set.dind-container" . | nindent 8 }}
+          {{- end }}
         {{- end }}
         {{- with .Values.template.spec.initContainers }}
       {{- toYaml . | nindent 6 }}
@@ -157,18 +199,24 @@ spec:
       {{- if eq $containerMode.type "dind" }}
       - name: runner
         {{- include "gha-runner-scale-set.dind-runner-container" . | nindent 8 }}
+        {{- if not (ge (.Capabilities.KubeVersion.Minor | int) 29) }}
       - name: dind
         {{- include "gha-runner-scale-set.dind-container" . | nindent 8 }}
+        {{- end }}
       {{- include "gha-runner-scale-set.non-runner-non-dind-containers" . | nindent 6 }}
       {{- else if eq $containerMode.type "kubernetes" }}
       - name: runner
         {{- include "gha-runner-scale-set.kubernetes-mode-runner-container" . | nindent 8 }}
       {{- include "gha-runner-scale-set.non-runner-containers" . | nindent 6 }}
+      {{- else if eq $containerMode.type "kubernetes-novolume" }}
+      - name: runner
+        {{- include "gha-runner-scale-set.kubernetes-novolume-mode-runner-container" . | nindent 8 }}
+      {{- include "gha-runner-scale-set.non-runner-containers" . | nindent 6 }}
       {{- else }}
       {{- include "gha-runner-scale-set.default-mode-runner-containers" . | nindent 6 }}
       {{- end }}
       {{- $tlsConfig := (default (dict) .Values.githubServerTLS) }}
-      {{- if or .Values.template.spec.volumes (eq $containerMode.type "dind") (eq $containerMode.type "kubernetes") $tlsConfig.runnerMountPath }}
+      {{- if or .Values.template.spec.volumes (eq $containerMode.type "dind") (eq $containerMode.type "kubernetes") (eq $containerMode.type "kubernetes-novolume") $tlsConfig.runnerMountPath }}
       volumes:
         {{- if $tlsConfig.runnerMountPath }}
           {{- include "gha-runner-scale-set.tls-volume" $tlsConfig | nindent 6 }}

charts/gha-runner-scale-set/templates/githubsecret.yaml

@@ -6,8 +6,15 @@ metadata:
   name: {{ include "gha-runner-scale-set.githubsecret" . }}
   namespace: {{ include "gha-runner-scale-set.namespace" . }}
   labels:
+    {{- $base := include "gha-runner-scale-set.labels" . | fromYaml }}
+    {{- $extra := dict "app.kubernetes.io/component" "" }}
+    {{- $reserved := merge $base $extra }}
     {{- with .Values.labels }}
-    {{- toYaml . | nindent 4 }}
+    {{- range $k, $v := . }}
+    {{- if not (or (hasKey $reserved $k) (hasPrefix "actions.github.com/" $k)) }}
+    {{ $k }}: {{ $v | quote }}
+    {{- end }}
+    {{- end }}
     {{- end }}
     {{- if $hasCustomResourceMeta }}
     {{- with .Values.resourceMeta.githubConfigSecret.labels }}

charts/gha-runner-scale-set/templates/kube_mode_role.yaml

@@ -1,6 +1,6 @@
 {{- $containerMode := .Values.containerMode }}
 {{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeRole) }}
-{{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
+{{- if and (or (eq $containerMode.type "kubernetes") (eq $containerMode.type "kubernetes-novolume")) (not .Values.template.spec.serviceAccountName) }}
 # default permission for runner pod service account in kubernetes mode (container hook)
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -8,8 +8,15 @@ metadata:
   name: {{ include "gha-runner-scale-set.kubeModeRoleName" . }}
   namespace: {{ include "gha-runner-scale-set.namespace" . }}
   labels:
+    {{- $base := include "gha-runner-scale-set.labels" . | fromYaml }}
+    {{- $extra := dict "app.kubernetes.io/component" "" }}
+    {{- $reserved := merge $base $extra }}
     {{- with .Values.labels }}
-    {{- toYaml . | nindent 4 }}
+    {{- range $k, $v := . }}
+    {{- if not (or (hasKey $reserved $k) (hasPrefix "actions.github.com/" $k)) }}
+    {{ $k }}: {{ $v | quote }}
+    {{- end }}
+    {{- end }}
     {{- end }}
     {{- if $hasCustomResourceMeta }}
     {{- with .Values.resourceMeta.kubernetesModeRole.labels }}
@@ -29,19 +36,24 @@ metadata:
   finalizers:
     - actions.github.com/cleanup-protection
 rules:
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get", "list", "create", "delete"]
-- apiGroups: [""]
-  resources: ["pods/exec"]
-  verbs: ["get", "create"]
-- apiGroups: [""]
-  resources: ["pods/log"]
-  verbs: ["get", "list", "watch",]
-- apiGroups: ["batch"]
-  resources: ["jobs"]
-  verbs: ["get", "list", "create", "delete"]
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get", "list", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get", "create"]
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get", "list", "watch",]
+{{- if ne $containerMode.type "kubernetes-novolume" }}
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "list", "create", "delete"]
+{{- end }}
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "delete"]
+{{- with $containerMode.kubernetesModeAdditionalRoleRules}}
+{{- toYaml . | nindent 2}}
+{{- end }}
 {{- end }}

charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml

@@ -1,14 +1,21 @@
 {{- $containerMode := .Values.containerMode }}
 {{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeRoleBinding) }}
-{{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
+{{- if and (or (eq $containerMode.type "kubernetes") (eq $containerMode.type "kubernetes-novolume")) (not .Values.template.spec.serviceAccountName) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "gha-runner-scale-set.kubeModeRoleBindingName" . }}
   namespace: {{ include "gha-runner-scale-set.namespace" . }}
   labels:
+    {{- $base := include "gha-runner-scale-set.labels" . | fromYaml }}
+    {{- $extra := dict "app.kubernetes.io/component" "" }}
+    {{- $reserved := merge $base $extra }}
     {{- with .Values.labels }}
-    {{- toYaml . | nindent 4 }}
+    {{- range $k, $v := . }}
+    {{- if not (or (hasKey $reserved $k) (hasPrefix "actions.github.com/" $k)) }}
+    {{ $k }}: {{ $v | quote }}
+    {{- end }}
+    {{- end }}
     {{- end }}
     {{- if $hasCustomResourceMeta }}
     {{- with .Values.resourceMeta.kubernetesModeRoleBinding.labels }}

charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml

@@ -1,6 +1,6 @@
 {{- $containerMode := .Values.containerMode }}
 {{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeServiceAccount) }}
-{{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
+{{- if and (or (eq $containerMode.type "kubernetes") (eq $containerMode.type "kubernetes-novolume")) (not .Values.template.spec.serviceAccountName) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -18,8 +18,15 @@ metadata:
     {{- end }}
   {{- end }}
   labels:
+    {{- $base := include "gha-runner-scale-set.labels" . | fromYaml }}
+    {{- $extra := dict "app.kubernetes.io/component" "" }}
+    {{- $reserved := merge $base $extra }}
     {{- with .Values.labels }}
-    {{- toYaml . | nindent 4 }}
+    {{- range $k, $v := . }}
+    {{- if not (or (hasKey $reserved $k) (hasPrefix "actions.github.com/" $k)) }}
+    {{ $k }}: {{ $v | quote }}
+    {{- end }}
+    {{- end }}
     {{- end }}
     {{- if $hasCustomResourceMeta }}
     {{- with .Values.resourceMeta.kubernetesModeServiceAccount.labels }}

charts/gha-runner-scale-set/templates/manager_role.yaml

@@ -5,8 +5,15 @@ metadata:
   name: {{ include "gha-runner-scale-set.managerRoleName" . }}
   namespace: {{ include "gha-runner-scale-set.namespace" . }}
   labels:
+    {{- $base := include "gha-runner-scale-set.labels" . | fromYaml }}
+    {{- $extra := dict "app.kubernetes.io/component" "manager-role" }}
+    {{- $reserved := merge $base $extra }}
     {{- with .Values.labels }}
-    {{- toYaml . | nindent 4 }}
+    {{- range $k, $v := . }}
+    {{- if not (or (hasKey $reserved $k) (hasPrefix "actions.github.com/" $k)) }}
+    {{ $k }}: {{ $v | quote }}
+    {{- end }}
+    {{- end }}
     {{- end }}
     {{- if $hasCustomResourceMeta }}
     {{- with .Values.resourceMeta.managerRole.labels }}

charts/gha-runner-scale-set/templates/manager_role_binding.yaml

@@ -5,8 +5,15 @@ metadata:
   name: {{ include "gha-runner-scale-set.managerRoleBindingName" . }}
   namespace: {{ include "gha-runner-scale-set.namespace" . }}
   labels:
+    {{- $base := include "gha-runner-scale-set.labels" . | fromYaml }}
+    {{- $extra := dict "app.kubernetes.io/component" "manager-role-binding" }}
+    {{- $reserved := merge $base $extra }}
     {{- with .Values.labels }}
-    {{- toYaml . | nindent 4 }}
+    {{- range $k, $v := . }}
+    {{- if not (or (hasKey $reserved $k) (hasPrefix "actions.github.com/" $k)) }}
+    {{ $k }}: {{ $v | quote }}
+    {{- end }}
+    {{- end }}
     {{- end }}
     {{- if $hasCustomResourceMeta }}
     {{- with .Values.resourceMeta.managerRoleBinding.labels }}

charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml

@@ -7,8 +7,15 @@ metadata:
   name: {{ include "gha-runner-scale-set.noPermissionServiceAccountName" . }}
   namespace: {{ include "gha-runner-scale-set.namespace" . }}
   labels:
+    {{- $base := include "gha-runner-scale-set.labels" . | fromYaml }}
+    {{- $extra := dict "app.kubernetes.io/component" "" }}
+    {{- $reserved := merge $base $extra }}
     {{- with .Values.labels }}
-    {{- toYaml . | nindent 4 }}
+    {{- range $k, $v := . }}
+    {{- if not (or (hasKey $reserved $k) (hasPrefix "actions.github.com/" $k)) }}
+    {{ $k }}: {{ $v | quote }}
+    {{- end }}
+    {{- end }}
     {{- end }}
     {{- if $hasCustomResourceMeta }}
     {{- with .Values.resourceMeta.noPermissionServiceAccount.labels }}

charts/gha-runner-scale-set/tests/template_test.go

@@ -204,7 +204,6 @@ func TestTemplateRenderedSetServiceAccountToNoPermission(t *testing.T) {
 
 func TestTemplateRenderedSetServiceAccountToKubeMode(t *testing.T) {
 	t.Parallel()
-
 	// Path to the helm chart we will test
 	helmChartPath, err := filepath.Abs("../../gha-runner-scale-set")
 	require.NoError(t, err)
@@ -270,6 +269,72 @@ func TestTemplateRenderedSetServiceAccountToKubeMode(t *testing.T) {
 	assert.Equal(t, expectedServiceAccountName, ars.Annotations[actionsgithubcom.AnnotationKeyKubernetesModeServiceAccountName])
 }
 
+func TestTemplateRenderedSetServiceAccountToKubeNoVolumeMode(t *testing.T) {
+	t.Parallel()
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../gha-runner-scale-set")
+	require.NoError(t, err)
+
+	releaseName := "test-runners"
+	namespaceName := "test-" + strings.ToLower(random.UniqueId())
+
+	options := &helm.Options{
+		Logger: logger.Discard,
+		SetValues: map[string]string{
+			"githubConfigUrl":                    "https://github.com/actions",
+			"githubConfigSecret.github_token":    "gh_token12345",
+			"containerMode.type":                 "kubernetes-novolume",
+			"controllerServiceAccount.name":      "arc",
+			"controllerServiceAccount.namespace": "arc-system",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_serviceaccount.yaml"})
+	var serviceAccount corev1.ServiceAccount
+	helm.UnmarshalK8SYaml(t, output, &serviceAccount)
+
+	assert.Equal(t, namespaceName, serviceAccount.Namespace)
+	assert.Equal(t, "test-runners-gha-rs-kube-mode", serviceAccount.Name)
+	assert.Equal(t, "actions.github.com/cleanup-protection", serviceAccount.Finalizers[0])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role.yaml"})
+	var role rbacv1.Role
+	helm.UnmarshalK8SYaml(t, output, &role)
+
+	assert.Equal(t, namespaceName, role.Namespace)
+	assert.Equal(t, "test-runners-gha-rs-kube-mode", role.Name)
+
+	assert.Equal(t, "actions.github.com/cleanup-protection", role.Finalizers[0])
+
+	assert.Len(t, role.Rules, 4, "kube mode role should have 4 rules")
+	assert.Equal(t, "pods", role.Rules[0].Resources[0])
+	assert.Equal(t, "pods/exec", role.Rules[1].Resources[0])
+	assert.Equal(t, "pods/log", role.Rules[2].Resources[0])
+	assert.Equal(t, "secrets", role.Rules[3].Resources[0])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role_binding.yaml"})
+	var roleBinding rbacv1.RoleBinding
+	helm.UnmarshalK8SYaml(t, output, &roleBinding)
+
+	assert.Equal(t, namespaceName, roleBinding.Namespace)
+	assert.Equal(t, "test-runners-gha-rs-kube-mode", roleBinding.Name)
+	assert.Len(t, roleBinding.Subjects, 1)
+	assert.Equal(t, "test-runners-gha-rs-kube-mode", roleBinding.Subjects[0].Name)
+	assert.Equal(t, namespaceName, roleBinding.Subjects[0].Namespace)
+	assert.Equal(t, "test-runners-gha-rs-kube-mode", roleBinding.RoleRef.Name)
+	assert.Equal(t, "Role", roleBinding.RoleRef.Kind)
+	assert.Equal(t, "actions.github.com/cleanup-protection", serviceAccount.Finalizers[0])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/autoscalingrunnerset.yaml"})
+	var ars v1alpha1.AutoscalingRunnerSet
+	helm.UnmarshalK8SYaml(t, output, &ars)
+
+	expectedServiceAccountName := "test-runners-gha-rs-kube-mode"
+	assert.Equal(t, expectedServiceAccountName, ars.Spec.Template.Spec.ServiceAccountName)
+	assert.Equal(t, expectedServiceAccountName, ars.Annotations[actionsgithubcom.AnnotationKeyKubernetesModeServiceAccountName])
+}
+
 func TestTemplateRenderedUserProvideSetServiceAccount(t *testing.T) {
 	t.Parallel()
 
@@ -728,20 +793,20 @@ func TestTemplateRenderedAutoScalingRunnerSet_DinD_ExtraInitContainers(t *testin
 	var ars v1alpha1.AutoscalingRunnerSet
 	helm.UnmarshalK8SYaml(t, output, &ars)
 
-	assert.Len(t, ars.Spec.Template.Spec.InitContainers, 3, "InitContainers should be 3")
-	assert.Equal(t, "kube-init", ars.Spec.Template.Spec.InitContainers[1].Name, "InitContainers[1] Name should be kube-init")
-	assert.Equal(t, "runner-image:latest", ars.Spec.Template.Spec.InitContainers[1].Image, "InitContainers[1] Image should be runner-image:latest")
-	assert.Equal(t, "sudo", ars.Spec.Template.Spec.InitContainers[1].Command[0], "InitContainers[1] Command[0] should be sudo")
-	assert.Equal(t, "chown", ars.Spec.Template.Spec.InitContainers[1].Command[1], "InitContainers[1] Command[1] should be chown")
-	assert.Equal(t, "-R", ars.Spec.Template.Spec.InitContainers[1].Command[2], "InitContainers[1] Command[2] should be -R")
-	assert.Equal(t, "1001:123", ars.Spec.Template.Spec.InitContainers[1].Command[3], "InitContainers[1] Command[3] should be 1001:123")
-	assert.Equal(t, "/home/runner/_work", ars.Spec.Template.Spec.InitContainers[1].Command[4], "InitContainers[1] Command[4] should be /home/runner/_work")
-	assert.Equal(t, "work", ars.Spec.Template.Spec.InitContainers[1].VolumeMounts[0].Name, "InitContainers[1] VolumeMounts[0] Name should be work")
-	assert.Equal(t, "/home/runner/_work", ars.Spec.Template.Spec.InitContainers[1].VolumeMounts[0].MountPath, "InitContainers[1] VolumeMounts[0] MountPath should be /home/runner/_work")
+	assert.Len(t, ars.Spec.Template.Spec.InitContainers, 4, "InitContainers should be 4")
+	assert.Equal(t, "kube-init", ars.Spec.Template.Spec.InitContainers[2].Name, "InitContainers[1] Name should be kube-init")
+	assert.Equal(t, "runner-image:latest", ars.Spec.Template.Spec.InitContainers[2].Image, "InitContainers[1] Image should be runner-image:latest")
+	assert.Equal(t, "sudo", ars.Spec.Template.Spec.InitContainers[2].Command[0], "InitContainers[1] Command[0] should be sudo")
+	assert.Equal(t, "chown", ars.Spec.Template.Spec.InitContainers[2].Command[1], "InitContainers[1] Command[1] should be chown")
+	assert.Equal(t, "-R", ars.Spec.Template.Spec.InitContainers[2].Command[2], "InitContainers[1] Command[2] should be -R")
+	assert.Equal(t, "1001:123", ars.Spec.Template.Spec.InitContainers[2].Command[3], "InitContainers[1] Command[3] should be 1001:123")
+	assert.Equal(t, "/home/runner/_work", ars.Spec.Template.Spec.InitContainers[2].Command[4], "InitContainers[1] Command[4] should be /home/runner/_work")
+	assert.Equal(t, "work", ars.Spec.Template.Spec.InitContainers[2].VolumeMounts[0].Name, "InitContainers[1] VolumeMounts[0] Name should be work")
+	assert.Equal(t, "/home/runner/_work", ars.Spec.Template.Spec.InitContainers[2].VolumeMounts[0].MountPath, "InitContainers[1] VolumeMounts[0] MountPath should be /home/runner/_work")
 
-	assert.Equal(t, "ls", ars.Spec.Template.Spec.InitContainers[2].Name, "InitContainers[2] Name should be ls")
-	assert.Equal(t, "ubuntu:latest", ars.Spec.Template.Spec.InitContainers[2].Image, "InitContainers[2] Image should be ubuntu:latest")
-	assert.Equal(t, "ls", ars.Spec.Template.Spec.InitContainers[2].Command[0], "InitContainers[2] Command[0] should be ls")
+	assert.Equal(t, "ls", ars.Spec.Template.Spec.InitContainers[3].Name, "InitContainers[2] Name should be ls")
+	assert.Equal(t, "ubuntu:latest", ars.Spec.Template.Spec.InitContainers[3].Image, "InitContainers[2] Image should be ubuntu:latest")
+	assert.Equal(t, "ls", ars.Spec.Template.Spec.InitContainers[3].Command[0], "InitContainers[2] Command[0] should be ls")
 }
 
 func TestTemplateRenderedAutoScalingRunnerSet_DinD_ExtraVolumes(t *testing.T) {
@@ -860,13 +925,26 @@ func TestTemplateRenderedAutoScalingRunnerSet_EnableDinD(t *testing.T) {
 
 	assert.NotNil(t, ars.Spec.Template.Spec, "Template.Spec should not be nil")
 
-	assert.Len(t, ars.Spec.Template.Spec.InitContainers, 1, "Template.Spec should have 1 init container")
+	assert.Len(t, ars.Spec.Template.Spec.InitContainers, 2, "Template.Spec should have 2 init container")
 	assert.Equal(t, "init-dind-externals", ars.Spec.Template.Spec.InitContainers[0].Name)
 	assert.Equal(t, "ghcr.io/actions/actions-runner:latest", ars.Spec.Template.Spec.InitContainers[0].Image)
 	assert.Equal(t, "cp", ars.Spec.Template.Spec.InitContainers[0].Command[0])
 	assert.Equal(t, "-r /home/runner/externals/. /home/runner/tmpDir/", strings.Join(ars.Spec.Template.Spec.InitContainers[0].Args, " "))
 
-	assert.Len(t, ars.Spec.Template.Spec.Containers, 2, "Template.Spec should have 2 container")
+	assert.Equal(t, "dind", ars.Spec.Template.Spec.InitContainers[1].Name)
+	assert.Equal(t, "docker:dind", ars.Spec.Template.Spec.InitContainers[1].Image)
+	assert.True(t, *ars.Spec.Template.Spec.InitContainers[1].SecurityContext.Privileged)
+	assert.Len(t, ars.Spec.Template.Spec.InitContainers[1].VolumeMounts, 3, "The dind container should have 3 volume mounts, dind-sock, work and externals")
+	assert.Equal(t, "work", ars.Spec.Template.Spec.InitContainers[1].VolumeMounts[0].Name)
+	assert.Equal(t, "/home/runner/_work", ars.Spec.Template.Spec.InitContainers[1].VolumeMounts[0].MountPath)
+
+	assert.Equal(t, "dind-sock", ars.Spec.Template.Spec.InitContainers[1].VolumeMounts[1].Name)
+	assert.Equal(t, "/var/run", ars.Spec.Template.Spec.InitContainers[1].VolumeMounts[1].MountPath)
+
+	assert.Equal(t, "dind-externals", ars.Spec.Template.Spec.InitContainers[1].VolumeMounts[2].Name)
+	assert.Equal(t, "/home/runner/externals", ars.Spec.Template.Spec.InitContainers[1].VolumeMounts[2].MountPath)
+
+	assert.Len(t, ars.Spec.Template.Spec.Containers, 1, "Template.Spec should have 1 container")
 	assert.Equal(t, "runner", ars.Spec.Template.Spec.Containers[0].Name)
 	assert.Equal(t, "ghcr.io/actions/actions-runner:latest", ars.Spec.Template.Spec.Containers[0].Image)
 	assert.Len(t, ars.Spec.Template.Spec.Containers[0].Env, 2, "The runner container should have 2 env vars, DOCKER_HOST and RUNNER_WAIT_FOR_DOCKER_IN_SECONDS")
@@ -883,19 +961,6 @@ func TestTemplateRenderedAutoScalingRunnerSet_EnableDinD(t *testing.T) {
 	assert.Equal(t, "dind-sock", ars.Spec.Template.Spec.Containers[0].VolumeMounts[1].Name)
 	assert.Equal(t, "/var/run", ars.Spec.Template.Spec.Containers[0].VolumeMounts[1].MountPath)
 
-	assert.Equal(t, "dind", ars.Spec.Template.Spec.Containers[1].Name)
-	assert.Equal(t, "docker:dind", ars.Spec.Template.Spec.Containers[1].Image)
-	assert.True(t, *ars.Spec.Template.Spec.Containers[1].SecurityContext.Privileged)
-	assert.Len(t, ars.Spec.Template.Spec.Containers[1].VolumeMounts, 3, "The dind container should have 3 volume mounts, dind-sock, work and externals")
-	assert.Equal(t, "work", ars.Spec.Template.Spec.Containers[1].VolumeMounts[0].Name)
-	assert.Equal(t, "/home/runner/_work", ars.Spec.Template.Spec.Containers[1].VolumeMounts[0].MountPath)
-
-	assert.Equal(t, "dind-sock", ars.Spec.Template.Spec.Containers[1].VolumeMounts[1].Name)
-	assert.Equal(t, "/var/run", ars.Spec.Template.Spec.Containers[1].VolumeMounts[1].MountPath)
-
-	assert.Equal(t, "dind-externals", ars.Spec.Template.Spec.Containers[1].VolumeMounts[2].Name)
-	assert.Equal(t, "/home/runner/externals", ars.Spec.Template.Spec.Containers[1].VolumeMounts[2].MountPath)
-
 	assert.Len(t, ars.Spec.Template.Spec.Volumes, 3, "Volumes should be 3")
 	assert.Equal(t, "dind-sock", ars.Spec.Template.Spec.Volumes[0].Name, "Volume name should be dind-sock")
 	assert.Equal(t, "dind-externals", ars.Spec.Template.Spec.Volumes[1].Name, "Volume name should be dind-externals")
@@ -961,6 +1026,65 @@ func TestTemplateRenderedAutoScalingRunnerSet_EnableKubernetesMode(t *testing.T)
 	assert.NotNil(t, ars.Spec.Template.Spec.Volumes[0].Ephemeral, "Template.Spec should have 1 ephemeral volume")
 }
 
+func TestTemplateRenderedAutoScalingRunnerSet_EnableKubernetesModeNoVolume(t *testing.T) {
+	t.Parallel()
+
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../gha-runner-scale-set")
+	require.NoError(t, err)
+
+	releaseName := "test-runners"
+	namespaceName := "test-" + strings.ToLower(random.UniqueId())
+
+	options := &helm.Options{
+		Logger: logger.Discard,
+		SetValues: map[string]string{
+			"githubConfigUrl":                    "https://github.com/actions",
+			"githubConfigSecret.github_token":    "gh_token12345",
+			"containerMode.type":                 "kubernetes-novolume",
+			"controllerServiceAccount.name":      "arc",
+			"controllerServiceAccount.namespace": "arc-system",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/autoscalingrunnerset.yaml"})
+
+	var ars v1alpha1.AutoscalingRunnerSet
+	helm.UnmarshalK8SYaml(t, output, &ars)
+
+	assert.Equal(t, namespaceName, ars.Namespace)
+	assert.Equal(t, "test-runners", ars.Name)
+
+	assert.Equal(t, "test-runners", ars.Labels["app.kubernetes.io/name"])
+	assert.Equal(t, "test-runners", ars.Labels["app.kubernetes.io/instance"])
+	assert.Equal(t, "https://github.com/actions", ars.Spec.GitHubConfigUrl)
+	assert.Equal(t, "test-runners-gha-rs-github-secret", ars.Spec.GitHubConfigSecret)
+
+	assert.Empty(t, ars.Spec.RunnerGroup, "RunnerGroup should be empty")
+	assert.Nil(t, ars.Spec.MinRunners, "MinRunners should be nil")
+	assert.Nil(t, ars.Spec.MaxRunners, "MaxRunners should be nil")
+	assert.Nil(t, ars.Spec.Proxy, "Proxy should be nil")
+	assert.Nil(t, ars.Spec.GitHubServerTLS, "GitHubServerTLS should be nil")
+
+	assert.NotNil(t, ars.Spec.Template.Spec, "Template.Spec should not be nil")
+
+	assert.Len(t, ars.Spec.Template.Spec.Containers, 1, "Template.Spec should have 1 container")
+	assert.Equal(t, "runner", ars.Spec.Template.Spec.Containers[0].Name)
+	assert.Equal(t, "ghcr.io/actions/actions-runner:latest", ars.Spec.Template.Spec.Containers[0].Image)
+
+	require.Len(t, ars.Spec.Template.Spec.Containers[0].Env, 4, "The runner container should have 4 env vars")
+	assert.Equal(t, "ACTIONS_RUNNER_CONTAINER_HOOKS", ars.Spec.Template.Spec.Containers[0].Env[0].Name)
+	assert.Equal(t, "/home/runner/k8s-novolume/index.js", ars.Spec.Template.Spec.Containers[0].Env[0].Value)
+	assert.Equal(t, "ACTIONS_RUNNER_POD_NAME", ars.Spec.Template.Spec.Containers[0].Env[1].Name)
+	assert.Equal(t, "ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER", ars.Spec.Template.Spec.Containers[0].Env[2].Name)
+	assert.Equal(t, "true", ars.Spec.Template.Spec.Containers[0].Env[2].Value)
+	assert.Equal(t, "ACTIONS_RUNNER_IMAGE", ars.Spec.Template.Spec.Containers[0].Env[3].Name)
+	assert.Equal(t, ars.Spec.Template.Spec.Containers[0].Image, ars.Spec.Template.Spec.Containers[0].Env[3].Value)
+
+	assert.Len(t, ars.Spec.Template.Spec.Volumes, 0, "Template.Spec should have 0 volumes")
+}
+
 func TestTemplateRenderedAutoscalingRunnerSet_ListenerPodTemplate(t *testing.T) {
 	t.Parallel()
 
@@ -1140,7 +1264,7 @@ func TestTemplateRenderedWithTLS(t *testing.T) {
 	}
 
 	t.Run("providing githubServerTLS.runnerMountPath", func(t *testing.T) {
-		t.Run("mode: default", func(t *testing.T) {
+		t.Run("mode default", func(t *testing.T) {
 			options := &helm.Options{
 				Logger: logger.Discard,
 				SetValues: map[string]string{
@@ -1158,7 +1282,7 @@ func TestTemplateRenderedWithTLS(t *testing.T) {
 			ars := render(t, options)
 
 			require.NotNil(t, ars.Spec.GitHubServerTLS)
-			expected := &v1alpha1.GitHubServerTLSConfig{
+			expected := &v1alpha1.TLSConfig{
 				CertificateFrom: &v1alpha1.TLSCertificateSource{
 					ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
 						LocalObjectReference: corev1.LocalObjectReference{
@@ -1199,7 +1323,7 @@ func TestTemplateRenderedWithTLS(t *testing.T) {
 			})
 		})
 
-		t.Run("mode: dind", func(t *testing.T) {
+		t.Run("mode dind", func(t *testing.T) {
 			options := &helm.Options{
 				Logger: logger.Discard,
 				SetValues: map[string]string{
@@ -1218,7 +1342,7 @@ func TestTemplateRenderedWithTLS(t *testing.T) {
 			ars := render(t, options)
 
 			require.NotNil(t, ars.Spec.GitHubServerTLS)
-			expected := &v1alpha1.GitHubServerTLSConfig{
+			expected := &v1alpha1.TLSConfig{
 				CertificateFrom: &v1alpha1.TLSCertificateSource{
 					ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
 						LocalObjectReference: corev1.LocalObjectReference{
@@ -1259,7 +1383,7 @@ func TestTemplateRenderedWithTLS(t *testing.T) {
 			})
 		})
 
-		t.Run("mode: kubernetes", func(t *testing.T) {
+		t.Run("mode kubernetes", func(t *testing.T) {
 			options := &helm.Options{
 				Logger: logger.Discard,
 				SetValues: map[string]string{
@@ -1278,7 +1402,67 @@ func TestTemplateRenderedWithTLS(t *testing.T) {
 			ars := render(t, options)
 
 			require.NotNil(t, ars.Spec.GitHubServerTLS)
-			expected := &v1alpha1.GitHubServerTLSConfig{
+			expected := &v1alpha1.TLSConfig{
+				CertificateFrom: &v1alpha1.TLSCertificateSource{
+					ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: "certs-configmap",
+						},
+						Key: "cert.pem",
+					},
+				},
+			}
+			assert.Equal(t, expected, ars.Spec.GitHubServerTLS)
+
+			var volume *corev1.Volume
+			for _, v := range ars.Spec.Template.Spec.Volumes {
+				if v.Name == "github-server-tls-cert" {
+					volume = &v
+					break
+				}
+			}
+			require.NotNil(t, volume)
+			assert.Equal(t, "certs-configmap", volume.ConfigMap.Name)
+			assert.Equal(t, "cert.pem", volume.ConfigMap.Items[0].Key)
+			assert.Equal(t, "cert.pem", volume.ConfigMap.Items[0].Path)
+
+			assert.Contains(t, ars.Spec.Template.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
+				Name:      "github-server-tls-cert",
+				MountPath: "/runner/mount/path/cert.pem",
+				SubPath:   "cert.pem",
+			})
+
+			assert.Contains(t, ars.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+				Name:  "NODE_EXTRA_CA_CERTS",
+				Value: "/runner/mount/path/cert.pem",
+			})
+
+			assert.Contains(t, ars.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+				Name:  "RUNNER_UPDATE_CA_CERTS",
+				Value: "1",
+			})
+		})
+
+		t.Run("mode kubernetes-novolume", func(t *testing.T) {
+			options := &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"githubConfigUrl":    "https://github.com/actions",
+					"githubConfigSecret": "pre-defined-secrets",
+					"githubServerTLS.certificateFrom.configMapKeyRef.name": "certs-configmap",
+					"githubServerTLS.certificateFrom.configMapKeyRef.key":  "cert.pem",
+					"githubServerTLS.runnerMountPath":                      "/runner/mount/path",
+					"containerMode.type":                                   "kubernetes-novolume",
+					"controllerServiceAccount.name":                        "arc",
+					"controllerServiceAccount.namespace":                   "arc-system",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+			}
+
+			ars := render(t, options)
+
+			require.NotNil(t, ars.Spec.GitHubServerTLS)
+			expected := &v1alpha1.TLSConfig{
 				CertificateFrom: &v1alpha1.TLSCertificateSource{
 					ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
 						LocalObjectReference: corev1.LocalObjectReference{
@@ -1321,7 +1505,7 @@ func TestTemplateRenderedWithTLS(t *testing.T) {
 	})
 
 	t.Run("without providing githubServerTLS.runnerMountPath", func(t *testing.T) {
-		t.Run("mode: default", func(t *testing.T) {
+		t.Run("mode default", func(t *testing.T) {
 			options := &helm.Options{
 				Logger: logger.Discard,
 				SetValues: map[string]string{
@@ -1338,7 +1522,7 @@ func TestTemplateRenderedWithTLS(t *testing.T) {
 			ars := render(t, options)
 
 			require.NotNil(t, ars.Spec.GitHubServerTLS)
-			expected := &v1alpha1.GitHubServerTLSConfig{
+			expected := &v1alpha1.TLSConfig{
 				CertificateFrom: &v1alpha1.TLSCertificateSource{
 					ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
 						LocalObjectReference: corev1.LocalObjectReference{
@@ -1376,7 +1560,7 @@ func TestTemplateRenderedWithTLS(t *testing.T) {
 			})
 		})
 
-		t.Run("mode: dind", func(t *testing.T) {
+		t.Run("mode dind", func(t *testing.T) {
 			options := &helm.Options{
 				Logger: logger.Discard,
 				SetValues: map[string]string{
@@ -1394,7 +1578,7 @@ func TestTemplateRenderedWithTLS(t *testing.T) {
 			ars := render(t, options)
 
 			require.NotNil(t, ars.Spec.GitHubServerTLS)
-			expected := &v1alpha1.GitHubServerTLSConfig{
+			expected := &v1alpha1.TLSConfig{
 				CertificateFrom: &v1alpha1.TLSCertificateSource{
 					ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
 						LocalObjectReference: corev1.LocalObjectReference{
@@ -1432,7 +1616,7 @@ func TestTemplateRenderedWithTLS(t *testing.T) {
 			})
 		})
 
-		t.Run("mode: kubernetes", func(t *testing.T) {
+		t.Run("mode kubernetes", func(t *testing.T) {
 			options := &helm.Options{
 				Logger: logger.Discard,
 				SetValues: map[string]string{
@@ -1450,7 +1634,63 @@ func TestTemplateRenderedWithTLS(t *testing.T) {
 			ars := render(t, options)
 
 			require.NotNil(t, ars.Spec.GitHubServerTLS)
-			expected := &v1alpha1.GitHubServerTLSConfig{
+			expected := &v1alpha1.TLSConfig{
+				CertificateFrom: &v1alpha1.TLSCertificateSource{
+					ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: "certs-configmap",
+						},
+						Key: "cert.pem",
+					},
+				},
+			}
+			assert.Equal(t, expected, ars.Spec.GitHubServerTLS)
+
+			var volume *corev1.Volume
+			for _, v := range ars.Spec.Template.Spec.Volumes {
+				if v.Name == "github-server-tls-cert" {
+					volume = &v
+					break
+				}
+			}
+			assert.Nil(t, volume)
+
+			assert.NotContains(t, ars.Spec.Template.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
+				Name:      "github-server-tls-cert",
+				MountPath: "/runner/mount/path/cert.pem",
+				SubPath:   "cert.pem",
+			})
+
+			assert.NotContains(t, ars.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+				Name:  "NODE_EXTRA_CA_CERTS",
+				Value: "/runner/mount/path/cert.pem",
+			})
+
+			assert.NotContains(t, ars.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+				Name:  "RUNNER_UPDATE_CA_CERTS",
+				Value: "1",
+			})
+		})
+
+		t.Run("mode kubernetes-novolume", func(t *testing.T) {
+			options := &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"githubConfigUrl":    "https://github.com/actions",
+					"githubConfigSecret": "pre-defined-secrets",
+					"githubServerTLS.certificateFrom.configMapKeyRef.name": "certs-configmap",
+					"githubServerTLS.certificateFrom.configMapKeyRef.key":  "cert.pem",
+					"containerMode.type":                 "kubernetes-novolume",
+					"controllerServiceAccount.name":      "arc",
+					"controllerServiceAccount.namespace": "arc-system",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+			}
+
+			ars := render(t, options)
+
+			require.NotNil(t, ars.Spec.GitHubServerTLS)
+			expected := &v1alpha1.TLSConfig{
 				CertificateFrom: &v1alpha1.TLSCertificateSource{
 					ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
 						LocalObjectReference: corev1.LocalObjectReference{
@@ -1826,7 +2066,7 @@ func TestTemplateRenderedAutoScalingRunnerSet_DinDMergePodSpec(t *testing.T) {
 	var ars v1alpha1.AutoscalingRunnerSet
 	helm.UnmarshalK8SYaml(t, output, &ars)
 
-	assert.Len(t, ars.Spec.Template.Spec.Containers, 2, "There should be 2 containers")
+	assert.Len(t, ars.Spec.Template.Spec.Containers, 1, "There should be 1 containers")
 	assert.Equal(t, "runner", ars.Spec.Template.Spec.Containers[0].Name, "Container name should be runner")
 	assert.Equal(t, "250m", ars.Spec.Template.Spec.Containers[0].Resources.Limits.Cpu().String(), "CPU Limit should be set")
 	assert.Equal(t, "64Mi", ars.Spec.Template.Spec.Containers[0].Resources.Limits.Memory().String(), "Memory Limit should be set")
@@ -1951,40 +2191,44 @@ func TestTemplateRenderedAutoscalingRunnerSetAnnotation_GitHubSecret(t *testing.
 func TestTemplateRenderedAutoscalingRunnerSetAnnotation_KubernetesModeCleanup(t *testing.T) {
 	t.Parallel()
 
-	// Path to the helm chart we will test
-	helmChartPath, err := filepath.Abs("../../gha-runner-scale-set")
-	require.NoError(t, err)
+	for _, mode := range []string{"kubernetes", "kubernetes-novolume"} {
+		t.Run("containerMode "+mode, func(t *testing.T) {
+			// Path to the helm chart we will test
+			helmChartPath, err := filepath.Abs("../../gha-runner-scale-set")
+			require.NoError(t, err)
 
-	releaseName := "test-runners"
-	namespaceName := "test-" + strings.ToLower(random.UniqueId())
+			releaseName := "test-runners"
+			namespaceName := "test-" + strings.ToLower(random.UniqueId())
 
-	options := &helm.Options{
-		Logger: logger.Discard,
-		SetValues: map[string]string{
-			"githubConfigUrl":                    "https://github.com/actions",
-			"githubConfigSecret.github_token":    "gh_token12345",
-			"controllerServiceAccount.name":      "arc",
-			"controllerServiceAccount.namespace": "arc-system",
-			"containerMode.type":                 "kubernetes",
-		},
-		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
-	}
+			options := &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"githubConfigUrl":                    "https://github.com/actions",
+					"githubConfigSecret.github_token":    "gh_token12345",
+					"controllerServiceAccount.name":      "arc",
+					"controllerServiceAccount.namespace": "arc-system",
+					"containerMode.type":                 mode,
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+			}
 
-	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/autoscalingrunnerset.yaml"})
-	var autoscalingRunnerSet v1alpha1.AutoscalingRunnerSet
-	helm.UnmarshalK8SYaml(t, output, &autoscalingRunnerSet)
+			output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/autoscalingrunnerset.yaml"})
+			var autoscalingRunnerSet v1alpha1.AutoscalingRunnerSet
+			helm.UnmarshalK8SYaml(t, output, &autoscalingRunnerSet)
 
-	annotationValues := map[string]string{
-		actionsgithubcom.AnnotationKeyGitHubSecretName:                 "test-runners-gha-rs-github-secret",
-		actionsgithubcom.AnnotationKeyManagerRoleName:                  "test-runners-gha-rs-manager",
-		actionsgithubcom.AnnotationKeyManagerRoleBindingName:           "test-runners-gha-rs-manager",
-		actionsgithubcom.AnnotationKeyKubernetesModeServiceAccountName: "test-runners-gha-rs-kube-mode",
-		actionsgithubcom.AnnotationKeyKubernetesModeRoleName:           "test-runners-gha-rs-kube-mode",
-		actionsgithubcom.AnnotationKeyKubernetesModeRoleBindingName:    "test-runners-gha-rs-kube-mode",
-	}
+			annotationValues := map[string]string{
+				actionsgithubcom.AnnotationKeyGitHubSecretName:                 "test-runners-gha-rs-github-secret",
+				actionsgithubcom.AnnotationKeyManagerRoleName:                  "test-runners-gha-rs-manager",
+				actionsgithubcom.AnnotationKeyManagerRoleBindingName:           "test-runners-gha-rs-manager",
+				actionsgithubcom.AnnotationKeyKubernetesModeServiceAccountName: "test-runners-gha-rs-kube-mode",
+				actionsgithubcom.AnnotationKeyKubernetesModeRoleName:           "test-runners-gha-rs-kube-mode",
+				actionsgithubcom.AnnotationKeyKubernetesModeRoleBindingName:    "test-runners-gha-rs-kube-mode",
+			}
 
-	for annotation, value := range annotationValues {
-		assert.Equal(t, value, autoscalingRunnerSet.Annotations[annotation], fmt.Sprintf("Annotation %q does not match the expected value", annotation))
+			for annotation, value := range annotationValues {
+				assert.Equal(t, value, autoscalingRunnerSet.Annotations[annotation], fmt.Sprintf("Annotation %q does not match the expected value", annotation))
+			}
+		})
 	}
 }
 
@@ -2416,6 +2660,21 @@ func TestNamespaceOverride(t *testing.T) {
 				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
 			},
 		},
+		"kube_novolume_mode_role": {
+			file: "kube_mode_role.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":                  namespaceOverride,
+					"containerMode.type":                 "kubernetes-novolume",
+					"controllerServiceAccount.name":      "foo",
+					"controllerServiceAccount.namespace": "bar",
+					"githubConfigSecret.github_token":    "gh_token12345",
+					"githubConfigUrl":                    "https://github.com",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+		},
 		"kube_mode_role_binding": {
 			file: "kube_mode_role_binding.yaml",
 			options: &helm.Options{
@@ -2431,6 +2690,21 @@ func TestNamespaceOverride(t *testing.T) {
 				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
 			},
 		},
+		"kube_novolume_mode_role_binding": {
+			file: "kube_mode_role_binding.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":                  namespaceOverride,
+					"containerMode.type":                 "kubernetes-novolume",
+					"controllerServiceAccount.name":      "foo",
+					"controllerServiceAccount.namespace": "bar",
+					"githubConfigSecret.github_token":    "gh_token12345",
+					"githubConfigUrl":                    "https://github.com",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+		},
 		"kube_mode_serviceaccount": {
 			file: "kube_mode_serviceaccount.yaml",
 			options: &helm.Options{
@@ -2446,6 +2720,21 @@ func TestNamespaceOverride(t *testing.T) {
 				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
 			},
 		},
+		"kube_novolume_mode_serviceaccount": {
+			file: "kube_mode_serviceaccount.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":                  namespaceOverride,
+					"containerMode.type":                 "kubernetes-novolume",
+					"controllerServiceAccount.name":      "foo",
+					"controllerServiceAccount.namespace": "bar",
+					"githubConfigSecret.github_token":    "gh_token12345",
+					"githubConfigUrl":                    "https://github.com",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+		},
 	}
 
 	for name, tc := range tt {
@@ -2468,3 +2757,43 @@ func TestNamespaceOverride(t *testing.T) {
 		})
 	}
 }
+
+func TestAutoscalingRunnerSetCustomAnnotationsAndLabelsApplied(t *testing.T) {
+	t.Parallel()
+
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../gha-runner-scale-set")
+	require.NoError(t, err)
+
+	releaseName := "test-runners"
+	namespaceName := "test-" + strings.ToLower(random.UniqueId())
+
+	options := &helm.Options{
+		Logger: logger.Discard,
+		SetValues: map[string]string{
+			"githubConfigUrl":                                              "https://github.com/actions",
+			"githubConfigSecret.github_token":                              "gh_token12345",
+			"controllerServiceAccount.name":                                "arc",
+			"controllerServiceAccount.namespace":                           "arc-system",
+			"annotations.actions\\.github\\.com/vault":                     "azure_key_vault",
+			"annotations.actions\\.github\\.com/cleanup-manager-role-name": "not-propagated",
+			"labels.custom":                                                "custom",
+			"labels.app\\.kubernetes\\.io/component":                       "not-propagated",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/autoscalingrunnerset.yaml"})
+
+	var autoscalingRunnerSet v1alpha1.AutoscalingRunnerSet
+	helm.UnmarshalK8SYaml(t, output, &autoscalingRunnerSet)
+
+	vault := autoscalingRunnerSet.Annotations["actions.github.com/vault"]
+	assert.Equal(t, "azure_key_vault", vault)
+
+	custom := autoscalingRunnerSet.Labels["custom"]
+	assert.Equal(t, "custom", custom)
+
+	assert.NotEqual(t, "not-propagated", autoscalingRunnerSet.Annotations["actions.github.com/cleanup-manager-role-name"])
+	assert.NotEqual(t, "not-propagated", autoscalingRunnerSet.Labels["app.kubernetes.io/component"])
+}

charts/gha-runner-scale-set/tests/values_k8s_extra_role_rules.yaml

@@ -0,0 +1,30 @@
+githubConfigUrl: https://github.com/actions/actions-runner-controller
+githubConfigSecret:
+  github_token: test
+template:
+  spec:
+    containers:
+      - name: other
+        image: other-image:latest
+    volumes:
+      - name: foo
+        emptyDir: {}
+      - name: bar
+        emptyDir: {}
+      - name: work
+        hostPath:
+          path: /data
+          type: Directory
+containerMode:
+  type: kubernetes
+  kubernetesModeAdditionalRoleRule:
+    - apiGroups:
+        - apps
+      resources:
+        - deployments
+      verbs:
+        - get
+        - list
+        - create
+        - delete
+

charts/gha-runner-scale-set/values.yaml

@@ -1,12 +1,12 @@
 ## githubConfigUrl is the GitHub url for where you want to configure runners
-## ex: https://github.com/myorg/myrepo or https://github.com/myorg
+## ex: https://github.com/myorg/myrepo or https://github.com/myorg or https://github.com/enterprises/myenterprise
 githubConfigUrl: ""
 
 ## githubConfigSecret is the k8s secret information to use when authenticating via the GitHub API.
 ## You can choose to supply:
 ##   A) a PAT token,
 ##   B) a GitHub App, or
-##   C) a pre-defined Kubernetes secret.
+##   C) a pre-defined secret.
 ## The syntax for each of these variations is documented below.
 ## (Variation A) When using a PAT token, the syntax is as follows:
 githubConfigSecret:
@@ -17,6 +17,7 @@ githubConfigSecret:
 ## (Variation B) When using a GitHub App, the syntax is as follows:
 # githubConfigSecret:
 #   # NOTE: IDs MUST be strings, use quotes
+#   # The github_app_id can be an app_id or the client_id
 #   github_app_id: ""
 #   github_app_installation_id: ""
 #   github_app_private_key: |
@@ -27,8 +28,11 @@ githubConfigSecret:
 #      .
 #      private key line N
 #
-## (Variation C) When using a pre-defined Kubernetes secret in the same namespace that the gha-runner-scale-set is going to deploy,
-## the syntax is as follows:
+## (Variation C) When using a pre-defined secret.
+## The secret can be pulled either directly from Kubernetes, or from the vault, depending on configuration.
+## Kubernetes secret in the same namespace that the gha-runner-scale-set is going to deploy.
+## On the other hand, if the vault is configured, secret name will be used to fetch the app configuration.
+## The syntax is as follows:
 # githubConfigSecret: pre-defined-secret
 ## Notes on using pre-defined Kubernetes secrets:
 ##   You need to make sure your predefined secret has all the required secret data set properly.
@@ -84,6 +88,26 @@ githubConfigSecret:
 #       key: ca.crt
 #   runnerMountPath: /usr/local/share/ca-certificates/
 
+# keyVault:
+  # Available values: "azure_key_vault"
+  # type: ""
+  # Configuration related to azure key vault
+  # azure_key_vault:
+  #   url: ""
+  #   client_id: ""
+  #   tenant_id: ""
+  #   certificate_path: ""
+    # proxy:
+    #   http:
+    #     url: http://proxy.com:1234
+    #     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
+    #   https:
+    #     url: http://proxy.com:1234
+    #     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
+    #   noProxy:
+    #     - example.com
+    #     - example.org
+
 ## Container mode is an object that provides out-of-box configuration
 ## for dind and kubernetes mode. Template will be modified as documented under the
 ## template object.
@@ -91,7 +115,7 @@ githubConfigSecret:
 ## If any customization is required for dind or kubernetes mode, containerMode should remain
 ## empty, and configuration should be applied to the template.
 # containerMode:
-#   type: "dind"  ## type can be set to dind or kubernetes
+#   type: "dind"  ## type can be set to "dind", "kubernetes", or "kubernetes-novolume"
 #   ## the following is required when containerMode.type=kubernetes
 #   kubernetesModeWorkVolumeClaim:
 #     accessModes: ["ReadWriteOnce"]
@@ -100,6 +124,7 @@ githubConfigSecret:
 #     resources:
 #       requests:
 #         storage: 1Gi
+#   kubernetesModeAdditionalRoleRules: []
 #
 
 ## listenerTemplate is the PodSpec for each listener Pod
@@ -130,7 +155,7 @@ githubConfigSecret:
 #   counters:
 #     gha_started_jobs_total:
 #       labels:
-#         ["repository", "organization", "enterprise", "job_name", "event_name"]
+#         ["repository", "organization", "enterprise", "job_name", "event_name", "job_workflow_ref", "job_workflow_name", "job_workflow_target"]
 #     gha_completed_jobs_total:
 #       labels:
 #         [
@@ -140,6 +165,9 @@ githubConfigSecret:
 #           "job_name",
 #           "event_name",
 #           "job_result",
+#           "job_workflow_ref",
+#           "job_workflow_name",
+#           "job_workflow_target",
 #         ]
 #   gauges:
 #     gha_assigned_jobs:
@@ -161,7 +189,7 @@ githubConfigSecret:
 #   histograms:
 #     gha_job_startup_duration_seconds:
 #       labels:
-#         ["repository", "organization", "enterprise", "job_name", "event_name"]
+#         ["repository", "organization", "enterprise", "job_name", "event_name","job_workflow_ref", "job_workflow_name", "job_workflow_target"]
 #       buckets:
 #         [
 #           0.01,
@@ -219,6 +247,9 @@ githubConfigSecret:
 #           "job_name",
 #           "event_name",
 #           "job_result",
+#           "job_workflow_ref",
+#           "job_workflow_name",
+#           "job_workflow_target"
 #         ]
 #       buckets:
 #         [
@@ -283,18 +314,6 @@ template:
   ##       volumeMounts:
   ##         - name: dind-externals
   ##           mountPath: /home/runner/tmpDir
-  ##     containers:
-  ##     - name: runner
-  ##       image: ghcr.io/actions/actions-runner:latest
-  ##       command: ["/home/runner/run.sh"]
-  ##       env:
-  ##         - name: DOCKER_HOST
-  ##           value: unix:///var/run/docker.sock
-  ##       volumeMounts:
-  ##         - name: work
-  ##           mountPath: /home/runner/_work
-  ##         - name: dind-sock
-  ##           mountPath: /var/run
   ##     - name: dind
   ##       image: docker:dind
   ##       args:
@@ -306,6 +325,15 @@ template:
   ##           value: "123"
   ##       securityContext:
   ##         privileged: true
+  ##       restartPolicy: Always
+  ##       startupProbe:
+  ##         exec:
+  ##           command:
+  ##             - docker
+  ##             - info
+  ##         initialDelaySeconds: 0
+  ##         failureThreshold: 24
+  ##         periodSeconds: 5
   ##       volumeMounts:
   ##         - name: work
   ##           mountPath: /home/runner/_work
@@ -313,6 +341,20 @@ template:
   ##           mountPath: /var/run
   ##         - name: dind-externals
   ##           mountPath: /home/runner/externals
+  ##     containers:
+  ##     - name: runner
+  ##       image: ghcr.io/actions/actions-runner:latest
+  ##       command: ["/home/runner/run.sh"]
+  ##       env:
+  ##         - name: DOCKER_HOST
+  ##           value: unix:///var/run/docker.sock
+  ##         - name: RUNNER_WAIT_FOR_DOCKER_IN_SECONDS
+  ##           value: "120"
+  ##       volumeMounts:
+  ##         - name: work
+  ##           mountPath: /home/runner/_work
+  ##         - name: dind-sock
+  ##           mountPath: /var/run
   ##     volumes:
   ##     - name: work
   ##       emptyDir: {}
@@ -350,6 +392,25 @@ template:
   ##               resources:
   ##                 requests:
   ##                   storage: 1Gi
+  ######################################################################################################
+  ## with containerMode.type=kubernetes-novolume, we will populate the template.spec with following pod spec
+  ## template:
+  ##   spec:
+  ##     containers:
+  ##     - name: runner
+  ##       image: ghcr.io/actions/actions-runner:latest
+  ##       command: ["/home/runner/run.sh"]
+  ##       env:
+  ##         - name: ACTIONS_RUNNER_CONTAINER_HOOKS
+  ##           value: /home/runner/k8s-novolume/index.js
+  ##         - name: ACTIONS_RUNNER_POD_NAME
+  ##           valueFrom:
+  ##             fieldRef:
+  ##               fieldPath: metadata.name
+  ##         - name: ACTIONS_RUNNER_IMAGE
+  ##           value: ghcr.io/actions/actions-runner:latest # should match the runnerimage
+  ##         - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
+  ##           value: "true"
   spec:
     containers:
       - name: runner

cmd/ghalistener/app/app.go

@@ -1,139 +0,0 @@
-package app
-
-import (
-	"context"
-	"errors"
-	"fmt"
-
-	"github.com/actions/actions-runner-controller/cmd/ghalistener/config"
-	"github.com/actions/actions-runner-controller/cmd/ghalistener/listener"
-	"github.com/actions/actions-runner-controller/cmd/ghalistener/metrics"
-	"github.com/actions/actions-runner-controller/cmd/ghalistener/worker"
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/go-logr/logr"
-	"golang.org/x/sync/errgroup"
-)
-
-// App is responsible for initializing required components and running the app.
-type App struct {
-	// configured fields
-	config config.Config
-	logger logr.Logger
-
-	// initialized fields
-	listener Listener
-	worker   Worker
-	metrics  metrics.ServerExporter
-}
-
-//go:generate mockery --name Listener --output ./mocks --outpkg mocks --case underscore
-type Listener interface {
-	Listen(ctx context.Context, handler listener.Handler) error
-}
-
-//go:generate mockery --name Worker --output ./mocks --outpkg mocks --case underscore
-type Worker interface {
-	HandleJobStarted(ctx context.Context, jobInfo *actions.JobStarted) error
-	HandleDesiredRunnerCount(ctx context.Context, count int, jobsCompleted int) (int, error)
-}
-
-func New(config config.Config) (*App, error) {
-	app := &App{
-		config: config,
-	}
-
-	ghConfig, err := actions.ParseGitHubConfigFromURL(config.ConfigureUrl)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse GitHub config from URL: %w", err)
-	}
-
-	{
-		logger, err := config.Logger()
-		if err != nil {
-			return nil, fmt.Errorf("failed to create logger: %w", err)
-		}
-		app.logger = logger.WithName("listener-app")
-	}
-
-	actionsClient, err := config.ActionsClient(app.logger)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create actions client: %w", err)
-	}
-
-	if config.MetricsAddr != "" {
-		app.metrics = metrics.NewExporter(metrics.ExporterConfig{
-			ScaleSetName:      config.EphemeralRunnerSetName,
-			ScaleSetNamespace: config.EphemeralRunnerSetNamespace,
-			Enterprise:        ghConfig.Enterprise,
-			Organization:      ghConfig.Organization,
-			Repository:        ghConfig.Repository,
-			ServerAddr:        config.MetricsAddr,
-			ServerEndpoint:    config.MetricsEndpoint,
-			Logger:            app.logger.WithName("metrics exporter"),
-			Metrics:           *config.Metrics,
-		})
-	}
-
-	worker, err := worker.New(
-		worker.Config{
-			EphemeralRunnerSetNamespace: config.EphemeralRunnerSetNamespace,
-			EphemeralRunnerSetName:      config.EphemeralRunnerSetName,
-			MaxRunners:                  config.MaxRunners,
-			MinRunners:                  config.MinRunners,
-		},
-		worker.WithLogger(app.logger.WithName("worker")),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create new kubernetes worker: %w", err)
-	}
-	app.worker = worker
-
-	listener, err := listener.New(listener.Config{
-		Client:     actionsClient,
-		ScaleSetID: app.config.RunnerScaleSetId,
-		MinRunners: app.config.MinRunners,
-		MaxRunners: app.config.MaxRunners,
-		Logger:     app.logger.WithName("listener"),
-		Metrics:    app.metrics,
-	})
-	if err != nil {
-		return nil, fmt.Errorf("failed to create new listener: %w", err)
-	}
-	app.listener = listener
-
-	app.logger.Info("app initialized")
-
-	return app, nil
-}
-
-func (app *App) Run(ctx context.Context) error {
-	var errs []error
-	if app.worker == nil {
-		errs = append(errs, fmt.Errorf("worker not initialized"))
-	}
-	if app.listener == nil {
-		errs = append(errs, fmt.Errorf("listener not initialized"))
-	}
-	if err := errors.Join(errs...); err != nil {
-		return fmt.Errorf("app not initialized: %w", err)
-	}
-
-	g, ctx := errgroup.WithContext(ctx)
-	metricsCtx, cancelMetrics := context.WithCancelCause(ctx)
-
-	g.Go(func() error {
-		app.logger.Info("Starting listener")
-		listnerErr := app.listener.Listen(ctx, app.worker)
-		cancelMetrics(fmt.Errorf("Listener exited: %w", listnerErr))
-		return listnerErr
-	})
-
-	if app.metrics != nil {
-		g.Go(func() error {
-			app.logger.Info("Starting metrics server")
-			return app.metrics.ListenAndServe(metricsCtx)
-		})
-	}
-
-	return g.Wait()
-}

cmd/ghalistener/app/app_test.go

@@ -1,85 +0,0 @@
-package app
-
-import (
-	"context"
-	"errors"
-	"testing"
-
-	appmocks "github.com/actions/actions-runner-controller/cmd/ghalistener/app/mocks"
-	"github.com/actions/actions-runner-controller/cmd/ghalistener/listener"
-	metricsMocks "github.com/actions/actions-runner-controller/cmd/ghalistener/metrics/mocks"
-	"github.com/actions/actions-runner-controller/cmd/ghalistener/worker"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
-)
-
-func TestApp_Run(t *testing.T) {
-	t.Parallel()
-
-	t.Run("ListenerWorkerGuard", func(t *testing.T) {
-		invalidApps := []*App{
-			{},
-			{worker: &worker.Worker{}},
-			{listener: &listener.Listener{}},
-		}
-
-		for _, app := range invalidApps {
-			assert.Error(t, app.Run(context.Background()))
-		}
-	})
-
-	t.Run("ExitsOnListenerError", func(t *testing.T) {
-		listener := appmocks.NewListener(t)
-		worker := appmocks.NewWorker(t)
-
-		listener.On("Listen", mock.Anything, mock.Anything).Return(errors.New("listener error")).Once()
-
-		app := &App{
-			listener: listener,
-			worker:   worker,
-		}
-
-		err := app.Run(context.Background())
-		assert.Error(t, err)
-	})
-
-	t.Run("ExitsOnListenerNil", func(t *testing.T) {
-		listener := appmocks.NewListener(t)
-		worker := appmocks.NewWorker(t)
-
-		listener.On("Listen", mock.Anything, mock.Anything).Return(nil).Once()
-
-		app := &App{
-			listener: listener,
-			worker:   worker,
-		}
-
-		err := app.Run(context.Background())
-		assert.NoError(t, err)
-	})
-
-	t.Run("CancelListenerOnMetricsServerError", func(t *testing.T) {
-		listener := appmocks.NewListener(t)
-		worker := appmocks.NewWorker(t)
-		metrics := metricsMocks.NewServerPublisher(t)
-		ctx := context.Background()
-
-		listener.On("Listen", mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
-			ctx := args.Get(0).(context.Context)
-			go func() {
-				<-ctx.Done()
-			}()
-		}).Return(nil).Once()
-
-		metrics.On("ListenAndServe", mock.Anything).Return(errors.New("metrics server error")).Once()
-
-		app := &App{
-			listener: listener,
-			worker:   worker,
-			metrics:  metrics,
-		}
-
-		err := app.Run(ctx)
-		assert.Error(t, err)
-	})
-}

cmd/ghalistener/app/mocks/listener.go

@@ -1,43 +0,0 @@
-// Code generated by mockery v2.36.1. DO NOT EDIT.
-
-package mocks
-
-import (
-	context "context"
-
-	listener "github.com/actions/actions-runner-controller/cmd/ghalistener/listener"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// Listener is an autogenerated mock type for the Listener type
-type Listener struct {
-	mock.Mock
-}
-
-// Listen provides a mock function with given fields: ctx, handler
-func (_m *Listener) Listen(ctx context.Context, handler listener.Handler) error {
-	ret := _m.Called(ctx, handler)
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, listener.Handler) error); ok {
-		r0 = rf(ctx, handler)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// NewListener creates a new instance of Listener. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewListener(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *Listener {
-	mock := &Listener{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

cmd/ghalistener/app/mocks/worker.go

@@ -1,68 +0,0 @@
-// Code generated by mockery v2.36.1. DO NOT EDIT.
-
-package mocks
-
-import (
-	actions "github.com/actions/actions-runner-controller/github/actions"
-
-	context "context"
-
-	mock "github.com/stretchr/testify/mock"
-)
-
-// Worker is an autogenerated mock type for the Worker type
-type Worker struct {
-	mock.Mock
-}
-
-// HandleDesiredRunnerCount provides a mock function with given fields: ctx, count, acquireCount
-func (_m *Worker) HandleDesiredRunnerCount(ctx context.Context, count int, acquireCount int) (int, error) {
-	ret := _m.Called(ctx, count, acquireCount)
-
-	var r0 int
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, int, int) (int, error)); ok {
-		return rf(ctx, count, acquireCount)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, int, int) int); ok {
-		r0 = rf(ctx, count, acquireCount)
-	} else {
-		r0 = ret.Get(0).(int)
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, int, int) error); ok {
-		r1 = rf(ctx, count, acquireCount)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// HandleJobStarted provides a mock function with given fields: ctx, jobInfo
-func (_m *Worker) HandleJobStarted(ctx context.Context, jobInfo *actions.JobStarted) error {
-	ret := _m.Called(ctx, jobInfo)
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, *actions.JobStarted) error); ok {
-		r0 = rf(ctx, jobInfo)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// NewWorker creates a new instance of Worker. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewWorker(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *Worker {
-	mock := &Worker{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

cmd/ghalistener/config/config.go

@@ -1,32 +1,42 @@
 package config
 
 import (
+	"context"
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
+	"log/slog"
 	"net/http"
 	"net/url"
 	"os"
+	"strings"
 
 	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
+	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1/appconfig"
 	"github.com/actions/actions-runner-controller/build"
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/actions/actions-runner-controller/logging"
-	"github.com/go-logr/logr"
+	"github.com/actions/actions-runner-controller/vault"
+	"github.com/actions/actions-runner-controller/vault/azurekeyvault"
+	"github.com/actions/scaleset"
 	"golang.org/x/net/http/httpproxy"
 )
 
+const appName = "ghalistener"
+
 type Config struct {
-	ConfigureUrl                string                  `json:"configure_url"`
-	AppID                       int64                   `json:"app_id"`
-	AppInstallationID           int64                   `json:"app_installation_id"`
-	AppPrivateKey               string                  `json:"app_private_key"`
-	Token                       string                  `json:"token"`
+	ConfigureUrl   string          `json:"configure_url"`
+	VaultType      vault.VaultType `json:"vault_type"`
+	VaultLookupKey string          `json:"vault_lookup_key"`
+	// If the VaultType is set to "azure_key_vault", this field must be populated.
+	AzureKeyVaultConfig *azurekeyvault.Config `json:"azure_key_vault,omitempty"`
+	// AppConfig contains the GitHub App configuration.
+	// It is initially set to nil if VaultType is set.
+	// Otherwise, it is populated with the GitHub App credentials from the GitHub secret.
+	*appconfig.AppConfig
 	EphemeralRunnerSetNamespace string                  `json:"ephemeral_runner_set_namespace"`
 	EphemeralRunnerSetName      string                  `json:"ephemeral_runner_set_name"`
 	MaxRunners                  int                     `json:"max_runners"`
 	MinRunners                  int                     `json:"min_runners"`
-	RunnerScaleSetId            int                     `json:"runner_scale_set_id"`
+	RunnerScaleSetID            int                     `json:"runner_scale_set_id"`
 	RunnerScaleSetName          string                  `json:"runner_scale_set_name"`
 	ServerRootCA                string                  `json:"server_root_ca"`
 	LogLevel                    string                  `json:"log_level"`
@@ -36,23 +46,58 @@ type Config struct {
 	Metrics                     *v1alpha1.MetricsConfig `json:"metrics"`
 }
 
-func Read(path string) (Config, error) {
-	f, err := os.Open(path)
+func Read(ctx context.Context, configPath string) (*Config, error) {
+	f, err := os.Open(configPath)
 	if err != nil {
-		return Config{}, err
+		return nil, err
 	}
 	defer f.Close()
 
 	var config Config
 	if err := json.NewDecoder(f).Decode(&config); err != nil {
-		return Config{}, fmt.Errorf("failed to decode config: %w", err)
+		return nil, fmt.Errorf("failed to decode config: %w", err)
 	}
 
+	var vault vault.Vault
+	switch config.VaultType {
+	case "":
+		if err := config.Validate(); err != nil {
+			return nil, fmt.Errorf("failed to validate configuration: %v", err)
+		}
+
+		return &config, nil
+	case "azure_key_vault":
+		akv, err := azurekeyvault.New(*config.AzureKeyVaultConfig)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create Azure Key Vault client: %w", err)
+		}
+
+		vault = akv
+	default:
+		return nil, fmt.Errorf("unsupported vault type: %s", config.VaultType)
+	}
+
+	appConfigRaw, err := vault.GetSecret(ctx, config.VaultLookupKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get app config from vault: %w", err)
+	}
+
+	appConfig, err := appconfig.FromJSONString(appConfigRaw)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read app config from string: %v", err)
+	}
+
+	config.AppConfig = appConfig
+
 	if err := config.Validate(); err != nil {
-		return Config{}, fmt.Errorf("failed to validate config: %w", err)
+		return nil, fmt.Errorf("config validation failed: %w", err)
 	}
 
-	return config, nil
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
+	return &config, nil
 }
 
 // Validate checks the configuration for errors.
@@ -62,65 +107,80 @@ func (c *Config) Validate() error {
 	}
 
 	if len(c.EphemeralRunnerSetNamespace) == 0 || len(c.EphemeralRunnerSetName) == 0 {
-		return fmt.Errorf("EphemeralRunnerSetNamespace '%s' or EphemeralRunnerSetName '%s' is missing", c.EphemeralRunnerSetNamespace, c.EphemeralRunnerSetName)
+		return fmt.Errorf("EphemeralRunnerSetNamespace %q or EphemeralRunnerSetName %q is missing", c.EphemeralRunnerSetNamespace, c.EphemeralRunnerSetName)
 	}
 
-	if c.RunnerScaleSetId == 0 {
-		return fmt.Errorf("RunnerScaleSetId '%d' is missing", c.RunnerScaleSetId)
+	if c.RunnerScaleSetID == 0 {
+		return fmt.Errorf(`RunnerScaleSetId "%d" is missing`, c.RunnerScaleSetID)
 	}
 
 	if c.MaxRunners < c.MinRunners {
-		return fmt.Errorf("MinRunners '%d' cannot be greater than MaxRunners '%d'", c.MinRunners, c.MaxRunners)
+		return fmt.Errorf(`MinRunners "%d" cannot be greater than MaxRunners "%d"`, c.MinRunners, c.MaxRunners)
 	}
 
-	hasToken := len(c.Token) > 0
-	hasPrivateKeyConfig := c.AppID > 0 && c.AppPrivateKey != ""
-
-	if !hasToken && !hasPrivateKeyConfig {
-		return fmt.Errorf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(c.Token), c.AppID, c.AppInstallationID, len(c.AppPrivateKey))
+	if c.VaultType != "" {
+		if err := c.VaultType.Validate(); err != nil {
+			return fmt.Errorf("VaultType validation failed: %w", err)
+		}
+		if c.VaultLookupKey == "" {
+			return fmt.Errorf("VaultLookupKey is required when VaultType is set to %q", c.VaultType)
+		}
 	}
 
-	if hasToken && hasPrivateKeyConfig {
-		return fmt.Errorf("only one GitHub auth method supported at a time. Have both PAT and App auth: token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(c.Token), c.AppID, c.AppInstallationID, len(c.AppPrivateKey))
+	if c.VaultType == "" && c.VaultLookupKey == "" {
+		if err := c.AppConfig.Validate(); err != nil {
+			return fmt.Errorf("AppConfig validation failed: %w", err)
+		}
 	}
 
 	return nil
 }
 
-func (c *Config) Logger() (logr.Logger, error) {
-	logLevel := string(logging.LogLevelDebug)
-	if c.LogLevel != "" {
-		logLevel = c.LogLevel
+func (c *Config) Logger() (*slog.Logger, error) {
+	var lvl slog.Level
+	switch strings.ToLower(c.LogLevel) {
+	case "debug":
+		lvl = slog.LevelDebug
+	case "info":
+		lvl = slog.LevelInfo
+	case "warn":
+		lvl = slog.LevelWarn
+	case "error":
+		lvl = slog.LevelError
+	default:
+		return nil, fmt.Errorf("invalid log level: %s", c.LogLevel)
 	}
 
-	logFormat := string(logging.LogFormatText)
-	if c.LogFormat != "" {
-		logFormat = c.LogFormat
+	var logger *slog.Logger
+	switch c.LogFormat {
+	case "json":
+		logger = slog.New(slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{
+			AddSource: true,
+			Level:     lvl,
+		}))
+	case "text":
+		logger = slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{
+			AddSource: true,
+			Level:     lvl,
+		}))
+	default:
+		return nil, fmt.Errorf("invalid log format: %s", c.LogFormat)
 	}
 
-	logger, err := logging.NewLogger(logLevel, logFormat)
-	if err != nil {
-		return logr.Logger{}, fmt.Errorf("NewLogger failed: %w", err)
-	}
-
-	return logger, nil
+	return logger.With("app", appName), nil
 }
 
-func (c *Config) ActionsClient(logger logr.Logger, clientOptions ...actions.ClientOption) (*actions.Client, error) {
-	var creds actions.ActionsAuth
-	switch c.Token {
-	case "":
-		creds.AppCreds = &actions.GitHubAppAuth{
-			AppID:             c.AppID,
-			AppInstallationID: c.AppInstallationID,
-			AppPrivateKey:     c.AppPrivateKey,
-		}
-	default:
-		creds.Token = c.Token
+func (c *Config) ActionsClient(logger *slog.Logger, clientOptions ...scaleset.HTTPOption) (*scaleset.Client, error) {
+	systemInfo := scaleset.SystemInfo{
+		System:     "actions-runner-controller",
+		Version:    build.Version,
+		CommitSHA:  build.CommitSHA,
+		ScaleSetID: c.RunnerScaleSetID,
+		Subsystem:  appName,
 	}
 
-	options := append([]actions.ClientOption{
-		actions.WithLogger(logger),
+	options := append([]scaleset.HTTPOption{
+		scaleset.WithLogger(logger),
 	}, clientOptions...)
 
 	if c.ServerRootCA != "" {
@@ -134,31 +194,47 @@ func (c *Config) ActionsClient(logger logr.Logger, clientOptions ...actions.Clie
 			return nil, fmt.Errorf("failed to parse root certificate")
 		}
 
-		options = append(options, actions.WithRootCAs(pool))
+		options = append(options, scaleset.WithRootCAs(pool))
 	}
 
 	proxyFunc := httpproxy.FromEnvironment().ProxyFunc()
-	options = append(options, actions.WithProxy(func(req *http.Request) (*url.URL, error) {
+	options = append(options, scaleset.WithProxy(func(req *http.Request) (*url.URL, error) {
 		return proxyFunc(req.URL)
 	}))
 
-	client, err := actions.NewClient(c.ConfigureUrl, &creds, options...)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create actions client: %w", err)
+	var client *scaleset.Client
+	switch c.Token {
+	case "":
+		c, err := scaleset.NewClientWithGitHubApp(
+			scaleset.ClientWithGitHubAppConfig{
+				GitHubConfigURL: c.ConfigureUrl,
+				GitHubAppAuth: scaleset.GitHubAppAuth{
+					ClientID:       c.AppConfig.AppID,
+					InstallationID: c.AppConfig.AppInstallationID,
+					PrivateKey:     c.AppConfig.AppPrivateKey,
+				},
+				SystemInfo: systemInfo,
+			},
+			options...,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed to instantiate client with GitHub App auth: %w", err)
+		}
+		client = c
+	default:
+		c, err := scaleset.NewClientWithPersonalAccessToken(
+			scaleset.NewClientWithPersonalAccessTokenConfig{
+				GitHubConfigURL:     c.ConfigureUrl,
+				PersonalAccessToken: c.Token,
+				SystemInfo:          systemInfo,
+			},
+			options...,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed to instantiate client with PAT auth: %w", err)
+		}
+		client = c
 	}
 
-	client.SetUserAgent(actions.UserAgentInfo{
-		Version:    build.Version,
-		CommitSHA:  build.CommitSHA,
-		ScaleSetID: c.RunnerScaleSetId,
-		HasProxy:   hasProxy(),
-		Subsystem:  "ghalistener",
-	})
-
 	return client, nil
 }
-
-func hasProxy() bool {
-	proxyFunc := httpproxy.FromEnvironment().ProxyFunc()
-	return proxyFunc != nil
-}

cmd/ghalistener/config/config_client_test.go

@@ -3,20 +3,23 @@ package config_test
 import (
 	"context"
 	"crypto/tls"
+	"encoding/json"
+	"log/slog"
 	"net/http"
-	"net/http/httptest"
 	"os"
 	"path/filepath"
 	"testing"
 
+	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1/appconfig"
 	"github.com/actions/actions-runner-controller/cmd/ghalistener/config"
-	"github.com/actions/actions-runner-controller/github/actions"
 	"github.com/actions/actions-runner-controller/github/actions/testserver"
-	"github.com/go-logr/logr"
+	"github.com/actions/scaleset"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
+var discardLogger = slog.New(slog.DiscardHandler)
+
 func TestCustomerServerRootCA(t *testing.T) {
 	ctx := context.Background()
 	certsFolder := filepath.Join(
@@ -53,10 +56,12 @@ func TestCustomerServerRootCA(t *testing.T) {
 	config := config.Config{
 		ConfigureUrl: server.ConfigURLForOrg("myorg"),
 		ServerRootCA: certsString,
-		Token:        "token",
+		AppConfig: &appconfig.AppConfig{
+			Token: "token",
+		},
 	}
 
-	client, err := config.ActionsClient(logr.Discard())
+	client, err := config.ActionsClient(discardLogger)
 	require.NoError(t, err)
 	_, err = client.GetRunnerScaleSet(ctx, 1, "test")
 	require.NoError(t, err)
@@ -64,98 +69,70 @@ func TestCustomerServerRootCA(t *testing.T) {
 }
 
 func TestProxySettings(t *testing.T) {
+	assertHasProxy := func(t *testing.T, debugInfo string, want bool) {
+		type debugInfoContent struct {
+			HasProxy bool `json:"has_proxy"`
+		}
+		var got debugInfoContent
+		err := json.Unmarshal([]byte(debugInfo), &got)
+		require.NoError(t, err)
+		assert.Equal(t, want, got.HasProxy)
+	}
+
 	t.Run("http", func(t *testing.T) {
-		wentThroughProxy := false
-
-		proxy := httptest.NewServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
-			wentThroughProxy = true
-		}))
-		t.Cleanup(func() {
-			proxy.Close()
-		})
-
 		prevProxy := os.Getenv("http_proxy")
-		os.Setenv("http_proxy", proxy.URL)
+		os.Setenv("http_proxy", "http://proxy:8080")
 		defer os.Setenv("http_proxy", prevProxy)
 
 		config := config.Config{
 			ConfigureUrl: "https://github.com/org/repo",
-			Token:        "token",
+			AppConfig: &appconfig.AppConfig{
+				Token: "token",
+			},
 		}
 
-		client, err := config.ActionsClient(logr.Discard())
+		client, err := config.ActionsClient(discardLogger)
 		require.NoError(t, err)
 
-		req, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-		require.NoError(t, err)
-		_, err = client.Do(req)
-		require.NoError(t, err)
-
-		assert.True(t, wentThroughProxy)
+		assertHasProxy(t, client.DebugInfo(), true)
 	})
 
 	t.Run("https", func(t *testing.T) {
-		wentThroughProxy := false
-
-		proxy := httptest.NewServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
-			wentThroughProxy = true
-		}))
-		t.Cleanup(func() {
-			proxy.Close()
-		})
-
 		prevProxy := os.Getenv("https_proxy")
-		os.Setenv("https_proxy", proxy.URL)
+		os.Setenv("https_proxy", "https://proxy:443")
 		defer os.Setenv("https_proxy", prevProxy)
 
 		config := config.Config{
 			ConfigureUrl: "https://github.com/org/repo",
-			Token:        "token",
+			AppConfig: &appconfig.AppConfig{
+				Token: "token",
+			},
 		}
 
-		client, err := config.ActionsClient(logr.Discard(), actions.WithRetryMax(0))
+		client, err := config.ActionsClient(
+			discardLogger,
+			scaleset.WithRetryMax(0),
+		)
 		require.NoError(t, err)
 
-		req, err := http.NewRequest(http.MethodGet, "https://example.com", nil)
-		require.NoError(t, err)
-
-		_, err = client.Do(req)
-		// proxy doesn't support https
-		assert.Error(t, err)
-		assert.True(t, wentThroughProxy)
+		assertHasProxy(t, client.DebugInfo(), true)
 	})
 
 	t.Run("no_proxy", func(t *testing.T) {
-		wentThroughProxy := false
-
-		proxy := httptest.NewServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
-			wentThroughProxy = true
-		}))
-		t.Cleanup(func() {
-			proxy.Close()
-		})
-
-		prevProxy := os.Getenv("http_proxy")
-		os.Setenv("http_proxy", proxy.URL)
-		defer os.Setenv("http_proxy", prevProxy)
-
 		prevNoProxy := os.Getenv("no_proxy")
 		os.Setenv("no_proxy", "example.com")
 		defer os.Setenv("no_proxy", prevNoProxy)
 
 		config := config.Config{
 			ConfigureUrl: "https://github.com/org/repo",
-			Token:        "token",
+			AppConfig: &appconfig.AppConfig{
+				Token: "token",
+			},
 		}
 
-		client, err := config.ActionsClient(logr.Discard())
+		client, err := config.ActionsClient(discardLogger)
 		require.NoError(t, err)
 
-		req, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-		require.NoError(t, err)
-
-		_, err = client.Do(req)
-		require.NoError(t, err)
-		assert.False(t, wentThroughProxy)
+		assertHasProxy(t, client.DebugInfo(), true)
 	})
 }

cmd/ghalistener/config/config_test.go

@@ -1,92 +0,0 @@
-package config
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestConfigValidationMinMax(t *testing.T) {
-	config := &Config{
-		ConfigureUrl:                "github.com/some_org/some_repo",
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-		MinRunners:                  5,
-		MaxRunners:                  2,
-		Token:                       "token",
-	}
-	err := config.Validate()
-	assert.ErrorContains(t, err, "MinRunners '5' cannot be greater than MaxRunners '2", "Expected error about MinRunners > MaxRunners")
-}
-
-func TestConfigValidationMissingToken(t *testing.T) {
-	config := &Config{
-		ConfigureUrl:                "github.com/some_org/some_repo",
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-	}
-	err := config.Validate()
-	expectedError := fmt.Sprintf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
-	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
-}
-
-func TestConfigValidationAppKey(t *testing.T) {
-	config := &Config{
-		AppID:                       1,
-		AppInstallationID:           10,
-		ConfigureUrl:                "github.com/some_org/some_repo",
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-	}
-	err := config.Validate()
-	expectedError := fmt.Sprintf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
-	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
-}
-
-func TestConfigValidationOnlyOneTypeOfCredentials(t *testing.T) {
-	config := &Config{
-		AppID:                       1,
-		AppInstallationID:           10,
-		AppPrivateKey:               "asdf",
-		Token:                       "asdf",
-		ConfigureUrl:                "github.com/some_org/some_repo",
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-	}
-	err := config.Validate()
-	expectedError := fmt.Sprintf("only one GitHub auth method supported at a time. Have both PAT and App auth: token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
-	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
-}
-
-func TestConfigValidation(t *testing.T) {
-	config := &Config{
-		ConfigureUrl:                "https://github.com/actions",
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-		MinRunners:                  1,
-		MaxRunners:                  5,
-		Token:                       "asdf",
-	}
-
-	err := config.Validate()
-
-	assert.NoError(t, err, "Expected no error")
-}
-
-func TestConfigValidationConfigUrl(t *testing.T) {
-	config := &Config{
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-	}
-
-	err := config.Validate()
-
-	assert.ErrorContains(t, err, "GitHubConfigUrl is not provided", "Expected error about missing ConfigureUrl")
-}

cmd/ghalistener/config/config_validation_test.go

@@ -0,0 +1,170 @@
+package config
+
+import (
+	"testing"
+
+	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1/appconfig"
+	"github.com/actions/actions-runner-controller/vault"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestConfigValidationMinMax(t *testing.T) {
+	config := &Config{
+		ConfigureUrl:                "github.com/some_org/some_repo",
+		EphemeralRunnerSetNamespace: "namespace",
+		EphemeralRunnerSetName:      "deployment",
+		RunnerScaleSetID:            1,
+		MinRunners:                  5,
+		MaxRunners:                  2,
+		AppConfig: &appconfig.AppConfig{
+			Token: "token",
+		},
+	}
+	err := config.Validate()
+	assert.ErrorContains(t, err, `MinRunners "5" cannot be greater than MaxRunners "2"`, "Expected error about MinRunners > MaxRunners")
+}
+
+func TestConfigValidationMissingToken(t *testing.T) {
+	config := &Config{
+		ConfigureUrl:                "github.com/some_org/some_repo",
+		EphemeralRunnerSetNamespace: "namespace",
+		EphemeralRunnerSetName:      "deployment",
+		RunnerScaleSetID:            1,
+	}
+	err := config.Validate()
+	expectedError := "AppConfig validation failed: missing app config"
+	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
+}
+
+func TestConfigValidationAppKey(t *testing.T) {
+	t.Parallel()
+
+	t.Run("app id integer", func(t *testing.T) {
+		t.Parallel()
+		config := &Config{
+			AppConfig: &appconfig.AppConfig{
+				AppID:             "1",
+				AppInstallationID: 10,
+			},
+			ConfigureUrl:                "github.com/some_org/some_repo",
+			EphemeralRunnerSetNamespace: "namespace",
+			EphemeralRunnerSetName:      "deployment",
+			RunnerScaleSetID:            1,
+		}
+		err := config.Validate()
+		expectedError := "AppConfig validation failed: no credentials provided: either a PAT or GitHub App credentials should be provided"
+		assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
+	})
+
+	t.Run("app id as client id", func(t *testing.T) {
+		t.Parallel()
+		config := &Config{
+			AppConfig: &appconfig.AppConfig{
+				AppID:             "Iv23f8doAlphaNumer1c",
+				AppInstallationID: 10,
+			},
+			ConfigureUrl:                "github.com/some_org/some_repo",
+			EphemeralRunnerSetNamespace: "namespace",
+			EphemeralRunnerSetName:      "deployment",
+			RunnerScaleSetID:            1,
+		}
+		err := config.Validate()
+		expectedError := "AppConfig validation failed: no credentials provided: either a PAT or GitHub App credentials should be provided"
+		assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
+	})
+}
+
+func TestConfigValidationOnlyOneTypeOfCredentials(t *testing.T) {
+	config := &Config{
+		AppConfig: &appconfig.AppConfig{
+			AppID:             "1",
+			AppInstallationID: 10,
+			AppPrivateKey:     "asdf",
+			Token:             "asdf",
+		},
+		ConfigureUrl:                "github.com/some_org/some_repo",
+		EphemeralRunnerSetNamespace: "namespace",
+		EphemeralRunnerSetName:      "deployment",
+		RunnerScaleSetID:            1,
+	}
+	err := config.Validate()
+	expectedError := "AppConfig validation failed: both PAT and GitHub App credentials provided. should only provide one"
+	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
+}
+
+func TestConfigValidation(t *testing.T) {
+	config := &Config{
+		ConfigureUrl:                "https://github.com/actions",
+		EphemeralRunnerSetNamespace: "namespace",
+		EphemeralRunnerSetName:      "deployment",
+		RunnerScaleSetID:            1,
+		MinRunners:                  1,
+		MaxRunners:                  5,
+		AppConfig: &appconfig.AppConfig{
+			Token: "asdf",
+		},
+	}
+
+	err := config.Validate()
+
+	assert.NoError(t, err, "Expected no error")
+}
+
+func TestConfigValidationConfigUrl(t *testing.T) {
+	config := &Config{
+		EphemeralRunnerSetNamespace: "namespace",
+		EphemeralRunnerSetName:      "deployment",
+		RunnerScaleSetID:            1,
+	}
+
+	err := config.Validate()
+
+	assert.ErrorContains(t, err, "GitHubConfigUrl is not provided", "Expected error about missing ConfigureUrl")
+}
+
+func TestConfigValidationWithVaultConfig(t *testing.T) {
+	t.Run("valid", func(t *testing.T) {
+		config := &Config{
+			ConfigureUrl:                "https://github.com/actions",
+			EphemeralRunnerSetNamespace: "namespace",
+			EphemeralRunnerSetName:      "deployment",
+			RunnerScaleSetID:            1,
+			MinRunners:                  1,
+			MaxRunners:                  5,
+			VaultType:                   vault.VaultTypeAzureKeyVault,
+			VaultLookupKey:              "testkey",
+		}
+		err := config.Validate()
+		assert.NoError(t, err, "Expected no error for valid vault type")
+	})
+
+	t.Run("invalid vault type", func(t *testing.T) {
+		config := &Config{
+			ConfigureUrl:                "https://github.com/actions",
+			EphemeralRunnerSetNamespace: "namespace",
+			EphemeralRunnerSetName:      "deployment",
+			RunnerScaleSetID:            1,
+			MinRunners:                  1,
+			MaxRunners:                  5,
+			VaultType:                   vault.VaultType("invalid_vault_type"),
+			VaultLookupKey:              "testkey",
+		}
+		err := config.Validate()
+		assert.ErrorContains(t, err, `unknown vault type: "invalid_vault_type"`, "Expected error for invalid vault type")
+	})
+
+	t.Run("vault type set without lookup key", func(t *testing.T) {
+		config := &Config{
+			ConfigureUrl:                "https://github.com/actions",
+			EphemeralRunnerSetNamespace: "namespace",
+			EphemeralRunnerSetName:      "deployment",
+			RunnerScaleSetID:            1,
+			MinRunners:                  1,
+			MaxRunners:                  5,
+			VaultType:                   vault.VaultTypeAzureKeyVault,
+			VaultLookupKey:              "",
+		}
+		err := config.Validate()
+		assert.ErrorContains(t, err, `VaultLookupKey is required when VaultType is set to "azure_key_vault"`, "Expected error for vault type without lookup key")
+	})
+}

cmd/ghalistener/listener/listener.go

@@ -1,452 +0,0 @@
-package listener
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net/http"
-	"os"
-	"time"
-
-	"github.com/actions/actions-runner-controller/cmd/ghalistener/metrics"
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/go-logr/logr"
-	"github.com/google/uuid"
-)
-
-const (
-	sessionCreationMaxRetries = 10
-)
-
-// message types
-const (
-	messageTypeJobAvailable = "JobAvailable"
-	messageTypeJobAssigned  = "JobAssigned"
-	messageTypeJobStarted   = "JobStarted"
-	messageTypeJobCompleted = "JobCompleted"
-)
-
-//go:generate mockery --name Client --output ./mocks --outpkg mocks --case underscore
-type Client interface {
-	GetAcquirableJobs(ctx context.Context, runnerScaleSetId int) (*actions.AcquirableJobList, error)
-	CreateMessageSession(ctx context.Context, runnerScaleSetId int, owner string) (*actions.RunnerScaleSetSession, error)
-	GetMessage(ctx context.Context, messageQueueUrl, messageQueueAccessToken string, lastMessageId int64, maxCapacity int) (*actions.RunnerScaleSetMessage, error)
-	DeleteMessage(ctx context.Context, messageQueueUrl, messageQueueAccessToken string, messageId int64) error
-	AcquireJobs(ctx context.Context, runnerScaleSetId int, messageQueueAccessToken string, requestIds []int64) ([]int64, error)
-	RefreshMessageSession(ctx context.Context, runnerScaleSetId int, sessionId *uuid.UUID) (*actions.RunnerScaleSetSession, error)
-	DeleteMessageSession(ctx context.Context, runnerScaleSetId int, sessionId *uuid.UUID) error
-}
-
-type Config struct {
-	Client     Client
-	ScaleSetID int
-	MinRunners int
-	MaxRunners int
-	Logger     logr.Logger
-	Metrics    metrics.Publisher
-}
-
-func (c *Config) Validate() error {
-	if c.Client == nil {
-		return errors.New("client is required")
-	}
-	if c.ScaleSetID == 0 {
-		return errors.New("scaleSetID is required")
-	}
-	if c.MinRunners < 0 {
-		return errors.New("minRunners must be greater than or equal to 0")
-	}
-	if c.MaxRunners < 0 {
-		return errors.New("maxRunners must be greater than or equal to 0")
-	}
-	if c.MaxRunners > 0 && c.MinRunners > c.MaxRunners {
-		return errors.New("minRunners must be less than or equal to maxRunners")
-	}
-	return nil
-}
-
-// The Listener's role is to manage all interactions with the actions service.
-// It receives messages and processes them using the given handler.
-type Listener struct {
-	// configured fields
-	scaleSetID int               // The ID of the scale set associated with the listener.
-	client     Client            // The client used to interact with the scale set.
-	metrics    metrics.Publisher // The publisher used to publish metrics.
-
-	// internal fields
-	logger   logr.Logger // The logger used for logging.
-	hostname string      // The hostname of the listener.
-
-	// updated fields
-	lastMessageID int64                          // The ID of the last processed message.
-	maxCapacity   int                            // The maximum number of runners that can be created.
-	session       *actions.RunnerScaleSetSession // The session for managing the runner scale set.
-}
-
-func New(config Config) (*Listener, error) {
-	if err := config.Validate(); err != nil {
-		return nil, fmt.Errorf("invalid config: %w", err)
-	}
-
-	listener := &Listener{
-		scaleSetID:  config.ScaleSetID,
-		client:      config.Client,
-		logger:      config.Logger,
-		metrics:     metrics.Discard,
-		maxCapacity: config.MaxRunners,
-	}
-
-	if config.Metrics != nil {
-		listener.metrics = config.Metrics
-	}
-
-	listener.metrics.PublishStatic(config.MinRunners, config.MaxRunners)
-
-	hostname, err := os.Hostname()
-	if err != nil {
-		hostname = uuid.NewString()
-		listener.logger.Info("Failed to get hostname, fallback to uuid", "uuid", hostname, "error", err)
-	}
-	listener.hostname = hostname
-
-	return listener, nil
-}
-
-//go:generate mockery --name Handler --output ./mocks --outpkg mocks --case underscore
-type Handler interface {
-	HandleJobStarted(ctx context.Context, jobInfo *actions.JobStarted) error
-	HandleDesiredRunnerCount(ctx context.Context, count, jobsCompleted int) (int, error)
-}
-
-// Listen listens for incoming messages and handles them using the provided handler.
-// It continuously listens for messages until the context is cancelled.
-// The initial message contains the current statistics and acquirable jobs, if any.
-// The handler is responsible for handling the initial message and subsequent messages.
-// If an error occurs during any step, Listen returns an error.
-func (l *Listener) Listen(ctx context.Context, handler Handler) error {
-	if err := l.createSession(ctx); err != nil {
-		return fmt.Errorf("createSession failed: %w", err)
-	}
-
-	defer func() {
-		if err := l.deleteMessageSession(); err != nil {
-			l.logger.Error(err, "failed to delete message session")
-		}
-	}()
-
-	initialMessage := &actions.RunnerScaleSetMessage{
-		MessageId:   0,
-		MessageType: "RunnerScaleSetJobMessages",
-		Statistics:  l.session.Statistics,
-		Body:        "",
-	}
-
-	if l.session.Statistics == nil {
-		return fmt.Errorf("session statistics is nil")
-	}
-	l.metrics.PublishStatistics(initialMessage.Statistics)
-
-	desiredRunners, err := handler.HandleDesiredRunnerCount(ctx, initialMessage.Statistics.TotalAssignedJobs, 0)
-	if err != nil {
-		return fmt.Errorf("handling initial message failed: %w", err)
-	}
-	l.metrics.PublishDesiredRunners(desiredRunners)
-
-	for {
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		default:
-		}
-
-		msg, err := l.getMessage(ctx)
-		if err != nil {
-			return fmt.Errorf("failed to get message: %w", err)
-		}
-
-		if msg == nil {
-			_, err := handler.HandleDesiredRunnerCount(ctx, 0, 0)
-			if err != nil {
-				return fmt.Errorf("handling nil message failed: %w", err)
-			}
-
-			continue
-		}
-
-		// Remove cancellation from the context to avoid cancelling the message handling.
-		if err := l.handleMessage(context.WithoutCancel(ctx), handler, msg); err != nil {
-			return fmt.Errorf("failed to handle message: %w", err)
-		}
-	}
-}
-
-func (l *Listener) handleMessage(ctx context.Context, handler Handler, msg *actions.RunnerScaleSetMessage) error {
-	parsedMsg, err := l.parseMessage(ctx, msg)
-	if err != nil {
-		return fmt.Errorf("failed to parse message: %w", err)
-	}
-	l.metrics.PublishStatistics(parsedMsg.statistics)
-
-	if len(parsedMsg.jobsAvailable) > 0 {
-		acquiredJobIDs, err := l.acquireAvailableJobs(ctx, parsedMsg.jobsAvailable)
-		if err != nil {
-			return fmt.Errorf("failed to acquire jobs: %w", err)
-		}
-
-		l.logger.Info("Jobs are acquired", "count", len(acquiredJobIDs), "requestIds", fmt.Sprint(acquiredJobIDs))
-	}
-
-	for _, jobCompleted := range parsedMsg.jobsCompleted {
-		l.metrics.PublishJobCompleted(jobCompleted)
-	}
-
-	l.lastMessageID = msg.MessageId
-
-	if err := l.deleteLastMessage(ctx); err != nil {
-		return fmt.Errorf("failed to delete message: %w", err)
-	}
-
-	for _, jobStarted := range parsedMsg.jobsStarted {
-		if err := handler.HandleJobStarted(ctx, jobStarted); err != nil {
-			return fmt.Errorf("failed to handle job started: %w", err)
-		}
-		l.metrics.PublishJobStarted(jobStarted)
-	}
-
-	desiredRunners, err := handler.HandleDesiredRunnerCount(ctx, parsedMsg.statistics.TotalAssignedJobs, len(parsedMsg.jobsCompleted))
-	if err != nil {
-		return fmt.Errorf("failed to handle desired runner count: %w", err)
-	}
-	l.metrics.PublishDesiredRunners(desiredRunners)
-	return nil
-}
-
-func (l *Listener) createSession(ctx context.Context) error {
-	var session *actions.RunnerScaleSetSession
-	var retries int
-
-	for {
-		var err error
-		session, err = l.client.CreateMessageSession(ctx, l.scaleSetID, l.hostname)
-		if err == nil {
-			break
-		}
-
-		clientErr := &actions.HttpClientSideError{}
-		if !errors.As(err, &clientErr) {
-			return fmt.Errorf("failed to create session: %w", err)
-		}
-
-		if clientErr.Code != http.StatusConflict {
-			return fmt.Errorf("failed to create session: %w", err)
-		}
-
-		retries++
-		if retries >= sessionCreationMaxRetries {
-			return fmt.Errorf("failed to create session after %d retries: %w", retries, err)
-		}
-
-		l.logger.Info("Unable to create message session. Will try again in 30 seconds", "error", err.Error())
-
-		select {
-		case <-ctx.Done():
-			return fmt.Errorf("context cancelled: %w", ctx.Err())
-		case <-time.After(30 * time.Second):
-		}
-	}
-
-	statistics, err := json.Marshal(session.Statistics)
-	if err != nil {
-		return fmt.Errorf("failed to marshal statistics: %w", err)
-	}
-	l.logger.Info("Current runner scale set statistics.", "statistics", string(statistics))
-
-	l.session = session
-
-	return nil
-}
-
-func (l *Listener) getMessage(ctx context.Context) (*actions.RunnerScaleSetMessage, error) {
-	l.logger.Info("Getting next message", "lastMessageID", l.lastMessageID)
-	msg, err := l.client.GetMessage(ctx, l.session.MessageQueueUrl, l.session.MessageQueueAccessToken, l.lastMessageID, l.maxCapacity)
-	if err == nil { // if NO error
-		return msg, nil
-	}
-
-	expiredError := &actions.MessageQueueTokenExpiredError{}
-	if !errors.As(err, &expiredError) {
-		return nil, fmt.Errorf("failed to get next message: %w", err)
-	}
-
-	if err := l.refreshSession(ctx); err != nil {
-		return nil, err
-	}
-
-	l.logger.Info("Getting next message", "lastMessageID", l.lastMessageID)
-
-	msg, err = l.client.GetMessage(ctx, l.session.MessageQueueUrl, l.session.MessageQueueAccessToken, l.lastMessageID, l.maxCapacity)
-	if err != nil { // if NO error
-		return nil, fmt.Errorf("failed to get next message after message session refresh: %w", err)
-	}
-
-	return msg, nil
-}
-
-func (l *Listener) deleteLastMessage(ctx context.Context) error {
-	l.logger.Info("Deleting last message", "lastMessageID", l.lastMessageID)
-	err := l.client.DeleteMessage(ctx, l.session.MessageQueueUrl, l.session.MessageQueueAccessToken, l.lastMessageID)
-	if err == nil { // if NO error
-		return nil
-	}
-
-	expiredError := &actions.MessageQueueTokenExpiredError{}
-	if !errors.As(err, &expiredError) {
-		return fmt.Errorf("failed to delete last message: %w", err)
-	}
-
-	if err := l.refreshSession(ctx); err != nil {
-		return err
-	}
-
-	err = l.client.DeleteMessage(ctx, l.session.MessageQueueUrl, l.session.MessageQueueAccessToken, l.lastMessageID)
-	if err != nil {
-		return fmt.Errorf("failed to delete last message after message session refresh: %w", err)
-	}
-
-	return nil
-}
-
-type parsedMessage struct {
-	statistics    *actions.RunnerScaleSetStatistic
-	jobsStarted   []*actions.JobStarted
-	jobsAvailable []*actions.JobAvailable
-	jobsCompleted []*actions.JobCompleted
-}
-
-func (l *Listener) parseMessage(ctx context.Context, msg *actions.RunnerScaleSetMessage) (*parsedMessage, error) {
-	if msg.MessageType != "RunnerScaleSetJobMessages" {
-		l.logger.Info("Skipping message", "messageType", msg.MessageType)
-		return nil, fmt.Errorf("invalid message type: %s", msg.MessageType)
-	}
-
-	l.logger.Info("Processing message", "messageId", msg.MessageId, "messageType", msg.MessageType)
-	if msg.Statistics == nil {
-		return nil, fmt.Errorf("invalid message: statistics is nil")
-	}
-
-	l.logger.Info("New runner scale set statistics.", "statistics", msg.Statistics)
-
-	var batchedMessages []json.RawMessage
-	if len(msg.Body) > 0 {
-		if err := json.Unmarshal([]byte(msg.Body), &batchedMessages); err != nil {
-			return nil, fmt.Errorf("failed to unmarshal batched messages: %w", err)
-		}
-	}
-
-	parsedMsg := &parsedMessage{
-		statistics: msg.Statistics,
-	}
-
-	for _, msg := range batchedMessages {
-		var messageType actions.JobMessageType
-		if err := json.Unmarshal(msg, &messageType); err != nil {
-			return nil, fmt.Errorf("failed to decode job message type: %w", err)
-		}
-
-		switch messageType.MessageType {
-		case messageTypeJobAvailable:
-			var jobAvailable actions.JobAvailable
-			if err := json.Unmarshal(msg, &jobAvailable); err != nil {
-				return nil, fmt.Errorf("failed to decode job available: %w", err)
-			}
-
-			l.logger.Info("Job available message received", "jobId", jobAvailable.RunnerRequestId)
-			parsedMsg.jobsAvailable = append(parsedMsg.jobsAvailable, &jobAvailable)
-
-		case messageTypeJobAssigned:
-			var jobAssigned actions.JobAssigned
-			if err := json.Unmarshal(msg, &jobAssigned); err != nil {
-				return nil, fmt.Errorf("failed to decode job assigned: %w", err)
-			}
-
-			l.logger.Info("Job assigned message received", "jobId", jobAssigned.RunnerRequestId)
-
-		case messageTypeJobStarted:
-			var jobStarted actions.JobStarted
-			if err := json.Unmarshal(msg, &jobStarted); err != nil {
-				return nil, fmt.Errorf("could not decode job started message. %w", err)
-			}
-			l.logger.Info("Job started message received.", "RequestId", jobStarted.RunnerRequestId, "RunnerId", jobStarted.RunnerId)
-			parsedMsg.jobsStarted = append(parsedMsg.jobsStarted, &jobStarted)
-
-		case messageTypeJobCompleted:
-			var jobCompleted actions.JobCompleted
-			if err := json.Unmarshal(msg, &jobCompleted); err != nil {
-				return nil, fmt.Errorf("failed to decode job completed: %w", err)
-			}
-
-			l.logger.Info("Job completed message received.", "RequestId", jobCompleted.RunnerRequestId, "Result", jobCompleted.Result, "RunnerId", jobCompleted.RunnerId, "RunnerName", jobCompleted.RunnerName)
-			parsedMsg.jobsCompleted = append(parsedMsg.jobsCompleted, &jobCompleted)
-
-		default:
-			l.logger.Info("unknown job message type.", "messageType", messageType.MessageType)
-		}
-	}
-
-	return parsedMsg, nil
-}
-
-func (l *Listener) acquireAvailableJobs(ctx context.Context, jobsAvailable []*actions.JobAvailable) ([]int64, error) {
-	ids := make([]int64, 0, len(jobsAvailable))
-	for _, job := range jobsAvailable {
-		ids = append(ids, job.RunnerRequestId)
-	}
-
-	l.logger.Info("Acquiring jobs", "count", len(ids), "requestIds", fmt.Sprint(ids))
-
-	idsAcquired, err := l.client.AcquireJobs(ctx, l.scaleSetID, l.session.MessageQueueAccessToken, ids)
-	if err == nil { // if NO errors
-		return idsAcquired, nil
-	}
-
-	expiredError := &actions.MessageQueueTokenExpiredError{}
-	if !errors.As(err, &expiredError) {
-		return nil, fmt.Errorf("failed to acquire jobs: %w", err)
-	}
-
-	if err := l.refreshSession(ctx); err != nil {
-		return nil, err
-	}
-
-	idsAcquired, err = l.client.AcquireJobs(ctx, l.scaleSetID, l.session.MessageQueueAccessToken, ids)
-	if err != nil {
-		return nil, fmt.Errorf("failed to acquire jobs after session refresh: %w", err)
-	}
-
-	return idsAcquired, nil
-}
-
-func (l *Listener) refreshSession(ctx context.Context) error {
-	l.logger.Info("Message queue token is expired during GetNextMessage, refreshing...")
-	session, err := l.client.RefreshMessageSession(ctx, l.session.RunnerScaleSet.Id, l.session.SessionId)
-	if err != nil {
-		return fmt.Errorf("refresh message session failed. %w", err)
-	}
-
-	l.session = session
-	return nil
-}
-
-func (l *Listener) deleteMessageSession() error {
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-
-	l.logger.Info("Deleting message session")
-
-	if err := l.client.DeleteMessageSession(ctx, l.session.RunnerScaleSet.Id, l.session.SessionId); err != nil {
-		return fmt.Errorf("failed to delete message session: %w", err)
-	}
-
-	return nil
-}

cmd/ghalistener/listener/listener_test.go

@@ -1,970 +0,0 @@
-package listener
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"net/http"
-	"testing"
-	"time"
-
-	listenermocks "github.com/actions/actions-runner-controller/cmd/ghalistener/listener/mocks"
-	"github.com/actions/actions-runner-controller/cmd/ghalistener/metrics"
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
-	"github.com/stretchr/testify/require"
-)
-
-func TestNew(t *testing.T) {
-	t.Parallel()
-	t.Run("InvalidConfig", func(t *testing.T) {
-		t.Parallel()
-		var config Config
-		_, err := New(config)
-		assert.NotNil(t, err)
-	})
-
-	t.Run("ValidConfig", func(t *testing.T) {
-		t.Parallel()
-		config := Config{
-			Client:     listenermocks.NewClient(t),
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-		l, err := New(config)
-		assert.Nil(t, err)
-		assert.NotNil(t, l)
-	})
-}
-
-func TestListener_createSession(t *testing.T) {
-	t.Parallel()
-	t.Run("FailOnce", func(t *testing.T) {
-		t.Parallel()
-		ctx := context.Background()
-
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-
-		client := listenermocks.NewClient(t)
-		client.On("CreateMessageSession", ctx, mock.Anything, mock.Anything).Return(nil, assert.AnError).Once()
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		err = l.createSession(ctx)
-		assert.NotNil(t, err)
-	})
-
-	t.Run("FailContext", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-		defer cancel()
-
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-
-		client := listenermocks.NewClient(t)
-		client.On("CreateMessageSession", ctx, mock.Anything, mock.Anything).Return(nil,
-			&actions.HttpClientSideError{Code: http.StatusConflict}).Once()
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		err = l.createSession(ctx)
-		assert.True(t, errors.Is(err, context.DeadlineExceeded))
-	})
-
-	t.Run("SetsSession", func(t *testing.T) {
-		t.Parallel()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-
-		client := listenermocks.NewClient(t)
-
-		uuid := uuid.New()
-		session := &actions.RunnerScaleSetSession{
-			SessionId:               &uuid,
-			OwnerName:               "example",
-			RunnerScaleSet:          &actions.RunnerScaleSet{},
-			MessageQueueUrl:         "https://example.com",
-			MessageQueueAccessToken: "1234567890",
-			Statistics:              nil,
-		}
-		client.On("CreateMessageSession", mock.Anything, mock.Anything, mock.Anything).Return(session, nil).Once()
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		err = l.createSession(context.Background())
-		assert.Nil(t, err)
-		assert.Equal(t, session, l.session)
-	})
-}
-
-func TestListener_getMessage(t *testing.T) {
-	t.Parallel()
-
-	t.Run("ReceivesMessage", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := context.Background()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-			MaxRunners: 10,
-		}
-
-		client := listenermocks.NewClient(t)
-		want := &actions.RunnerScaleSetMessage{
-			MessageId: 1,
-		}
-		client.On("GetMessage", ctx, mock.Anything, mock.Anything, mock.Anything, 10).Return(want, nil).Once()
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-		l.session = &actions.RunnerScaleSetSession{}
-
-		got, err := l.getMessage(ctx)
-		assert.Nil(t, err)
-		assert.Equal(t, want, got)
-	})
-
-	t.Run("NotExpiredError", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := context.Background()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-			MaxRunners: 10,
-		}
-
-		client := listenermocks.NewClient(t)
-		client.On("GetMessage", ctx, mock.Anything, mock.Anything, mock.Anything, 10).Return(nil, &actions.HttpClientSideError{Code: http.StatusNotFound}).Once()
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		l.session = &actions.RunnerScaleSetSession{}
-
-		_, err = l.getMessage(ctx)
-		assert.NotNil(t, err)
-	})
-
-	t.Run("RefreshAndSucceeds", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := context.Background()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-			MaxRunners: 10,
-		}
-
-		client := listenermocks.NewClient(t)
-
-		uuid := uuid.New()
-		session := &actions.RunnerScaleSetSession{
-			SessionId:               &uuid,
-			OwnerName:               "example",
-			RunnerScaleSet:          &actions.RunnerScaleSet{},
-			MessageQueueUrl:         "https://example.com",
-			MessageQueueAccessToken: "1234567890",
-			Statistics:              nil,
-		}
-		client.On("RefreshMessageSession", ctx, mock.Anything, mock.Anything).Return(session, nil).Once()
-
-		client.On("GetMessage", ctx, mock.Anything, mock.Anything, mock.Anything, 10).Return(nil, &actions.MessageQueueTokenExpiredError{}).Once()
-
-		want := &actions.RunnerScaleSetMessage{
-			MessageId: 1,
-		}
-		client.On("GetMessage", ctx, mock.Anything, mock.Anything, mock.Anything, 10).Return(want, nil).Once()
-
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		l.session = &actions.RunnerScaleSetSession{
-			SessionId:      &uuid,
-			RunnerScaleSet: &actions.RunnerScaleSet{},
-		}
-
-		got, err := l.getMessage(ctx)
-		assert.Nil(t, err)
-		assert.Equal(t, want, got)
-	})
-
-	t.Run("RefreshAndFails", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := context.Background()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-			MaxRunners: 10,
-		}
-
-		client := listenermocks.NewClient(t)
-
-		uuid := uuid.New()
-		session := &actions.RunnerScaleSetSession{
-			SessionId:               &uuid,
-			OwnerName:               "example",
-			RunnerScaleSet:          &actions.RunnerScaleSet{},
-			MessageQueueUrl:         "https://example.com",
-			MessageQueueAccessToken: "1234567890",
-			Statistics:              nil,
-		}
-		client.On("RefreshMessageSession", ctx, mock.Anything, mock.Anything).Return(session, nil).Once()
-
-		client.On("GetMessage", ctx, mock.Anything, mock.Anything, mock.Anything, 10).Return(nil, &actions.MessageQueueTokenExpiredError{}).Twice()
-
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		l.session = &actions.RunnerScaleSetSession{
-			SessionId:      &uuid,
-			RunnerScaleSet: &actions.RunnerScaleSet{},
-		}
-
-		got, err := l.getMessage(ctx)
-		assert.NotNil(t, err)
-		assert.Nil(t, got)
-	})
-}
-
-func TestListener_refreshSession(t *testing.T) {
-	t.Parallel()
-
-	t.Run("SuccessfullyRefreshes", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := context.Background()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-
-		client := listenermocks.NewClient(t)
-
-		newUUID := uuid.New()
-		session := &actions.RunnerScaleSetSession{
-			SessionId:               &newUUID,
-			OwnerName:               "example",
-			RunnerScaleSet:          &actions.RunnerScaleSet{},
-			MessageQueueUrl:         "https://example.com",
-			MessageQueueAccessToken: "1234567890",
-			Statistics:              nil,
-		}
-		client.On("RefreshMessageSession", ctx, mock.Anything, mock.Anything).Return(session, nil).Once()
-
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		oldUUID := uuid.New()
-		l.session = &actions.RunnerScaleSetSession{
-			SessionId:      &oldUUID,
-			RunnerScaleSet: &actions.RunnerScaleSet{},
-		}
-
-		err = l.refreshSession(ctx)
-		assert.Nil(t, err)
-		assert.Equal(t, session, l.session)
-	})
-
-	t.Run("FailsToRefresh", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := context.Background()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-
-		client := listenermocks.NewClient(t)
-
-		client.On("RefreshMessageSession", ctx, mock.Anything, mock.Anything).Return(nil, errors.New("error")).Once()
-
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		oldUUID := uuid.New()
-		oldSession := &actions.RunnerScaleSetSession{
-			SessionId:      &oldUUID,
-			RunnerScaleSet: &actions.RunnerScaleSet{},
-		}
-		l.session = oldSession
-
-		err = l.refreshSession(ctx)
-		assert.NotNil(t, err)
-		assert.Equal(t, oldSession, l.session)
-	})
-}
-
-func TestListener_deleteLastMessage(t *testing.T) {
-	t.Parallel()
-
-	t.Run("SuccessfullyDeletes", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := context.Background()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-
-		client := listenermocks.NewClient(t)
-
-		client.On("DeleteMessage", ctx, mock.Anything, mock.Anything, mock.MatchedBy(func(lastMessageID any) bool {
-			return lastMessageID.(int64) == int64(5)
-		})).Return(nil).Once()
-
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		l.session = &actions.RunnerScaleSetSession{}
-		l.lastMessageID = 5
-
-		err = l.deleteLastMessage(ctx)
-		assert.Nil(t, err)
-	})
-
-	t.Run("FailsToDelete", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := context.Background()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-
-		client := listenermocks.NewClient(t)
-
-		client.On("DeleteMessage", ctx, mock.Anything, mock.Anything, mock.Anything).Return(errors.New("error")).Once()
-
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		l.session = &actions.RunnerScaleSetSession{}
-		l.lastMessageID = 5
-
-		err = l.deleteLastMessage(ctx)
-		assert.NotNil(t, err)
-	})
-
-	t.Run("RefreshAndSucceeds", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := context.Background()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-
-		client := listenermocks.NewClient(t)
-
-		newUUID := uuid.New()
-		session := &actions.RunnerScaleSetSession{
-			SessionId:               &newUUID,
-			OwnerName:               "example",
-			RunnerScaleSet:          &actions.RunnerScaleSet{},
-			MessageQueueUrl:         "https://example.com",
-			MessageQueueAccessToken: "1234567890",
-			Statistics:              nil,
-		}
-		client.On("RefreshMessageSession", ctx, mock.Anything, mock.Anything).Return(session, nil).Once()
-
-		client.On("DeleteMessage", ctx, mock.Anything, mock.Anything, mock.Anything).Return(&actions.MessageQueueTokenExpiredError{}).Once()
-
-		client.On("DeleteMessage", ctx, mock.Anything, mock.Anything, mock.MatchedBy(func(lastMessageID any) bool {
-			return lastMessageID.(int64) == int64(5)
-		})).Return(nil).Once()
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		oldUUID := uuid.New()
-		l.session = &actions.RunnerScaleSetSession{
-			SessionId:      &oldUUID,
-			RunnerScaleSet: &actions.RunnerScaleSet{},
-		}
-		l.lastMessageID = 5
-
-		config.Client = client
-
-		err = l.deleteLastMessage(ctx)
-		assert.NoError(t, err)
-	})
-
-	t.Run("RefreshAndFails", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := context.Background()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-
-		client := listenermocks.NewClient(t)
-
-		newUUID := uuid.New()
-		session := &actions.RunnerScaleSetSession{
-			SessionId:               &newUUID,
-			OwnerName:               "example",
-			RunnerScaleSet:          &actions.RunnerScaleSet{},
-			MessageQueueUrl:         "https://example.com",
-			MessageQueueAccessToken: "1234567890",
-			Statistics:              nil,
-		}
-		client.On("RefreshMessageSession", ctx, mock.Anything, mock.Anything).Return(session, nil).Once()
-
-		client.On("DeleteMessage", ctx, mock.Anything, mock.Anything, mock.Anything).Return(&actions.MessageQueueTokenExpiredError{}).Twice()
-
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		oldUUID := uuid.New()
-		l.session = &actions.RunnerScaleSetSession{
-			SessionId:      &oldUUID,
-			RunnerScaleSet: &actions.RunnerScaleSet{},
-		}
-		l.lastMessageID = 5
-
-		config.Client = client
-
-		err = l.deleteLastMessage(ctx)
-		assert.Error(t, err)
-	})
-}
-
-func TestListener_Listen(t *testing.T) {
-	t.Parallel()
-
-	t.Run("CreateSessionFails", func(t *testing.T) {
-		t.Parallel()
-		ctx := context.Background()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-
-		client := listenermocks.NewClient(t)
-		client.On("CreateMessageSession", ctx, mock.Anything, mock.Anything).Return(nil, assert.AnError).Once()
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		err = l.Listen(ctx, nil)
-		assert.NotNil(t, err)
-	})
-
-	t.Run("CallHandleRegardlessOfInitialMessage", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithCancel(context.Background())
-
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-
-		client := listenermocks.NewClient(t)
-
-		uuid := uuid.New()
-		session := &actions.RunnerScaleSetSession{
-			SessionId:               &uuid,
-			OwnerName:               "example",
-			RunnerScaleSet:          &actions.RunnerScaleSet{},
-			MessageQueueUrl:         "https://example.com",
-			MessageQueueAccessToken: "1234567890",
-			Statistics:              &actions.RunnerScaleSetStatistic{},
-		}
-		client.On("CreateMessageSession", ctx, mock.Anything, mock.Anything).Return(session, nil).Once()
-		client.On("DeleteMessageSession", mock.Anything, session.RunnerScaleSet.Id, session.SessionId).Return(nil).Once()
-
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		var called bool
-		handler := listenermocks.NewHandler(t)
-		handler.On("HandleDesiredRunnerCount", mock.Anything, mock.Anything, 0).
-			Return(0, nil).
-			Run(
-				func(mock.Arguments) {
-					called = true
-					cancel()
-				},
-			).
-			Once()
-
-		err = l.Listen(ctx, handler)
-		assert.True(t, errors.Is(err, context.Canceled))
-		assert.True(t, called)
-	})
-
-	t.Run("CancelContextAfterGetMessage", func(t *testing.T) {
-		t.Parallel()
-
-		ctx, cancel := context.WithCancel(context.Background())
-
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-			MaxRunners: 10,
-		}
-
-		client := listenermocks.NewClient(t)
-		uuid := uuid.New()
-		session := &actions.RunnerScaleSetSession{
-			SessionId:               &uuid,
-			OwnerName:               "example",
-			RunnerScaleSet:          &actions.RunnerScaleSet{},
-			MessageQueueUrl:         "https://example.com",
-			MessageQueueAccessToken: "1234567890",
-			Statistics:              &actions.RunnerScaleSetStatistic{},
-		}
-		client.On("CreateMessageSession", ctx, mock.Anything, mock.Anything).Return(session, nil).Once()
-		client.On("DeleteMessageSession", mock.Anything, session.RunnerScaleSet.Id, session.SessionId).Return(nil).Once()
-
-		msg := &actions.RunnerScaleSetMessage{
-			MessageId:   1,
-			MessageType: "RunnerScaleSetJobMessages",
-			Statistics:  &actions.RunnerScaleSetStatistic{},
-		}
-		client.On("GetMessage", ctx, mock.Anything, mock.Anything, mock.Anything, 10).
-			Return(msg, nil).
-			Run(
-				func(mock.Arguments) {
-					cancel()
-				},
-			).
-			Once()
-
-		// Ensure delete message is called without cancel
-		client.On("DeleteMessage", context.WithoutCancel(ctx), mock.Anything, mock.Anything, mock.Anything).Return(nil).Once()
-
-		config.Client = client
-
-		handler := listenermocks.NewHandler(t)
-		handler.On("HandleDesiredRunnerCount", mock.Anything, mock.Anything, 0).
-			Return(0, nil).
-			Once()
-
-		handler.On("HandleDesiredRunnerCount", mock.Anything, mock.Anything, 0).
-			Return(0, nil).
-			Once()
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		err = l.Listen(ctx, handler)
-		assert.ErrorIs(t, context.Canceled, err)
-	})
-}
-
-func TestListener_acquireAvailableJobs(t *testing.T) {
-	t.Parallel()
-
-	t.Run("FailingToAcquireJobs", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := context.Background()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-
-		client := listenermocks.NewClient(t)
-
-		client.On("AcquireJobs", ctx, mock.Anything, mock.Anything, mock.Anything).Return(nil, assert.AnError).Once()
-
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		uuid := uuid.New()
-		l.session = &actions.RunnerScaleSetSession{
-			SessionId:               &uuid,
-			OwnerName:               "example",
-			RunnerScaleSet:          &actions.RunnerScaleSet{},
-			MessageQueueUrl:         "https://example.com",
-			MessageQueueAccessToken: "1234567890",
-			Statistics:              &actions.RunnerScaleSetStatistic{},
-		}
-
-		availableJobs := []*actions.JobAvailable{
-			{
-				JobMessageBase: actions.JobMessageBase{
-					RunnerRequestId: 1,
-				},
-			},
-			{
-				JobMessageBase: actions.JobMessageBase{
-					RunnerRequestId: 2,
-				},
-			},
-			{
-				JobMessageBase: actions.JobMessageBase{
-					RunnerRequestId: 3,
-				},
-			},
-		}
-		_, err = l.acquireAvailableJobs(ctx, availableJobs)
-		assert.Error(t, err)
-	})
-
-	t.Run("SuccessfullyAcquiresJobsOnFirstRun", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := context.Background()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-
-		client := listenermocks.NewClient(t)
-
-		jobIDs := []int64{1, 2, 3}
-
-		client.On("AcquireJobs", ctx, mock.Anything, mock.Anything, mock.Anything).Return(jobIDs, nil).Once()
-
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		uuid := uuid.New()
-		l.session = &actions.RunnerScaleSetSession{
-			SessionId:               &uuid,
-			OwnerName:               "example",
-			RunnerScaleSet:          &actions.RunnerScaleSet{},
-			MessageQueueUrl:         "https://example.com",
-			MessageQueueAccessToken: "1234567890",
-			Statistics:              &actions.RunnerScaleSetStatistic{},
-		}
-
-		availableJobs := []*actions.JobAvailable{
-			{
-				JobMessageBase: actions.JobMessageBase{
-					RunnerRequestId: 1,
-				},
-			},
-			{
-				JobMessageBase: actions.JobMessageBase{
-					RunnerRequestId: 2,
-				},
-			},
-			{
-				JobMessageBase: actions.JobMessageBase{
-					RunnerRequestId: 3,
-				},
-			},
-		}
-		acquiredJobIDs, err := l.acquireAvailableJobs(ctx, availableJobs)
-		assert.NoError(t, err)
-		assert.Equal(t, []int64{1, 2, 3}, acquiredJobIDs)
-	})
-
-	t.Run("RefreshAndSucceeds", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := context.Background()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-
-		client := listenermocks.NewClient(t)
-
-		uuid := uuid.New()
-		session := &actions.RunnerScaleSetSession{
-			SessionId:               &uuid,
-			OwnerName:               "example",
-			RunnerScaleSet:          &actions.RunnerScaleSet{},
-			MessageQueueUrl:         "https://example.com",
-			MessageQueueAccessToken: "1234567890",
-			Statistics:              nil,
-		}
-		client.On("RefreshMessageSession", ctx, mock.Anything, mock.Anything).Return(session, nil).Once()
-
-		// Second call to AcquireJobs will succeed
-		want := []int64{1, 2, 3}
-		availableJobs := []*actions.JobAvailable{
-			{
-				JobMessageBase: actions.JobMessageBase{
-					RunnerRequestId: 1,
-				},
-			},
-			{
-				JobMessageBase: actions.JobMessageBase{
-					RunnerRequestId: 2,
-				},
-			},
-			{
-				JobMessageBase: actions.JobMessageBase{
-					RunnerRequestId: 3,
-				},
-			},
-		}
-
-		// First call to AcquireJobs will fail with a token expired error
-		client.On("AcquireJobs", ctx, mock.Anything, mock.Anything, mock.Anything).
-			Run(func(args mock.Arguments) {
-				ids := args.Get(3).([]int64)
-				assert.Equal(t, want, ids)
-			}).
-			Return(nil, &actions.MessageQueueTokenExpiredError{}).
-			Once()
-
-		// Second call should succeed
-		client.On("AcquireJobs", ctx, mock.Anything, mock.Anything, mock.Anything).
-			Run(func(args mock.Arguments) {
-				ids := args.Get(3).([]int64)
-				assert.Equal(t, want, ids)
-			}).
-			Return(want, nil).
-			Once()
-
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		l.session = &actions.RunnerScaleSetSession{
-			SessionId:      &uuid,
-			RunnerScaleSet: &actions.RunnerScaleSet{},
-		}
-
-		got, err := l.acquireAvailableJobs(ctx, availableJobs)
-		assert.Nil(t, err)
-		assert.Equal(t, want, got)
-	})
-
-	t.Run("RefreshAndFails", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := context.Background()
-		config := Config{
-			ScaleSetID: 1,
-			Metrics:    metrics.Discard,
-		}
-
-		client := listenermocks.NewClient(t)
-
-		uuid := uuid.New()
-		session := &actions.RunnerScaleSetSession{
-			SessionId:               &uuid,
-			OwnerName:               "example",
-			RunnerScaleSet:          &actions.RunnerScaleSet{},
-			MessageQueueUrl:         "https://example.com",
-			MessageQueueAccessToken: "1234567890",
-			Statistics:              nil,
-		}
-		client.On("RefreshMessageSession", ctx, mock.Anything, mock.Anything).Return(session, nil).Once()
-
-		client.On("AcquireJobs", ctx, mock.Anything, mock.Anything, mock.Anything).Return(nil, &actions.MessageQueueTokenExpiredError{}).Twice()
-
-		config.Client = client
-
-		l, err := New(config)
-		require.Nil(t, err)
-
-		l.session = &actions.RunnerScaleSetSession{
-			SessionId:      &uuid,
-			RunnerScaleSet: &actions.RunnerScaleSet{},
-		}
-
-		availableJobs := []*actions.JobAvailable{
-			{
-				JobMessageBase: actions.JobMessageBase{
-					RunnerRequestId: 1,
-				},
-			},
-			{
-				JobMessageBase: actions.JobMessageBase{
-					RunnerRequestId: 2,
-				},
-			},
-			{
-				JobMessageBase: actions.JobMessageBase{
-					RunnerRequestId: 3,
-				},
-			},
-		}
-
-		got, err := l.acquireAvailableJobs(ctx, availableJobs)
-		assert.NotNil(t, err)
-		assert.Nil(t, got)
-	})
-}
-
-func TestListener_parseMessage(t *testing.T) {
-	t.Run("FailOnEmptyStatistics", func(t *testing.T) {
-		msg := &actions.RunnerScaleSetMessage{
-			MessageId:   1,
-			MessageType: "RunnerScaleSetJobMessages",
-			Statistics:  nil,
-		}
-
-		l := &Listener{}
-		parsedMsg, err := l.parseMessage(context.Background(), msg)
-		assert.Error(t, err)
-		assert.Nil(t, parsedMsg)
-	})
-
-	t.Run("FailOnIncorrectMessageType", func(t *testing.T) {
-		msg := &actions.RunnerScaleSetMessage{
-			MessageId:   1,
-			MessageType: "RunnerMessages", // arbitrary message type
-			Statistics:  &actions.RunnerScaleSetStatistic{},
-		}
-
-		l := &Listener{}
-		parsedMsg, err := l.parseMessage(context.Background(), msg)
-		assert.Error(t, err)
-		assert.Nil(t, parsedMsg)
-	})
-
-	t.Run("ParseAll", func(t *testing.T) {
-		msg := &actions.RunnerScaleSetMessage{
-			MessageId:   1,
-			MessageType: "RunnerScaleSetJobMessages",
-			Body:        "",
-			Statistics: &actions.RunnerScaleSetStatistic{
-				TotalAvailableJobs:     1,
-				TotalAcquiredJobs:      2,
-				TotalAssignedJobs:      3,
-				TotalRunningJobs:       4,
-				TotalRegisteredRunners: 5,
-				TotalBusyRunners:       6,
-				TotalIdleRunners:       7,
-			},
-		}
-
-		var batchedMessages []any
-		jobsAvailable := []*actions.JobAvailable{
-			{
-				AcquireJobUrl: "https://github.com/example",
-				JobMessageBase: actions.JobMessageBase{
-					JobMessageType: actions.JobMessageType{
-						MessageType: messageTypeJobAvailable,
-					},
-					RunnerRequestId: 1,
-				},
-			},
-			{
-				AcquireJobUrl: "https://github.com/example",
-				JobMessageBase: actions.JobMessageBase{
-					JobMessageType: actions.JobMessageType{
-						MessageType: messageTypeJobAvailable,
-					},
-					RunnerRequestId: 2,
-				},
-			},
-		}
-		for _, msg := range jobsAvailable {
-			batchedMessages = append(batchedMessages, msg)
-		}
-
-		jobsAssigned := []*actions.JobAssigned{
-			{
-				JobMessageBase: actions.JobMessageBase{
-					JobMessageType: actions.JobMessageType{
-						MessageType: messageTypeJobAssigned,
-					},
-					RunnerRequestId: 3,
-				},
-			},
-			{
-				JobMessageBase: actions.JobMessageBase{
-					JobMessageType: actions.JobMessageType{
-						MessageType: messageTypeJobAssigned,
-					},
-					RunnerRequestId: 4,
-				},
-			},
-		}
-		for _, msg := range jobsAssigned {
-			batchedMessages = append(batchedMessages, msg)
-		}
-
-		jobsStarted := []*actions.JobStarted{
-			{
-				JobMessageBase: actions.JobMessageBase{
-					JobMessageType: actions.JobMessageType{
-						MessageType: messageTypeJobStarted,
-					},
-					RunnerRequestId: 5,
-				},
-				RunnerId:   2,
-				RunnerName: "runner2",
-			},
-		}
-		for _, msg := range jobsStarted {
-			batchedMessages = append(batchedMessages, msg)
-		}
-
-		jobsCompleted := []*actions.JobCompleted{
-			{
-				JobMessageBase: actions.JobMessageBase{
-					JobMessageType: actions.JobMessageType{
-						MessageType: messageTypeJobCompleted,
-					},
-					RunnerRequestId: 6,
-				},
-				Result:     "success",
-				RunnerId:   1,
-				RunnerName: "runner1",
-			},
-		}
-		for _, msg := range jobsCompleted {
-			batchedMessages = append(batchedMessages, msg)
-		}
-
-		b, err := json.Marshal(batchedMessages)
-		require.NoError(t, err)
-
-		msg.Body = string(b)
-
-		l := &Listener{}
-		parsedMsg, err := l.parseMessage(context.Background(), msg)
-		require.NoError(t, err)
-
-		assert.Equal(t, msg.Statistics, parsedMsg.statistics)
-		assert.Equal(t, jobsAvailable, parsedMsg.jobsAvailable)
-		assert.Equal(t, jobsStarted, parsedMsg.jobsStarted)
-		assert.Equal(t, jobsCompleted, parsedMsg.jobsCompleted)
-	})
-}

cmd/ghalistener/listener/metrics_test.go

@@ -1,205 +0,0 @@
-package listener
-
-import (
-	"context"
-	"encoding/json"
-	"testing"
-
-	listenermocks "github.com/actions/actions-runner-controller/cmd/ghalistener/listener/mocks"
-	metricsmocks "github.com/actions/actions-runner-controller/cmd/ghalistener/metrics/mocks"
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
-	"github.com/stretchr/testify/require"
-)
-
-func TestInitialMetrics(t *testing.T) {
-	t.Parallel()
-
-	t.Run("SetStaticMetrics", func(t *testing.T) {
-		t.Parallel()
-
-		metrics := metricsmocks.NewPublisher(t)
-
-		minRunners := 5
-		maxRunners := 10
-		metrics.On("PublishStatic", minRunners, maxRunners).Once()
-
-		config := Config{
-			Client:     listenermocks.NewClient(t),
-			ScaleSetID: 1,
-			Metrics:    metrics,
-			MinRunners: minRunners,
-			MaxRunners: maxRunners,
-		}
-		l, err := New(config)
-
-		assert.Nil(t, err)
-		assert.NotNil(t, l)
-	})
-
-	t.Run("InitialMessageStatistics", func(t *testing.T) {
-		t.Parallel()
-
-		ctx, cancel := context.WithCancel(context.Background())
-
-		sessionStatistics := &actions.RunnerScaleSetStatistic{
-			TotalAvailableJobs:     1,
-			TotalAcquiredJobs:      2,
-			TotalAssignedJobs:      3,
-			TotalRunningJobs:       4,
-			TotalRegisteredRunners: 5,
-			TotalBusyRunners:       6,
-			TotalIdleRunners:       7,
-		}
-
-		uuid := uuid.New()
-		session := &actions.RunnerScaleSetSession{
-			SessionId:               &uuid,
-			OwnerName:               "example",
-			RunnerScaleSet:          &actions.RunnerScaleSet{},
-			MessageQueueUrl:         "https://example.com",
-			MessageQueueAccessToken: "1234567890",
-			Statistics:              sessionStatistics,
-		}
-
-		metrics := metricsmocks.NewPublisher(t)
-		metrics.On("PublishStatic", mock.Anything, mock.Anything).Once()
-		metrics.On("PublishStatistics", sessionStatistics).Once()
-		metrics.On("PublishDesiredRunners", sessionStatistics.TotalAssignedJobs).
-			Run(
-				func(mock.Arguments) {
-					cancel()
-				},
-			).Once()
-
-		config := Config{
-			Client:     listenermocks.NewClient(t),
-			ScaleSetID: 1,
-			Metrics:    metrics,
-		}
-
-		client := listenermocks.NewClient(t)
-		client.On("CreateMessageSession", mock.Anything, mock.Anything, mock.Anything).Return(session, nil).Once()
-		client.On("DeleteMessageSession", mock.Anything, session.RunnerScaleSet.Id, session.SessionId).Return(nil).Once()
-		config.Client = client
-
-		handler := listenermocks.NewHandler(t)
-		handler.On("HandleDesiredRunnerCount", mock.Anything, sessionStatistics.TotalAssignedJobs, 0).
-			Return(sessionStatistics.TotalAssignedJobs, nil).
-			Once()
-
-		l, err := New(config)
-		assert.Nil(t, err)
-		assert.NotNil(t, l)
-
-		assert.ErrorIs(t, context.Canceled, l.Listen(ctx, handler))
-	})
-}
-
-func TestHandleMessageMetrics(t *testing.T) {
-	t.Parallel()
-
-	msg := &actions.RunnerScaleSetMessage{
-		MessageId:   1,
-		MessageType: "RunnerScaleSetJobMessages",
-		Body:        "",
-		Statistics: &actions.RunnerScaleSetStatistic{
-			TotalAvailableJobs:     1,
-			TotalAcquiredJobs:      2,
-			TotalAssignedJobs:      3,
-			TotalRunningJobs:       4,
-			TotalRegisteredRunners: 5,
-			TotalBusyRunners:       6,
-			TotalIdleRunners:       7,
-		},
-	}
-
-	var batchedMessages []any
-	jobsStarted := []*actions.JobStarted{
-		{
-			JobMessageBase: actions.JobMessageBase{
-				JobMessageType: actions.JobMessageType{
-					MessageType: messageTypeJobStarted,
-				},
-				RunnerRequestId: 8,
-			},
-			RunnerId:   3,
-			RunnerName: "runner3",
-		},
-	}
-	for _, msg := range jobsStarted {
-		batchedMessages = append(batchedMessages, msg)
-	}
-
-	jobsCompleted := []*actions.JobCompleted{
-		{
-			JobMessageBase: actions.JobMessageBase{
-				JobMessageType: actions.JobMessageType{
-					MessageType: messageTypeJobCompleted,
-				},
-				RunnerRequestId: 6,
-			},
-			Result:     "success",
-			RunnerId:   1,
-			RunnerName: "runner1",
-		},
-		{
-			JobMessageBase: actions.JobMessageBase{
-				JobMessageType: actions.JobMessageType{
-					MessageType: messageTypeJobCompleted,
-				},
-				RunnerRequestId: 7,
-			},
-			Result:     "success",
-			RunnerId:   2,
-			RunnerName: "runner2",
-		},
-	}
-	for _, msg := range jobsCompleted {
-		batchedMessages = append(batchedMessages, msg)
-	}
-
-	b, err := json.Marshal(batchedMessages)
-	require.NoError(t, err)
-
-	msg.Body = string(b)
-
-	desiredResult := 4
-
-	metrics := metricsmocks.NewPublisher(t)
-	metrics.On("PublishStatic", 0, 0).Once()
-	metrics.On("PublishStatistics", msg.Statistics).Once()
-	metrics.On("PublishJobCompleted", jobsCompleted[0]).Once()
-	metrics.On("PublishJobCompleted", jobsCompleted[1]).Once()
-	metrics.On("PublishJobStarted", jobsStarted[0]).Once()
-	metrics.On("PublishDesiredRunners", desiredResult).Once()
-
-	handler := listenermocks.NewHandler(t)
-	handler.On("HandleJobStarted", mock.Anything, jobsStarted[0]).Return(nil).Once()
-	handler.On("HandleDesiredRunnerCount", mock.Anything, mock.Anything, 2).Return(desiredResult, nil).Once()
-
-	client := listenermocks.NewClient(t)
-	client.On("DeleteMessage", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil).Once()
-
-	config := Config{
-		Client:     listenermocks.NewClient(t),
-		ScaleSetID: 1,
-		Metrics:    metrics,
-	}
-
-	l, err := New(config)
-	require.NoError(t, err)
-	l.client = client
-	l.session = &actions.RunnerScaleSetSession{
-		OwnerName:               "",
-		RunnerScaleSet:          &actions.RunnerScaleSet{},
-		MessageQueueUrl:         "",
-		MessageQueueAccessToken: "",
-		Statistics:              &actions.RunnerScaleSetStatistic{},
-	}
-
-	err = l.handleMessage(context.Background(), handler, msg)
-	require.NoError(t, err)
-}

cmd/ghalistener/listener/mocks/client.go

@@ -1,190 +0,0 @@
-// Code generated by mockery v2.36.1. DO NOT EDIT.
-
-package mocks
-
-import (
-	context "context"
-
-	actions "github.com/actions/actions-runner-controller/github/actions"
-
-	mock "github.com/stretchr/testify/mock"
-
-	uuid "github.com/google/uuid"
-)
-
-// Client is an autogenerated mock type for the Client type
-type Client struct {
-	mock.Mock
-}
-
-// AcquireJobs provides a mock function with given fields: ctx, runnerScaleSetId, messageQueueAccessToken, requestIds
-func (_m *Client) AcquireJobs(ctx context.Context, runnerScaleSetId int, messageQueueAccessToken string, requestIds []int64) ([]int64, error) {
-	ret := _m.Called(ctx, runnerScaleSetId, messageQueueAccessToken, requestIds)
-
-	var r0 []int64
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, int, string, []int64) ([]int64, error)); ok {
-		return rf(ctx, runnerScaleSetId, messageQueueAccessToken, requestIds)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, int, string, []int64) []int64); ok {
-		r0 = rf(ctx, runnerScaleSetId, messageQueueAccessToken, requestIds)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]int64)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, int, string, []int64) error); ok {
-		r1 = rf(ctx, runnerScaleSetId, messageQueueAccessToken, requestIds)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// CreateMessageSession provides a mock function with given fields: ctx, runnerScaleSetId, owner
-func (_m *Client) CreateMessageSession(ctx context.Context, runnerScaleSetId int, owner string) (*actions.RunnerScaleSetSession, error) {
-	ret := _m.Called(ctx, runnerScaleSetId, owner)
-
-	var r0 *actions.RunnerScaleSetSession
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, int, string) (*actions.RunnerScaleSetSession, error)); ok {
-		return rf(ctx, runnerScaleSetId, owner)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, int, string) *actions.RunnerScaleSetSession); ok {
-		r0 = rf(ctx, runnerScaleSetId, owner)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*actions.RunnerScaleSetSession)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, int, string) error); ok {
-		r1 = rf(ctx, runnerScaleSetId, owner)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// DeleteMessage provides a mock function with given fields: ctx, messageQueueUrl, messageQueueAccessToken, messageId
-func (_m *Client) DeleteMessage(ctx context.Context, messageQueueUrl string, messageQueueAccessToken string, messageId int64) error {
-	ret := _m.Called(ctx, messageQueueUrl, messageQueueAccessToken, messageId)
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, int64) error); ok {
-		r0 = rf(ctx, messageQueueUrl, messageQueueAccessToken, messageId)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// DeleteMessageSession provides a mock function with given fields: ctx, runnerScaleSetId, sessionId
-func (_m *Client) DeleteMessageSession(ctx context.Context, runnerScaleSetId int, sessionId *uuid.UUID) error {
-	ret := _m.Called(ctx, runnerScaleSetId, sessionId)
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, int, *uuid.UUID) error); ok {
-		r0 = rf(ctx, runnerScaleSetId, sessionId)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// GetAcquirableJobs provides a mock function with given fields: ctx, runnerScaleSetId
-func (_m *Client) GetAcquirableJobs(ctx context.Context, runnerScaleSetId int) (*actions.AcquirableJobList, error) {
-	ret := _m.Called(ctx, runnerScaleSetId)
-
-	var r0 *actions.AcquirableJobList
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, int) (*actions.AcquirableJobList, error)); ok {
-		return rf(ctx, runnerScaleSetId)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, int) *actions.AcquirableJobList); ok {
-		r0 = rf(ctx, runnerScaleSetId)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*actions.AcquirableJobList)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, int) error); ok {
-		r1 = rf(ctx, runnerScaleSetId)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// GetMessage provides a mock function with given fields: ctx, messageQueueUrl, messageQueueAccessToken, lastMessageId, maxCapacity
-func (_m *Client) GetMessage(ctx context.Context, messageQueueUrl string, messageQueueAccessToken string, lastMessageId int64, maxCapacity int) (*actions.RunnerScaleSetMessage, error) {
-	ret := _m.Called(ctx, messageQueueUrl, messageQueueAccessToken, lastMessageId, maxCapacity)
-
-	var r0 *actions.RunnerScaleSetMessage
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, int64, int) (*actions.RunnerScaleSetMessage, error)); ok {
-		return rf(ctx, messageQueueUrl, messageQueueAccessToken, lastMessageId, maxCapacity)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, int64, int) *actions.RunnerScaleSetMessage); ok {
-		r0 = rf(ctx, messageQueueUrl, messageQueueAccessToken, lastMessageId, maxCapacity)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*actions.RunnerScaleSetMessage)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, string, string, int64, int) error); ok {
-		r1 = rf(ctx, messageQueueUrl, messageQueueAccessToken, lastMessageId, maxCapacity)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// RefreshMessageSession provides a mock function with given fields: ctx, runnerScaleSetId, sessionId
-func (_m *Client) RefreshMessageSession(ctx context.Context, runnerScaleSetId int, sessionId *uuid.UUID) (*actions.RunnerScaleSetSession, error) {
-	ret := _m.Called(ctx, runnerScaleSetId, sessionId)
-
-	var r0 *actions.RunnerScaleSetSession
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, int, *uuid.UUID) (*actions.RunnerScaleSetSession, error)); ok {
-		return rf(ctx, runnerScaleSetId, sessionId)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, int, *uuid.UUID) *actions.RunnerScaleSetSession); ok {
-		r0 = rf(ctx, runnerScaleSetId, sessionId)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*actions.RunnerScaleSetSession)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, int, *uuid.UUID) error); ok {
-		r1 = rf(ctx, runnerScaleSetId, sessionId)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// NewClient creates a new instance of Client. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewClient(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *Client {
-	mock := &Client{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

cmd/ghalistener/listener/mocks/handler.go

@@ -1,68 +0,0 @@
-// Code generated by mockery v2.36.1. DO NOT EDIT.
-
-package mocks
-
-import (
-	context "context"
-
-	actions "github.com/actions/actions-runner-controller/github/actions"
-
-	mock "github.com/stretchr/testify/mock"
-)
-
-// Handler is an autogenerated mock type for the Handler type
-type Handler struct {
-	mock.Mock
-}
-
-// HandleDesiredRunnerCount provides a mock function with given fields: ctx, count, jobsCompleted
-func (_m *Handler) HandleDesiredRunnerCount(ctx context.Context, count int, jobsCompleted int) (int, error) {
-	ret := _m.Called(ctx, count, jobsCompleted)
-
-	var r0 int
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, int, int) (int, error)); ok {
-		return rf(ctx, count, jobsCompleted)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, int, int) int); ok {
-		r0 = rf(ctx, count, jobsCompleted)
-	} else {
-		r0 = ret.Get(0).(int)
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, int, int) error); ok {
-		r1 = rf(ctx, count, jobsCompleted)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// HandleJobStarted provides a mock function with given fields: ctx, jobInfo
-func (_m *Handler) HandleJobStarted(ctx context.Context, jobInfo *actions.JobStarted) error {
-	ret := _m.Called(ctx, jobInfo)
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, *actions.JobStarted) error); ok {
-		r0 = rf(ctx, jobInfo)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// NewHandler creates a new instance of Handler. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewHandler(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *Handler {
-	mock := &Handler{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

cmd/ghalistener/main.go

@@ -8,33 +8,141 @@ import (
 	"os/signal"
 	"syscall"
 
-	"github.com/actions/actions-runner-controller/cmd/ghalistener/app"
 	"github.com/actions/actions-runner-controller/cmd/ghalistener/config"
+	"github.com/actions/actions-runner-controller/cmd/ghalistener/metrics"
+	"github.com/actions/actions-runner-controller/cmd/ghalistener/scaler"
+	"github.com/actions/actions-runner-controller/github/actions"
+	"github.com/actions/scaleset/listener"
+	"github.com/google/uuid"
+	"golang.org/x/sync/errgroup"
 )
 
 func main() {
+	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer stop()
+
 	configPath, ok := os.LookupEnv("LISTENER_CONFIG_PATH")
 	if !ok {
 		fmt.Fprintf(os.Stderr, "Error: LISTENER_CONFIG_PATH environment variable is not set\n")
 		os.Exit(1)
 	}
-	config, err := config.Read(configPath)
+
+	config, err := config.Read(ctx, configPath)
 	if err != nil {
 		log.Printf("Failed to read config: %v", err)
 		os.Exit(1)
 	}
 
-	app, err := app.New(config)
-	if err != nil {
-		log.Printf("Failed to initialize app: %v", err)
-		os.Exit(1)
-	}
-
-	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
-	defer stop()
-
-	if err := app.Run(ctx); err != nil {
+	if err := run(ctx, config); err != nil {
 		log.Printf("Application returned an error: %v", err)
 		os.Exit(1)
 	}
 }
+
+func run(ctx context.Context, config *config.Config) error {
+	ghConfig, err := actions.ParseGitHubConfigFromURL(config.ConfigureUrl)
+	if err != nil {
+		return fmt.Errorf("failed to parse GitHub config from URL: %w", err)
+	}
+
+	logger, err := config.Logger()
+	if err != nil {
+		return fmt.Errorf("failed to create logger: %w", err)
+	}
+
+	var metricsExporter metrics.ServerExporter
+	if config.MetricsAddr != "" {
+		metricsExporter = metrics.NewExporter(metrics.ExporterConfig{
+			ScaleSetName:      config.EphemeralRunnerSetName,
+			ScaleSetNamespace: config.EphemeralRunnerSetNamespace,
+			Enterprise:        ghConfig.Enterprise,
+			Organization:      ghConfig.Organization,
+			Repository:        ghConfig.Repository,
+			ServerAddr:        config.MetricsAddr,
+			ServerEndpoint:    config.MetricsEndpoint,
+			Metrics:           config.Metrics,
+			Logger:            logger.With("component", "metrics exporter"),
+		})
+	}
+
+	hostname, err := os.Hostname()
+	if err != nil {
+		hostname = uuid.NewString()
+		logger.Info("Failed to get hostname, fallback to uuid", "uuid", hostname, "error", err)
+	}
+
+	scalesetClient, err := config.ActionsClient(logger)
+	if err != nil {
+		return fmt.Errorf("failed to create actions client: %w", err)
+	}
+
+	sessionClient, err := scalesetClient.MessageSessionClient(
+		ctx,
+		config.RunnerScaleSetID,
+		hostname,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create actions message session client: %w", err)
+	}
+	defer func() {
+		if err := sessionClient.Close(context.Background()); err != nil {
+			logger.Error("Failed to close session client", "error", err)
+		}
+	}()
+
+	var listenerOptions []listener.Option
+	if metricsExporter != nil {
+		listenerOptions = append(
+			listenerOptions,
+			listener.WithMetricsRecorder(
+				metricsExporter,
+			),
+		)
+		metricsExporter.RecordStatic(config.MinRunners, config.MaxRunners)
+	}
+
+	listener, err := listener.New(
+		sessionClient,
+		listener.Config{
+			ScaleSetID: config.RunnerScaleSetID,
+			MaxRunners: config.MaxRunners,
+			Logger:     logger.With("component", "listener"),
+		},
+		listenerOptions...,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create new listener: %w", err)
+	}
+
+	scaler, err := scaler.New(
+		scaler.Config{
+			EphemeralRunnerSetNamespace: config.EphemeralRunnerSetNamespace,
+			EphemeralRunnerSetName:      config.EphemeralRunnerSetName,
+			MaxRunners:                  config.MaxRunners,
+			MinRunners:                  config.MinRunners,
+		},
+		scaler.WithLogger(logger.With("component", "worker")),
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create new kubernetes worker: %w", err)
+	}
+
+	g, ctx := errgroup.WithContext(ctx)
+	metricsCtx, cancelMetrics := context.WithCancelCause(ctx)
+
+	g.Go(func() error {
+		logger.Info("Starting listener")
+		listnerErr := listener.Run(ctx, scaler)
+		cancelMetrics(fmt.Errorf("listener exited: %w", listnerErr))
+		return listnerErr
+	})
+
+	if metricsExporter != nil {
+		g.Go(func() error {
+			logger.Info("Starting metrics server")
+			return metricsExporter.ListenAndServe(metricsCtx)
+		})
+	}
+
+	return g.Wait()
+}

cmd/ghalistener/metrics/metrics.go

@@ -2,14 +2,13 @@ package metrics
 
 import (
 	"context"
-	"errors"
+	"log/slog"
 	"net/http"
 	"strings"
 	"time"
 
 	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/go-logr/logr"
+	"github.com/actions/scaleset"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 )
@@ -21,6 +20,9 @@ const (
 	labelKeyOrganization            = "organization"
 	labelKeyRepository              = "repository"
 	labelKeyJobName                 = "job_name"
+	labelKeyJobWorkflowRef          = "job_workflow_ref"
+	labelKeyJobWorkflowName         = "job_workflow_name"
+	labelKeyJobWorkflowTarget       = "job_workflow_target"
 	labelKeyEventName               = "event_name"
 	labelKeyJobResult               = "job_result"
 )
@@ -73,50 +75,52 @@ var metricsHelp = metricsHelpRegistry{
 	},
 }
 
-func (e *exporter) jobLabels(jobBase *actions.JobMessageBase) prometheus.Labels {
+func (e *exporter) jobLabels(jobBase *scaleset.JobMessageBase) prometheus.Labels {
+	workflowRefInfo := ParseWorkflowRef(jobBase.JobWorkflowRef)
 	return prometheus.Labels{
-		labelKeyEnterprise:   e.scaleSetLabels[labelKeyEnterprise],
-		labelKeyOrganization: jobBase.OwnerName,
-		labelKeyRepository:   jobBase.RepositoryName,
-		labelKeyJobName:      jobBase.JobDisplayName,
-		labelKeyEventName:    jobBase.EventName,
+		labelKeyEnterprise:        e.scaleSetLabels[labelKeyEnterprise],
+		labelKeyOrganization:      jobBase.OwnerName,
+		labelKeyRepository:        jobBase.RepositoryName,
+		labelKeyJobName:           jobBase.JobDisplayName,
+		labelKeyJobWorkflowRef:    jobBase.JobWorkflowRef,
+		labelKeyJobWorkflowName:   workflowRefInfo.Name,
+		labelKeyJobWorkflowTarget: workflowRefInfo.Target,
+		labelKeyEventName:         jobBase.EventName,
 	}
 }
 
-func (e *exporter) completedJobLabels(msg *actions.JobCompleted) prometheus.Labels {
+func (e *exporter) completedJobLabels(msg *scaleset.JobCompleted) prometheus.Labels {
 	l := e.jobLabels(&msg.JobMessageBase)
 	l[labelKeyJobResult] = msg.Result
 	return l
 }
 
-func (e *exporter) startedJobLabels(msg *actions.JobStarted) prometheus.Labels {
+func (e *exporter) startedJobLabels(msg *scaleset.JobStarted) prometheus.Labels {
 	return e.jobLabels(&msg.JobMessageBase)
 }
 
-//go:generate mockery --name Publisher --output ./mocks --outpkg mocks --case underscore
-type Publisher interface {
-	PublishStatic(min, max int)
-	PublishStatistics(stats *actions.RunnerScaleSetStatistic)
-	PublishJobStarted(msg *actions.JobStarted)
-	PublishJobCompleted(msg *actions.JobCompleted)
-	PublishDesiredRunners(count int)
+type Recorder interface {
+	RecordStatic(min, max int)
+	RecordStatistics(stats *scaleset.RunnerScaleSetStatistic)
+	RecordJobStarted(msg *scaleset.JobStarted)
+	RecordJobCompleted(msg *scaleset.JobCompleted)
+	RecordDesiredRunners(count int)
 }
 
-//go:generate mockery --name ServerPublisher --output ./mocks --outpkg mocks --case underscore
 type ServerExporter interface {
-	Publisher
+	Recorder
 	ListenAndServe(ctx context.Context) error
 }
 
 var (
-	_ Publisher      = &discard{}
+	_ Recorder       = &discard{}
 	_ ServerExporter = &exporter{}
 )
 
-var Discard Publisher = &discard{}
+var Discard Recorder = &discard{}
 
 type exporter struct {
-	logger         logr.Logger
+	logger         *slog.Logger
 	scaleSetLabels prometheus.Labels
 	*metrics
 	srv *http.Server
@@ -151,14 +155,149 @@ type ExporterConfig struct {
 	Repository        string
 	ServerAddr        string
 	ServerEndpoint    string
-	Logger            logr.Logger
-	Metrics           v1alpha1.MetricsConfig
+	Logger            *slog.Logger
+	Metrics           *v1alpha1.MetricsConfig
+}
+
+var defaultMetrics = v1alpha1.MetricsConfig{
+	Counters: map[string]*v1alpha1.CounterMetric{
+		MetricStartedJobsTotal: {
+			Labels: []string{
+				labelKeyEnterprise,
+				labelKeyOrganization,
+				labelKeyRepository,
+				labelKeyJobName,
+				labelKeyEventName,
+			},
+		},
+		MetricCompletedJobsTotal: {
+			Labels: []string{
+				labelKeyEnterprise,
+				labelKeyOrganization,
+				labelKeyRepository,
+				labelKeyJobName,
+				labelKeyEventName,
+				labelKeyJobResult,
+			},
+		},
+	},
+	Gauges: map[string]*v1alpha1.GaugeMetric{
+		MetricAssignedJobs: {
+			Labels: []string{
+				labelKeyEnterprise,
+				labelKeyOrganization,
+				labelKeyRepository,
+				labelKeyRunnerScaleSetName,
+				labelKeyRunnerScaleSetNamespace,
+			},
+		},
+		MetricRunningJobs: {
+			Labels: []string{
+				labelKeyEnterprise,
+				labelKeyOrganization,
+				labelKeyRepository,
+				labelKeyRunnerScaleSetName,
+				labelKeyRunnerScaleSetNamespace,
+			},
+		},
+		MetricRegisteredRunners: {
+			Labels: []string{
+				labelKeyEnterprise,
+				labelKeyOrganization,
+				labelKeyRepository,
+				labelKeyRunnerScaleSetName,
+				labelKeyRunnerScaleSetNamespace,
+			},
+		},
+		MetricBusyRunners: {
+			Labels: []string{
+				labelKeyEnterprise,
+				labelKeyOrganization,
+				labelKeyRepository,
+				labelKeyRunnerScaleSetName,
+				labelKeyRunnerScaleSetNamespace,
+			},
+		},
+		MetricMinRunners: {
+			Labels: []string{
+				labelKeyEnterprise,
+				labelKeyOrganization,
+				labelKeyRepository,
+				labelKeyRunnerScaleSetName,
+				labelKeyRunnerScaleSetNamespace,
+			},
+		},
+		MetricMaxRunners: {
+			Labels: []string{
+				labelKeyEnterprise,
+				labelKeyOrganization,
+				labelKeyRepository,
+				labelKeyRunnerScaleSetName,
+				labelKeyRunnerScaleSetNamespace,
+			},
+		},
+		MetricDesiredRunners: {
+			Labels: []string{
+				labelKeyEnterprise,
+				labelKeyOrganization,
+				labelKeyRepository,
+				labelKeyRunnerScaleSetName,
+				labelKeyRunnerScaleSetNamespace,
+			},
+		},
+		MetricIdleRunners: {
+			Labels: []string{
+				labelKeyEnterprise,
+				labelKeyOrganization,
+				labelKeyRepository,
+				labelKeyRunnerScaleSetName,
+				labelKeyRunnerScaleSetNamespace,
+			},
+		},
+	},
+	Histograms: map[string]*v1alpha1.HistogramMetric{
+		MetricJobStartupDurationSeconds: {
+			Labels: []string{
+				labelKeyEnterprise,
+				labelKeyOrganization,
+				labelKeyRepository,
+				labelKeyJobName,
+				labelKeyEventName,
+			},
+			Buckets: defaultRuntimeBuckets,
+		},
+		MetricJobExecutionDurationSeconds: {
+			Labels: []string{
+				labelKeyEnterprise,
+				labelKeyOrganization,
+				labelKeyRepository,
+				labelKeyJobName,
+				labelKeyEventName,
+				labelKeyJobResult,
+			},
+			Buckets: defaultRuntimeBuckets,
+		},
+	},
+}
+
+func (e *ExporterConfig) defaults() {
+	if e.ServerAddr == "" {
+		e.ServerAddr = ":8080"
+	}
+	if e.ServerEndpoint == "" {
+		e.ServerEndpoint = "/metrics"
+	}
+	if e.Metrics == nil {
+		defaultMetrics := defaultMetrics
+		e.Metrics = &defaultMetrics
+	}
 }
 
 func NewExporter(config ExporterConfig) ServerExporter {
+	config.defaults()
 	reg := prometheus.NewRegistry()
 
-	metrics := installMetrics(config.Metrics, reg, config.Logger)
+	metrics := installMetrics(*config.Metrics, reg, config.Logger)
 
 	mux := http.NewServeMux()
 	mux.Handle(
@@ -167,7 +306,7 @@ func NewExporter(config ExporterConfig) ServerExporter {
 	)
 
 	return &exporter{
-		logger: config.Logger.WithName("metrics"),
+		logger: config.Logger.With("component", "metrics exporter"),
 		scaleSetLabels: prometheus.Labels{
 			labelKeyRunnerScaleSetName:      config.ScaleSetName,
 			labelKeyRunnerScaleSetNamespace: config.ScaleSetNamespace,
@@ -183,9 +322,7 @@ func NewExporter(config ExporterConfig) ServerExporter {
 	}
 }
 
-var errUnknownMetricName = errors.New("unknown metric name")
-
-func installMetrics(config v1alpha1.MetricsConfig, reg *prometheus.Registry, logger logr.Logger) *metrics {
+func installMetrics(config v1alpha1.MetricsConfig, reg *prometheus.Registry, logger *slog.Logger) *metrics {
 	logger.Info(
 		"Registering metrics",
 		"gauges",
@@ -203,7 +340,11 @@ func installMetrics(config v1alpha1.MetricsConfig, reg *prometheus.Registry, log
 	for name, cfg := range config.Gauges {
 		help, ok := metricsHelp.gauges[name]
 		if !ok {
-			logger.Error(errUnknownMetricName, "name", name, "kind", "gauge")
+			logger.Error(
+				"unknown metric name",
+				slog.String("name", name),
+				slog.String("kind", "gauge"),
+			)
 			continue
 		}
 
@@ -225,7 +366,11 @@ func installMetrics(config v1alpha1.MetricsConfig, reg *prometheus.Registry, log
 	for name, cfg := range config.Counters {
 		help, ok := metricsHelp.counters[name]
 		if !ok {
-			logger.Error(errUnknownMetricName, "name", name, "kind", "counter")
+			logger.Error(
+				"unknown metric name",
+				slog.String("name", name),
+				slog.String("kind", "counter"),
+			)
 			continue
 		}
 		c := prometheus.V2.NewCounterVec(prometheus.CounterVecOpts{
@@ -246,7 +391,11 @@ func installMetrics(config v1alpha1.MetricsConfig, reg *prometheus.Registry, log
 	for name, cfg := range config.Histograms {
 		help, ok := metricsHelp.histograms[name]
 		if !ok {
-			logger.Error(errUnknownMetricName, "name", name, "kind", "histogram")
+			logger.Error(
+				"unknown metric name",
+				slog.String("name", name),
+				slog.String("kind", "histogram"),
+			)
 			continue
 		}
 
@@ -322,20 +471,20 @@ func (e *exporter) observeHistogram(name string, allLabels prometheus.Labels, va
 	m.histogram.With(labels).Observe(val)
 }
 
-func (e *exporter) PublishStatic(min, max int) {
+func (e *exporter) RecordStatic(min, max int) {
 	e.setGauge(MetricMaxRunners, e.scaleSetLabels, float64(max))
 	e.setGauge(MetricMinRunners, e.scaleSetLabels, float64(min))
 }
 
-func (e *exporter) PublishStatistics(stats *actions.RunnerScaleSetStatistic) {
+func (e *exporter) RecordStatistics(stats *scaleset.RunnerScaleSetStatistic) {
 	e.setGauge(MetricAssignedJobs, e.scaleSetLabels, float64(stats.TotalAssignedJobs))
 	e.setGauge(MetricRunningJobs, e.scaleSetLabels, float64(stats.TotalRunningJobs))
 	e.setGauge(MetricRegisteredRunners, e.scaleSetLabels, float64(stats.TotalRegisteredRunners))
-	e.setGauge(MetricBusyRunners, e.scaleSetLabels, float64(float64(stats.TotalBusyRunners)))
+	e.setGauge(MetricBusyRunners, e.scaleSetLabels, float64(stats.TotalBusyRunners))
 	e.setGauge(MetricIdleRunners, e.scaleSetLabels, float64(stats.TotalIdleRunners))
 }
 
-func (e *exporter) PublishJobStarted(msg *actions.JobStarted) {
+func (e *exporter) RecordJobStarted(msg *scaleset.JobStarted) {
 	l := e.startedJobLabels(msg)
 	e.incCounter(MetricStartedJobsTotal, l)
 
@@ -343,7 +492,7 @@ func (e *exporter) PublishJobStarted(msg *actions.JobStarted) {
 	e.observeHistogram(MetricJobStartupDurationSeconds, l, float64(startupDuration))
 }
 
-func (e *exporter) PublishJobCompleted(msg *actions.JobCompleted) {
+func (e *exporter) RecordJobCompleted(msg *scaleset.JobCompleted) {
 	l := e.completedJobLabels(msg)
 	e.incCounter(MetricCompletedJobsTotal, l)
 
@@ -351,17 +500,17 @@ func (e *exporter) PublishJobCompleted(msg *actions.JobCompleted) {
 	e.observeHistogram(MetricJobExecutionDurationSeconds, l, float64(executionDuration))
 }
 
-func (e *exporter) PublishDesiredRunners(count int) {
+func (e *exporter) RecordDesiredRunners(count int) {
 	e.setGauge(MetricDesiredRunners, e.scaleSetLabels, float64(count))
 }
 
 type discard struct{}
 
-func (*discard) PublishStatic(int, int)                             {}
-func (*discard) PublishStatistics(*actions.RunnerScaleSetStatistic) {}
-func (*discard) PublishJobStarted(*actions.JobStarted)              {}
-func (*discard) PublishJobCompleted(*actions.JobCompleted)          {}
-func (*discard) PublishDesiredRunners(int)                          {}
+func (*discard) RecordStatic(int, int)                              {}
+func (*discard) RecordStatistics(*scaleset.RunnerScaleSetStatistic) {}
+func (*discard) RecordJobStarted(*scaleset.JobStarted)              {}
+func (*discard) RecordJobCompleted(*scaleset.JobCompleted)          {}
+func (*discard) RecordDesiredRunners(int)                           {}
 
 var defaultRuntimeBuckets []float64 = []float64{
 	0.01,

cmd/ghalistener/metrics/metrics_integration_test.go

@@ -0,0 +1,99 @@
+package metrics
+
+import (
+	"testing"
+
+	"github.com/actions/scaleset"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMetricsWithWorkflowRefParsing(t *testing.T) {
+	// Create a test exporter
+	exporter := &exporter{
+		scaleSetLabels: prometheus.Labels{
+			labelKeyEnterprise:              "test-enterprise",
+			labelKeyOrganization:            "test-org",
+			labelKeyRepository:              "test-repo",
+			labelKeyRunnerScaleSetName:      "test-scale-set",
+			labelKeyRunnerScaleSetNamespace: "test-namespace",
+		},
+	}
+
+	tests := []struct {
+		name       string
+		jobBase    scaleset.JobMessageBase
+		wantName   string
+		wantTarget string
+	}{
+		{
+			name: "main branch workflow",
+			jobBase: scaleset.JobMessageBase{
+				OwnerName:      "actions",
+				RepositoryName: "runner",
+				JobDisplayName: "Build and Test",
+				JobWorkflowRef: "actions/runner/.github/workflows/build.yml@refs/heads/main",
+				EventName:      "push",
+			},
+			wantName:   "build",
+			wantTarget: "heads/main",
+		},
+		{
+			name: "feature branch workflow",
+			jobBase: scaleset.JobMessageBase{
+				OwnerName:      "myorg",
+				RepositoryName: "myrepo",
+				JobDisplayName: "CI/CD Pipeline",
+				JobWorkflowRef: "myorg/myrepo/.github/workflows/ci-cd-pipeline.yml@refs/heads/feature/new-metrics",
+				EventName:      "push",
+			},
+			wantName:   "ci-cd-pipeline",
+			wantTarget: "heads/feature/new-metrics",
+		},
+		{
+			name: "pull request workflow",
+			jobBase: scaleset.JobMessageBase{
+				OwnerName:      "actions",
+				RepositoryName: "runner",
+				JobDisplayName: "PR Checks",
+				JobWorkflowRef: "actions/runner/.github/workflows/pr-checks.yml@refs/pull/123/merge",
+				EventName:      "pull_request",
+			},
+			wantName:   "pr-checks",
+			wantTarget: "pull/123",
+		},
+		{
+			name: "tag workflow",
+			jobBase: scaleset.JobMessageBase{
+				OwnerName:      "actions",
+				RepositoryName: "runner",
+				JobDisplayName: "Release",
+				JobWorkflowRef: "actions/runner/.github/workflows/release.yml@refs/tags/v1.2.3",
+				EventName:      "release",
+			},
+			wantName:   "release",
+			wantTarget: "tags/v1.2.3",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			labels := exporter.jobLabels(&tt.jobBase)
+
+			// Build expected labels
+			expectedLabels := prometheus.Labels{
+				labelKeyEnterprise:        "test-enterprise",
+				labelKeyOrganization:      tt.jobBase.OwnerName,
+				labelKeyRepository:        tt.jobBase.RepositoryName,
+				labelKeyJobName:           tt.jobBase.JobDisplayName,
+				labelKeyJobWorkflowRef:    tt.jobBase.JobWorkflowRef,
+				labelKeyJobWorkflowName:   tt.wantName,
+				labelKeyJobWorkflowTarget: tt.wantTarget,
+				labelKeyEventName:         tt.jobBase.EventName,
+			}
+
+			// Assert all expected labels match
+			assert.Equal(t, expectedLabels, labels, "jobLabels() returned unexpected labels for %s", tt.name)
+		})
+	}
+}

cmd/ghalistener/metrics/metrics_test.go

@@ -1,14 +1,17 @@
 package metrics
 
 import (
+	"log/slog"
 	"testing"
 
 	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
-	"github.com/go-logr/logr"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
+var discardLogger = slog.New(slog.DiscardHandler)
+
 func TestInstallMetrics(t *testing.T) {
 	metricsConfig := v1alpha1.MetricsConfig{
 		Counters: map[string]*v1alpha1.CounterMetric{
@@ -73,7 +76,7 @@ func TestInstallMetrics(t *testing.T) {
 	}
 	reg := prometheus.NewRegistry()
 
-	got := installMetrics(metricsConfig, reg, logr.Discard())
+	got := installMetrics(metricsConfig, reg, discardLogger)
 	assert.Len(t, got.counters, 1)
 	assert.Len(t, got.gauges, 1)
 	assert.Len(t, got.histograms, 2)
@@ -86,3 +89,179 @@ func TestInstallMetrics(t *testing.T) {
 	assert.Equal(t, duration.config.Labels, metricsConfig.Histograms[MetricJobStartupDurationSeconds].Labels)
 	assert.Equal(t, duration.config.Buckets, defaultRuntimeBuckets)
 }
+
+func TestNewExporter(t *testing.T) {
+	t.Run("with defaults metrics applied", func(t *testing.T) {
+		config := ExporterConfig{
+			ScaleSetName:      "test-scale-set",
+			ScaleSetNamespace: "test-namespace",
+			Enterprise:        "",
+			Organization:      "org",
+			Repository:        "repo",
+			ServerAddr:        ":6060",
+			ServerEndpoint:    "/metrics",
+			Logger:            discardLogger,
+			Metrics:           nil, // when metrics is nil, all default metrics should be registered
+		}
+
+		exporter, ok := NewExporter(config).(*exporter)
+		require.True(t, ok, "expected exporter to be of type *exporter")
+		require.NotNil(t, exporter)
+
+		reg := prometheus.NewRegistry()
+		wantMetrics := installMetrics(defaultMetrics, reg, config.Logger)
+
+		assert.Equal(t, len(wantMetrics.counters), len(exporter.counters))
+		for k, v := range wantMetrics.counters {
+			assert.Contains(t, exporter.counters, k)
+			assert.Equal(t, v.config, exporter.counters[k].config)
+		}
+
+		assert.Equal(t, len(wantMetrics.gauges), len(exporter.gauges))
+		for k, v := range wantMetrics.gauges {
+			assert.Contains(t, exporter.gauges, k)
+			assert.Equal(t, v.config, exporter.gauges[k].config)
+		}
+
+		assert.Equal(t, len(wantMetrics.histograms), len(exporter.histograms))
+		for k, v := range wantMetrics.histograms {
+			assert.Contains(t, exporter.histograms, k)
+			assert.Equal(t, v.config, exporter.histograms[k].config)
+		}
+
+		require.NotNil(t, exporter.srv)
+		assert.Equal(t, config.ServerAddr, exporter.srv.Addr)
+	})
+
+	t.Run("with default server URL", func(t *testing.T) {
+		config := ExporterConfig{
+			ScaleSetName:      "test-scale-set",
+			ScaleSetNamespace: "test-namespace",
+			Enterprise:        "",
+			Organization:      "org",
+			Repository:        "repo",
+			ServerAddr:        "", // empty ServerAddr should default to ":8080"
+			ServerEndpoint:    "",
+			Logger:            discardLogger,
+			Metrics:           nil, // when metrics is nil, all default metrics should be registered
+		}
+
+		exporter, ok := NewExporter(config).(*exporter)
+		require.True(t, ok, "expected exporter to be of type *exporter")
+		require.NotNil(t, exporter)
+
+		reg := prometheus.NewRegistry()
+		wantMetrics := installMetrics(defaultMetrics, reg, config.Logger)
+
+		assert.Equal(t, len(wantMetrics.counters), len(exporter.counters))
+		for k, v := range wantMetrics.counters {
+			assert.Contains(t, exporter.counters, k)
+			assert.Equal(t, v.config, exporter.counters[k].config)
+		}
+
+		assert.Equal(t, len(wantMetrics.gauges), len(exporter.gauges))
+		for k, v := range wantMetrics.gauges {
+			assert.Contains(t, exporter.gauges, k)
+			assert.Equal(t, v.config, exporter.gauges[k].config)
+		}
+
+		assert.Equal(t, len(wantMetrics.histograms), len(exporter.histograms))
+		for k, v := range wantMetrics.histograms {
+			assert.Contains(t, exporter.histograms, k)
+			assert.Equal(t, v.config, exporter.histograms[k].config)
+		}
+
+		require.NotNil(t, exporter.srv)
+		assert.Equal(t, exporter.srv.Addr, ":8080")
+	})
+
+	t.Run("with metrics configured", func(t *testing.T) {
+		metricsConfig := v1alpha1.MetricsConfig{
+			Counters: map[string]*v1alpha1.CounterMetric{
+				MetricStartedJobsTotal: {
+					Labels: []string{labelKeyRepository},
+				},
+			},
+			Gauges: map[string]*v1alpha1.GaugeMetric{
+				MetricAssignedJobs: {
+					Labels: []string{labelKeyRepository},
+				},
+			},
+			Histograms: map[string]*v1alpha1.HistogramMetric{
+				MetricJobExecutionDurationSeconds: {
+					Labels:  []string{labelKeyRepository},
+					Buckets: []float64{0.1, 1},
+				},
+			},
+		}
+
+		config := ExporterConfig{
+			ScaleSetName:      "test-scale-set",
+			ScaleSetNamespace: "test-namespace",
+			Enterprise:        "",
+			Organization:      "org",
+			Repository:        "repo",
+			ServerAddr:        ":6060",
+			ServerEndpoint:    "/metrics",
+			Logger:            discardLogger,
+			Metrics:           &metricsConfig,
+		}
+
+		exporter, ok := NewExporter(config).(*exporter)
+		require.True(t, ok, "expected exporter to be of type *exporter")
+		require.NotNil(t, exporter)
+
+		reg := prometheus.NewRegistry()
+		wantMetrics := installMetrics(metricsConfig, reg, config.Logger)
+
+		assert.Equal(t, len(wantMetrics.counters), len(exporter.counters))
+		for k, v := range wantMetrics.counters {
+			assert.Contains(t, exporter.counters, k)
+			assert.Equal(t, v.config, exporter.counters[k].config)
+		}
+
+		assert.Equal(t, len(wantMetrics.gauges), len(exporter.gauges))
+		for k, v := range wantMetrics.gauges {
+			assert.Contains(t, exporter.gauges, k)
+			assert.Equal(t, v.config, exporter.gauges[k].config)
+		}
+
+		assert.Equal(t, len(wantMetrics.histograms), len(exporter.histograms))
+		for k, v := range wantMetrics.histograms {
+			assert.Contains(t, exporter.histograms, k)
+			assert.Equal(t, v.config, exporter.histograms[k].config)
+		}
+
+		require.NotNil(t, exporter.srv)
+		assert.Equal(t, config.ServerAddr, exporter.srv.Addr)
+	})
+}
+
+func TestExporterConfigDefaults(t *testing.T) {
+	config := ExporterConfig{
+		ScaleSetName:      "test-scale-set",
+		ScaleSetNamespace: "test-namespace",
+		Enterprise:        "",
+		Organization:      "org",
+		Repository:        "repo",
+		ServerAddr:        "",
+		ServerEndpoint:    "",
+		Logger:            discardLogger,
+		Metrics:           nil, // when metrics is nil, all default metrics should be registered
+	}
+
+	config.defaults()
+	want := ExporterConfig{
+		ScaleSetName:      "test-scale-set",
+		ScaleSetNamespace: "test-namespace",
+		Enterprise:        "",
+		Organization:      "org",
+		Repository:        "repo",
+		ServerAddr:        ":8080",    // default server address
+		ServerEndpoint:    "/metrics", // default server endpoint
+		Logger:            discardLogger,
+		Metrics:           &defaultMetrics, // when metrics is nil, all default metrics should be registered
+	}
+
+	assert.Equal(t, want, config)
+}

cmd/ghalistener/metrics/mocks/publisher.go

@@ -1,53 +0,0 @@
-// Code generated by mockery v2.36.1. DO NOT EDIT.
-
-package mocks
-
-import (
-	actions "github.com/actions/actions-runner-controller/github/actions"
-
-	mock "github.com/stretchr/testify/mock"
-)
-
-// Publisher is an autogenerated mock type for the Publisher type
-type Publisher struct {
-	mock.Mock
-}
-
-// PublishDesiredRunners provides a mock function with given fields: count
-func (_m *Publisher) PublishDesiredRunners(count int) {
-	_m.Called(count)
-}
-
-// PublishJobCompleted provides a mock function with given fields: msg
-func (_m *Publisher) PublishJobCompleted(msg *actions.JobCompleted) {
-	_m.Called(msg)
-}
-
-// PublishJobStarted provides a mock function with given fields: msg
-func (_m *Publisher) PublishJobStarted(msg *actions.JobStarted) {
-	_m.Called(msg)
-}
-
-// PublishStatic provides a mock function with given fields: min, max
-func (_m *Publisher) PublishStatic(min int, max int) {
-	_m.Called(min, max)
-}
-
-// PublishStatistics provides a mock function with given fields: stats
-func (_m *Publisher) PublishStatistics(stats *actions.RunnerScaleSetStatistic) {
-	_m.Called(stats)
-}
-
-// NewPublisher creates a new instance of Publisher. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewPublisher(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *Publisher {
-	mock := &Publisher{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

cmd/ghalistener/metrics/mocks/server_publisher.go

@@ -1,69 +0,0 @@
-// Code generated by mockery v2.36.1. DO NOT EDIT.
-
-package mocks
-
-import (
-	context "context"
-
-	actions "github.com/actions/actions-runner-controller/github/actions"
-
-	mock "github.com/stretchr/testify/mock"
-)
-
-// ServerPublisher is an autogenerated mock type for the ServerPublisher type
-type ServerPublisher struct {
-	mock.Mock
-}
-
-// ListenAndServe provides a mock function with given fields: ctx
-func (_m *ServerPublisher) ListenAndServe(ctx context.Context) error {
-	ret := _m.Called(ctx)
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context) error); ok {
-		r0 = rf(ctx)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// PublishDesiredRunners provides a mock function with given fields: count
-func (_m *ServerPublisher) PublishDesiredRunners(count int) {
-	_m.Called(count)
-}
-
-// PublishJobCompleted provides a mock function with given fields: msg
-func (_m *ServerPublisher) PublishJobCompleted(msg *actions.JobCompleted) {
-	_m.Called(msg)
-}
-
-// PublishJobStarted provides a mock function with given fields: msg
-func (_m *ServerPublisher) PublishJobStarted(msg *actions.JobStarted) {
-	_m.Called(msg)
-}
-
-// PublishStatic provides a mock function with given fields: min, max
-func (_m *ServerPublisher) PublishStatic(min int, max int) {
-	_m.Called(min, max)
-}
-
-// PublishStatistics provides a mock function with given fields: stats
-func (_m *ServerPublisher) PublishStatistics(stats *actions.RunnerScaleSetStatistic) {
-	_m.Called(stats)
-}
-
-// NewServerPublisher creates a new instance of ServerPublisher. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewServerPublisher(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *ServerPublisher {
-	mock := &ServerPublisher{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

cmd/ghalistener/metrics/mocks_test.go

@@ -0,0 +1,529 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package metrics
+
+import (
+	"context"
+
+	"github.com/actions/scaleset"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockRecorder creates a new instance of MockRecorder. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockRecorder(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockRecorder {
+	mock := &MockRecorder{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockRecorder is an autogenerated mock type for the Recorder type
+type MockRecorder struct {
+	mock.Mock
+}
+
+type MockRecorder_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockRecorder) EXPECT() *MockRecorder_Expecter {
+	return &MockRecorder_Expecter{mock: &_m.Mock}
+}
+
+// RecordDesiredRunners provides a mock function for the type MockRecorder
+func (_mock *MockRecorder) RecordDesiredRunners(count int) {
+	_mock.Called(count)
+	return
+}
+
+// MockRecorder_RecordDesiredRunners_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RecordDesiredRunners'
+type MockRecorder_RecordDesiredRunners_Call struct {
+	*mock.Call
+}
+
+// RecordDesiredRunners is a helper method to define mock.On call
+//   - count int
+func (_e *MockRecorder_Expecter) RecordDesiredRunners(count interface{}) *MockRecorder_RecordDesiredRunners_Call {
+	return &MockRecorder_RecordDesiredRunners_Call{Call: _e.mock.On("RecordDesiredRunners", count)}
+}
+
+func (_c *MockRecorder_RecordDesiredRunners_Call) Run(run func(count int)) *MockRecorder_RecordDesiredRunners_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 int
+		if args[0] != nil {
+			arg0 = args[0].(int)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRecorder_RecordDesiredRunners_Call) Return() *MockRecorder_RecordDesiredRunners_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockRecorder_RecordDesiredRunners_Call) RunAndReturn(run func(count int)) *MockRecorder_RecordDesiredRunners_Call {
+	_c.Run(run)
+	return _c
+}
+
+// RecordJobCompleted provides a mock function for the type MockRecorder
+func (_mock *MockRecorder) RecordJobCompleted(msg *scaleset.JobCompleted) {
+	_mock.Called(msg)
+	return
+}
+
+// MockRecorder_RecordJobCompleted_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RecordJobCompleted'
+type MockRecorder_RecordJobCompleted_Call struct {
+	*mock.Call
+}
+
+// RecordJobCompleted is a helper method to define mock.On call
+//   - msg *scaleset.JobCompleted
+func (_e *MockRecorder_Expecter) RecordJobCompleted(msg interface{}) *MockRecorder_RecordJobCompleted_Call {
+	return &MockRecorder_RecordJobCompleted_Call{Call: _e.mock.On("RecordJobCompleted", msg)}
+}
+
+func (_c *MockRecorder_RecordJobCompleted_Call) Run(run func(msg *scaleset.JobCompleted)) *MockRecorder_RecordJobCompleted_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *scaleset.JobCompleted
+		if args[0] != nil {
+			arg0 = args[0].(*scaleset.JobCompleted)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRecorder_RecordJobCompleted_Call) Return() *MockRecorder_RecordJobCompleted_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockRecorder_RecordJobCompleted_Call) RunAndReturn(run func(msg *scaleset.JobCompleted)) *MockRecorder_RecordJobCompleted_Call {
+	_c.Run(run)
+	return _c
+}
+
+// RecordJobStarted provides a mock function for the type MockRecorder
+func (_mock *MockRecorder) RecordJobStarted(msg *scaleset.JobStarted) {
+	_mock.Called(msg)
+	return
+}
+
+// MockRecorder_RecordJobStarted_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RecordJobStarted'
+type MockRecorder_RecordJobStarted_Call struct {
+	*mock.Call
+}
+
+// RecordJobStarted is a helper method to define mock.On call
+//   - msg *scaleset.JobStarted
+func (_e *MockRecorder_Expecter) RecordJobStarted(msg interface{}) *MockRecorder_RecordJobStarted_Call {
+	return &MockRecorder_RecordJobStarted_Call{Call: _e.mock.On("RecordJobStarted", msg)}
+}
+
+func (_c *MockRecorder_RecordJobStarted_Call) Run(run func(msg *scaleset.JobStarted)) *MockRecorder_RecordJobStarted_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *scaleset.JobStarted
+		if args[0] != nil {
+			arg0 = args[0].(*scaleset.JobStarted)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRecorder_RecordJobStarted_Call) Return() *MockRecorder_RecordJobStarted_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockRecorder_RecordJobStarted_Call) RunAndReturn(run func(msg *scaleset.JobStarted)) *MockRecorder_RecordJobStarted_Call {
+	_c.Run(run)
+	return _c
+}
+
+// RecordStatic provides a mock function for the type MockRecorder
+func (_mock *MockRecorder) RecordStatic(min int, max int) {
+	_mock.Called(min, max)
+	return
+}
+
+// MockRecorder_RecordStatic_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RecordStatic'
+type MockRecorder_RecordStatic_Call struct {
+	*mock.Call
+}
+
+// RecordStatic is a helper method to define mock.On call
+//   - min int
+//   - max int
+func (_e *MockRecorder_Expecter) RecordStatic(min interface{}, max interface{}) *MockRecorder_RecordStatic_Call {
+	return &MockRecorder_RecordStatic_Call{Call: _e.mock.On("RecordStatic", min, max)}
+}
+
+func (_c *MockRecorder_RecordStatic_Call) Run(run func(min int, max int)) *MockRecorder_RecordStatic_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 int
+		if args[0] != nil {
+			arg0 = args[0].(int)
+		}
+		var arg1 int
+		if args[1] != nil {
+			arg1 = args[1].(int)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRecorder_RecordStatic_Call) Return() *MockRecorder_RecordStatic_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockRecorder_RecordStatic_Call) RunAndReturn(run func(min int, max int)) *MockRecorder_RecordStatic_Call {
+	_c.Run(run)
+	return _c
+}
+
+// RecordStatistics provides a mock function for the type MockRecorder
+func (_mock *MockRecorder) RecordStatistics(stats *scaleset.RunnerScaleSetStatistic) {
+	_mock.Called(stats)
+	return
+}
+
+// MockRecorder_RecordStatistics_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RecordStatistics'
+type MockRecorder_RecordStatistics_Call struct {
+	*mock.Call
+}
+
+// RecordStatistics is a helper method to define mock.On call
+//   - stats *scaleset.RunnerScaleSetStatistic
+func (_e *MockRecorder_Expecter) RecordStatistics(stats interface{}) *MockRecorder_RecordStatistics_Call {
+	return &MockRecorder_RecordStatistics_Call{Call: _e.mock.On("RecordStatistics", stats)}
+}
+
+func (_c *MockRecorder_RecordStatistics_Call) Run(run func(stats *scaleset.RunnerScaleSetStatistic)) *MockRecorder_RecordStatistics_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *scaleset.RunnerScaleSetStatistic
+		if args[0] != nil {
+			arg0 = args[0].(*scaleset.RunnerScaleSetStatistic)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRecorder_RecordStatistics_Call) Return() *MockRecorder_RecordStatistics_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockRecorder_RecordStatistics_Call) RunAndReturn(run func(stats *scaleset.RunnerScaleSetStatistic)) *MockRecorder_RecordStatistics_Call {
+	_c.Run(run)
+	return _c
+}
+
+// NewMockServerExporter creates a new instance of MockServerExporter. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockServerExporter(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockServerExporter {
+	mock := &MockServerExporter{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockServerExporter is an autogenerated mock type for the ServerExporter type
+type MockServerExporter struct {
+	mock.Mock
+}
+
+type MockServerExporter_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockServerExporter) EXPECT() *MockServerExporter_Expecter {
+	return &MockServerExporter_Expecter{mock: &_m.Mock}
+}
+
+// ListenAndServe provides a mock function for the type MockServerExporter
+func (_mock *MockServerExporter) ListenAndServe(ctx context.Context) error {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListenAndServe")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) error); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockServerExporter_ListenAndServe_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListenAndServe'
+type MockServerExporter_ListenAndServe_Call struct {
+	*mock.Call
+}
+
+// ListenAndServe is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockServerExporter_Expecter) ListenAndServe(ctx interface{}) *MockServerExporter_ListenAndServe_Call {
+	return &MockServerExporter_ListenAndServe_Call{Call: _e.mock.On("ListenAndServe", ctx)}
+}
+
+func (_c *MockServerExporter_ListenAndServe_Call) Run(run func(ctx context.Context)) *MockServerExporter_ListenAndServe_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockServerExporter_ListenAndServe_Call) Return(err error) *MockServerExporter_ListenAndServe_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockServerExporter_ListenAndServe_Call) RunAndReturn(run func(ctx context.Context) error) *MockServerExporter_ListenAndServe_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// RecordDesiredRunners provides a mock function for the type MockServerExporter
+func (_mock *MockServerExporter) RecordDesiredRunners(count int) {
+	_mock.Called(count)
+	return
+}
+
+// MockServerExporter_RecordDesiredRunners_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RecordDesiredRunners'
+type MockServerExporter_RecordDesiredRunners_Call struct {
+	*mock.Call
+}
+
+// RecordDesiredRunners is a helper method to define mock.On call
+//   - count int
+func (_e *MockServerExporter_Expecter) RecordDesiredRunners(count interface{}) *MockServerExporter_RecordDesiredRunners_Call {
+	return &MockServerExporter_RecordDesiredRunners_Call{Call: _e.mock.On("RecordDesiredRunners", count)}
+}
+
+func (_c *MockServerExporter_RecordDesiredRunners_Call) Run(run func(count int)) *MockServerExporter_RecordDesiredRunners_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 int
+		if args[0] != nil {
+			arg0 = args[0].(int)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockServerExporter_RecordDesiredRunners_Call) Return() *MockServerExporter_RecordDesiredRunners_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockServerExporter_RecordDesiredRunners_Call) RunAndReturn(run func(count int)) *MockServerExporter_RecordDesiredRunners_Call {
+	_c.Run(run)
+	return _c
+}
+
+// RecordJobCompleted provides a mock function for the type MockServerExporter
+func (_mock *MockServerExporter) RecordJobCompleted(msg *scaleset.JobCompleted) {
+	_mock.Called(msg)
+	return
+}
+
+// MockServerExporter_RecordJobCompleted_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RecordJobCompleted'
+type MockServerExporter_RecordJobCompleted_Call struct {
+	*mock.Call
+}
+
+// RecordJobCompleted is a helper method to define mock.On call
+//   - msg *scaleset.JobCompleted
+func (_e *MockServerExporter_Expecter) RecordJobCompleted(msg interface{}) *MockServerExporter_RecordJobCompleted_Call {
+	return &MockServerExporter_RecordJobCompleted_Call{Call: _e.mock.On("RecordJobCompleted", msg)}
+}
+
+func (_c *MockServerExporter_RecordJobCompleted_Call) Run(run func(msg *scaleset.JobCompleted)) *MockServerExporter_RecordJobCompleted_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *scaleset.JobCompleted
+		if args[0] != nil {
+			arg0 = args[0].(*scaleset.JobCompleted)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockServerExporter_RecordJobCompleted_Call) Return() *MockServerExporter_RecordJobCompleted_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockServerExporter_RecordJobCompleted_Call) RunAndReturn(run func(msg *scaleset.JobCompleted)) *MockServerExporter_RecordJobCompleted_Call {
+	_c.Run(run)
+	return _c
+}
+
+// RecordJobStarted provides a mock function for the type MockServerExporter
+func (_mock *MockServerExporter) RecordJobStarted(msg *scaleset.JobStarted) {
+	_mock.Called(msg)
+	return
+}
+
+// MockServerExporter_RecordJobStarted_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RecordJobStarted'
+type MockServerExporter_RecordJobStarted_Call struct {
+	*mock.Call
+}
+
+// RecordJobStarted is a helper method to define mock.On call
+//   - msg *scaleset.JobStarted
+func (_e *MockServerExporter_Expecter) RecordJobStarted(msg interface{}) *MockServerExporter_RecordJobStarted_Call {
+	return &MockServerExporter_RecordJobStarted_Call{Call: _e.mock.On("RecordJobStarted", msg)}
+}
+
+func (_c *MockServerExporter_RecordJobStarted_Call) Run(run func(msg *scaleset.JobStarted)) *MockServerExporter_RecordJobStarted_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *scaleset.JobStarted
+		if args[0] != nil {
+			arg0 = args[0].(*scaleset.JobStarted)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockServerExporter_RecordJobStarted_Call) Return() *MockServerExporter_RecordJobStarted_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockServerExporter_RecordJobStarted_Call) RunAndReturn(run func(msg *scaleset.JobStarted)) *MockServerExporter_RecordJobStarted_Call {
+	_c.Run(run)
+	return _c
+}
+
+// RecordStatic provides a mock function for the type MockServerExporter
+func (_mock *MockServerExporter) RecordStatic(min int, max int) {
+	_mock.Called(min, max)
+	return
+}
+
+// MockServerExporter_RecordStatic_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RecordStatic'
+type MockServerExporter_RecordStatic_Call struct {
+	*mock.Call
+}
+
+// RecordStatic is a helper method to define mock.On call
+//   - min int
+//   - max int
+func (_e *MockServerExporter_Expecter) RecordStatic(min interface{}, max interface{}) *MockServerExporter_RecordStatic_Call {
+	return &MockServerExporter_RecordStatic_Call{Call: _e.mock.On("RecordStatic", min, max)}
+}
+
+func (_c *MockServerExporter_RecordStatic_Call) Run(run func(min int, max int)) *MockServerExporter_RecordStatic_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 int
+		if args[0] != nil {
+			arg0 = args[0].(int)
+		}
+		var arg1 int
+		if args[1] != nil {
+			arg1 = args[1].(int)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockServerExporter_RecordStatic_Call) Return() *MockServerExporter_RecordStatic_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockServerExporter_RecordStatic_Call) RunAndReturn(run func(min int, max int)) *MockServerExporter_RecordStatic_Call {
+	_c.Run(run)
+	return _c
+}
+
+// RecordStatistics provides a mock function for the type MockServerExporter
+func (_mock *MockServerExporter) RecordStatistics(stats *scaleset.RunnerScaleSetStatistic) {
+	_mock.Called(stats)
+	return
+}
+
+// MockServerExporter_RecordStatistics_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RecordStatistics'
+type MockServerExporter_RecordStatistics_Call struct {
+	*mock.Call
+}
+
+// RecordStatistics is a helper method to define mock.On call
+//   - stats *scaleset.RunnerScaleSetStatistic
+func (_e *MockServerExporter_Expecter) RecordStatistics(stats interface{}) *MockServerExporter_RecordStatistics_Call {
+	return &MockServerExporter_RecordStatistics_Call{Call: _e.mock.On("RecordStatistics", stats)}
+}
+
+func (_c *MockServerExporter_RecordStatistics_Call) Run(run func(stats *scaleset.RunnerScaleSetStatistic)) *MockServerExporter_RecordStatistics_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *scaleset.RunnerScaleSetStatistic
+		if args[0] != nil {
+			arg0 = args[0].(*scaleset.RunnerScaleSetStatistic)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockServerExporter_RecordStatistics_Call) Return() *MockServerExporter_RecordStatistics_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockServerExporter_RecordStatistics_Call) RunAndReturn(run func(stats *scaleset.RunnerScaleSetStatistic)) *MockServerExporter_RecordStatistics_Call {
+	_c.Run(run)
+	return _c
+}

cmd/ghalistener/metrics/workflow_ref_parser.go

@@ -0,0 +1,78 @@
+package metrics
+
+import (
+	"path"
+	"strings"
+)
+
+// WorkflowRefInfo contains parsed information from a job_workflow_ref
+type WorkflowRefInfo struct {
+	// Name is the workflow file name without extension
+	Name string
+	// Target is the target ref with type prefix retained for clarity
+	// Examples:
+	//   - heads/main (branch)
+	//   - heads/feature/new-feature (branch)
+	//   - tags/v1.2.3 (tag)
+	//   - pull/123 (pull request)
+	Target string
+}
+
+// ParseWorkflowRef parses a job_workflow_ref string to extract workflow name and target
+// Format: {owner}/{repo}/.github/workflows/{workflow_file}@{ref}
+// Example: mygithuborg/myrepo/.github/workflows/blank.yml@refs/heads/main
+//
+// The target field preserves type prefixes to differentiate between:
+//   - Branch references: "heads/{branch}" (from refs/heads/{branch})
+//   - Tag references: "tags/{tag}" (from refs/tags/{tag})
+//   - Pull requests: "pull/{number}" (from refs/pull/{number}/merge)
+func ParseWorkflowRef(workflowRef string) WorkflowRefInfo {
+	info := WorkflowRefInfo{}
+
+	if workflowRef == "" {
+		return info
+	}
+
+	// Split by @ to separate path and ref
+	parts := strings.Split(workflowRef, "@")
+	if len(parts) != 2 {
+		return info
+	}
+
+	workflowPath := parts[0]
+	ref := parts[1]
+
+	// Extract workflow name from path
+	// The path format is: {owner}/{repo}/.github/workflows/{workflow_file}
+	workflowFile := path.Base(workflowPath)
+	// Remove .yml or .yaml extension
+	info.Name = strings.TrimSuffix(strings.TrimSuffix(workflowFile, ".yml"), ".yaml")
+
+	// Extract target from ref based on type
+	// Branch refs: refs/heads/{branch}
+	// Tag refs: refs/tags/{tag}
+	// PR refs: refs/pull/{number}/merge
+	const (
+		branchPrefix = "refs/heads/"
+		tagPrefix    = "refs/tags/"
+		prPrefix     = "refs/pull/"
+	)
+
+	switch {
+	case strings.HasPrefix(ref, branchPrefix):
+		// Keep "heads/" prefix to indicate branch
+		info.Target = "heads/" + strings.TrimPrefix(ref, branchPrefix)
+	case strings.HasPrefix(ref, tagPrefix):
+		// Keep "tags/" prefix to indicate tag
+		info.Target = "tags/" + strings.TrimPrefix(ref, tagPrefix)
+	case strings.HasPrefix(ref, prPrefix):
+		// Extract PR number from refs/pull/{number}/merge
+		// Keep "pull/" prefix to indicate pull request
+		prPart := strings.TrimPrefix(ref, prPrefix)
+		if idx := strings.Index(prPart, "/"); idx > 0 {
+			info.Target = "pull/" + prPart[:idx]
+		}
+	}
+
+	return info
+}

cmd/ghalistener/metrics/workflow_ref_parser_test.go

@@ -0,0 +1,82 @@
+package metrics
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParseWorkflowRef(t *testing.T) {
+	tests := []struct {
+		name        string
+		workflowRef string
+		wantName    string
+		wantTarget  string
+	}{
+		{
+			name:        "standard branch reference with yml",
+			workflowRef: "actions-runner-controller-sandbox/mumoshu-orgrunner-test-01/.github/workflows/blank.yml@refs/heads/main",
+			wantName:    "blank",
+			wantTarget:  "heads/main",
+		},
+		{
+			name:        "branch with special characters",
+			workflowRef: "owner/repo/.github/workflows/ci-cd.yml@refs/heads/feature/new-feature",
+			wantName:    "ci-cd",
+			wantTarget:  "heads/feature/new-feature",
+		},
+		{
+			name:        "yaml extension",
+			workflowRef: "owner/repo/.github/workflows/deploy.yaml@refs/heads/develop",
+			wantName:    "deploy",
+			wantTarget:  "heads/develop",
+		},
+		{
+			name:        "tag reference",
+			workflowRef: "owner/repo/.github/workflows/release.yml@refs/tags/v1.0.0",
+			wantName:    "release",
+			wantTarget:  "tags/v1.0.0",
+		},
+		{
+			name:        "pull request reference",
+			workflowRef: "owner/repo/.github/workflows/test.yml@refs/pull/123/merge",
+			wantName:    "test",
+			wantTarget:  "pull/123",
+		},
+		{
+			name:        "empty workflow ref",
+			workflowRef: "",
+			wantName:    "",
+			wantTarget:  "",
+		},
+		{
+			name:        "invalid format - no @ separator",
+			workflowRef: "owner/repo/.github/workflows/test.yml",
+			wantName:    "",
+			wantTarget:  "",
+		},
+		{
+			name:        "workflow with dots in name",
+			workflowRef: "owner/repo/.github/workflows/build.test.yml@refs/heads/main",
+			wantName:    "build.test",
+			wantTarget:  "heads/main",
+		},
+		{
+			name:        "workflow with hyphen and underscore",
+			workflowRef: "owner/repo/.github/workflows/build-test_deploy.yml@refs/heads/main",
+			wantName:    "build-test_deploy",
+			wantTarget:  "heads/main",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := ParseWorkflowRef(tt.workflowRef)
+			expected := WorkflowRefInfo{
+				Name:   tt.wantName,
+				Target: tt.wantTarget,
+			}
+			assert.Equal(t, expected, got, "ParseWorkflowRef(%q) returned unexpected result", tt.workflowRef)
+		})
+	}
+}

cmd/ghalistener/scaler/scaler.go

@@ -1,30 +1,27 @@
-package worker
+package scaler
 
 import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"log/slog"
+	"math"
 
 	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
-	"github.com/actions/actions-runner-controller/cmd/ghalistener/listener"
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/actions/actions-runner-controller/logging"
+	"github.com/actions/scaleset"
+	"github.com/actions/scaleset/listener"
 	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/go-logr/logr"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 )
 
-const workerName = "kubernetesworker"
+type Option func(*Scaler)
 
-type Option func(*Worker)
-
-func WithLogger(logger logr.Logger) Option {
-	return func(w *Worker) {
-		logger = logger.WithName(workerName)
-		w.logger = &logger
+func WithLogger(logger *slog.Logger) Option {
+	return func(w *Scaler) {
+		w.logger = logger
 	}
 }
 
@@ -35,23 +32,25 @@ type Config struct {
 	MinRunners                  int
 }
 
-// The Worker's role is to process the messages it receives from the listener.
+// The Scaler's role is to process the messages it receives from the listener.
 // It then initiates Kubernetes API requests to carry out the necessary actions.
-type Worker struct {
-	clientset *kubernetes.Clientset
-	config    Config
-	lastPatch int
-	patchSeq  int
-	logger    *logr.Logger
+type Scaler struct {
+	clientset     *kubernetes.Clientset
+	config        Config
+	targetRunners int
+	patchSeq      int
+	// dirty is set when there are any events handled before the desired count is called.
+	dirty  bool
+	logger *slog.Logger
 }
 
-var _ listener.Handler = (*Worker)(nil)
+var _ listener.Scaler = (*Scaler)(nil)
 
-func New(config Config, options ...Option) (*Worker, error) {
-	w := &Worker{
-		config:    config,
-		lastPatch: -1,
-		patchSeq:  -1,
+func New(config Config, options ...Option) (*Scaler, error) {
+	w := &Scaler{
+		config:        config,
+		targetRunners: -1,
+		patchSeq:      -1,
 	}
 
 	conf, err := rest.InClusterConfig()
@@ -77,14 +76,9 @@ func New(config Config, options ...Option) (*Worker, error) {
 	return w, nil
 }
 
-func (w *Worker) applyDefaults() error {
+func (w *Scaler) applyDefaults() error {
 	if w.logger == nil {
-		logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatJSON)
-		if err != nil {
-			return fmt.Errorf("NewLogger failed: %w", err)
-		}
-		logger = logger.WithName(workerName)
-		w.logger = &logger
+		w.logger = slog.New(slog.DiscardHandler)
 	}
 
 	return nil
@@ -95,15 +89,18 @@ func (w *Worker) applyDefaults() error {
 // This update marks the ephemeral runner so that the controller would have more context
 // about the ephemeral runner that should not be deleted when scaling down.
 // It returns an error if there is any issue with updating the job information.
-func (w *Worker) HandleJobStarted(ctx context.Context, jobInfo *actions.JobStarted) error {
+func (w *Scaler) HandleJobStarted(ctx context.Context, jobInfo *scaleset.JobStarted) error {
 	w.logger.Info("Updating job info for the runner",
 		"runnerName", jobInfo.RunnerName,
 		"ownerName", jobInfo.OwnerName,
 		"repoName", jobInfo.RepositoryName,
+		"jobId", jobInfo.JobID,
 		"workflowRef", jobInfo.JobWorkflowRef,
-		"workflowRunId", jobInfo.WorkflowRunId,
+		"workflowRunId", jobInfo.WorkflowRunID,
 		"jobDisplayName", jobInfo.JobDisplayName,
-		"requestId", jobInfo.RunnerRequestId)
+		"requestId", jobInfo.RunnerRequestID)
+
+	w.dirty = true
 
 	original, err := json.Marshal(&v1alpha1.EphemeralRunner{})
 	if err != nil {
@@ -113,9 +110,10 @@ func (w *Worker) HandleJobStarted(ctx context.Context, jobInfo *actions.JobStart
 	patch, err := json.Marshal(
 		&v1alpha1.EphemeralRunner{
 			Status: v1alpha1.EphemeralRunnerStatus{
-				JobRequestId:      jobInfo.RunnerRequestId,
+				JobRequestId:      jobInfo.RunnerRequestID,
 				JobRepositoryName: fmt.Sprintf("%s/%s", jobInfo.OwnerName, jobInfo.RepositoryName),
-				WorkflowRunId:     jobInfo.WorkflowRunId,
+				JobID:             jobInfo.JobID,
+				WorkflowRunId:     jobInfo.WorkflowRunID,
 				JobWorkflowRef:    jobInfo.JobWorkflowRef,
 				JobDisplayName:    jobInfo.JobDisplayName,
 			},
@@ -156,6 +154,11 @@ func (w *Worker) HandleJobStarted(ctx context.Context, jobInfo *actions.JobStart
 	return nil
 }
 
+func (w *Scaler) HandleJobCompleted(ctx context.Context, msg *scaleset.JobCompleted) error {
+	w.dirty = true
+	return nil
+}
+
 // HandleDesiredRunnerCount handles the desired runner count by scaling the ephemeral runner set.
 // The function calculates the target runner count based on the minimum and maximum runner count configuration.
 // If the target runner count is the same as the last patched count, it skips patching and returns nil.
@@ -163,8 +166,8 @@ func (w *Worker) HandleJobStarted(ctx context.Context, jobInfo *actions.JobStart
 // The function then scales the ephemeral runner set by applying the merge patch.
 // Finally, it logs the scaled ephemeral runner set details and returns nil if successful.
 // If any error occurs during the process, it returns an error with a descriptive message.
-func (w *Worker) HandleDesiredRunnerCount(ctx context.Context, count, jobsCompleted int) (int, error) {
-	patchID := w.setDesiredWorkerState(count, jobsCompleted)
+func (w *Scaler) HandleDesiredRunnerCount(ctx context.Context, count int) (int, error) {
+	patchID := w.setDesiredWorkerState(count)
 
 	original, err := json.Marshal(
 		&v1alpha1.EphemeralRunnerSet{
@@ -181,13 +184,13 @@ func (w *Worker) HandleDesiredRunnerCount(ctx context.Context, count, jobsComple
 	patch, err := json.Marshal(
 		&v1alpha1.EphemeralRunnerSet{
 			Spec: v1alpha1.EphemeralRunnerSetSpec{
-				Replicas: w.lastPatch,
+				Replicas: w.targetRunners,
 				PatchID:  patchID,
 			},
 		},
 	)
 	if err != nil {
-		w.logger.Error(err, "could not marshal patch ephemeral runner set")
+		w.logger.Error("could not marshal patch ephemeral runner set", "error", err.Error())
 		return 0, err
 	}
 
@@ -218,30 +221,31 @@ func (w *Worker) HandleDesiredRunnerCount(ctx context.Context, count, jobsComple
 		"name", w.config.EphemeralRunnerSetName,
 		"replicas", patchedEphemeralRunnerSet.Spec.Replicas,
 	)
-	return w.lastPatch, nil
+	return w.targetRunners, nil
 }
 
 // calculateDesiredState calculates the desired state of the worker based on the desired count and the the number of jobs completed.
-func (w *Worker) setDesiredWorkerState(count, jobsCompleted int) int {
-	// Max runners should always be set by the resource builder either to the configured value,
-	// or the maximum int32 (resourcebuilder.newAutoScalingListener()).
-	targetRunnerCount := min(w.config.MinRunners+count, w.config.MaxRunners)
-	w.patchSeq++
-	desiredPatchID := w.patchSeq
+func (w *Scaler) setDesiredWorkerState(count int) int {
+	dirty := w.dirty
+	w.dirty = false
 
-	if count == 0 && jobsCompleted == 0 { // empty batch
-		targetRunnerCount = max(w.lastPatch, targetRunnerCount)
-		if targetRunnerCount == w.config.MinRunners {
-			// We have an empty batch, and the last patch was the min runners.
-			// Since this is an empty batch, and we are at the min runners, they should all be idle.
-			// If controller created few more pods on accident (during scale down events),
-			// this situation allows the controller to scale down to the min runners.
-			// However, it is important to keep the patch sequence increasing so we don't ignore one batch.
-			desiredPatchID = 0
-		}
+	if w.patchSeq == math.MaxInt32 {
+		w.patchSeq = 0
 	}
+	w.patchSeq++
 
-	w.lastPatch = targetRunnerCount
+	targetRunnerCount := min(w.config.MinRunners+count, w.config.MaxRunners)
+	oldTargetRunners := w.targetRunners
+	w.targetRunners = targetRunnerCount
+
+	desiredPatchID := w.patchSeq
+	if !dirty && targetRunnerCount == oldTargetRunners && targetRunnerCount == w.config.MinRunners {
+		// If there were no events sent, and the target runner count
+		// is the same as the last patched count, we can force the state.
+		//
+		// TODO: see to remove w.config.MinRunenrs from the equation, as it is not relevant to the decision of whether to patch or not.
+		desiredPatchID = 0
+	}
 
 	w.logger.Info(
 		"Calculated target runner count",
@@ -249,8 +253,7 @@ func (w *Worker) setDesiredWorkerState(count, jobsCompleted int) int {
 		"decision", targetRunnerCount,
 		"min", w.config.MinRunners,
 		"max", w.config.MaxRunners,
-		"currentRunnerCount", w.lastPatch,
-		"jobsCompleted", jobsCompleted,
+		"currentRunnerCount", w.targetRunners,
 	)
 
 	return desiredPatchID

cmd/ghalistener/scaler/scaler_test.go

@@ -1,326 +1,334 @@
-package worker
+package scaler
 
 import (
+	"log/slog"
 	"math"
 	"testing"
 
-	"github.com/go-logr/logr"
 	"github.com/stretchr/testify/assert"
 )
 
+var discardLogger = slog.New(slog.DiscardHandler)
+
 func TestSetDesiredWorkerState_MinMaxDefaults(t *testing.T) {
-	logger := logr.Discard()
-	newEmptyWorker := func() *Worker {
-		return &Worker{
+	newEmptyWorker := func() *Scaler {
+		return &Scaler{
 			config: Config{
 				MinRunners: 0,
 				MaxRunners: math.MaxInt32,
 			},
-			lastPatch: -1,
-			patchSeq:  -1,
-			logger:    &logger,
+			targetRunners: -1,
+			patchSeq:      -1,
+			logger:        discardLogger,
 		}
 	}
 
 	t.Run("init calculate with acquired 0", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(0, 0)
-		assert.Equal(t, 0, w.lastPatch)
+		patchID := w.setDesiredWorkerState(0)
+		assert.False(t, w.dirty)
+		assert.Equal(t, 0, w.targetRunners)
 		assert.Equal(t, 0, w.patchSeq)
 		assert.Equal(t, 0, patchID)
 	})
 
 	t.Run("init calculate with acquired 1", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(1, 0)
-		assert.Equal(t, 1, w.lastPatch)
+		patchID := w.setDesiredWorkerState(1)
+		assert.False(t, w.dirty)
+		assert.Equal(t, 1, w.targetRunners)
 		assert.Equal(t, 0, w.patchSeq)
 		assert.Equal(t, 0, patchID)
 	})
 
 	t.Run("increment patch when job done", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(1, 0)
+		patchID := w.setDesiredWorkerState(1)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		patchID = w.setDesiredWorkerState(0, 1)
+		w.dirty = true
+		patchID = w.setDesiredWorkerState(0)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 1, patchID)
-		assert.Equal(t, 0, w.lastPatch)
+		assert.Equal(t, 0, w.targetRunners)
 		assert.Equal(t, 1, w.patchSeq)
 	})
 
 	t.Run("increment patch when called with same parameters", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(1, 0)
+		patchID := w.setDesiredWorkerState(1)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		patchID = w.setDesiredWorkerState(1, 0)
+		patchID = w.setDesiredWorkerState(1)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 1, patchID)
-		assert.Equal(t, 1, w.lastPatch)
+		assert.Equal(t, 1, w.targetRunners)
 		assert.Equal(t, 1, w.patchSeq)
 	})
 
 	t.Run("calculate desired scale when acquired > 0 and completed > 0", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(1, 1)
+		w.dirty = true
+		patchID := w.setDesiredWorkerState(1)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		assert.Equal(t, 1, w.lastPatch)
+		assert.Equal(t, 1, w.targetRunners)
 		assert.Equal(t, 0, w.patchSeq)
 	})
 
-	t.Run("re-use the last state when acquired == 0 and completed == 0", func(t *testing.T) {
-		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(1, 0)
-		assert.Equal(t, 0, patchID)
-		patchID = w.setDesiredWorkerState(0, 0)
-		assert.Equal(t, 1, patchID)
-		assert.Equal(t, 1, w.lastPatch)
-		assert.Equal(t, 1, w.patchSeq)
-	})
-
 	t.Run("adjust when acquired == 0 and completed == 1", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(1, 1)
+		w.dirty = true
+		patchID := w.setDesiredWorkerState(1)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		patchID = w.setDesiredWorkerState(0, 1)
+		assert.False(t, w.dirty)
+		w.dirty = true
+		patchID = w.setDesiredWorkerState(0)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 1, patchID)
-		assert.Equal(t, 0, w.lastPatch)
+		assert.Equal(t, 0, w.targetRunners)
 		assert.Equal(t, 1, w.patchSeq)
 	})
 }
 
 func TestSetDesiredWorkerState_MinSet(t *testing.T) {
-	logger := logr.Discard()
-	newEmptyWorker := func() *Worker {
-		return &Worker{
+	newEmptyWorker := func() *Scaler {
+		return &Scaler{
 			config: Config{
 				MinRunners: 1,
 				MaxRunners: math.MaxInt32,
 			},
-			lastPatch: -1,
-			patchSeq:  -1,
-			logger:    &logger,
+			targetRunners: -1,
+			patchSeq:      -1,
+			logger:        discardLogger,
 		}
 	}
 
 	t.Run("initial scale when acquired == 0 and completed == 0", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(0, 0)
+		patchID := w.setDesiredWorkerState(0)
+		assert.False(t, w.dirty)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		assert.Equal(t, 1, w.lastPatch)
+		assert.Equal(t, 1, w.targetRunners)
 		assert.Equal(t, 0, w.patchSeq)
 	})
 
-	t.Run("re-use the old state on count == 0 and completed == 0", func(t *testing.T) {
-		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(2, 0)
-		assert.Equal(t, 0, patchID)
-		patchID = w.setDesiredWorkerState(0, 0)
-		assert.Equal(t, 1, patchID)
-		assert.Equal(t, 3, w.lastPatch)
-		assert.Equal(t, 1, w.patchSeq)
-	})
-
 	t.Run("request back to 0 on job done", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(2, 0)
+		patchID := w.setDesiredWorkerState(2)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		patchID = w.setDesiredWorkerState(0, 1)
+
+		w.dirty = true
+		patchID = w.setDesiredWorkerState(0)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 1, patchID)
-		assert.Equal(t, 1, w.lastPatch)
+		assert.Equal(t, 1, w.targetRunners)
 		assert.Equal(t, 1, w.patchSeq)
 	})
 
 	t.Run("desired patch is 0 but sequence continues on empty batch and min runners", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(3, 0)
+		patchID := w.setDesiredWorkerState(3)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		assert.Equal(t, 4, w.lastPatch)
+		assert.Equal(t, 4, w.targetRunners)
 		assert.Equal(t, 0, w.patchSeq)
 
-		patchID = w.setDesiredWorkerState(0, 3)
+		w.dirty = true
+		patchID = w.setDesiredWorkerState(0)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 1, patchID)
-		assert.Equal(t, 1, w.lastPatch)
+		assert.Equal(t, 1, w.targetRunners)
 		assert.Equal(t, 1, w.patchSeq)
 
 		// Empty batch on min runners
-		patchID = w.setDesiredWorkerState(0, 0)
+		patchID = w.setDesiredWorkerState(0)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID) // forcing the state
-		assert.Equal(t, 1, w.lastPatch)
+		assert.Equal(t, 1, w.targetRunners)
 		assert.Equal(t, 2, w.patchSeq)
 	})
-
 }
 
 func TestSetDesiredWorkerState_MaxSet(t *testing.T) {
-	logger := logr.Discard()
-	newEmptyWorker := func() *Worker {
-		return &Worker{
+	newEmptyWorker := func() *Scaler {
+		return &Scaler{
 			config: Config{
 				MinRunners: 0,
 				MaxRunners: 5,
 			},
-			lastPatch: -1,
-			patchSeq:  -1,
-			logger:    &logger,
+			targetRunners: -1,
+			patchSeq:      -1,
+			logger:        discardLogger,
 		}
 	}
 
 	t.Run("initial scale when acquired == 0 and completed == 0", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(0, 0)
+		patchID := w.setDesiredWorkerState(0)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		assert.Equal(t, 0, w.lastPatch)
+		assert.Equal(t, 0, w.targetRunners)
 		assert.Equal(t, 0, w.patchSeq)
 	})
 
-	t.Run("re-use the old state on count == 0 and completed == 0", func(t *testing.T) {
-		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(2, 0)
-		assert.Equal(t, 0, patchID)
-		patchID = w.setDesiredWorkerState(0, 0)
-		assert.Equal(t, 1, patchID)
-		assert.Equal(t, 2, w.lastPatch)
-		assert.Equal(t, 1, w.patchSeq)
-	})
-
 	t.Run("request back to 0 on job done", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(2, 0)
+		patchID := w.setDesiredWorkerState(2)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		patchID = w.setDesiredWorkerState(0, 1)
+
+		w.dirty = true
+		patchID = w.setDesiredWorkerState(0)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 1, patchID)
-		assert.Equal(t, 0, w.lastPatch)
+		assert.Equal(t, 0, w.targetRunners)
 		assert.Equal(t, 1, w.patchSeq)
 	})
 
 	t.Run("scale up to max when count > max", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(6, 0)
+		patchID := w.setDesiredWorkerState(6)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		assert.Equal(t, 5, w.lastPatch)
+		assert.Equal(t, 5, w.targetRunners)
 		assert.Equal(t, 0, w.patchSeq)
 	})
 
 	t.Run("scale to max when count == max", func(t *testing.T) {
 		w := newEmptyWorker()
-		w.setDesiredWorkerState(5, 0)
-		assert.Equal(t, 5, w.lastPatch)
+		w.setDesiredWorkerState(5)
+		assert.False(t, w.dirty)
+		assert.Equal(t, 5, w.targetRunners)
 		assert.Equal(t, 0, w.patchSeq)
 	})
 
 	t.Run("scale to max when count > max and completed > 0", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(1, 0)
+		patchID := w.setDesiredWorkerState(1)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		patchID = w.setDesiredWorkerState(6, 1)
+
+		w.dirty = true
+		patchID = w.setDesiredWorkerState(6)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 1, patchID)
-		assert.Equal(t, 5, w.lastPatch)
+		assert.Equal(t, 5, w.targetRunners)
 		assert.Equal(t, 1, w.patchSeq)
 	})
 
 	t.Run("scale back to 0 when count was > max", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(6, 0)
+		patchID := w.setDesiredWorkerState(6)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		patchID = w.setDesiredWorkerState(0, 1)
+
+		w.dirty = true
+		patchID = w.setDesiredWorkerState(0)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 1, patchID)
-		assert.Equal(t, 0, w.lastPatch)
+		assert.Equal(t, 0, w.targetRunners)
 		assert.Equal(t, 1, w.patchSeq)
 	})
 
 	t.Run("force 0 on empty batch and last patch == min runners", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(3, 0)
+		patchID := w.setDesiredWorkerState(3)
 		assert.Equal(t, 0, patchID)
-		assert.Equal(t, 3, w.lastPatch)
+		assert.Equal(t, 3, w.targetRunners)
 		assert.Equal(t, 0, w.patchSeq)
 
-		patchID = w.setDesiredWorkerState(0, 3)
+		w.dirty = true
+		patchID = w.setDesiredWorkerState(0)
 		assert.Equal(t, 1, patchID)
-		assert.Equal(t, 0, w.lastPatch)
+		assert.Equal(t, 0, w.targetRunners)
 		assert.Equal(t, 1, w.patchSeq)
 
 		// Empty batch on min runners
-		patchID = w.setDesiredWorkerState(0, 0)
+		patchID = w.setDesiredWorkerState(0)
 		assert.Equal(t, 0, patchID) // forcing the state
-		assert.Equal(t, 0, w.lastPatch)
+		assert.Equal(t, 0, w.targetRunners)
 		assert.Equal(t, 2, w.patchSeq)
 	})
 }
 
 func TestSetDesiredWorkerState_MinMaxSet(t *testing.T) {
-	logger := logr.Discard()
-	newEmptyWorker := func() *Worker {
-		return &Worker{
+	newEmptyWorker := func() *Scaler {
+		return &Scaler{
 			config: Config{
 				MinRunners: 1,
 				MaxRunners: 3,
 			},
-			lastPatch: -1,
-			patchSeq:  -1,
-			logger:    &logger,
+			targetRunners: -1,
+			patchSeq:      -1,
+			logger:        discardLogger,
 		}
 	}
 
 	t.Run("initial scale when acquired == 0 and completed == 0", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(0, 0)
+		patchID := w.setDesiredWorkerState(0)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		assert.Equal(t, 1, w.lastPatch)
+		assert.Equal(t, 1, w.targetRunners)
 		assert.Equal(t, 0, w.patchSeq)
 	})
 
-	t.Run("re-use the old state on count == 0 and completed == 0", func(t *testing.T) {
-		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(2, 0)
-		assert.Equal(t, 0, patchID)
-		patchID = w.setDesiredWorkerState(0, 0)
-		assert.Equal(t, 1, patchID)
-		assert.Equal(t, 3, w.lastPatch)
-		assert.Equal(t, 1, w.patchSeq)
-	})
-
 	t.Run("scale to min when count == 0", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(2, 0)
+		patchID := w.setDesiredWorkerState(2)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		patchID = w.setDesiredWorkerState(0, 1)
+
+		w.dirty = true
+		patchID = w.setDesiredWorkerState(0)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 1, patchID)
-		assert.Equal(t, 1, w.lastPatch)
+		assert.Equal(t, 1, w.targetRunners)
 		assert.Equal(t, 1, w.patchSeq)
 	})
 
 	t.Run("scale up to max when count > max", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(4, 0)
+		patchID := w.setDesiredWorkerState(4)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		assert.Equal(t, 3, w.lastPatch)
+		assert.Equal(t, 3, w.targetRunners)
 		assert.Equal(t, 0, w.patchSeq)
 	})
 
 	t.Run("scale to max when count == max", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(3, 0)
+		patchID := w.setDesiredWorkerState(3)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		assert.Equal(t, 3, w.lastPatch)
+		assert.Equal(t, 3, w.targetRunners)
 		assert.Equal(t, 0, w.patchSeq)
 	})
 
 	t.Run("force 0 on empty batch and last patch == min runners", func(t *testing.T) {
 		w := newEmptyWorker()
-		patchID := w.setDesiredWorkerState(3, 0)
+		patchID := w.setDesiredWorkerState(3)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID)
-		assert.Equal(t, 3, w.lastPatch)
+		assert.Equal(t, 3, w.targetRunners)
 		assert.Equal(t, 0, w.patchSeq)
 
-		patchID = w.setDesiredWorkerState(0, 3)
+		w.dirty = true
+		patchID = w.setDesiredWorkerState(0)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 1, patchID)
-		assert.Equal(t, 1, w.lastPatch)
+		assert.Equal(t, 1, w.targetRunners)
 		assert.Equal(t, 1, w.patchSeq)
 
 		// Empty batch on min runners
-		patchID = w.setDesiredWorkerState(0, 0)
+		patchID = w.setDesiredWorkerState(0)
+		assert.False(t, w.dirty)
 		assert.Equal(t, 0, patchID) // forcing the state
-		assert.Equal(t, 1, w.lastPatch)
+		assert.Equal(t, 1, w.targetRunners)
 		assert.Equal(t, 2, w.patchSeq)
 	})
 }

config/crd/bases/actions.github.com_ephemeralrunners.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.2
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: ephemeralrunners.actions.github.com
 spec:
   group: actions.github.com
@@ -36,6 +36,9 @@ spec:
         - jsonPath: .status.jobDisplayName
           name: JobDisplayName
           type: string
+        - jsonPath: .status.jobId
+          name: JobId
+          type: string
         - jsonPath: .status.message
           name: Message
           type: string
@@ -427,7 +430,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                           Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -442,7 +444,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                           Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -603,7 +604,6 @@ spec:
                                       pod labels will be ignored. The default value is empty.
                                       The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                       Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                     items:
                                       type: string
                                     type: array
@@ -618,7 +618,6 @@ spec:
                                       pod labels will be ignored. The default value is empty.
                                       The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                       Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                     items:
                                       type: string
                                     type: array
@@ -707,8 +706,8 @@ spec:
                                 most preferred is the one with the greatest sum of weights, i.e.
                                 for each node that meets all of the scheduling requirements (resource
                                 request, requiredDuringScheduling anti-affinity expressions, etc.),
-                                compute a sum by iterating through the elements of this field and adding
-                                "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                compute a sum by iterating through the elements of this field and subtracting
+                                "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
                                 node(s) with the highest sum are the most preferred.
                               items:
                                 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
@@ -772,7 +771,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                           Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -787,7 +785,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                           Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -948,7 +945,6 @@ spec:
                                       pod labels will be ignored. The default value is empty.
                                       The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                       Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                     items:
                                       type: string
                                     type: array
@@ -963,7 +959,6 @@ spec:
                                       pod labels will be ignored. The default value is empty.
                                       The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                       Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                     items:
                                       type: string
                                     type: array
@@ -1090,7 +1085,9 @@ spec:
                               description: EnvVar represents an environment variable present in a Container.
                               properties:
                                 name:
-                                  description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                  description: |-
+                                    Name of the environment variable.
+                                    May consist of any printable ASCII characters except '='.
                                   type: string
                                 value:
                                   description: |-
@@ -1144,6 +1141,42 @@ spec:
                                         - fieldPath
                                       type: object
                                       x-kubernetes-map-type: atomic
+                                    fileKeyRef:
+                                      description: |-
+                                        FileKeyRef selects a key of the env file.
+                                        Requires the EnvFiles feature gate to be enabled.
+                                      properties:
+                                        key:
+                                          description: |-
+                                            The key within the env file. An invalid key will prevent the pod from starting.
+                                            The keys defined within a source may consist of any printable ASCII characters except '='.
+                                            During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                          type: string
+                                        optional:
+                                          default: false
+                                          description: |-
+                                            Specify whether the file or its key must be defined. If the file or key
+                                            does not exist, then the env var is not published.
+                                            If optional is set to true and the specified key does not exist,
+                                            the environment variable will not be set in the Pod's containers.
+
+                                            If optional is set to false and the specified key does not exist,
+                                            an error will be returned during Pod creation.
+                                          type: boolean
+                                        path:
+                                          description: |-
+                                            The path within the volume from which to select the file.
+                                            Must be relative and may not contain the '..' path or start with '..'.
+                                          type: string
+                                        volumeName:
+                                          description: The name of the volume mount containing the env file.
+                                          type: string
+                                      required:
+                                        - key
+                                        - path
+                                        - volumeName
+                                      type: object
+                                      x-kubernetes-map-type: atomic
                                     resourceFieldRef:
                                       description: |-
                                         Selects a resource of the container: only resources limits and requests
@@ -1199,13 +1232,13 @@ spec:
                           envFrom:
                             description: |-
                               List of sources to populate environment variables in the container.
-                              The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                              will be reported as an event when the container is starting. When a key exists in multiple
+                              The keys defined within a source may consist of any printable ASCII characters except '='.
+                              When a key exists in multiple
                               sources, the value associated with the last source will take precedence.
                               Values defined by an Env with a duplicate key will take precedence.
                               Cannot be updated.
                             items:
-                              description: EnvFromSource represents the source of a set of ConfigMaps
+                              description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                               properties:
                                 configMapRef:
                                   description: The ConfigMap to select from
@@ -1225,7 +1258,9 @@ spec:
                                   type: object
                                   x-kubernetes-map-type: atomic
                                 prefix:
-                                  description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                  description: |-
+                                    Optional text to prepend to the name of each environment variable.
+                                    May consist of any printable ASCII characters except '='.
                                   type: string
                                 secretRef:
                                   description: The Secret to select from
@@ -1474,6 +1509,12 @@ spec:
                                       - port
                                     type: object
                                 type: object
+                              stopSignal:
+                                description: |-
+                                  StopSignal defines which signal will be sent to a container when it is being stopped.
+                                  If not specified, the default is defined by the container runtime in use.
+                                  StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                type: string
                             type: object
                           livenessProbe:
                             description: |-
@@ -1864,7 +1905,7 @@ spec:
                                   Claims lists the names of resources, defined in spec.resourceClaims,
                                   that are used by this container.
 
-                                  This is an alpha field and requires enabling the
+                                  This field depends on the
                                   DynamicResourceAllocation feature gate.
 
                                   This field is immutable. It can only be set for containers.
@@ -1915,10 +1956,10 @@ spec:
                           restartPolicy:
                             description: |-
                               RestartPolicy defines the restart behavior of individual containers in a pod.
-                              This field may only be set for init containers, and the only allowed value is "Always".
-                              For non-init containers or when this field is not specified,
+                              This overrides the pod-level restart policy. When this field is not specified,
                               the restart behavior is defined by the Pod's restart policy and the container type.
-                              Setting the RestartPolicy as "Always" for the init container will have the following effect:
+                              Additionally, setting the RestartPolicy as "Always" for the init container will
+                              have the following effect:
                               this init container will be continually restarted on
                               exit until all regular containers have terminated. Once all regular
                               containers have completed, all init containers with restartPolicy "Always"
@@ -1930,6 +1971,57 @@ spec:
                               init container is started, or after any startupProbe has successfully
                               completed.
                             type: string
+                          restartPolicyRules:
+                            description: |-
+                              Represents a list of rules to be checked to determine if the
+                              container should be restarted on exit. The rules are evaluated in
+                              order. Once a rule matches a container exit condition, the remaining
+                              rules are ignored. If no rule matches the container exit condition,
+                              the Container-level restart policy determines the whether the container
+                              is restarted or not. Constraints on the rules:
+                              - At most 20 rules are allowed.
+                              - Rules can have the same action.
+                              - Identical rules are not forbidden in validations.
+                              When rules are specified, container MUST set RestartPolicy explicitly
+                              even it if matches the Pod's RestartPolicy.
+                            items:
+                              description: ContainerRestartRule describes how a container exit is handled.
+                              properties:
+                                action:
+                                  description: |-
+                                    Specifies the action taken on a container exit if the requirements
+                                    are satisfied. The only possible value is "Restart" to restart the
+                                    container.
+                                  type: string
+                                exitCodes:
+                                  description: Represents the exit codes to check on container exits.
+                                  properties:
+                                    operator:
+                                      description: |-
+                                        Represents the relationship between the container exit code(s) and the
+                                        specified values. Possible values are:
+                                        - In: the requirement is satisfied if the container exit code is in the
+                                          set of specified values.
+                                        - NotIn: the requirement is satisfied if the container exit code is
+                                          not in the set of specified values.
+                                      type: string
+                                    values:
+                                      description: |-
+                                        Specifies the set of values to check for container exit codes.
+                                        At most 255 elements are allowed.
+                                      items:
+                                        format: int32
+                                        type: integer
+                                      type: array
+                                      x-kubernetes-list-type: set
+                                  required:
+                                    - operator
+                                  type: object
+                              required:
+                                - action
+                              type: object
+                            type: array
+                            x-kubernetes-list-type: atomic
                           securityContext:
                             description: |-
                               SecurityContext defines the security options the container should be run with.
@@ -2527,7 +2619,9 @@ spec:
                               description: EnvVar represents an environment variable present in a Container.
                               properties:
                                 name:
-                                  description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                  description: |-
+                                    Name of the environment variable.
+                                    May consist of any printable ASCII characters except '='.
                                   type: string
                                 value:
                                   description: |-
@@ -2581,6 +2675,42 @@ spec:
                                         - fieldPath
                                       type: object
                                       x-kubernetes-map-type: atomic
+                                    fileKeyRef:
+                                      description: |-
+                                        FileKeyRef selects a key of the env file.
+                                        Requires the EnvFiles feature gate to be enabled.
+                                      properties:
+                                        key:
+                                          description: |-
+                                            The key within the env file. An invalid key will prevent the pod from starting.
+                                            The keys defined within a source may consist of any printable ASCII characters except '='.
+                                            During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                          type: string
+                                        optional:
+                                          default: false
+                                          description: |-
+                                            Specify whether the file or its key must be defined. If the file or key
+                                            does not exist, then the env var is not published.
+                                            If optional is set to true and the specified key does not exist,
+                                            the environment variable will not be set in the Pod's containers.
+
+                                            If optional is set to false and the specified key does not exist,
+                                            an error will be returned during Pod creation.
+                                          type: boolean
+                                        path:
+                                          description: |-
+                                            The path within the volume from which to select the file.
+                                            Must be relative and may not contain the '..' path or start with '..'.
+                                          type: string
+                                        volumeName:
+                                          description: The name of the volume mount containing the env file.
+                                          type: string
+                                      required:
+                                        - key
+                                        - path
+                                        - volumeName
+                                      type: object
+                                      x-kubernetes-map-type: atomic
                                     resourceFieldRef:
                                       description: |-
                                         Selects a resource of the container: only resources limits and requests
@@ -2636,13 +2766,13 @@ spec:
                           envFrom:
                             description: |-
                               List of sources to populate environment variables in the container.
-                              The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                              will be reported as an event when the container is starting. When a key exists in multiple
+                              The keys defined within a source may consist of any printable ASCII characters except '='.
+                              When a key exists in multiple
                               sources, the value associated with the last source will take precedence.
                               Values defined by an Env with a duplicate key will take precedence.
                               Cannot be updated.
                             items:
-                              description: EnvFromSource represents the source of a set of ConfigMaps
+                              description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                               properties:
                                 configMapRef:
                                   description: The ConfigMap to select from
@@ -2662,7 +2792,9 @@ spec:
                                   type: object
                                   x-kubernetes-map-type: atomic
                                 prefix:
-                                  description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                  description: |-
+                                    Optional text to prepend to the name of each environment variable.
+                                    May consist of any printable ASCII characters except '='.
                                   type: string
                                 secretRef:
                                   description: The Secret to select from
@@ -2907,6 +3039,12 @@ spec:
                                       - port
                                     type: object
                                 type: object
+                              stopSignal:
+                                description: |-
+                                  StopSignal defines which signal will be sent to a container when it is being stopped.
+                                  If not specified, the default is defined by the container runtime in use.
+                                  StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                type: string
                             type: object
                           livenessProbe:
                             description: Probes are not allowed for ephemeral containers.
@@ -3280,7 +3418,7 @@ spec:
                                   Claims lists the names of resources, defined in spec.resourceClaims,
                                   that are used by this container.
 
-                                  This is an alpha field and requires enabling the
+                                  This field depends on the
                                   DynamicResourceAllocation feature gate.
 
                                   This field is immutable. It can only be set for containers.
@@ -3332,9 +3470,51 @@ spec:
                             description: |-
                               Restart policy for the container to manage the restart behavior of each
                               container within a pod.
-                              This may only be set for init containers. You cannot set this field on
-                              ephemeral containers.
+                              You cannot set this field on ephemeral containers.
                             type: string
+                          restartPolicyRules:
+                            description: |-
+                              Represents a list of rules to be checked to determine if the
+                              container should be restarted on exit. You cannot set this field on
+                              ephemeral containers.
+                            items:
+                              description: ContainerRestartRule describes how a container exit is handled.
+                              properties:
+                                action:
+                                  description: |-
+                                    Specifies the action taken on a container exit if the requirements
+                                    are satisfied. The only possible value is "Restart" to restart the
+                                    container.
+                                  type: string
+                                exitCodes:
+                                  description: Represents the exit codes to check on container exits.
+                                  properties:
+                                    operator:
+                                      description: |-
+                                        Represents the relationship between the container exit code(s) and the
+                                        specified values. Possible values are:
+                                        - In: the requirement is satisfied if the container exit code is in the
+                                          set of specified values.
+                                        - NotIn: the requirement is satisfied if the container exit code is
+                                          not in the set of specified values.
+                                      type: string
+                                    values:
+                                      description: |-
+                                        Specifies the set of values to check for container exit codes.
+                                        At most 255 elements are allowed.
+                                      items:
+                                        format: int32
+                                        type: integer
+                                      type: array
+                                      x-kubernetes-list-type: set
+                                  required:
+                                    - operator
+                                  type: object
+                              required:
+                                - action
+                              type: object
+                            type: array
+                            x-kubernetes-list-type: atomic
                           securityContext:
                             description: |-
                               Optional: SecurityContext defines the security options the ephemeral container should be run with.
@@ -3853,7 +4033,9 @@ spec:
                     hostNetwork:
                       description: |-
                         Host networking requested for this pod. Use the host's network namespace.
-                        If this option is set, the ports that will be used must be specified.
+                        When using HostNetwork you should specify ports so the scheduler is aware.
+                        When `hostNetwork` is true, specified `hostPort` fields in port definitions must match `containerPort`,
+                        and unspecified `hostPort` fields in port definitions are defaulted to match `containerPort`.
                         Default to false.
                       type: boolean
                     hostPID:
@@ -3878,6 +4060,19 @@ spec:
                         Specifies the hostname of the Pod
                         If not specified, the pod's hostname will be set to a system-defined value.
                       type: string
+                    hostnameOverride:
+                      description: |-
+                        HostnameOverride specifies an explicit override for the pod's hostname as perceived by the pod.
+                        This field only specifies the pod's hostname and does not affect its DNS records.
+                        When this field is set to a non-empty string:
+                        - It takes precedence over the values set in `hostname` and `subdomain`.
+                        - The Pod's hostname will be set to this value.
+                        - `setHostnameAsFQDN` must be nil or set to false.
+                        - `hostNetwork` must be set to false.
+
+                        This field must be a valid DNS subdomain as defined in RFC 1123 and contain at most 64 characters.
+                        Requires the HostnameOverride feature gate to be enabled.
+                      type: string
                     imagePullSecrets:
                       description: |-
                         ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
@@ -3913,7 +4108,7 @@ spec:
                         Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes.
                         The resourceRequirements of an init container are taken into account during scheduling
                         by finding the highest request/limit for each resource type, and then using the max of
-                        of that value or the sum of the normal containers. Limits are applied to init containers
+                        that value or the sum of the normal containers. Limits are applied to init containers
                         in a similar fashion.
                         Init containers cannot currently be added or removed.
                         Cannot be updated.
@@ -3957,7 +4152,9 @@ spec:
                               description: EnvVar represents an environment variable present in a Container.
                               properties:
                                 name:
-                                  description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                  description: |-
+                                    Name of the environment variable.
+                                    May consist of any printable ASCII characters except '='.
                                   type: string
                                 value:
                                   description: |-
@@ -4011,6 +4208,42 @@ spec:
                                         - fieldPath
                                       type: object
                                       x-kubernetes-map-type: atomic
+                                    fileKeyRef:
+                                      description: |-
+                                        FileKeyRef selects a key of the env file.
+                                        Requires the EnvFiles feature gate to be enabled.
+                                      properties:
+                                        key:
+                                          description: |-
+                                            The key within the env file. An invalid key will prevent the pod from starting.
+                                            The keys defined within a source may consist of any printable ASCII characters except '='.
+                                            During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                          type: string
+                                        optional:
+                                          default: false
+                                          description: |-
+                                            Specify whether the file or its key must be defined. If the file or key
+                                            does not exist, then the env var is not published.
+                                            If optional is set to true and the specified key does not exist,
+                                            the environment variable will not be set in the Pod's containers.
+
+                                            If optional is set to false and the specified key does not exist,
+                                            an error will be returned during Pod creation.
+                                          type: boolean
+                                        path:
+                                          description: |-
+                                            The path within the volume from which to select the file.
+                                            Must be relative and may not contain the '..' path or start with '..'.
+                                          type: string
+                                        volumeName:
+                                          description: The name of the volume mount containing the env file.
+                                          type: string
+                                      required:
+                                        - key
+                                        - path
+                                        - volumeName
+                                      type: object
+                                      x-kubernetes-map-type: atomic
                                     resourceFieldRef:
                                       description: |-
                                         Selects a resource of the container: only resources limits and requests
@@ -4066,13 +4299,13 @@ spec:
                           envFrom:
                             description: |-
                               List of sources to populate environment variables in the container.
-                              The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                              will be reported as an event when the container is starting. When a key exists in multiple
+                              The keys defined within a source may consist of any printable ASCII characters except '='.
+                              When a key exists in multiple
                               sources, the value associated with the last source will take precedence.
                               Values defined by an Env with a duplicate key will take precedence.
                               Cannot be updated.
                             items:
-                              description: EnvFromSource represents the source of a set of ConfigMaps
+                              description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                               properties:
                                 configMapRef:
                                   description: The ConfigMap to select from
@@ -4092,7 +4325,9 @@ spec:
                                   type: object
                                   x-kubernetes-map-type: atomic
                                 prefix:
-                                  description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                  description: |-
+                                    Optional text to prepend to the name of each environment variable.
+                                    May consist of any printable ASCII characters except '='.
                                   type: string
                                 secretRef:
                                   description: The Secret to select from
@@ -4341,6 +4576,12 @@ spec:
                                       - port
                                     type: object
                                 type: object
+                              stopSignal:
+                                description: |-
+                                  StopSignal defines which signal will be sent to a container when it is being stopped.
+                                  If not specified, the default is defined by the container runtime in use.
+                                  StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                type: string
                             type: object
                           livenessProbe:
                             description: |-
@@ -4731,7 +4972,7 @@ spec:
                                   Claims lists the names of resources, defined in spec.resourceClaims,
                                   that are used by this container.
 
-                                  This is an alpha field and requires enabling the
+                                  This field depends on the
                                   DynamicResourceAllocation feature gate.
 
                                   This field is immutable. It can only be set for containers.
@@ -4782,10 +5023,10 @@ spec:
                           restartPolicy:
                             description: |-
                               RestartPolicy defines the restart behavior of individual containers in a pod.
-                              This field may only be set for init containers, and the only allowed value is "Always".
-                              For non-init containers or when this field is not specified,
+                              This overrides the pod-level restart policy. When this field is not specified,
                               the restart behavior is defined by the Pod's restart policy and the container type.
-                              Setting the RestartPolicy as "Always" for the init container will have the following effect:
+                              Additionally, setting the RestartPolicy as "Always" for the init container will
+                              have the following effect:
                               this init container will be continually restarted on
                               exit until all regular containers have terminated. Once all regular
                               containers have completed, all init containers with restartPolicy "Always"
@@ -4797,6 +5038,57 @@ spec:
                               init container is started, or after any startupProbe has successfully
                               completed.
                             type: string
+                          restartPolicyRules:
+                            description: |-
+                              Represents a list of rules to be checked to determine if the
+                              container should be restarted on exit. The rules are evaluated in
+                              order. Once a rule matches a container exit condition, the remaining
+                              rules are ignored. If no rule matches the container exit condition,
+                              the Container-level restart policy determines the whether the container
+                              is restarted or not. Constraints on the rules:
+                              - At most 20 rules are allowed.
+                              - Rules can have the same action.
+                              - Identical rules are not forbidden in validations.
+                              When rules are specified, container MUST set RestartPolicy explicitly
+                              even it if matches the Pod's RestartPolicy.
+                            items:
+                              description: ContainerRestartRule describes how a container exit is handled.
+                              properties:
+                                action:
+                                  description: |-
+                                    Specifies the action taken on a container exit if the requirements
+                                    are satisfied. The only possible value is "Restart" to restart the
+                                    container.
+                                  type: string
+                                exitCodes:
+                                  description: Represents the exit codes to check on container exits.
+                                  properties:
+                                    operator:
+                                      description: |-
+                                        Represents the relationship between the container exit code(s) and the
+                                        specified values. Possible values are:
+                                        - In: the requirement is satisfied if the container exit code is in the
+                                          set of specified values.
+                                        - NotIn: the requirement is satisfied if the container exit code is
+                                          not in the set of specified values.
+                                      type: string
+                                    values:
+                                      description: |-
+                                        Specifies the set of values to check for container exit codes.
+                                        At most 255 elements are allowed.
+                                      items:
+                                        format: int32
+                                        type: integer
+                                      type: array
+                                      x-kubernetes-list-type: set
+                                  required:
+                                    - operator
+                                  type: object
+                              required:
+                                - action
+                              type: object
+                            type: array
+                            x-kubernetes-list-type: atomic
                           securityContext:
                             description: |-
                               SecurityContext defines the security options the container should be run with.
@@ -5310,6 +5602,7 @@ spec:
                         - spec.hostPID
                         - spec.hostIPC
                         - spec.hostUsers
+                        - spec.resources
                         - spec.securityContext.appArmorProfile
                         - spec.securityContext.seLinuxOptions
                         - spec.securityContext.seccompProfile
@@ -5461,7 +5754,7 @@ spec:
                       description: |-
                         Resources is the total amount of CPU and Memory resources required by all
                         containers in the pod. It supports specifying Requests and Limits for
-                        "cpu" and "memory" resource names only. ResourceClaims are not supported.
+                        "cpu", "memory" and "hugepages-" resource names only. ResourceClaims are not supported.
 
                         This field enables fine-grained control over resource allocation for the
                         entire pod, allowing resource sharing among containers in a pod.
@@ -5474,7 +5767,7 @@ spec:
                             Claims lists the names of resources, defined in spec.resourceClaims,
                             that are used by this container.
 
-                            This is an alpha field and requires enabling the
+                            This field depends on the
                             DynamicResourceAllocation feature gate.
 
                             This field is immutable. It can only be set for containers.
@@ -6002,7 +6295,6 @@ spec:
                               - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
                               If this value is nil, the behavior is equivalent to the Honor policy.
-                              This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                             type: string
                           nodeTaintsPolicy:
                             description: |-
@@ -6013,7 +6305,6 @@ spec:
                               - Ignore: node taints are ignored. All nodes are included.
 
                               If this value is nil, the behavior is equivalent to the Ignore policy.
-                              This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                             type: string
                           topologyKey:
                             description: |-
@@ -6719,15 +7010,13 @@ spec:
                                           volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
                                           If specified, the CSI driver will create or update the volume with the attributes defined
                                           in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
-                                          it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
-                                          will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
-                                          If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
-                                          will be set by the persistentvolume controller if it exists.
+                                          it can be changed after the claim is created. An empty string or nil value indicates that no
+                                          VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+                                          this field can be reset to its previous value (including nil) to cancel the modification.
                                           If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
                                           set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
                                           exists.
                                           More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
-                                          (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
                                         type: string
                                       volumeMode:
                                         description: |-
@@ -6901,12 +7190,9 @@ spec:
                             description: |-
                               glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
                               Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
-                              More info: https://examples.k8s.io/volumes/glusterfs/README.md
                             properties:
                               endpoints:
-                                description: |-
-                                  endpoints is the endpoint name that details Glusterfs topology.
-                                  More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+                                description: endpoints is the endpoint name that details Glusterfs topology.
                                 type: string
                               path:
                                 description: |-
@@ -6960,7 +7246,7 @@ spec:
                               The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
                               The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
                               The volume will be mounted read-only (ro) and non-executable files (noexec).
-                              Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                              Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
                               The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
                             properties:
                               pullPolicy:
@@ -6985,7 +7271,7 @@ spec:
                             description: |-
                               iscsi represents an ISCSI Disk resource that is attached to a
                               kubelet's host machine and then exposed to the pod.
-                              More info: https://examples.k8s.io/volumes/iscsi/README.md
+                              More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
                             properties:
                               chapAuthDiscovery:
                                 description: chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
@@ -7375,6 +7661,110 @@ spec:
                                           type: array
                                           x-kubernetes-list-type: atomic
                                       type: object
+                                    podCertificate:
+                                      description: |-
+                                        Projects an auto-rotating credential bundle (private key and certificate
+                                        chain) that the pod can use either as a TLS client or server.
+
+                                        Kubelet generates a private key and uses it to send a
+                                        PodCertificateRequest to the named signer.  Once the signer approves the
+                                        request and issues a certificate chain, Kubelet writes the key and
+                                        certificate chain to the pod filesystem.  The pod does not start until
+                                        certificates have been issued for each podCertificate projected volume
+                                        source in its spec.
+
+                                        Kubelet will begin trying to rotate the certificate at the time indicated
+                                        by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+                                        timestamp.
+
+                                        Kubelet can write a single file, indicated by the credentialBundlePath
+                                        field, or separate files, indicated by the keyPath and
+                                        certificateChainPath fields.
+
+                                        The credential bundle is a single file in PEM format.  The first PEM
+                                        entry is the private key (in PKCS#8 format), and the remaining PEM
+                                        entries are the certificate chain issued by the signer (typically,
+                                        signers will return their certificate chain in leaf-to-root order).
+
+                                        Prefer using the credential bundle format, since your application code
+                                        can read it atomically.  If you use keyPath and certificateChainPath,
+                                        your application must make two separate file reads. If these coincide
+                                        with a certificate rotation, it is possible that the private key and leaf
+                                        certificate you read may not correspond to each other.  Your application
+                                        will need to check for this condition, and re-read until they are
+                                        consistent.
+
+                                        The named signer controls chooses the format of the certificate it
+                                        issues; consult the signer implementation's documentation to learn how to
+                                        use the certificates it issues.
+                                      properties:
+                                        certificateChainPath:
+                                          description: |-
+                                            Write the certificate chain at this path in the projected volume.
+
+                                            Most applications should use credentialBundlePath.  When using keyPath
+                                            and certificateChainPath, your application needs to check that the key
+                                            and leaf certificate are consistent, because it is possible to read the
+                                            files mid-rotation.
+                                          type: string
+                                        credentialBundlePath:
+                                          description: |-
+                                            Write the credential bundle at this path in the projected volume.
+
+                                            The credential bundle is a single file that contains multiple PEM blocks.
+                                            The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+                                            key.
+
+                                            The remaining blocks are CERTIFICATE blocks, containing the issued
+                                            certificate chain from the signer (leaf and any intermediates).
+
+                                            Using credentialBundlePath lets your Pod's application code make a single
+                                            atomic read that retrieves a consistent key and certificate chain.  If you
+                                            project them to separate files, your application code will need to
+                                            additionally check that the leaf certificate was issued to the key.
+                                          type: string
+                                        keyPath:
+                                          description: |-
+                                            Write the key at this path in the projected volume.
+
+                                            Most applications should use credentialBundlePath.  When using keyPath
+                                            and certificateChainPath, your application needs to check that the key
+                                            and leaf certificate are consistent, because it is possible to read the
+                                            files mid-rotation.
+                                          type: string
+                                        keyType:
+                                          description: |-
+                                            The type of keypair Kubelet will generate for the pod.
+
+                                            Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+                                            "ECDSAP521", and "ED25519".
+                                          type: string
+                                        maxExpirationSeconds:
+                                          description: |-
+                                            maxExpirationSeconds is the maximum lifetime permitted for the
+                                            certificate.
+
+                                            Kubelet copies this value verbatim into the PodCertificateRequests it
+                                            generates for this projection.
+
+                                            If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+                                            will reject values shorter than 3600 (1 hour).  The maximum allowable
+                                            value is 7862400 (91 days).
+
+                                            The signer implementation is then free to issue a certificate with any
+                                            lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+                                            seconds (1 hour).  This constraint is enforced by kube-apiserver.
+                                            `kubernetes.io` signers will never issue certificates with a lifetime
+                                            longer than 24 hours.
+                                          format: int32
+                                          type: integer
+                                        signerName:
+                                          description: Kubelet's generated CSRs will be addressed to this signer.
+                                          type: string
+                                      required:
+                                        - keyType
+                                        - signerName
+                                      type: object
                                     secret:
                                       description: secret information about the secret data to project
                                       properties:
@@ -7504,7 +7894,6 @@ spec:
                             description: |-
                               rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
                               Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
-                              More info: https://examples.k8s.io/volumes/rbd/README.md
                             properties:
                               fsType:
                                 description: |-
@@ -7784,6 +8173,53 @@ spec:
                   required:
                     - containers
                   type: object
+                vaultConfig:
+                  properties:
+                    azureKeyVault:
+                      properties:
+                        certificatePath:
+                          type: string
+                        clientId:
+                          type: string
+                        tenantId:
+                          type: string
+                        url:
+                          type: string
+                      required:
+                        - certificatePath
+                        - clientId
+                        - tenantId
+                        - url
+                      type: object
+                    proxy:
+                      properties:
+                        http:
+                          properties:
+                            credentialSecretRef:
+                              type: string
+                            url:
+                              description: Required
+                              type: string
+                          type: object
+                        https:
+                          properties:
+                            credentialSecretRef:
+                              type: string
+                            url:
+                              description: Required
+                              type: string
+                          type: object
+                        noProxy:
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type:
+                      description: |-
+                        VaultType represents the type of vault that can be used in the application.
+                        It is used to identify which vault integration should be used to resolve secrets.
+                      type: string
+                  type: object
               required:
                 - githubConfigSecret
                 - githubConfigUrl
@@ -7794,10 +8230,13 @@ spec:
               properties:
                 failures:
                   additionalProperties:
-                    type: boolean
+                    format: date-time
+                    type: string
                   type: object
                 jobDisplayName:
                   type: string
+                jobId:
+                  type: string
                 jobRepositoryName:
                   type: string
                 jobRequestId:
@@ -7826,8 +8265,6 @@ spec:
                   type: string
                 runnerId:
                   type: integer
-                runnerJITConfig:
-                  type: string
                 runnerName:
                   type: string
                 workflowRunId:
@@ -7839,4 +8276,3 @@ spec:
       storage: true
       subresources:
         status: {}
-  preserveUnknownFields: false

config/crd/bases/actions.github.com_ephemeralrunnersets.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.2
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: ephemeralrunnersets.actions.github.com
 spec:
   group: actions.github.com
@@ -421,7 +421,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                               Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -436,7 +435,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                               Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -597,7 +595,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                           Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -612,7 +609,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                           Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -701,8 +697,8 @@ spec:
                                     most preferred is the one with the greatest sum of weights, i.e.
                                     for each node that meets all of the scheduling requirements (resource
                                     request, requiredDuringScheduling anti-affinity expressions, etc.),
-                                    compute a sum by iterating through the elements of this field and adding
-                                    "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                    compute a sum by iterating through the elements of this field and subtracting
+                                    "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
                                     node(s) with the highest sum are the most preferred.
                                   items:
                                     description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
@@ -766,7 +762,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                               Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -781,7 +776,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                               Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -942,7 +936,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                           Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -957,7 +950,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                           Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -1084,7 +1076,9 @@ spec:
                                   description: EnvVar represents an environment variable present in a Container.
                                   properties:
                                     name:
-                                      description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Name of the environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     value:
                                       description: |-
@@ -1138,6 +1132,42 @@ spec:
                                             - fieldPath
                                           type: object
                                           x-kubernetes-map-type: atomic
+                                        fileKeyRef:
+                                          description: |-
+                                            FileKeyRef selects a key of the env file.
+                                            Requires the EnvFiles feature gate to be enabled.
+                                          properties:
+                                            key:
+                                              description: |-
+                                                The key within the env file. An invalid key will prevent the pod from starting.
+                                                The keys defined within a source may consist of any printable ASCII characters except '='.
+                                                During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                              type: string
+                                            optional:
+                                              default: false
+                                              description: |-
+                                                Specify whether the file or its key must be defined. If the file or key
+                                                does not exist, then the env var is not published.
+                                                If optional is set to true and the specified key does not exist,
+                                                the environment variable will not be set in the Pod's containers.
+
+                                                If optional is set to false and the specified key does not exist,
+                                                an error will be returned during Pod creation.
+                                              type: boolean
+                                            path:
+                                              description: |-
+                                                The path within the volume from which to select the file.
+                                                Must be relative and may not contain the '..' path or start with '..'.
+                                              type: string
+                                            volumeName:
+                                              description: The name of the volume mount containing the env file.
+                                              type: string
+                                          required:
+                                            - key
+                                            - path
+                                            - volumeName
+                                          type: object
+                                          x-kubernetes-map-type: atomic
                                         resourceFieldRef:
                                           description: |-
                                             Selects a resource of the container: only resources limits and requests
@@ -1193,13 +1223,13 @@ spec:
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
-                                  The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                                  will be reported as an event when the container is starting. When a key exists in multiple
+                                  The keys defined within a source may consist of any printable ASCII characters except '='.
+                                  When a key exists in multiple
                                   sources, the value associated with the last source will take precedence.
                                   Values defined by an Env with a duplicate key will take precedence.
                                   Cannot be updated.
                                 items:
-                                  description: EnvFromSource represents the source of a set of ConfigMaps
+                                  description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                                   properties:
                                     configMapRef:
                                       description: The ConfigMap to select from
@@ -1219,7 +1249,9 @@ spec:
                                       type: object
                                       x-kubernetes-map-type: atomic
                                     prefix:
-                                      description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Optional text to prepend to the name of each environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     secretRef:
                                       description: The Secret to select from
@@ -1468,6 +1500,12 @@ spec:
                                           - port
                                         type: object
                                     type: object
+                                  stopSignal:
+                                    description: |-
+                                      StopSignal defines which signal will be sent to a container when it is being stopped.
+                                      If not specified, the default is defined by the container runtime in use.
+                                      StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                    type: string
                                 type: object
                               livenessProbe:
                                 description: |-
@@ -1858,7 +1896,7 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-                                      This is an alpha field and requires enabling the
+                                      This field depends on the
                                       DynamicResourceAllocation feature gate.
 
                                       This field is immutable. It can only be set for containers.
@@ -1909,10 +1947,10 @@ spec:
                               restartPolicy:
                                 description: |-
                                   RestartPolicy defines the restart behavior of individual containers in a pod.
-                                  This field may only be set for init containers, and the only allowed value is "Always".
-                                  For non-init containers or when this field is not specified,
+                                  This overrides the pod-level restart policy. When this field is not specified,
                                   the restart behavior is defined by the Pod's restart policy and the container type.
-                                  Setting the RestartPolicy as "Always" for the init container will have the following effect:
+                                  Additionally, setting the RestartPolicy as "Always" for the init container will
+                                  have the following effect:
                                   this init container will be continually restarted on
                                   exit until all regular containers have terminated. Once all regular
                                   containers have completed, all init containers with restartPolicy "Always"
@@ -1924,6 +1962,57 @@ spec:
                                   init container is started, or after any startupProbe has successfully
                                   completed.
                                 type: string
+                              restartPolicyRules:
+                                description: |-
+                                  Represents a list of rules to be checked to determine if the
+                                  container should be restarted on exit. The rules are evaluated in
+                                  order. Once a rule matches a container exit condition, the remaining
+                                  rules are ignored. If no rule matches the container exit condition,
+                                  the Container-level restart policy determines the whether the container
+                                  is restarted or not. Constraints on the rules:
+                                  - At most 20 rules are allowed.
+                                  - Rules can have the same action.
+                                  - Identical rules are not forbidden in validations.
+                                  When rules are specified, container MUST set RestartPolicy explicitly
+                                  even it if matches the Pod's RestartPolicy.
+                                items:
+                                  description: ContainerRestartRule describes how a container exit is handled.
+                                  properties:
+                                    action:
+                                      description: |-
+                                        Specifies the action taken on a container exit if the requirements
+                                        are satisfied. The only possible value is "Restart" to restart the
+                                        container.
+                                      type: string
+                                    exitCodes:
+                                      description: Represents the exit codes to check on container exits.
+                                      properties:
+                                        operator:
+                                          description: |-
+                                            Represents the relationship between the container exit code(s) and the
+                                            specified values. Possible values are:
+                                            - In: the requirement is satisfied if the container exit code is in the
+                                              set of specified values.
+                                            - NotIn: the requirement is satisfied if the container exit code is
+                                              not in the set of specified values.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            Specifies the set of values to check for container exit codes.
+                                            At most 255 elements are allowed.
+                                          items:
+                                            format: int32
+                                            type: integer
+                                          type: array
+                                          x-kubernetes-list-type: set
+                                      required:
+                                        - operator
+                                      type: object
+                                  required:
+                                    - action
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
                               securityContext:
                                 description: |-
                                   SecurityContext defines the security options the container should be run with.
@@ -2521,7 +2610,9 @@ spec:
                                   description: EnvVar represents an environment variable present in a Container.
                                   properties:
                                     name:
-                                      description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Name of the environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     value:
                                       description: |-
@@ -2575,6 +2666,42 @@ spec:
                                             - fieldPath
                                           type: object
                                           x-kubernetes-map-type: atomic
+                                        fileKeyRef:
+                                          description: |-
+                                            FileKeyRef selects a key of the env file.
+                                            Requires the EnvFiles feature gate to be enabled.
+                                          properties:
+                                            key:
+                                              description: |-
+                                                The key within the env file. An invalid key will prevent the pod from starting.
+                                                The keys defined within a source may consist of any printable ASCII characters except '='.
+                                                During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                              type: string
+                                            optional:
+                                              default: false
+                                              description: |-
+                                                Specify whether the file or its key must be defined. If the file or key
+                                                does not exist, then the env var is not published.
+                                                If optional is set to true and the specified key does not exist,
+                                                the environment variable will not be set in the Pod's containers.
+
+                                                If optional is set to false and the specified key does not exist,
+                                                an error will be returned during Pod creation.
+                                              type: boolean
+                                            path:
+                                              description: |-
+                                                The path within the volume from which to select the file.
+                                                Must be relative and may not contain the '..' path or start with '..'.
+                                              type: string
+                                            volumeName:
+                                              description: The name of the volume mount containing the env file.
+                                              type: string
+                                          required:
+                                            - key
+                                            - path
+                                            - volumeName
+                                          type: object
+                                          x-kubernetes-map-type: atomic
                                         resourceFieldRef:
                                           description: |-
                                             Selects a resource of the container: only resources limits and requests
@@ -2630,13 +2757,13 @@ spec:
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
-                                  The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                                  will be reported as an event when the container is starting. When a key exists in multiple
+                                  The keys defined within a source may consist of any printable ASCII characters except '='.
+                                  When a key exists in multiple
                                   sources, the value associated with the last source will take precedence.
                                   Values defined by an Env with a duplicate key will take precedence.
                                   Cannot be updated.
                                 items:
-                                  description: EnvFromSource represents the source of a set of ConfigMaps
+                                  description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                                   properties:
                                     configMapRef:
                                       description: The ConfigMap to select from
@@ -2656,7 +2783,9 @@ spec:
                                       type: object
                                       x-kubernetes-map-type: atomic
                                     prefix:
-                                      description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Optional text to prepend to the name of each environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     secretRef:
                                       description: The Secret to select from
@@ -2901,6 +3030,12 @@ spec:
                                           - port
                                         type: object
                                     type: object
+                                  stopSignal:
+                                    description: |-
+                                      StopSignal defines which signal will be sent to a container when it is being stopped.
+                                      If not specified, the default is defined by the container runtime in use.
+                                      StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                    type: string
                                 type: object
                               livenessProbe:
                                 description: Probes are not allowed for ephemeral containers.
@@ -3274,7 +3409,7 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-                                      This is an alpha field and requires enabling the
+                                      This field depends on the
                                       DynamicResourceAllocation feature gate.
 
                                       This field is immutable. It can only be set for containers.
@@ -3326,9 +3461,51 @@ spec:
                                 description: |-
                                   Restart policy for the container to manage the restart behavior of each
                                   container within a pod.
-                                  This may only be set for init containers. You cannot set this field on
-                                  ephemeral containers.
+                                  You cannot set this field on ephemeral containers.
                                 type: string
+                              restartPolicyRules:
+                                description: |-
+                                  Represents a list of rules to be checked to determine if the
+                                  container should be restarted on exit. You cannot set this field on
+                                  ephemeral containers.
+                                items:
+                                  description: ContainerRestartRule describes how a container exit is handled.
+                                  properties:
+                                    action:
+                                      description: |-
+                                        Specifies the action taken on a container exit if the requirements
+                                        are satisfied. The only possible value is "Restart" to restart the
+                                        container.
+                                      type: string
+                                    exitCodes:
+                                      description: Represents the exit codes to check on container exits.
+                                      properties:
+                                        operator:
+                                          description: |-
+                                            Represents the relationship between the container exit code(s) and the
+                                            specified values. Possible values are:
+                                            - In: the requirement is satisfied if the container exit code is in the
+                                              set of specified values.
+                                            - NotIn: the requirement is satisfied if the container exit code is
+                                              not in the set of specified values.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            Specifies the set of values to check for container exit codes.
+                                            At most 255 elements are allowed.
+                                          items:
+                                            format: int32
+                                            type: integer
+                                          type: array
+                                          x-kubernetes-list-type: set
+                                      required:
+                                        - operator
+                                      type: object
+                                  required:
+                                    - action
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
                               securityContext:
                                 description: |-
                                   Optional: SecurityContext defines the security options the ephemeral container should be run with.
@@ -3847,7 +4024,9 @@ spec:
                         hostNetwork:
                           description: |-
                             Host networking requested for this pod. Use the host's network namespace.
-                            If this option is set, the ports that will be used must be specified.
+                            When using HostNetwork you should specify ports so the scheduler is aware.
+                            When `hostNetwork` is true, specified `hostPort` fields in port definitions must match `containerPort`,
+                            and unspecified `hostPort` fields in port definitions are defaulted to match `containerPort`.
                             Default to false.
                           type: boolean
                         hostPID:
@@ -3872,6 +4051,19 @@ spec:
                             Specifies the hostname of the Pod
                             If not specified, the pod's hostname will be set to a system-defined value.
                           type: string
+                        hostnameOverride:
+                          description: |-
+                            HostnameOverride specifies an explicit override for the pod's hostname as perceived by the pod.
+                            This field only specifies the pod's hostname and does not affect its DNS records.
+                            When this field is set to a non-empty string:
+                            - It takes precedence over the values set in `hostname` and `subdomain`.
+                            - The Pod's hostname will be set to this value.
+                            - `setHostnameAsFQDN` must be nil or set to false.
+                            - `hostNetwork` must be set to false.
+
+                            This field must be a valid DNS subdomain as defined in RFC 1123 and contain at most 64 characters.
+                            Requires the HostnameOverride feature gate to be enabled.
+                          type: string
                         imagePullSecrets:
                           description: |-
                             ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
@@ -3907,7 +4099,7 @@ spec:
                             Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes.
                             The resourceRequirements of an init container are taken into account during scheduling
                             by finding the highest request/limit for each resource type, and then using the max of
-                            of that value or the sum of the normal containers. Limits are applied to init containers
+                            that value or the sum of the normal containers. Limits are applied to init containers
                             in a similar fashion.
                             Init containers cannot currently be added or removed.
                             Cannot be updated.
@@ -3951,7 +4143,9 @@ spec:
                                   description: EnvVar represents an environment variable present in a Container.
                                   properties:
                                     name:
-                                      description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Name of the environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     value:
                                       description: |-
@@ -4005,6 +4199,42 @@ spec:
                                             - fieldPath
                                           type: object
                                           x-kubernetes-map-type: atomic
+                                        fileKeyRef:
+                                          description: |-
+                                            FileKeyRef selects a key of the env file.
+                                            Requires the EnvFiles feature gate to be enabled.
+                                          properties:
+                                            key:
+                                              description: |-
+                                                The key within the env file. An invalid key will prevent the pod from starting.
+                                                The keys defined within a source may consist of any printable ASCII characters except '='.
+                                                During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                              type: string
+                                            optional:
+                                              default: false
+                                              description: |-
+                                                Specify whether the file or its key must be defined. If the file or key
+                                                does not exist, then the env var is not published.
+                                                If optional is set to true and the specified key does not exist,
+                                                the environment variable will not be set in the Pod's containers.
+
+                                                If optional is set to false and the specified key does not exist,
+                                                an error will be returned during Pod creation.
+                                              type: boolean
+                                            path:
+                                              description: |-
+                                                The path within the volume from which to select the file.
+                                                Must be relative and may not contain the '..' path or start with '..'.
+                                              type: string
+                                            volumeName:
+                                              description: The name of the volume mount containing the env file.
+                                              type: string
+                                          required:
+                                            - key
+                                            - path
+                                            - volumeName
+                                          type: object
+                                          x-kubernetes-map-type: atomic
                                         resourceFieldRef:
                                           description: |-
                                             Selects a resource of the container: only resources limits and requests
@@ -4060,13 +4290,13 @@ spec:
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
-                                  The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                                  will be reported as an event when the container is starting. When a key exists in multiple
+                                  The keys defined within a source may consist of any printable ASCII characters except '='.
+                                  When a key exists in multiple
                                   sources, the value associated with the last source will take precedence.
                                   Values defined by an Env with a duplicate key will take precedence.
                                   Cannot be updated.
                                 items:
-                                  description: EnvFromSource represents the source of a set of ConfigMaps
+                                  description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                                   properties:
                                     configMapRef:
                                       description: The ConfigMap to select from
@@ -4086,7 +4316,9 @@ spec:
                                       type: object
                                       x-kubernetes-map-type: atomic
                                     prefix:
-                                      description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Optional text to prepend to the name of each environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     secretRef:
                                       description: The Secret to select from
@@ -4335,6 +4567,12 @@ spec:
                                           - port
                                         type: object
                                     type: object
+                                  stopSignal:
+                                    description: |-
+                                      StopSignal defines which signal will be sent to a container when it is being stopped.
+                                      If not specified, the default is defined by the container runtime in use.
+                                      StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                    type: string
                                 type: object
                               livenessProbe:
                                 description: |-
@@ -4725,7 +4963,7 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-                                      This is an alpha field and requires enabling the
+                                      This field depends on the
                                       DynamicResourceAllocation feature gate.
 
                                       This field is immutable. It can only be set for containers.
@@ -4776,10 +5014,10 @@ spec:
                               restartPolicy:
                                 description: |-
                                   RestartPolicy defines the restart behavior of individual containers in a pod.
-                                  This field may only be set for init containers, and the only allowed value is "Always".
-                                  For non-init containers or when this field is not specified,
+                                  This overrides the pod-level restart policy. When this field is not specified,
                                   the restart behavior is defined by the Pod's restart policy and the container type.
-                                  Setting the RestartPolicy as "Always" for the init container will have the following effect:
+                                  Additionally, setting the RestartPolicy as "Always" for the init container will
+                                  have the following effect:
                                   this init container will be continually restarted on
                                   exit until all regular containers have terminated. Once all regular
                                   containers have completed, all init containers with restartPolicy "Always"
@@ -4791,6 +5029,57 @@ spec:
                                   init container is started, or after any startupProbe has successfully
                                   completed.
                                 type: string
+                              restartPolicyRules:
+                                description: |-
+                                  Represents a list of rules to be checked to determine if the
+                                  container should be restarted on exit. The rules are evaluated in
+                                  order. Once a rule matches a container exit condition, the remaining
+                                  rules are ignored. If no rule matches the container exit condition,
+                                  the Container-level restart policy determines the whether the container
+                                  is restarted or not. Constraints on the rules:
+                                  - At most 20 rules are allowed.
+                                  - Rules can have the same action.
+                                  - Identical rules are not forbidden in validations.
+                                  When rules are specified, container MUST set RestartPolicy explicitly
+                                  even it if matches the Pod's RestartPolicy.
+                                items:
+                                  description: ContainerRestartRule describes how a container exit is handled.
+                                  properties:
+                                    action:
+                                      description: |-
+                                        Specifies the action taken on a container exit if the requirements
+                                        are satisfied. The only possible value is "Restart" to restart the
+                                        container.
+                                      type: string
+                                    exitCodes:
+                                      description: Represents the exit codes to check on container exits.
+                                      properties:
+                                        operator:
+                                          description: |-
+                                            Represents the relationship between the container exit code(s) and the
+                                            specified values. Possible values are:
+                                            - In: the requirement is satisfied if the container exit code is in the
+                                              set of specified values.
+                                            - NotIn: the requirement is satisfied if the container exit code is
+                                              not in the set of specified values.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            Specifies the set of values to check for container exit codes.
+                                            At most 255 elements are allowed.
+                                          items:
+                                            format: int32
+                                            type: integer
+                                          type: array
+                                          x-kubernetes-list-type: set
+                                      required:
+                                        - operator
+                                      type: object
+                                  required:
+                                    - action
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
                               securityContext:
                                 description: |-
                                   SecurityContext defines the security options the container should be run with.
@@ -5304,6 +5593,7 @@ spec:
                             - spec.hostPID
                             - spec.hostIPC
                             - spec.hostUsers
+                            - spec.resources
                             - spec.securityContext.appArmorProfile
                             - spec.securityContext.seLinuxOptions
                             - spec.securityContext.seccompProfile
@@ -5455,7 +5745,7 @@ spec:
                           description: |-
                             Resources is the total amount of CPU and Memory resources required by all
                             containers in the pod. It supports specifying Requests and Limits for
-                            "cpu" and "memory" resource names only. ResourceClaims are not supported.
+                            "cpu", "memory" and "hugepages-" resource names only. ResourceClaims are not supported.
 
                             This field enables fine-grained control over resource allocation for the
                             entire pod, allowing resource sharing among containers in a pod.
@@ -5468,7 +5758,7 @@ spec:
                                 Claims lists the names of resources, defined in spec.resourceClaims,
                                 that are used by this container.
 
-                                This is an alpha field and requires enabling the
+                                This field depends on the
                                 DynamicResourceAllocation feature gate.
 
                                 This field is immutable. It can only be set for containers.
@@ -5996,7 +6286,6 @@ spec:
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
                                   If this value is nil, the behavior is equivalent to the Honor policy.
-                                  This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
                               nodeTaintsPolicy:
                                 description: |-
@@ -6007,7 +6296,6 @@ spec:
                                   - Ignore: node taints are ignored. All nodes are included.
 
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
-                                  This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
                               topologyKey:
                                 description: |-
@@ -6713,15 +7001,13 @@ spec:
                                               volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
                                               If specified, the CSI driver will create or update the volume with the attributes defined
                                               in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
-                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
-                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
-                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
-                                              will be set by the persistentvolume controller if it exists.
+                                              it can be changed after the claim is created. An empty string or nil value indicates that no
+                                              VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+                                              this field can be reset to its previous value (including nil) to cancel the modification.
                                               If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
                                               set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
                                               exists.
                                               More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
-                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
                                             type: string
                                           volumeMode:
                                             description: |-
@@ -6895,12 +7181,9 @@ spec:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
                                   Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
-                                  More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
-                                    description: |-
-                                      endpoints is the endpoint name that details Glusterfs topology.
-                                      More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+                                    description: endpoints is the endpoint name that details Glusterfs topology.
                                     type: string
                                   path:
                                     description: |-
@@ -6954,7 +7237,7 @@ spec:
                                   The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
                                   The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
                                   The volume will be mounted read-only (ro) and non-executable files (noexec).
-                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
                                   The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
                                 properties:
                                   pullPolicy:
@@ -6979,7 +7262,7 @@ spec:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
-                                  More info: https://examples.k8s.io/volumes/iscsi/README.md
+                                  More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
                                 properties:
                                   chapAuthDiscovery:
                                     description: chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
@@ -7369,6 +7652,110 @@ spec:
                                               type: array
                                               x-kubernetes-list-type: atomic
                                           type: object
+                                        podCertificate:
+                                          description: |-
+                                            Projects an auto-rotating credential bundle (private key and certificate
+                                            chain) that the pod can use either as a TLS client or server.
+
+                                            Kubelet generates a private key and uses it to send a
+                                            PodCertificateRequest to the named signer.  Once the signer approves the
+                                            request and issues a certificate chain, Kubelet writes the key and
+                                            certificate chain to the pod filesystem.  The pod does not start until
+                                            certificates have been issued for each podCertificate projected volume
+                                            source in its spec.
+
+                                            Kubelet will begin trying to rotate the certificate at the time indicated
+                                            by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+                                            timestamp.
+
+                                            Kubelet can write a single file, indicated by the credentialBundlePath
+                                            field, or separate files, indicated by the keyPath and
+                                            certificateChainPath fields.
+
+                                            The credential bundle is a single file in PEM format.  The first PEM
+                                            entry is the private key (in PKCS#8 format), and the remaining PEM
+                                            entries are the certificate chain issued by the signer (typically,
+                                            signers will return their certificate chain in leaf-to-root order).
+
+                                            Prefer using the credential bundle format, since your application code
+                                            can read it atomically.  If you use keyPath and certificateChainPath,
+                                            your application must make two separate file reads. If these coincide
+                                            with a certificate rotation, it is possible that the private key and leaf
+                                            certificate you read may not correspond to each other.  Your application
+                                            will need to check for this condition, and re-read until they are
+                                            consistent.
+
+                                            The named signer controls chooses the format of the certificate it
+                                            issues; consult the signer implementation's documentation to learn how to
+                                            use the certificates it issues.
+                                          properties:
+                                            certificateChainPath:
+                                              description: |-
+                                                Write the certificate chain at this path in the projected volume.
+
+                                                Most applications should use credentialBundlePath.  When using keyPath
+                                                and certificateChainPath, your application needs to check that the key
+                                                and leaf certificate are consistent, because it is possible to read the
+                                                files mid-rotation.
+                                              type: string
+                                            credentialBundlePath:
+                                              description: |-
+                                                Write the credential bundle at this path in the projected volume.
+
+                                                The credential bundle is a single file that contains multiple PEM blocks.
+                                                The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+                                                key.
+
+                                                The remaining blocks are CERTIFICATE blocks, containing the issued
+                                                certificate chain from the signer (leaf and any intermediates).
+
+                                                Using credentialBundlePath lets your Pod's application code make a single
+                                                atomic read that retrieves a consistent key and certificate chain.  If you
+                                                project them to separate files, your application code will need to
+                                                additionally check that the leaf certificate was issued to the key.
+                                              type: string
+                                            keyPath:
+                                              description: |-
+                                                Write the key at this path in the projected volume.
+
+                                                Most applications should use credentialBundlePath.  When using keyPath
+                                                and certificateChainPath, your application needs to check that the key
+                                                and leaf certificate are consistent, because it is possible to read the
+                                                files mid-rotation.
+                                              type: string
+                                            keyType:
+                                              description: |-
+                                                The type of keypair Kubelet will generate for the pod.
+
+                                                Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+                                                "ECDSAP521", and "ED25519".
+                                              type: string
+                                            maxExpirationSeconds:
+                                              description: |-
+                                                maxExpirationSeconds is the maximum lifetime permitted for the
+                                                certificate.
+
+                                                Kubelet copies this value verbatim into the PodCertificateRequests it
+                                                generates for this projection.
+
+                                                If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+                                                will reject values shorter than 3600 (1 hour).  The maximum allowable
+                                                value is 7862400 (91 days).
+
+                                                The signer implementation is then free to issue a certificate with any
+                                                lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+                                                seconds (1 hour).  This constraint is enforced by kube-apiserver.
+                                                `kubernetes.io` signers will never issue certificates with a lifetime
+                                                longer than 24 hours.
+                                              format: int32
+                                              type: integer
+                                            signerName:
+                                              description: Kubelet's generated CSRs will be addressed to this signer.
+                                              type: string
+                                          required:
+                                            - keyType
+                                            - signerName
+                                          type: object
                                         secret:
                                           description: secret information about the secret data to project
                                           properties:
@@ -7498,7 +7885,6 @@ spec:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
                                   Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
-                                  More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
                                     description: |-
@@ -7778,6 +8164,53 @@ spec:
                       required:
                         - containers
                       type: object
+                    vaultConfig:
+                      properties:
+                        azureKeyVault:
+                          properties:
+                            certificatePath:
+                              type: string
+                            clientId:
+                              type: string
+                            tenantId:
+                              type: string
+                            url:
+                              type: string
+                          required:
+                            - certificatePath
+                            - clientId
+                            - tenantId
+                            - url
+                          type: object
+                        proxy:
+                          properties:
+                            http:
+                              properties:
+                                credentialSecretRef:
+                                  type: string
+                                url:
+                                  description: Required
+                                  type: string
+                              type: object
+                            https:
+                              properties:
+                                credentialSecretRef:
+                                  type: string
+                                url:
+                                  description: Required
+                                  type: string
+                              type: object
+                            noProxy:
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        type:
+                          description: |-
+                            VaultType represents the type of vault that can be used in the application.
+                            It is used to identify which vault integration should be used to resolve secrets.
+                          type: string
+                      type: object
                   required:
                     - githubConfigSecret
                     - githubConfigUrl
@@ -7812,4 +8245,3 @@ spec:
       storage: true
       subresources:
         status: {}
-  preserveUnknownFields: false

config/crd/bases/actions.summerwind.dev_horizontalrunnerautoscalers.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.2
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: horizontalrunnerautoscalers.actions.summerwind.dev
 spec:
   group: actions.summerwind.dev
@@ -12,306 +12,313 @@ spec:
     listKind: HorizontalRunnerAutoscalerList
     plural: horizontalrunnerautoscalers
     shortNames:
-      - hra
+    - hra
     singular: horizontalrunnerautoscaler
   scope: Namespaced
   versions:
-    - additionalPrinterColumns:
-        - jsonPath: .spec.minReplicas
-          name: Min
-          type: number
-        - jsonPath: .spec.maxReplicas
-          name: Max
-          type: number
-        - jsonPath: .status.desiredReplicas
-          name: Desired
-          type: number
-        - jsonPath: .status.scheduledOverridesSummary
-          name: Schedule
-          type: string
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: HorizontalRunnerAutoscaler is the Schema for the horizontalrunnerautoscaler API
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: HorizontalRunnerAutoscalerSpec defines the desired state of HorizontalRunnerAutoscaler
-              properties:
-                capacityReservations:
-                  items:
-                    description: |-
-                      CapacityReservation specifies the number of replicas temporarily added
-                      to the scale target until ExpirationTime.
-                    properties:
-                      effectiveTime:
-                        format: date-time
-                        type: string
-                      expirationTime:
-                        format: date-time
-                        type: string
-                      name:
-                        type: string
-                      replicas:
-                        type: integer
-                    type: object
-                  type: array
-                githubAPICredentialsFrom:
-                  properties:
-                    secretRef:
-                      properties:
-                        name:
-                          type: string
-                      required:
-                        - name
-                      type: object
-                  type: object
-                maxReplicas:
-                  description: MaxReplicas is the maximum number of replicas the deployment is allowed to scale
-                  type: integer
-                metrics:
-                  description: Metrics is the collection of various metric targets to calculate desired number of runners
-                  items:
-                    properties:
-                      repositoryNames:
-                        description: |-
-                          RepositoryNames is the list of repository names to be used for calculating the metric.
-                          For example, a repository name is the REPO part of `github.com/USER/REPO`.
-                        items:
-                          type: string
-                        type: array
-                      scaleDownAdjustment:
-                        description: |-
-                          ScaleDownAdjustment is the number of runners removed on scale-down.
-                          You can only specify either ScaleDownFactor or ScaleDownAdjustment.
-                        type: integer
-                      scaleDownFactor:
-                        description: |-
-                          ScaleDownFactor is the multiplicative factor applied to the current number of runners used
-                          to determine how many pods should be removed.
-                        type: string
-                      scaleDownThreshold:
-                        description: |-
-                          ScaleDownThreshold is the percentage of busy runners less than which will
-                          trigger the hpa to scale the runners down.
-                        type: string
-                      scaleUpAdjustment:
-                        description: |-
-                          ScaleUpAdjustment is the number of runners added on scale-up.
-                          You can only specify either ScaleUpFactor or ScaleUpAdjustment.
-                        type: integer
-                      scaleUpFactor:
-                        description: |-
-                          ScaleUpFactor is the multiplicative factor applied to the current number of runners used
-                          to determine how many pods should be added.
-                        type: string
-                      scaleUpThreshold:
-                        description: |-
-                          ScaleUpThreshold is the percentage of busy runners greater than which will
-                          trigger the hpa to scale runners up.
-                        type: string
-                      type:
-                        description: |-
-                          Type is the type of metric to be used for autoscaling.
-                          It can be TotalNumberOfQueuedAndInProgressWorkflowRuns or PercentageRunnersBusy.
-                        type: string
-                    type: object
-                  type: array
-                minReplicas:
-                  description: MinReplicas is the minimum number of replicas the deployment is allowed to scale
-                  type: integer
-                scaleDownDelaySecondsAfterScaleOut:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.minReplicas
+      name: Min
+      type: number
+    - jsonPath: .spec.maxReplicas
+      name: Max
+      type: number
+    - jsonPath: .status.desiredReplicas
+      name: Desired
+      type: number
+    - jsonPath: .status.scheduledOverridesSummary
+      name: Schedule
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: HorizontalRunnerAutoscaler is the Schema for the horizontalrunnerautoscaler
+          API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: HorizontalRunnerAutoscalerSpec defines the desired state
+              of HorizontalRunnerAutoscaler
+            properties:
+              capacityReservations:
+                items:
                   description: |-
-                    ScaleDownDelaySecondsAfterScaleUp is the approximate delay for a scale down followed by a scale up
-                    Used to prevent flapping (down->up->down->... loop)
-                  type: integer
-                scaleTargetRef:
-                  description: ScaleTargetRef is the reference to scaled resource like RunnerDeployment
+                    CapacityReservation specifies the number of replicas temporarily added
+                    to the scale target until ExpirationTime.
                   properties:
-                    kind:
-                      description: Kind is the type of resource being referenced
-                      enum:
-                        - RunnerDeployment
-                        - RunnerSet
+                    effectiveTime:
+                      format: date-time
+                      type: string
+                    expirationTime:
+                      format: date-time
                       type: string
                     name:
-                      description: Name is the name of resource being referenced
                       type: string
+                    replicas:
+                      type: integer
                   type: object
-                scaleUpTriggers:
-                  description: |-
-                    ScaleUpTriggers is an experimental feature to increase the desired replicas by 1
-                    on each webhook requested received by the webhookBasedAutoscaler.
-
-                    This feature requires you to also enable and deploy the webhookBasedAutoscaler onto your cluster.
-
-                    Note that the added runners remain until the next sync period at least,
-                    and they may or may not be used by GitHub Actions depending on the timing.
-                    They are intended to be used to gain "resource slack" immediately after you
-                    receive a webhook from GitHub, so that you can loosely expect MinReplicas runners to be always available.
-                  items:
+                type: array
+              githubAPICredentialsFrom:
+                properties:
+                  secretRef:
                     properties:
-                      amount:
-                        type: integer
-                      duration:
-                        type: string
-                      githubEvent:
-                        properties:
-                          checkRun:
-                            description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#check_run
-                            properties:
-                              names:
-                                description: |-
-                                  Names is a list of GitHub Actions glob patterns.
-                                  Any check_run event whose name matches one of patterns in the list can trigger autoscaling.
-                                  Note that check_run name seem to equal to the job name you've defined in your actions workflow yaml file.
-                                  So it is very likely that you can utilize this to trigger depending on the job.
-                                items:
-                                  type: string
-                                type: array
-                              repositories:
-                                description: |-
-                                  Repositories is a list of GitHub repositories.
-                                  Any check_run event whose repository matches one of repositories in the list can trigger autoscaling.
-                                items:
-                                  type: string
-                                type: array
-                              status:
-                                type: string
-                              types:
-                                description: 'One of: created, rerequested, or completed'
-                                items:
-                                  type: string
-                                type: array
-                            type: object
-                          pullRequest:
-                            description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request
-                            properties:
-                              branches:
-                                items:
-                                  type: string
-                                type: array
-                              types:
-                                items:
-                                  type: string
-                                type: array
-                            type: object
-                          push:
-                            description: |-
-                              PushSpec is the condition for triggering scale-up on push event
-                              Also see https://docs.github.com/en/actions/reference/events-that-trigger-workflows#push
-                            type: object
-                          workflowJob:
-                            description: https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job
-                            type: object
-                        type: object
-                    type: object
-                  type: array
-                scheduledOverrides:
-                  description: |-
-                    ScheduledOverrides is the list of ScheduledOverride.
-                    It can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule.
-                    The earlier a scheduled override is, the higher it is prioritized.
-                  items:
-                    description: |-
-                      ScheduledOverride can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule.
-                      A schedule can optionally be recurring, so that the corresponding override happens every day, week, month, or year.
-                    properties:
-                      endTime:
-                        description: EndTime is the time at which the first override ends.
-                        format: date-time
-                        type: string
-                      minReplicas:
-                        description: |-
-                          MinReplicas is the number of runners while overriding.
-                          If omitted, it doesn't override minReplicas.
-                        minimum: 0
-                        nullable: true
-                        type: integer
-                      recurrenceRule:
-                        properties:
-                          frequency:
-                            description: |-
-                              Frequency is the name of a predefined interval of each recurrence.
-                              The valid values are "Daily", "Weekly", "Monthly", and "Yearly".
-                              If empty, the corresponding override happens only once.
-                            enum:
-                              - Daily
-                              - Weekly
-                              - Monthly
-                              - Yearly
-                            type: string
-                          untilTime:
-                            description: |-
-                              UntilTime is the time of the final recurrence.
-                              If empty, the schedule recurs forever.
-                            format: date-time
-                            type: string
-                        type: object
-                      startTime:
-                        description: StartTime is the time at which the first override starts.
-                        format: date-time
+                      name:
                         type: string
                     required:
-                      - endTime
-                      - startTime
+                    - name
                     type: object
-                  type: array
-              type: object
-            status:
-              properties:
-                cacheEntries:
-                  items:
-                    properties:
-                      expirationTime:
-                        format: date-time
+                type: object
+              maxReplicas:
+                description: MaxReplicas is the maximum number of replicas the deployment
+                  is allowed to scale
+                type: integer
+              metrics:
+                description: Metrics is the collection of various metric targets to
+                  calculate desired number of runners
+                items:
+                  properties:
+                    repositoryNames:
+                      description: |-
+                        RepositoryNames is the list of repository names to be used for calculating the metric.
+                        For example, a repository name is the REPO part of `github.com/USER/REPO`.
+                      items:
                         type: string
-                      key:
-                        type: string
-                      value:
-                        type: integer
-                    type: object
-                  type: array
-                desiredReplicas:
+                      type: array
+                    scaleDownAdjustment:
+                      description: |-
+                        ScaleDownAdjustment is the number of runners removed on scale-down.
+                        You can only specify either ScaleDownFactor or ScaleDownAdjustment.
+                      type: integer
+                    scaleDownFactor:
+                      description: |-
+                        ScaleDownFactor is the multiplicative factor applied to the current number of runners used
+                        to determine how many pods should be removed.
+                      type: string
+                    scaleDownThreshold:
+                      description: |-
+                        ScaleDownThreshold is the percentage of busy runners less than which will
+                        trigger the hpa to scale the runners down.
+                      type: string
+                    scaleUpAdjustment:
+                      description: |-
+                        ScaleUpAdjustment is the number of runners added on scale-up.
+                        You can only specify either ScaleUpFactor or ScaleUpAdjustment.
+                      type: integer
+                    scaleUpFactor:
+                      description: |-
+                        ScaleUpFactor is the multiplicative factor applied to the current number of runners used
+                        to determine how many pods should be added.
+                      type: string
+                    scaleUpThreshold:
+                      description: |-
+                        ScaleUpThreshold is the percentage of busy runners greater than which will
+                        trigger the hpa to scale runners up.
+                      type: string
+                    type:
+                      description: |-
+                        Type is the type of metric to be used for autoscaling.
+                        It can be TotalNumberOfQueuedAndInProgressWorkflowRuns or PercentageRunnersBusy.
+                      type: string
+                  type: object
+                type: array
+              minReplicas:
+                description: MinReplicas is the minimum number of replicas the deployment
+                  is allowed to scale
+                type: integer
+              scaleDownDelaySecondsAfterScaleOut:
+                description: |-
+                  ScaleDownDelaySecondsAfterScaleUp is the approximate delay for a scale down followed by a scale up
+                  Used to prevent flapping (down->up->down->... loop)
+                type: integer
+              scaleTargetRef:
+                description: ScaleTargetRef is the reference to scaled resource like
+                  RunnerDeployment
+                properties:
+                  kind:
+                    description: Kind is the type of resource being referenced
+                    enum:
+                    - RunnerDeployment
+                    - RunnerSet
+                    type: string
+                  name:
+                    description: Name is the name of resource being referenced
+                    type: string
+                type: object
+              scaleUpTriggers:
+                description: |-
+                  ScaleUpTriggers is an experimental feature to increase the desired replicas by 1
+                  on each webhook requested received by the webhookBasedAutoscaler.
+
+                  This feature requires you to also enable and deploy the webhookBasedAutoscaler onto your cluster.
+
+                  Note that the added runners remain until the next sync period at least,
+                  and they may or may not be used by GitHub Actions depending on the timing.
+                  They are intended to be used to gain "resource slack" immediately after you
+                  receive a webhook from GitHub, so that you can loosely expect MinReplicas runners to be always available.
+                items:
+                  properties:
+                    amount:
+                      type: integer
+                    duration:
+                      type: string
+                    githubEvent:
+                      properties:
+                        checkRun:
+                          description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#check_run
+                          properties:
+                            names:
+                              description: |-
+                                Names is a list of GitHub Actions glob patterns.
+                                Any check_run event whose name matches one of patterns in the list can trigger autoscaling.
+                                Note that check_run name seem to equal to the job name you've defined in your actions workflow yaml file.
+                                So it is very likely that you can utilize this to trigger depending on the job.
+                              items:
+                                type: string
+                              type: array
+                            repositories:
+                              description: |-
+                                Repositories is a list of GitHub repositories.
+                                Any check_run event whose repository matches one of repositories in the list can trigger autoscaling.
+                              items:
+                                type: string
+                              type: array
+                            status:
+                              type: string
+                            types:
+                              description: 'One of: created, rerequested, or completed'
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        pullRequest:
+                          description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request
+                          properties:
+                            branches:
+                              items:
+                                type: string
+                              type: array
+                            types:
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        push:
+                          description: |-
+                            PushSpec is the condition for triggering scale-up on push event
+                            Also see https://docs.github.com/en/actions/reference/events-that-trigger-workflows#push
+                          type: object
+                        workflowJob:
+                          description: https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job
+                          type: object
+                      type: object
+                  type: object
+                type: array
+              scheduledOverrides:
+                description: |-
+                  ScheduledOverrides is the list of ScheduledOverride.
+                  It can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule.
+                  The earlier a scheduled override is, the higher it is prioritized.
+                items:
                   description: |-
-                    DesiredReplicas is the total number of desired, non-terminated and latest pods to be set for the primary RunnerSet
-                    This doesn't include outdated pods while upgrading the deployment and replacing the runnerset.
-                  type: integer
-                lastSuccessfulScaleOutTime:
-                  format: date-time
-                  nullable: true
-                  type: string
-                observedGeneration:
-                  description: |-
-                    ObservedGeneration is the most recent generation observed for the target. It corresponds to e.g.
-                    RunnerDeployment's generation, which is updated on mutation by the API Server.
-                  format: int64
-                  type: integer
-                scheduledOverridesSummary:
-                  description: |-
-                    ScheduledOverridesSummary is the summary of active and upcoming scheduled overrides to be shown in e.g. a column of a `kubectl get hra` output
-                    for observability.
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  preserveUnknownFields: false
+                    ScheduledOverride can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule.
+                    A schedule can optionally be recurring, so that the corresponding override happens every day, week, month, or year.
+                  properties:
+                    endTime:
+                      description: EndTime is the time at which the first override
+                        ends.
+                      format: date-time
+                      type: string
+                    minReplicas:
+                      description: |-
+                        MinReplicas is the number of runners while overriding.
+                        If omitted, it doesn't override minReplicas.
+                      minimum: 0
+                      nullable: true
+                      type: integer
+                    recurrenceRule:
+                      properties:
+                        frequency:
+                          description: |-
+                            Frequency is the name of a predefined interval of each recurrence.
+                            The valid values are "Daily", "Weekly", "Monthly", and "Yearly".
+                            If empty, the corresponding override happens only once.
+                          enum:
+                          - Daily
+                          - Weekly
+                          - Monthly
+                          - Yearly
+                          type: string
+                        untilTime:
+                          description: |-
+                            UntilTime is the time of the final recurrence.
+                            If empty, the schedule recurs forever.
+                          format: date-time
+                          type: string
+                      type: object
+                    startTime:
+                      description: StartTime is the time at which the first override
+                        starts.
+                      format: date-time
+                      type: string
+                  required:
+                  - endTime
+                  - startTime
+                  type: object
+                type: array
+            type: object
+          status:
+            properties:
+              cacheEntries:
+                items:
+                  properties:
+                    expirationTime:
+                      format: date-time
+                      type: string
+                    key:
+                      type: string
+                    value:
+                      type: integer
+                  type: object
+                type: array
+              desiredReplicas:
+                description: |-
+                  DesiredReplicas is the total number of desired, non-terminated and latest pods to be set for the primary RunnerSet
+                  This doesn't include outdated pods while upgrading the deployment and replacing the runnerset.
+                type: integer
+              lastSuccessfulScaleOutTime:
+                format: date-time
+                nullable: true
+                type: string
+              observedGeneration:
+                description: |-
+                  ObservedGeneration is the most recent generation observed for the target. It corresponds to e.g.
+                  RunnerDeployment's generation, which is updated on mutation by the API Server.
+                format: int64
+                type: integer
+              scheduledOverridesSummary:
+                description: |-
+                  ScheduledOverridesSummary is the summary of active and upcoming scheduled overrides to be shown in e.g. a column of a `kubectl get hra` output
+                  for observability.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/crd/bases/actions.summerwind.dev_runnersets.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.2
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: runnersets.actions.summerwind.dev
 spec:
   group: actions.summerwind.dev
@@ -554,7 +554,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                               Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -569,7 +568,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                               Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -730,7 +728,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                           Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -745,7 +742,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                           Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -834,8 +830,8 @@ spec:
                                     most preferred is the one with the greatest sum of weights, i.e.
                                     for each node that meets all of the scheduling requirements (resource
                                     request, requiredDuringScheduling anti-affinity expressions, etc.),
-                                    compute a sum by iterating through the elements of this field and adding
-                                    "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                    compute a sum by iterating through the elements of this field and subtracting
+                                    "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
                                     node(s) with the highest sum are the most preferred.
                                   items:
                                     description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
@@ -899,7 +895,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                               Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -914,7 +909,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                               Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -1075,7 +1069,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                           Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -1090,7 +1083,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                           Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -1217,7 +1209,9 @@ spec:
                                   description: EnvVar represents an environment variable present in a Container.
                                   properties:
                                     name:
-                                      description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Name of the environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     value:
                                       description: |-
@@ -1271,6 +1265,42 @@ spec:
                                             - fieldPath
                                           type: object
                                           x-kubernetes-map-type: atomic
+                                        fileKeyRef:
+                                          description: |-
+                                            FileKeyRef selects a key of the env file.
+                                            Requires the EnvFiles feature gate to be enabled.
+                                          properties:
+                                            key:
+                                              description: |-
+                                                The key within the env file. An invalid key will prevent the pod from starting.
+                                                The keys defined within a source may consist of any printable ASCII characters except '='.
+                                                During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                              type: string
+                                            optional:
+                                              default: false
+                                              description: |-
+                                                Specify whether the file or its key must be defined. If the file or key
+                                                does not exist, then the env var is not published.
+                                                If optional is set to true and the specified key does not exist,
+                                                the environment variable will not be set in the Pod's containers.
+
+                                                If optional is set to false and the specified key does not exist,
+                                                an error will be returned during Pod creation.
+                                              type: boolean
+                                            path:
+                                              description: |-
+                                                The path within the volume from which to select the file.
+                                                Must be relative and may not contain the '..' path or start with '..'.
+                                              type: string
+                                            volumeName:
+                                              description: The name of the volume mount containing the env file.
+                                              type: string
+                                          required:
+                                            - key
+                                            - path
+                                            - volumeName
+                                          type: object
+                                          x-kubernetes-map-type: atomic
                                         resourceFieldRef:
                                           description: |-
                                             Selects a resource of the container: only resources limits and requests
@@ -1326,13 +1356,13 @@ spec:
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
-                                  The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                                  will be reported as an event when the container is starting. When a key exists in multiple
+                                  The keys defined within a source may consist of any printable ASCII characters except '='.
+                                  When a key exists in multiple
                                   sources, the value associated with the last source will take precedence.
                                   Values defined by an Env with a duplicate key will take precedence.
                                   Cannot be updated.
                                 items:
-                                  description: EnvFromSource represents the source of a set of ConfigMaps
+                                  description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                                   properties:
                                     configMapRef:
                                       description: The ConfigMap to select from
@@ -1352,7 +1382,9 @@ spec:
                                       type: object
                                       x-kubernetes-map-type: atomic
                                     prefix:
-                                      description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Optional text to prepend to the name of each environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     secretRef:
                                       description: The Secret to select from
@@ -1601,6 +1633,12 @@ spec:
                                           - port
                                         type: object
                                     type: object
+                                  stopSignal:
+                                    description: |-
+                                      StopSignal defines which signal will be sent to a container when it is being stopped.
+                                      If not specified, the default is defined by the container runtime in use.
+                                      StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                    type: string
                                 type: object
                               livenessProbe:
                                 description: |-
@@ -1991,7 +2029,7 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-                                      This is an alpha field and requires enabling the
+                                      This field depends on the
                                       DynamicResourceAllocation feature gate.
 
                                       This field is immutable. It can only be set for containers.
@@ -2042,10 +2080,10 @@ spec:
                               restartPolicy:
                                 description: |-
                                   RestartPolicy defines the restart behavior of individual containers in a pod.
-                                  This field may only be set for init containers, and the only allowed value is "Always".
-                                  For non-init containers or when this field is not specified,
+                                  This overrides the pod-level restart policy. When this field is not specified,
                                   the restart behavior is defined by the Pod's restart policy and the container type.
-                                  Setting the RestartPolicy as "Always" for the init container will have the following effect:
+                                  Additionally, setting the RestartPolicy as "Always" for the init container will
+                                  have the following effect:
                                   this init container will be continually restarted on
                                   exit until all regular containers have terminated. Once all regular
                                   containers have completed, all init containers with restartPolicy "Always"
@@ -2057,6 +2095,57 @@ spec:
                                   init container is started, or after any startupProbe has successfully
                                   completed.
                                 type: string
+                              restartPolicyRules:
+                                description: |-
+                                  Represents a list of rules to be checked to determine if the
+                                  container should be restarted on exit. The rules are evaluated in
+                                  order. Once a rule matches a container exit condition, the remaining
+                                  rules are ignored. If no rule matches the container exit condition,
+                                  the Container-level restart policy determines the whether the container
+                                  is restarted or not. Constraints on the rules:
+                                  - At most 20 rules are allowed.
+                                  - Rules can have the same action.
+                                  - Identical rules are not forbidden in validations.
+                                  When rules are specified, container MUST set RestartPolicy explicitly
+                                  even it if matches the Pod's RestartPolicy.
+                                items:
+                                  description: ContainerRestartRule describes how a container exit is handled.
+                                  properties:
+                                    action:
+                                      description: |-
+                                        Specifies the action taken on a container exit if the requirements
+                                        are satisfied. The only possible value is "Restart" to restart the
+                                        container.
+                                      type: string
+                                    exitCodes:
+                                      description: Represents the exit codes to check on container exits.
+                                      properties:
+                                        operator:
+                                          description: |-
+                                            Represents the relationship between the container exit code(s) and the
+                                            specified values. Possible values are:
+                                            - In: the requirement is satisfied if the container exit code is in the
+                                              set of specified values.
+                                            - NotIn: the requirement is satisfied if the container exit code is
+                                              not in the set of specified values.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            Specifies the set of values to check for container exit codes.
+                                            At most 255 elements are allowed.
+                                          items:
+                                            format: int32
+                                            type: integer
+                                          type: array
+                                          x-kubernetes-list-type: set
+                                      required:
+                                        - operator
+                                      type: object
+                                  required:
+                                    - action
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
                               securityContext:
                                 description: |-
                                   SecurityContext defines the security options the container should be run with.
@@ -2654,7 +2743,9 @@ spec:
                                   description: EnvVar represents an environment variable present in a Container.
                                   properties:
                                     name:
-                                      description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Name of the environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     value:
                                       description: |-
@@ -2708,6 +2799,42 @@ spec:
                                             - fieldPath
                                           type: object
                                           x-kubernetes-map-type: atomic
+                                        fileKeyRef:
+                                          description: |-
+                                            FileKeyRef selects a key of the env file.
+                                            Requires the EnvFiles feature gate to be enabled.
+                                          properties:
+                                            key:
+                                              description: |-
+                                                The key within the env file. An invalid key will prevent the pod from starting.
+                                                The keys defined within a source may consist of any printable ASCII characters except '='.
+                                                During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                              type: string
+                                            optional:
+                                              default: false
+                                              description: |-
+                                                Specify whether the file or its key must be defined. If the file or key
+                                                does not exist, then the env var is not published.
+                                                If optional is set to true and the specified key does not exist,
+                                                the environment variable will not be set in the Pod's containers.
+
+                                                If optional is set to false and the specified key does not exist,
+                                                an error will be returned during Pod creation.
+                                              type: boolean
+                                            path:
+                                              description: |-
+                                                The path within the volume from which to select the file.
+                                                Must be relative and may not contain the '..' path or start with '..'.
+                                              type: string
+                                            volumeName:
+                                              description: The name of the volume mount containing the env file.
+                                              type: string
+                                          required:
+                                            - key
+                                            - path
+                                            - volumeName
+                                          type: object
+                                          x-kubernetes-map-type: atomic
                                         resourceFieldRef:
                                           description: |-
                                             Selects a resource of the container: only resources limits and requests
@@ -2763,13 +2890,13 @@ spec:
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
-                                  The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                                  will be reported as an event when the container is starting. When a key exists in multiple
+                                  The keys defined within a source may consist of any printable ASCII characters except '='.
+                                  When a key exists in multiple
                                   sources, the value associated with the last source will take precedence.
                                   Values defined by an Env with a duplicate key will take precedence.
                                   Cannot be updated.
                                 items:
-                                  description: EnvFromSource represents the source of a set of ConfigMaps
+                                  description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                                   properties:
                                     configMapRef:
                                       description: The ConfigMap to select from
@@ -2789,7 +2916,9 @@ spec:
                                       type: object
                                       x-kubernetes-map-type: atomic
                                     prefix:
-                                      description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Optional text to prepend to the name of each environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     secretRef:
                                       description: The Secret to select from
@@ -3034,6 +3163,12 @@ spec:
                                           - port
                                         type: object
                                     type: object
+                                  stopSignal:
+                                    description: |-
+                                      StopSignal defines which signal will be sent to a container when it is being stopped.
+                                      If not specified, the default is defined by the container runtime in use.
+                                      StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                    type: string
                                 type: object
                               livenessProbe:
                                 description: Probes are not allowed for ephemeral containers.
@@ -3407,7 +3542,7 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-                                      This is an alpha field and requires enabling the
+                                      This field depends on the
                                       DynamicResourceAllocation feature gate.
 
                                       This field is immutable. It can only be set for containers.
@@ -3459,9 +3594,51 @@ spec:
                                 description: |-
                                   Restart policy for the container to manage the restart behavior of each
                                   container within a pod.
-                                  This may only be set for init containers. You cannot set this field on
-                                  ephemeral containers.
+                                  You cannot set this field on ephemeral containers.
                                 type: string
+                              restartPolicyRules:
+                                description: |-
+                                  Represents a list of rules to be checked to determine if the
+                                  container should be restarted on exit. You cannot set this field on
+                                  ephemeral containers.
+                                items:
+                                  description: ContainerRestartRule describes how a container exit is handled.
+                                  properties:
+                                    action:
+                                      description: |-
+                                        Specifies the action taken on a container exit if the requirements
+                                        are satisfied. The only possible value is "Restart" to restart the
+                                        container.
+                                      type: string
+                                    exitCodes:
+                                      description: Represents the exit codes to check on container exits.
+                                      properties:
+                                        operator:
+                                          description: |-
+                                            Represents the relationship between the container exit code(s) and the
+                                            specified values. Possible values are:
+                                            - In: the requirement is satisfied if the container exit code is in the
+                                              set of specified values.
+                                            - NotIn: the requirement is satisfied if the container exit code is
+                                              not in the set of specified values.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            Specifies the set of values to check for container exit codes.
+                                            At most 255 elements are allowed.
+                                          items:
+                                            format: int32
+                                            type: integer
+                                          type: array
+                                          x-kubernetes-list-type: set
+                                      required:
+                                        - operator
+                                      type: object
+                                  required:
+                                    - action
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
                               securityContext:
                                 description: |-
                                   Optional: SecurityContext defines the security options the ephemeral container should be run with.
@@ -3980,7 +4157,9 @@ spec:
                         hostNetwork:
                           description: |-
                             Host networking requested for this pod. Use the host's network namespace.
-                            If this option is set, the ports that will be used must be specified.
+                            When using HostNetwork you should specify ports so the scheduler is aware.
+                            When `hostNetwork` is true, specified `hostPort` fields in port definitions must match `containerPort`,
+                            and unspecified `hostPort` fields in port definitions are defaulted to match `containerPort`.
                             Default to false.
                           type: boolean
                         hostPID:
@@ -4005,6 +4184,19 @@ spec:
                             Specifies the hostname of the Pod
                             If not specified, the pod's hostname will be set to a system-defined value.
                           type: string
+                        hostnameOverride:
+                          description: |-
+                            HostnameOverride specifies an explicit override for the pod's hostname as perceived by the pod.
+                            This field only specifies the pod's hostname and does not affect its DNS records.
+                            When this field is set to a non-empty string:
+                            - It takes precedence over the values set in `hostname` and `subdomain`.
+                            - The Pod's hostname will be set to this value.
+                            - `setHostnameAsFQDN` must be nil or set to false.
+                            - `hostNetwork` must be set to false.
+
+                            This field must be a valid DNS subdomain as defined in RFC 1123 and contain at most 64 characters.
+                            Requires the HostnameOverride feature gate to be enabled.
+                          type: string
                         imagePullSecrets:
                           description: |-
                             ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
@@ -4040,7 +4232,7 @@ spec:
                             Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes.
                             The resourceRequirements of an init container are taken into account during scheduling
                             by finding the highest request/limit for each resource type, and then using the max of
-                            of that value or the sum of the normal containers. Limits are applied to init containers
+                            that value or the sum of the normal containers. Limits are applied to init containers
                             in a similar fashion.
                             Init containers cannot currently be added or removed.
                             Cannot be updated.
@@ -4084,7 +4276,9 @@ spec:
                                   description: EnvVar represents an environment variable present in a Container.
                                   properties:
                                     name:
-                                      description: Name of the environment variable. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Name of the environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     value:
                                       description: |-
@@ -4138,6 +4332,42 @@ spec:
                                             - fieldPath
                                           type: object
                                           x-kubernetes-map-type: atomic
+                                        fileKeyRef:
+                                          description: |-
+                                            FileKeyRef selects a key of the env file.
+                                            Requires the EnvFiles feature gate to be enabled.
+                                          properties:
+                                            key:
+                                              description: |-
+                                                The key within the env file. An invalid key will prevent the pod from starting.
+                                                The keys defined within a source may consist of any printable ASCII characters except '='.
+                                                During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                              type: string
+                                            optional:
+                                              default: false
+                                              description: |-
+                                                Specify whether the file or its key must be defined. If the file or key
+                                                does not exist, then the env var is not published.
+                                                If optional is set to true and the specified key does not exist,
+                                                the environment variable will not be set in the Pod's containers.
+
+                                                If optional is set to false and the specified key does not exist,
+                                                an error will be returned during Pod creation.
+                                              type: boolean
+                                            path:
+                                              description: |-
+                                                The path within the volume from which to select the file.
+                                                Must be relative and may not contain the '..' path or start with '..'.
+                                              type: string
+                                            volumeName:
+                                              description: The name of the volume mount containing the env file.
+                                              type: string
+                                          required:
+                                            - key
+                                            - path
+                                            - volumeName
+                                          type: object
+                                          x-kubernetes-map-type: atomic
                                         resourceFieldRef:
                                           description: |-
                                             Selects a resource of the container: only resources limits and requests
@@ -4193,13 +4423,13 @@ spec:
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
-                                  The keys defined within a source must be a C_IDENTIFIER. All invalid keys
-                                  will be reported as an event when the container is starting. When a key exists in multiple
+                                  The keys defined within a source may consist of any printable ASCII characters except '='.
+                                  When a key exists in multiple
                                   sources, the value associated with the last source will take precedence.
                                   Values defined by an Env with a duplicate key will take precedence.
                                   Cannot be updated.
                                 items:
-                                  description: EnvFromSource represents the source of a set of ConfigMaps
+                                  description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                                   properties:
                                     configMapRef:
                                       description: The ConfigMap to select from
@@ -4219,7 +4449,9 @@ spec:
                                       type: object
                                       x-kubernetes-map-type: atomic
                                     prefix:
-                                      description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                      description: |-
+                                        Optional text to prepend to the name of each environment variable.
+                                        May consist of any printable ASCII characters except '='.
                                       type: string
                                     secretRef:
                                       description: The Secret to select from
@@ -4468,6 +4700,12 @@ spec:
                                           - port
                                         type: object
                                     type: object
+                                  stopSignal:
+                                    description: |-
+                                      StopSignal defines which signal will be sent to a container when it is being stopped.
+                                      If not specified, the default is defined by the container runtime in use.
+                                      StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                    type: string
                                 type: object
                               livenessProbe:
                                 description: |-
@@ -4858,7 +5096,7 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-                                      This is an alpha field and requires enabling the
+                                      This field depends on the
                                       DynamicResourceAllocation feature gate.
 
                                       This field is immutable. It can only be set for containers.
@@ -4909,10 +5147,10 @@ spec:
                               restartPolicy:
                                 description: |-
                                   RestartPolicy defines the restart behavior of individual containers in a pod.
-                                  This field may only be set for init containers, and the only allowed value is "Always".
-                                  For non-init containers or when this field is not specified,
+                                  This overrides the pod-level restart policy. When this field is not specified,
                                   the restart behavior is defined by the Pod's restart policy and the container type.
-                                  Setting the RestartPolicy as "Always" for the init container will have the following effect:
+                                  Additionally, setting the RestartPolicy as "Always" for the init container will
+                                  have the following effect:
                                   this init container will be continually restarted on
                                   exit until all regular containers have terminated. Once all regular
                                   containers have completed, all init containers with restartPolicy "Always"
@@ -4924,6 +5162,57 @@ spec:
                                   init container is started, or after any startupProbe has successfully
                                   completed.
                                 type: string
+                              restartPolicyRules:
+                                description: |-
+                                  Represents a list of rules to be checked to determine if the
+                                  container should be restarted on exit. The rules are evaluated in
+                                  order. Once a rule matches a container exit condition, the remaining
+                                  rules are ignored. If no rule matches the container exit condition,
+                                  the Container-level restart policy determines the whether the container
+                                  is restarted or not. Constraints on the rules:
+                                  - At most 20 rules are allowed.
+                                  - Rules can have the same action.
+                                  - Identical rules are not forbidden in validations.
+                                  When rules are specified, container MUST set RestartPolicy explicitly
+                                  even it if matches the Pod's RestartPolicy.
+                                items:
+                                  description: ContainerRestartRule describes how a container exit is handled.
+                                  properties:
+                                    action:
+                                      description: |-
+                                        Specifies the action taken on a container exit if the requirements
+                                        are satisfied. The only possible value is "Restart" to restart the
+                                        container.
+                                      type: string
+                                    exitCodes:
+                                      description: Represents the exit codes to check on container exits.
+                                      properties:
+                                        operator:
+                                          description: |-
+                                            Represents the relationship between the container exit code(s) and the
+                                            specified values. Possible values are:
+                                            - In: the requirement is satisfied if the container exit code is in the
+                                              set of specified values.
+                                            - NotIn: the requirement is satisfied if the container exit code is
+                                              not in the set of specified values.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            Specifies the set of values to check for container exit codes.
+                                            At most 255 elements are allowed.
+                                          items:
+                                            format: int32
+                                            type: integer
+                                          type: array
+                                          x-kubernetes-list-type: set
+                                      required:
+                                        - operator
+                                      type: object
+                                  required:
+                                    - action
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
                               securityContext:
                                 description: |-
                                   SecurityContext defines the security options the container should be run with.
@@ -5437,6 +5726,7 @@ spec:
                             - spec.hostPID
                             - spec.hostIPC
                             - spec.hostUsers
+                            - spec.resources
                             - spec.securityContext.appArmorProfile
                             - spec.securityContext.seLinuxOptions
                             - spec.securityContext.seccompProfile
@@ -5588,7 +5878,7 @@ spec:
                           description: |-
                             Resources is the total amount of CPU and Memory resources required by all
                             containers in the pod. It supports specifying Requests and Limits for
-                            "cpu" and "memory" resource names only. ResourceClaims are not supported.
+                            "cpu", "memory" and "hugepages-" resource names only. ResourceClaims are not supported.
 
                             This field enables fine-grained control over resource allocation for the
                             entire pod, allowing resource sharing among containers in a pod.
@@ -5601,7 +5891,7 @@ spec:
                                 Claims lists the names of resources, defined in spec.resourceClaims,
                                 that are used by this container.
 
-                                This is an alpha field and requires enabling the
+                                This field depends on the
                                 DynamicResourceAllocation feature gate.
 
                                 This field is immutable. It can only be set for containers.
@@ -6126,7 +6416,6 @@ spec:
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
                                   If this value is nil, the behavior is equivalent to the Honor policy.
-                                  This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
                               nodeTaintsPolicy:
                                 description: |-
@@ -6137,7 +6426,6 @@ spec:
                                   - Ignore: node taints are ignored. All nodes are included.
 
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
-                                  This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
                               topologyKey:
                                 description: |-
@@ -6843,15 +7131,13 @@ spec:
                                               volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
                                               If specified, the CSI driver will create or update the volume with the attributes defined
                                               in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
-                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
-                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
-                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
-                                              will be set by the persistentvolume controller if it exists.
+                                              it can be changed after the claim is created. An empty string or nil value indicates that no
+                                              VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+                                              this field can be reset to its previous value (including nil) to cancel the modification.
                                               If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
                                               set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
                                               exists.
                                               More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
-                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
                                             type: string
                                           volumeMode:
                                             description: |-
@@ -7025,12 +7311,9 @@ spec:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
                                   Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
-                                  More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
-                                    description: |-
-                                      endpoints is the endpoint name that details Glusterfs topology.
-                                      More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+                                    description: endpoints is the endpoint name that details Glusterfs topology.
                                     type: string
                                   path:
                                     description: |-
@@ -7084,7 +7367,7 @@ spec:
                                   The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
                                   The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
                                   The volume will be mounted read-only (ro) and non-executable files (noexec).
-                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
                                   The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
                                 properties:
                                   pullPolicy:
@@ -7109,7 +7392,7 @@ spec:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
-                                  More info: https://examples.k8s.io/volumes/iscsi/README.md
+                                  More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
                                 properties:
                                   chapAuthDiscovery:
                                     description: chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
@@ -7499,6 +7782,110 @@ spec:
                                               type: array
                                               x-kubernetes-list-type: atomic
                                           type: object
+                                        podCertificate:
+                                          description: |-
+                                            Projects an auto-rotating credential bundle (private key and certificate
+                                            chain) that the pod can use either as a TLS client or server.
+
+                                            Kubelet generates a private key and uses it to send a
+                                            PodCertificateRequest to the named signer.  Once the signer approves the
+                                            request and issues a certificate chain, Kubelet writes the key and
+                                            certificate chain to the pod filesystem.  The pod does not start until
+                                            certificates have been issued for each podCertificate projected volume
+                                            source in its spec.
+
+                                            Kubelet will begin trying to rotate the certificate at the time indicated
+                                            by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+                                            timestamp.
+
+                                            Kubelet can write a single file, indicated by the credentialBundlePath
+                                            field, or separate files, indicated by the keyPath and
+                                            certificateChainPath fields.
+
+                                            The credential bundle is a single file in PEM format.  The first PEM
+                                            entry is the private key (in PKCS#8 format), and the remaining PEM
+                                            entries are the certificate chain issued by the signer (typically,
+                                            signers will return their certificate chain in leaf-to-root order).
+
+                                            Prefer using the credential bundle format, since your application code
+                                            can read it atomically.  If you use keyPath and certificateChainPath,
+                                            your application must make two separate file reads. If these coincide
+                                            with a certificate rotation, it is possible that the private key and leaf
+                                            certificate you read may not correspond to each other.  Your application
+                                            will need to check for this condition, and re-read until they are
+                                            consistent.
+
+                                            The named signer controls chooses the format of the certificate it
+                                            issues; consult the signer implementation's documentation to learn how to
+                                            use the certificates it issues.
+                                          properties:
+                                            certificateChainPath:
+                                              description: |-
+                                                Write the certificate chain at this path in the projected volume.
+
+                                                Most applications should use credentialBundlePath.  When using keyPath
+                                                and certificateChainPath, your application needs to check that the key
+                                                and leaf certificate are consistent, because it is possible to read the
+                                                files mid-rotation.
+                                              type: string
+                                            credentialBundlePath:
+                                              description: |-
+                                                Write the credential bundle at this path in the projected volume.
+
+                                                The credential bundle is a single file that contains multiple PEM blocks.
+                                                The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+                                                key.
+
+                                                The remaining blocks are CERTIFICATE blocks, containing the issued
+                                                certificate chain from the signer (leaf and any intermediates).
+
+                                                Using credentialBundlePath lets your Pod's application code make a single
+                                                atomic read that retrieves a consistent key and certificate chain.  If you
+                                                project them to separate files, your application code will need to
+                                                additionally check that the leaf certificate was issued to the key.
+                                              type: string
+                                            keyPath:
+                                              description: |-
+                                                Write the key at this path in the projected volume.
+
+                                                Most applications should use credentialBundlePath.  When using keyPath
+                                                and certificateChainPath, your application needs to check that the key
+                                                and leaf certificate are consistent, because it is possible to read the
+                                                files mid-rotation.
+                                              type: string
+                                            keyType:
+                                              description: |-
+                                                The type of keypair Kubelet will generate for the pod.
+
+                                                Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+                                                "ECDSAP521", and "ED25519".
+                                              type: string
+                                            maxExpirationSeconds:
+                                              description: |-
+                                                maxExpirationSeconds is the maximum lifetime permitted for the
+                                                certificate.
+
+                                                Kubelet copies this value verbatim into the PodCertificateRequests it
+                                                generates for this projection.
+
+                                                If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+                                                will reject values shorter than 3600 (1 hour).  The maximum allowable
+                                                value is 7862400 (91 days).
+
+                                                The signer implementation is then free to issue a certificate with any
+                                                lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+                                                seconds (1 hour).  This constraint is enforced by kube-apiserver.
+                                                `kubernetes.io` signers will never issue certificates with a lifetime
+                                                longer than 24 hours.
+                                              format: int32
+                                              type: integer
+                                            signerName:
+                                              description: Kubelet's generated CSRs will be addressed to this signer.
+                                              type: string
+                                          required:
+                                            - keyType
+                                            - signerName
+                                          type: object
                                         secret:
                                           description: secret information about the secret data to project
                                           properties:
@@ -7628,7 +8015,6 @@ spec:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
                                   Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
-                                  More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
                                     description: |-
@@ -8170,15 +8556,13 @@ spec:
                               volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
                               If specified, the CSI driver will create or update the volume with the attributes defined
                               in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
-                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
-                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
-                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
-                              will be set by the persistentvolume controller if it exists.
+                              it can be changed after the claim is created. An empty string or nil value indicates that no
+                              VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+                              this field can be reset to its previous value (including nil) to cancel the modification.
                               If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
                               set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
                               exists.
                               More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
-                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
                             type: string
                           volumeMode:
                             description: |-
@@ -8278,13 +8662,11 @@ spec:
                             description: |-
                               currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using.
                               When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim
-                              This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
                             type: string
                           modifyVolumeStatus:
                             description: |-
                               ModifyVolumeStatus represents the status object of ControllerModifyVolume operation.
                               When this is unset, there is no ModifyVolume operation being attempted.
-                              This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
                             properties:
                               status:
                                 description: "status is the status of the ControllerModifyVolume operation. It can be in any of following states:\n - Pending\n   Pending indicates that the PersistentVolumeClaim cannot be modified due to unmet requirements, such as\n   the specified VolumeAttributesClass not existing.\n - InProgress\n   InProgress indicates that the volume is being modified.\n - Infeasible\n  Infeasible indicates that the request has been rejected as invalid by the CSI driver. To\n\t  resolve the error, a valid VolumeAttributesClass needs to be specified.\nNote: New statuses can be added in the future. Consumers should check for unknown statuses and fail appropriately."
@@ -8355,7 +8737,6 @@ spec:
                   type: object
               required:
                 - selector
-                - serviceName
                 - template
               type: object
             status:
@@ -8389,4 +8770,3 @@ spec:
       storage: true
       subresources:
         status: {}
-  preserveUnknownFields: false

controllers/actions.github.com/autoscalinglistener_controller.go

@@ -19,6 +19,7 @@ package actionsgithubcom
 import (
 	"context"
 	"fmt"
+	"time"
 
 	"github.com/go-logr/logr"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
@@ -32,6 +33,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	v1alpha1 "github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
+	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1/appconfig"
 	"github.com/actions/actions-runner-controller/controllers/actions.github.com/metrics"
 	"github.com/actions/actions-runner-controller/github/actions"
 	hash "github.com/actions/actions-runner-controller/hash"
@@ -83,14 +85,14 @@ func (r *AutoscalingListenerReconciler) Reconcile(ctx context.Context, req ctrl.
 		}
 
 		log.Info("Deleting resources")
-		done, err := r.cleanupResources(ctx, autoscalingListener, log)
+		requeue, err := r.cleanupResources(ctx, autoscalingListener, log)
 		if err != nil {
 			log.Error(err, "Failed to cleanup resources after deletion")
 			return ctrl.Result{}, err
 		}
-		if !done {
+		if requeue {
 			log.Info("Waiting for resources to be deleted before removing finalizer")
-			return ctrl.Result{Requeue: true}, nil
+			return ctrl.Result{Requeue: true, RequeueAfter: time.Second}, nil
 		}
 
 		log.Info("Removing finalizer")
@@ -128,41 +130,24 @@ func (r *AutoscalingListenerReconciler) Reconcile(ctx context.Context, req ctrl.
 		return ctrl.Result{}, err
 	}
 
-	// Check if the GitHub config secret exists
-	secret := new(corev1.Secret)
-	if err := r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace, Name: autoscalingListener.Spec.GitHubConfigSecret}, secret); err != nil {
-		log.Error(err, "Failed to find GitHub config secret.",
-			"namespace", autoscalingListener.Spec.AutoscalingRunnerSetNamespace,
-			"name", autoscalingListener.Spec.GitHubConfigSecret)
+	appConfig, err := r.GetAppConfig(ctx, &autoscalingRunnerSet)
+	if err != nil {
+		log.Error(
+			err,
+			"Failed to get app config for AutoscalingRunnerSet.",
+			"namespace",
+			autoscalingRunnerSet.Namespace,
+			"name",
+			autoscalingRunnerSet.GitHubConfigSecret,
+		)
 		return ctrl.Result{}, err
 	}
 
-	// Create a mirror secret in the same namespace as the AutoscalingListener
-	mirrorSecret := new(corev1.Secret)
-	if err := r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Namespace, Name: scaleSetListenerSecretMirrorName(autoscalingListener)}, mirrorSecret); err != nil {
-		if !kerrors.IsNotFound(err) {
-			log.Error(err, "Unable to get listener secret mirror", "namespace", autoscalingListener.Namespace, "name", scaleSetListenerSecretMirrorName(autoscalingListener))
-			return ctrl.Result{}, err
-		}
-
-		// Create a mirror secret for the listener pod in the Controller namespace for listener pod to use
-		log.Info("Creating a mirror listener secret for the listener pod")
-		return r.createSecretsForListener(ctx, autoscalingListener, secret, log)
-	}
-
-	// make sure the mirror secret is up to date
-	mirrorSecretDataHash := mirrorSecret.Labels["secret-data-hash"]
-	secretDataHash := hash.ComputeTemplateHash(secret.Data)
-	if mirrorSecretDataHash != secretDataHash {
-		log.Info("Updating mirror listener secret for the listener pod", "mirrorSecretDataHash", mirrorSecretDataHash, "secretDataHash", secretDataHash)
-		return r.updateSecretsForListener(ctx, secret, mirrorSecret, log)
-	}
-
 	// Make sure the runner scale set listener service account is created for the listener pod in the controller namespace
 	serviceAccount := new(corev1.ServiceAccount)
-	if err := r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Namespace, Name: scaleSetListenerServiceAccountName(autoscalingListener)}, serviceAccount); err != nil {
+	if err := r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Namespace, Name: autoscalingListener.Name}, serviceAccount); err != nil {
 		if !kerrors.IsNotFound(err) {
-			log.Error(err, "Unable to get listener service accounts", "namespace", autoscalingListener.Namespace, "name", scaleSetListenerServiceAccountName(autoscalingListener))
+			log.Error(err, "Unable to get listener service accounts", "namespace", autoscalingListener.Namespace, "name", autoscalingListener.Name)
 			return ctrl.Result{}, err
 		}
 
@@ -175,9 +160,9 @@ func (r *AutoscalingListenerReconciler) Reconcile(ctx context.Context, req ctrl.
 
 	// Make sure the runner scale set listener role is created in the AutoscalingRunnerSet namespace
 	listenerRole := new(rbacv1.Role)
-	if err := r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace, Name: scaleSetListenerRoleName(autoscalingListener)}, listenerRole); err != nil {
+	if err := r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace, Name: autoscalingListener.Name}, listenerRole); err != nil {
 		if !kerrors.IsNotFound(err) {
-			log.Error(err, "Unable to get listener role", "namespace", autoscalingListener.Spec.AutoscalingRunnerSetNamespace, "name", scaleSetListenerRoleName(autoscalingListener))
+			log.Error(err, "Unable to get listener role", "namespace", autoscalingListener.Spec.AutoscalingRunnerSetNamespace, "name", autoscalingListener.Name)
 			return ctrl.Result{}, err
 		}
 
@@ -197,9 +182,9 @@ func (r *AutoscalingListenerReconciler) Reconcile(ctx context.Context, req ctrl.
 
 	// Make sure the runner scale set listener role binding is created
 	listenerRoleBinding := new(rbacv1.RoleBinding)
-	if err := r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace, Name: scaleSetListenerRoleName(autoscalingListener)}, listenerRoleBinding); err != nil {
+	if err := r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace, Name: autoscalingListener.Name}, listenerRoleBinding); err != nil {
 		if !kerrors.IsNotFound(err) {
-			log.Error(err, "Unable to get listener role binding", "namespace", autoscalingListener.Spec.AutoscalingRunnerSetNamespace, "name", scaleSetListenerRoleName(autoscalingListener))
+			log.Error(err, "Unable to get listener role binding", "namespace", autoscalingListener.Spec.AutoscalingRunnerSetNamespace, "name", autoscalingListener.Name)
 			return ctrl.Result{}, err
 		}
 
@@ -226,7 +211,14 @@ func (r *AutoscalingListenerReconciler) Reconcile(ctx context.Context, req ctrl.
 	// TODO: make sure the role binding has the up-to-date role and service account
 
 	listenerPod := new(corev1.Pod)
-	if err := r.Get(ctx, client.ObjectKey{Namespace: autoscalingListener.Namespace, Name: autoscalingListener.Name}, listenerPod); err != nil {
+	if err := r.Get(
+		ctx,
+		client.ObjectKey{
+			Namespace: autoscalingListener.Namespace,
+			Name:      autoscalingListener.Name,
+		},
+		listenerPod,
+	); err != nil {
 		if !kerrors.IsNotFound(err) {
 			log.Error(err, "Unable to get listener pod", "namespace", autoscalingListener.Namespace, "name", autoscalingListener.Name)
 			return ctrl.Result{}, err
@@ -239,29 +231,35 @@ func (r *AutoscalingListenerReconciler) Reconcile(ctx context.Context, req ctrl.
 
 		// Create a listener pod in the controller namespace
 		log.Info("Creating a listener pod")
-		return r.createListenerPod(ctx, &autoscalingRunnerSet, autoscalingListener, serviceAccount, mirrorSecret, log)
+		return r.createListenerPod(ctx, &autoscalingRunnerSet, autoscalingListener, serviceAccount, appConfig, log)
 	}
 
 	cs := listenerContainerStatus(listenerPod)
 	switch {
+	case listenerPod.Status.Reason == "Evicted":
+		log.Info(
+			"Listener pod is evicted",
+			"phase", listenerPod.Status.Phase,
+			"reason", listenerPod.Status.Reason,
+			"message", listenerPod.Status.Message,
+		)
+
+		return ctrl.Result{}, r.deleteListenerPod(ctx, autoscalingListener, listenerPod, log)
+
 	case cs == nil:
 		log.Info("Listener pod is not ready", "namespace", listenerPod.Namespace, "name", listenerPod.Name)
 		return ctrl.Result{}, nil
 	case cs.State.Terminated != nil:
-		log.Info("Listener pod is terminated", "namespace", listenerPod.Namespace, "name", listenerPod.Name, "reason", cs.State.Terminated.Reason, "message", cs.State.Terminated.Message)
+		log.Info(
+			"Listener pod is terminated",
+			"namespace", listenerPod.Namespace,
+			"name", listenerPod.Name,
+			"reason", cs.State.Terminated.Reason,
+			"message", cs.State.Terminated.Message,
+		)
 
-		if err := r.publishRunningListener(autoscalingListener, false); err != nil {
-			log.Error(err, "Unable to publish runner listener down metric", "namespace", listenerPod.Namespace, "name", listenerPod.Name)
-		}
+		return ctrl.Result{}, r.deleteListenerPod(ctx, autoscalingListener, listenerPod, log)
 
-		if listenerPod.DeletionTimestamp.IsZero() {
-			log.Info("Deleting the listener pod", "namespace", listenerPod.Namespace, "name", listenerPod.Name)
-			if err := r.Delete(ctx, listenerPod); err != nil && !kerrors.IsNotFound(err) {
-				log.Error(err, "Unable to delete the listener pod", "namespace", listenerPod.Namespace, "name", listenerPod.Name)
-				return ctrl.Result{}, err
-			}
-		}
-		return ctrl.Result{}, nil
 	case cs.State.Running != nil:
 		if err := r.publishRunningListener(autoscalingListener, true); err != nil {
 			log.Error(err, "Unable to publish running listener", "namespace", listenerPod.Namespace, "name", listenerPod.Name)
@@ -271,11 +269,40 @@ func (r *AutoscalingListenerReconciler) Reconcile(ctx context.Context, req ctrl.
 			return ctrl.Result{}, nil
 		}
 		return ctrl.Result{}, nil
+
 	}
 	return ctrl.Result{}, nil
 }
 
-func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, autoscalingListener *v1alpha1.AutoscalingListener, logger logr.Logger) (done bool, err error) {
+func (r *AutoscalingListenerReconciler) deleteListenerPod(ctx context.Context, autoscalingListener *v1alpha1.AutoscalingListener, listenerPod *corev1.Pod, log logr.Logger) error {
+	if err := r.publishRunningListener(autoscalingListener, false); err != nil {
+		log.Error(err, "Unable to publish runner listener down metric", "namespace", listenerPod.Namespace, "name", listenerPod.Name)
+	}
+
+	if listenerPod.DeletionTimestamp.IsZero() {
+		log.Info("Deleting the listener pod", "namespace", listenerPod.Namespace, "name", listenerPod.Name)
+		if err := r.Delete(ctx, listenerPod); err != nil && !kerrors.IsNotFound(err) {
+			log.Error(err, "Unable to delete the listener pod", "namespace", listenerPod.Namespace, "name", listenerPod.Name)
+			return err
+		}
+
+		// delete the listener config secret as well, so it gets recreated when the listener pod is recreated, with any new data if it exists
+		var configSecret corev1.Secret
+		err := r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Namespace, Name: scaleSetListenerConfigName(autoscalingListener)}, &configSecret)
+		switch {
+		case err == nil && configSecret.DeletionTimestamp.IsZero():
+			log.Info("Deleting the listener config secret")
+			if err := r.Delete(ctx, &configSecret); err != nil {
+				return fmt.Errorf("failed to delete listener config secret: %w", err)
+			}
+		case !kerrors.IsNotFound(err):
+			return fmt.Errorf("failed to get the listener config secret: %w", err)
+		}
+	}
+	return nil
+}
+
+func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, autoscalingListener *v1alpha1.AutoscalingListener, logger logr.Logger) (requeue bool, err error) {
 	logger.Info("Cleaning up the listener pod")
 	listenerPod := new(corev1.Pod)
 	err = r.Get(ctx, types.NamespacedName{Name: autoscalingListener.Name, Namespace: autoscalingListener.Namespace}, listenerPod)
@@ -287,7 +314,7 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 				return false, fmt.Errorf("failed to delete listener pod: %w", err)
 			}
 		}
-		return false, nil
+		requeue = true
 	case kerrors.IsNotFound(err):
 		_ = r.publishRunningListener(autoscalingListener, false) // If error is returned, we never published metrics so it is safe to ignore
 	default:
@@ -305,7 +332,7 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 				return false, fmt.Errorf("failed to delete listener config secret: %w", err)
 			}
 		}
-		return false, nil
+		requeue = true
 	case !kerrors.IsNotFound(err):
 		return false, fmt.Errorf("failed to get listener config secret: %w", err)
 	}
@@ -322,7 +349,7 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 					return false, fmt.Errorf("failed to delete listener proxy secret: %w", err)
 				}
 			}
-			return false, nil
+			requeue = true
 		case !kerrors.IsNotFound(err):
 			return false, fmt.Errorf("failed to get listener proxy secret: %w", err)
 		}
@@ -330,7 +357,7 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 	}
 
 	listenerRoleBinding := new(rbacv1.RoleBinding)
-	err = r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace, Name: scaleSetListenerRoleName(autoscalingListener)}, listenerRoleBinding)
+	err = r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace, Name: autoscalingListener.Name}, listenerRoleBinding)
 	switch {
 	case err == nil:
 		if listenerRoleBinding.DeletionTimestamp.IsZero() {
@@ -339,14 +366,14 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 				return false, fmt.Errorf("failed to delete listener role binding: %w", err)
 			}
 		}
-		return false, nil
+		requeue = true
 	case !kerrors.IsNotFound(err):
 		return false, fmt.Errorf("failed to get listener role binding: %w", err)
 	}
 	logger.Info("Listener role binding is deleted")
 
 	listenerRole := new(rbacv1.Role)
-	err = r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace, Name: scaleSetListenerRoleName(autoscalingListener)}, listenerRole)
+	err = r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace, Name: autoscalingListener.Name}, listenerRole)
 	switch {
 	case err == nil:
 		if listenerRole.DeletionTimestamp.IsZero() {
@@ -355,7 +382,7 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 				return false, fmt.Errorf("failed to delete listener role: %w", err)
 			}
 		}
-		return false, nil
+		requeue = true
 	case !kerrors.IsNotFound(err):
 		return false, fmt.Errorf("failed to get listener role: %w", err)
 	}
@@ -363,7 +390,7 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 
 	logger.Info("Cleaning up the listener service account")
 	listenerSa := new(corev1.ServiceAccount)
-	err = r.Get(ctx, types.NamespacedName{Name: scaleSetListenerServiceAccountName(autoscalingListener), Namespace: autoscalingListener.Namespace}, listenerSa)
+	err = r.Get(ctx, types.NamespacedName{Name: autoscalingListener.Name, Namespace: autoscalingListener.Namespace}, listenerSa)
 	switch {
 	case err == nil:
 		if listenerSa.DeletionTimestamp.IsZero() {
@@ -372,13 +399,13 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 				return false, fmt.Errorf("failed to delete listener service account: %w", err)
 			}
 		}
-		return false, nil
+		requeue = true
 	case !kerrors.IsNotFound(err):
 		return false, fmt.Errorf("failed to get listener service account: %w", err)
 	}
 	logger.Info("Listener service account is deleted")
 
-	return true, nil
+	return requeue, nil
 }
 
 func (r *AutoscalingListenerReconciler) createServiceAccountForListener(ctx context.Context, autoscalingListener *v1alpha1.AutoscalingListener, logger logr.Logger) (ctrl.Result, error) {
@@ -398,7 +425,7 @@ func (r *AutoscalingListenerReconciler) createServiceAccountForListener(ctx cont
 	return ctrl.Result{}, nil
 }
 
-func (r *AutoscalingListenerReconciler) createListenerPod(ctx context.Context, autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet, autoscalingListener *v1alpha1.AutoscalingListener, serviceAccount *corev1.ServiceAccount, secret *corev1.Secret, logger logr.Logger) (ctrl.Result, error) {
+func (r *AutoscalingListenerReconciler) createListenerPod(ctx context.Context, autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet, autoscalingListener *v1alpha1.AutoscalingListener, serviceAccount *corev1.ServiceAccount, appConfig *appconfig.AppConfig, logger logr.Logger) (ctrl.Result, error) {
 	var envs []corev1.EnvVar
 	if autoscalingListener.Spec.Proxy != nil {
 		httpURL := corev1.EnvVar{
@@ -467,7 +494,7 @@ func (r *AutoscalingListenerReconciler) createListenerPod(ctx context.Context, a
 
 		logger.Info("Creating listener config secret")
 
-		podConfig, err := r.newScaleSetListenerConfig(autoscalingListener, secret, metricsConfig, cert)
+		podConfig, err := r.newScaleSetListenerConfig(autoscalingListener, appConfig, metricsConfig, cert)
 		if err != nil {
 			logger.Error(err, "Failed to build listener config secret")
 			return ctrl.Result{}, err
@@ -486,7 +513,7 @@ func (r *AutoscalingListenerReconciler) createListenerPod(ctx context.Context, a
 		return ctrl.Result{Requeue: true}, nil
 	}
 
-	newPod, err := r.newScaleSetListenerPod(autoscalingListener, &podConfig, serviceAccount, secret, metricsConfig, envs...)
+	newPod, err := r.newScaleSetListenerPod(autoscalingListener, &podConfig, serviceAccount, metricsConfig, envs...)
 	if err != nil {
 		logger.Error(err, "Failed to build listener pod")
 		return ctrl.Result{}, err
@@ -545,23 +572,6 @@ func (r *AutoscalingListenerReconciler) certificate(ctx context.Context, autosca
 	return certificate, nil
 }
 
-func (r *AutoscalingListenerReconciler) createSecretsForListener(ctx context.Context, autoscalingListener *v1alpha1.AutoscalingListener, secret *corev1.Secret, logger logr.Logger) (ctrl.Result, error) {
-	newListenerSecret := r.newScaleSetListenerSecretMirror(autoscalingListener, secret)
-
-	if err := ctrl.SetControllerReference(autoscalingListener, newListenerSecret, r.Scheme); err != nil {
-		return ctrl.Result{}, err
-	}
-
-	logger.Info("Creating listener secret", "namespace", newListenerSecret.Namespace, "name", newListenerSecret.Name)
-	if err := r.Create(ctx, newListenerSecret); err != nil {
-		logger.Error(err, "Unable to create listener secret", "namespace", newListenerSecret.Namespace, "name", newListenerSecret.Name)
-		return ctrl.Result{}, err
-	}
-
-	logger.Info("Created listener secret", "namespace", newListenerSecret.Namespace, "name", newListenerSecret.Name)
-	return ctrl.Result{Requeue: true}, nil
-}
-
 func (r *AutoscalingListenerReconciler) createProxySecret(ctx context.Context, autoscalingListener *v1alpha1.AutoscalingListener, logger logr.Logger) (ctrl.Result, error) {
 	data, err := autoscalingListener.Spec.Proxy.ToSecretData(func(s string) (*corev1.Secret, error) {
 		var secret corev1.Secret
@@ -601,22 +611,6 @@ func (r *AutoscalingListenerReconciler) createProxySecret(ctx context.Context, a
 	return ctrl.Result{Requeue: true}, nil
 }
 
-func (r *AutoscalingListenerReconciler) updateSecretsForListener(ctx context.Context, secret *corev1.Secret, mirrorSecret *corev1.Secret, logger logr.Logger) (ctrl.Result, error) {
-	dataHash := hash.ComputeTemplateHash(secret.Data)
-	updatedMirrorSecret := mirrorSecret.DeepCopy()
-	updatedMirrorSecret.Labels["secret-data-hash"] = dataHash
-	updatedMirrorSecret.Data = secret.Data
-
-	logger.Info("Updating listener mirror secret", "namespace", updatedMirrorSecret.Namespace, "name", updatedMirrorSecret.Name, "hash", dataHash)
-	if err := r.Update(ctx, updatedMirrorSecret); err != nil {
-		logger.Error(err, "Unable to update listener mirror secret", "namespace", updatedMirrorSecret.Namespace, "name", updatedMirrorSecret.Name)
-		return ctrl.Result{}, err
-	}
-
-	logger.Info("Updated listener mirror secret", "namespace", updatedMirrorSecret.Namespace, "name", updatedMirrorSecret.Name, "hash", dataHash)
-	return ctrl.Result{Requeue: true}, nil
-}
-
 func (r *AutoscalingListenerReconciler) createRoleForListener(ctx context.Context, autoscalingListener *v1alpha1.AutoscalingListener, logger logr.Logger) (ctrl.Result, error) {
 	newRole := r.newScaleSetListenerRole(autoscalingListener)
 

controllers/actions.github.com/autoscalinglistener_controller_test.go

@@ -14,7 +14,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 
-	listenerconfig "github.com/actions/actions-runner-controller/cmd/ghalistener/config"
+	ghalistenerconfig "github.com/actions/actions-runner-controller/cmd/ghalistener/config"
+	"github.com/actions/actions-runner-controller/github/actions/fake"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
@@ -25,9 +26,8 @@ import (
 )
 
 const (
-	autoscalingListenerTestTimeout     = time.Second * 20
-	autoscalingListenerTestInterval    = time.Millisecond * 250
-	autoscalingListenerTestGitHubToken = "gh_token"
+	autoscalingListenerTestTimeout  = time.Second * 20
+	autoscalingListenerTestInterval = time.Millisecond * 250
 )
 
 var _ = Describe("Test AutoScalingListener controller", func() {
@@ -43,10 +43,17 @@ var _ = Describe("Test AutoScalingListener controller", func() {
 		autoscalingNS, mgr = createNamespace(GinkgoT(), k8sClient)
 		configSecret = createDefaultSecret(GinkgoT(), k8sClient, autoscalingNS.Name)
 
+		secretResolver := NewSecretResolver(mgr.GetClient(), fake.NewMultiClient())
+
+		rb := ResourceBuilder{
+			SecretResolver: secretResolver,
+		}
+
 		controller := &AutoscalingListenerReconciler{
-			Client: mgr.GetClient(),
-			Scheme: mgr.GetScheme(),
-			Log:    logf.Log,
+			Client:          mgr.GetClient(),
+			Scheme:          mgr.GetScheme(),
+			Log:             logf.Log,
+			ResourceBuilder: rb,
 		}
 		err := controller.SetupWithManager(mgr)
 		Expect(err).NotTo(HaveOccurred(), "failed to setup controller")
@@ -134,37 +141,25 @@ var _ = Describe("Test AutoScalingListener controller", func() {
 				autoscalingListenerTestTimeout,
 				autoscalingListenerTestInterval).Should(BeEquivalentTo(autoscalingListenerFinalizerName), "AutoScalingListener should have a finalizer")
 
-			// Check if secret is created
-			mirrorSecret := new(corev1.Secret)
-			Eventually(
-				func() (string, error) {
-					err := k8sClient.Get(ctx, client.ObjectKey{Name: scaleSetListenerSecretMirrorName(autoscalingListener), Namespace: autoscalingListener.Namespace}, mirrorSecret)
-					if err != nil {
-						return "", err
-					}
-					return string(mirrorSecret.Data["github_token"]), nil
-				},
-				autoscalingListenerTestTimeout,
-				autoscalingListenerTestInterval).Should(BeEquivalentTo(autoscalingListenerTestGitHubToken), "Mirror secret should be created")
-
 			// Check if service account is created
 			serviceAccount := new(corev1.ServiceAccount)
 			Eventually(
 				func() (string, error) {
-					err := k8sClient.Get(ctx, client.ObjectKey{Name: scaleSetListenerServiceAccountName(autoscalingListener), Namespace: autoscalingListener.Namespace}, serviceAccount)
+					err := k8sClient.Get(ctx, client.ObjectKey{Name: autoscalingListener.Name, Namespace: autoscalingListener.Namespace}, serviceAccount)
 					if err != nil {
 						return "", err
 					}
 					return serviceAccount.Name, nil
 				},
 				autoscalingListenerTestTimeout,
-				autoscalingListenerTestInterval).Should(BeEquivalentTo(scaleSetListenerServiceAccountName(autoscalingListener)), "Service account should be created")
+				autoscalingListenerTestInterval,
+			).Should(BeEquivalentTo(autoscalingListener.Name), "Service account should be created")
 
 			// Check if role is created
 			role := new(rbacv1.Role)
 			Eventually(
 				func() ([]rbacv1.PolicyRule, error) {
-					err := k8sClient.Get(ctx, client.ObjectKey{Name: scaleSetListenerRoleName(autoscalingListener), Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace}, role)
+					err := k8sClient.Get(ctx, client.ObjectKey{Name: autoscalingListener.Name, Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace}, role)
 					if err != nil {
 						return nil, err
 					}
@@ -178,7 +173,7 @@ var _ = Describe("Test AutoScalingListener controller", func() {
 			roleBinding := new(rbacv1.RoleBinding)
 			Eventually(
 				func() (string, error) {
-					err := k8sClient.Get(ctx, client.ObjectKey{Name: scaleSetListenerRoleName(autoscalingListener), Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace}, roleBinding)
+					err := k8sClient.Get(ctx, client.ObjectKey{Name: autoscalingListener.Name, Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace}, roleBinding)
 					if err != nil {
 						return "", err
 					}
@@ -186,7 +181,7 @@ var _ = Describe("Test AutoScalingListener controller", func() {
 					return roleBinding.RoleRef.Name, nil
 				},
 				autoscalingListenerTestTimeout,
-				autoscalingListenerTestInterval).Should(BeEquivalentTo(scaleSetListenerRoleName(autoscalingListener)), "Rolebinding should be created")
+				autoscalingListenerTestInterval).Should(BeEquivalentTo(autoscalingListener.Name), "Rolebinding should be created")
 
 			// Check if pod is created
 			pod := new(corev1.Pod)
@@ -248,7 +243,7 @@ var _ = Describe("Test AutoScalingListener controller", func() {
 			Eventually(
 				func() bool {
 					roleBinding := new(rbacv1.RoleBinding)
-					err := k8sClient.Get(ctx, client.ObjectKey{Name: scaleSetListenerRoleName(autoscalingListener), Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace}, roleBinding)
+					err := k8sClient.Get(ctx, client.ObjectKey{Name: autoscalingListener.Name, Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace}, roleBinding)
 					return kerrors.IsNotFound(err)
 				},
 				autoscalingListenerTestTimeout,
@@ -259,7 +254,7 @@ var _ = Describe("Test AutoScalingListener controller", func() {
 			Eventually(
 				func() bool {
 					role := new(rbacv1.Role)
-					err := k8sClient.Get(ctx, client.ObjectKey{Name: scaleSetListenerRoleName(autoscalingListener), Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace}, role)
+					err := k8sClient.Get(ctx, client.ObjectKey{Name: autoscalingListener.Name, Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace}, role)
 					return kerrors.IsNotFound(err)
 				},
 				autoscalingListenerTestTimeout,
@@ -340,7 +335,7 @@ var _ = Describe("Test AutoScalingListener controller", func() {
 			role := new(rbacv1.Role)
 			Eventually(
 				func() ([]rbacv1.PolicyRule, error) {
-					err := k8sClient.Get(ctx, client.ObjectKey{Name: scaleSetListenerRoleName(autoscalingListener), Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace}, role)
+					err := k8sClient.Get(ctx, client.ObjectKey{Name: autoscalingListener.Name, Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace}, role)
 					if err != nil {
 						return nil, err
 					}
@@ -351,7 +346,7 @@ var _ = Describe("Test AutoScalingListener controller", func() {
 				autoscalingListenerTestInterval).Should(BeEquivalentTo(rulesForListenerRole([]string{updated.Spec.EphemeralRunnerSetName})), "Role should be updated")
 		})
 
-		It("It should re-create pod whenever listener container is terminated", func() {
+		It("It should re-create pod and config secret whenever listener container is terminated", func() {
 			// Waiting for the pod is created
 			pod := new(corev1.Pod)
 			Eventually(
@@ -367,7 +362,18 @@ var _ = Describe("Test AutoScalingListener controller", func() {
 				autoscalingListenerTestInterval,
 			).Should(BeEquivalentTo(autoscalingListener.Name), "Pod should be created")
 
+			secret := new(corev1.Secret)
+			Eventually(
+				func() error {
+					return k8sClient.Get(ctx, client.ObjectKey{Name: scaleSetListenerConfigName(autoscalingListener), Namespace: autoscalingListener.Namespace}, secret)
+				},
+				autoscalingListenerTestTimeout,
+				autoscalingListenerTestInterval,
+			).Should(Succeed(), "Config secret should be created")
+
 			oldPodUID := string(pod.UID)
+			oldSecretUID := string(secret.UID)
+
 			updated := pod.DeepCopy()
 			updated.Status.ContainerStatuses = []corev1.ContainerStatus{
 				{
@@ -396,75 +402,21 @@ var _ = Describe("Test AutoScalingListener controller", func() {
 				autoscalingListenerTestTimeout,
 				autoscalingListenerTestInterval,
 			).ShouldNot(BeEquivalentTo(oldPodUID), "Pod should be re-created")
-		})
 
-		It("It should update mirror secrets to match secret used by AutoScalingRunnerSet", func() {
-			// Waiting for the pod is created
-			pod := new(corev1.Pod)
+			// Check if config secret is re-created
 			Eventually(
 				func() (string, error) {
-					err := k8sClient.Get(ctx, client.ObjectKey{Name: autoscalingListener.Name, Namespace: autoscalingListener.Namespace}, pod)
+					secret := new(corev1.Secret)
+					err := k8sClient.Get(ctx, client.ObjectKey{Name: scaleSetListenerConfigName(autoscalingListener), Namespace: autoscalingListener.Namespace}, secret)
 					if err != nil {
 						return "", err
 					}
 
-					return pod.Name, nil
+					return string(secret.UID), nil
 				},
 				autoscalingListenerTestTimeout,
-				autoscalingListenerTestInterval).Should(BeEquivalentTo(autoscalingListener.Name), "Pod should be created")
-
-			// Update the secret
-			updatedSecret := configSecret.DeepCopy()
-			updatedSecret.Data["github_token"] = []byte(autoscalingListenerTestGitHubToken + "_updated")
-			err := k8sClient.Update(ctx, updatedSecret)
-			Expect(err).NotTo(HaveOccurred(), "failed to update test secret")
-
-			updatedPod := pod.DeepCopy()
-			// Ignore status running and consult the container state
-			updatedPod.Status.Phase = corev1.PodRunning
-			updatedPod.Status.ContainerStatuses = []corev1.ContainerStatus{
-				{
-					Name: autoscalingListenerContainerName,
-					State: corev1.ContainerState{
-						Terminated: &corev1.ContainerStateTerminated{
-							ExitCode: 1,
-						},
-					},
-				},
-			}
-			err = k8sClient.Status().Update(ctx, updatedPod)
-			Expect(err).NotTo(HaveOccurred(), "failed to update test pod to failed")
-
-			// Check if mirror secret is updated with right data
-			mirrorSecret := new(corev1.Secret)
-			Eventually(
-				func() (map[string][]byte, error) {
-					err := k8sClient.Get(ctx, client.ObjectKey{Name: scaleSetListenerSecretMirrorName(autoscalingListener), Namespace: autoscalingListener.Namespace}, mirrorSecret)
-					if err != nil {
-						return nil, err
-					}
-
-					return mirrorSecret.Data, nil
-				},
-				autoscalingListenerTestTimeout,
-				autoscalingListenerTestInterval).Should(BeEquivalentTo(updatedSecret.Data), "Mirror secret should be updated")
-
-			// Check if we re-created a new pod
-			Eventually(
-				func() error {
-					latestPod := new(corev1.Pod)
-					err := k8sClient.Get(ctx, client.ObjectKey{Name: autoscalingListener.Name, Namespace: autoscalingListener.Namespace}, latestPod)
-					if err != nil {
-						return err
-					}
-					if latestPod.UID == pod.UID {
-						return fmt.Errorf("Pod should be recreated")
-					}
-
-					return nil
-				},
-				autoscalingListenerTestTimeout,
-				autoscalingListenerTestInterval).Should(Succeed(), "Pod should be recreated")
+				autoscalingListenerTestInterval,
+			).ShouldNot(BeEquivalentTo(oldSecretUID), "Config secret should be re-created")
 		})
 	})
 })
@@ -507,10 +459,17 @@ var _ = Describe("Test AutoScalingListener customization", func() {
 		autoscalingNS, mgr = createNamespace(GinkgoT(), k8sClient)
 		configSecret = createDefaultSecret(GinkgoT(), k8sClient, autoscalingNS.Name)
 
+		secretResolver := NewSecretResolver(mgr.GetClient(), fake.NewMultiClient())
+
+		rb := ResourceBuilder{
+			SecretResolver: secretResolver,
+		}
+
 		controller := &AutoscalingListenerReconciler{
-			Client: mgr.GetClient(),
-			Scheme: mgr.GetScheme(),
-			Log:    logf.Log,
+			Client:          mgr.GetClient(),
+			Scheme:          mgr.GetScheme(),
+			Log:             logf.Log,
+			ResourceBuilder: rb,
 		}
 		err := controller.SetupWithManager(mgr)
 		Expect(err).NotTo(HaveOccurred(), "failed to setup controller")
@@ -712,6 +671,55 @@ var _ = Describe("Test AutoScalingListener customization", func() {
 				autoscalingListenerTestInterval,
 			).ShouldNot(BeEquivalentTo(oldPodUID), "Pod should be created")
 		})
+
+		It("Should re-create pod when the listener pod is evicted", func() {
+			pod := new(corev1.Pod)
+			Eventually(
+				func() (string, error) {
+					err := k8sClient.Get(
+						ctx,
+						client.ObjectKey{
+							Name:      autoscalingListener.Name,
+							Namespace: autoscalingListener.Namespace,
+						},
+						pod,
+					)
+					if err != nil {
+						return "", err
+					}
+
+					return pod.Name, nil
+				},
+				autoscalingListenerTestTimeout,
+				autoscalingListenerTestInterval,
+			).Should(
+				BeEquivalentTo(autoscalingListener.Name),
+				"Pod should be created",
+			)
+
+			updated := pod.DeepCopy()
+			oldPodUID := string(pod.UID)
+			updated.Status.Reason = "Evicted"
+			err := k8sClient.Status().Update(ctx, updated)
+			Expect(err).NotTo(HaveOccurred(), "failed to update pod status")
+
+			pod = new(corev1.Pod)
+			Eventually(
+				func() (string, error) {
+					err := k8sClient.Get(ctx, client.ObjectKey{Name: autoscalingListener.Name, Namespace: autoscalingListener.Namespace}, pod)
+					if err != nil {
+						return "", err
+					}
+
+					return string(pod.UID), nil
+				},
+				autoscalingListenerTestTimeout,
+				autoscalingListenerTestInterval,
+			).ShouldNot(
+				BeEquivalentTo(oldPodUID),
+				"Pod should be created",
+			)
+		})
 	})
 })
 
@@ -780,11 +788,17 @@ var _ = Describe("Test AutoScalingListener controller with proxy", func() {
 		ctx = context.Background()
 		autoscalingNS, mgr = createNamespace(GinkgoT(), k8sClient)
 		configSecret = createDefaultSecret(GinkgoT(), k8sClient, autoscalingNS.Name)
+		secretResolver := NewSecretResolver(mgr.GetClient(), fake.NewMultiClient())
+
+		rb := ResourceBuilder{
+			SecretResolver: secretResolver,
+		}
 
 		controller := &AutoscalingListenerReconciler{
-			Client: mgr.GetClient(),
-			Scheme: mgr.GetScheme(),
-			Log:    logf.Log,
+			Client:          mgr.GetClient(),
+			Scheme:          mgr.GetScheme(),
+			Log:             logf.Log,
+			ResourceBuilder: rb,
 		}
 		err := controller.SetupWithManager(mgr)
 		Expect(err).NotTo(HaveOccurred(), "failed to setup controller")
@@ -977,10 +991,17 @@ var _ = Describe("Test AutoScalingListener controller with template modification
 		autoscalingNS, mgr = createNamespace(GinkgoT(), k8sClient)
 		configSecret = createDefaultSecret(GinkgoT(), k8sClient, autoscalingNS.Name)
 
+		secretResolver := NewSecretResolver(mgr.GetClient(), fake.NewMultiClient())
+
+		rb := ResourceBuilder{
+			SecretResolver: secretResolver,
+		}
+
 		controller := &AutoscalingListenerReconciler{
-			Client: mgr.GetClient(),
-			Scheme: mgr.GetScheme(),
-			Log:    logf.Log,
+			Client:          mgr.GetClient(),
+			Scheme:          mgr.GetScheme(),
+			Log:             logf.Log,
+			ResourceBuilder: rb,
 		}
 		err := controller.SetupWithManager(mgr)
 		Expect(err).NotTo(HaveOccurred(), "failed to setup controller")
@@ -1073,6 +1094,12 @@ var _ = Describe("Test GitHub Server TLS configuration", func() {
 		autoscalingNS, mgr = createNamespace(GinkgoT(), k8sClient)
 		configSecret = createDefaultSecret(GinkgoT(), k8sClient, autoscalingNS.Name)
 
+		secretResolver := NewSecretResolver(mgr.GetClient(), fake.NewMultiClient())
+
+		rb := ResourceBuilder{
+			SecretResolver: secretResolver,
+		}
+
 		cert, err := os.ReadFile(filepath.Join(
 			"../../",
 			"github",
@@ -1094,9 +1121,10 @@ var _ = Describe("Test GitHub Server TLS configuration", func() {
 		Expect(err).NotTo(HaveOccurred(), "failed to create configmap with root CAs")
 
 		controller := &AutoscalingListenerReconciler{
-			Client: mgr.GetClient(),
-			Scheme: mgr.GetScheme(),
-			Log:    logf.Log,
+			Client:          mgr.GetClient(),
+			Scheme:          mgr.GetScheme(),
+			Log:             logf.Log,
+			ResourceBuilder: rb,
 		}
 		err = controller.SetupWithManager(mgr)
 		Expect(err).NotTo(HaveOccurred(), "failed to setup controller")
@@ -1111,7 +1139,7 @@ var _ = Describe("Test GitHub Server TLS configuration", func() {
 			Spec: v1alpha1.AutoscalingRunnerSetSpec{
 				GitHubConfigUrl:    "https://github.com/owner/repo",
 				GitHubConfigSecret: configSecret.Name,
-				GitHubServerTLS: &v1alpha1.GitHubServerTLSConfig{
+				GitHubServerTLS: &v1alpha1.TLSConfig{
 					CertificateFrom: &v1alpha1.TLSCertificateSource{
 						ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
 							LocalObjectReference: corev1.LocalObjectReference{
@@ -1147,7 +1175,7 @@ var _ = Describe("Test GitHub Server TLS configuration", func() {
 			Spec: v1alpha1.AutoscalingListenerSpec{
 				GitHubConfigUrl:    "https://github.com/owner/repo",
 				GitHubConfigSecret: configSecret.Name,
-				GitHubServerTLS: &v1alpha1.GitHubServerTLSConfig{
+				GitHubServerTLS: &v1alpha1.TLSConfig{
 					CertificateFrom: &v1alpha1.TLSCertificateSource{
 						ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
 							LocalObjectReference: corev1.LocalObjectReference{
@@ -1191,7 +1219,7 @@ var _ = Describe("Test GitHub Server TLS configuration", func() {
 
 					g.Expect(config.Data["config.json"]).ToNot(BeEmpty(), "listener configuration file should not be empty")
 
-					var listenerConfig listenerconfig.Config
+					var listenerConfig ghalistenerconfig.Config
 					err = json.Unmarshal(config.Data["config.json"], &listenerConfig)
 					g.Expect(err).NotTo(HaveOccurred(), "failed to parse listener configuration file")
 

controllers/actions.github.com/autoscalingrunnerset_controller.go

@@ -48,7 +48,7 @@ const (
 	annotationKeyValuesHash = "actions.github.com/values-hash"
 
 	autoscalingRunnerSetFinalizerName = "autoscalingrunnerset.actions.github.com/finalizer"
-	runnerScaleSetIdAnnotationKey     = "runner-scale-set-id"
+	runnerScaleSetIDAnnotationKey     = "runner-scale-set-id"
 )
 
 type UpdateStrategy string
@@ -151,7 +151,7 @@ func (r *AutoscalingRunnerSetReconciler) Reconcile(ctx context.Context, req ctrl
 		return ctrl.Result{}, nil
 	}
 
-	if autoscalingRunnerSet.Labels[LabelKeyKubernetesVersion] != build.Version {
+	if !v1alpha1.IsVersionAllowed(autoscalingRunnerSet.Labels[LabelKeyKubernetesVersion], build.Version) {
 		if err := r.Delete(ctx, autoscalingRunnerSet); err != nil {
 			log.Error(err, "Failed to delete autoscaling runner set on version mismatch",
 				"buildVersion", build.Version,
@@ -180,14 +180,14 @@ func (r *AutoscalingRunnerSetReconciler) Reconcile(ctx context.Context, req ctrl
 		return ctrl.Result{}, nil
 	}
 
-	scaleSetIdRaw, ok := autoscalingRunnerSet.Annotations[runnerScaleSetIdAnnotationKey]
+	scaleSetIDRaw, ok := autoscalingRunnerSet.Annotations[runnerScaleSetIDAnnotationKey]
 	if !ok {
 		// Need to create a new runner scale set on Actions service
 		log.Info("Runner scale set id annotation does not exist. Creating a new runner scale set.")
 		return r.createRunnerScaleSet(ctx, autoscalingRunnerSet, log)
 	}
 
-	if id, err := strconv.Atoi(scaleSetIdRaw); err != nil || id <= 0 {
+	if id, err := strconv.Atoi(scaleSetIDRaw); err != nil || id <= 0 {
 		log.Info("Runner scale set id annotation is not an id, or is <= 0. Creating a new runner scale set.")
 		// something modified the scaleSetId. Try to create one
 		return r.createRunnerScaleSet(ctx, autoscalingRunnerSet, log)
@@ -207,14 +207,6 @@ func (r *AutoscalingRunnerSetReconciler) Reconcile(ctx context.Context, req ctrl
 		return r.updateRunnerScaleSetName(ctx, autoscalingRunnerSet, log)
 	}
 
-	secret := new(corev1.Secret)
-	if err := r.Get(ctx, types.NamespacedName{Namespace: autoscalingRunnerSet.Namespace, Name: autoscalingRunnerSet.Spec.GitHubConfigSecret}, secret); err != nil {
-		log.Error(err, "Failed to find GitHub config secret.",
-			"namespace", autoscalingRunnerSet.Namespace,
-			"name", autoscalingRunnerSet.Spec.GitHubConfigSecret)
-		return ctrl.Result{}, err
-	}
-
 	existingRunnerSets, err := r.listEphemeralRunnerSets(ctx, autoscalingRunnerSet)
 	if err != nil {
 		log.Error(err, "Failed to list existing ephemeral runner sets")
@@ -402,16 +394,16 @@ func (r *AutoscalingRunnerSetReconciler) removeFinalizersFromDependentResources(
 
 func (r *AutoscalingRunnerSetReconciler) createRunnerScaleSet(ctx context.Context, autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet, logger logr.Logger) (ctrl.Result, error) {
 	logger.Info("Creating a new runner scale set")
-	actionsClient, err := r.actionsClientFor(ctx, autoscalingRunnerSet)
+	actionsClient, err := r.GetActionsService(ctx, autoscalingRunnerSet)
 	if len(autoscalingRunnerSet.Spec.RunnerScaleSetName) == 0 {
 		autoscalingRunnerSet.Spec.RunnerScaleSetName = autoscalingRunnerSet.Name
 	}
 	if err != nil {
-		logger.Error(err, "Failed to initialize Actions service client for creating a new runner scale set")
+		logger.Error(err, "Failed to initialize Actions service client for creating a new runner scale set", "error", err.Error())
 		return ctrl.Result{}, err
 	}
 
-	runnerGroupId := 1
+	runnerGroupID := 1
 	if len(autoscalingRunnerSet.Spec.RunnerGroup) > 0 {
 		runnerGroup, err := actionsClient.GetRunnerGroupByName(ctx, autoscalingRunnerSet.Spec.RunnerGroup)
 		if err != nil {
@@ -419,14 +411,14 @@ func (r *AutoscalingRunnerSetReconciler) createRunnerScaleSet(ctx context.Contex
 			return ctrl.Result{}, err
 		}
 
-		runnerGroupId = int(runnerGroup.ID)
+		runnerGroupID = int(runnerGroup.ID)
 	}
 
-	runnerScaleSet, err := actionsClient.GetRunnerScaleSet(ctx, runnerGroupId, autoscalingRunnerSet.Spec.RunnerScaleSetName)
+	runnerScaleSet, err := actionsClient.GetRunnerScaleSet(ctx, runnerGroupID, autoscalingRunnerSet.Spec.RunnerScaleSetName)
 	if err != nil {
 		logger.Error(err, "Failed to get runner scale set from Actions service",
 			"runnerGroupId",
-			strconv.Itoa(runnerGroupId),
+			strconv.Itoa(runnerGroupID),
 			"runnerScaleSetName",
 			autoscalingRunnerSet.Spec.RunnerScaleSetName)
 		return ctrl.Result{}, err
@@ -437,7 +429,7 @@ func (r *AutoscalingRunnerSetReconciler) createRunnerScaleSet(ctx context.Contex
 			ctx,
 			&actions.RunnerScaleSet{
 				Name:          autoscalingRunnerSet.Spec.RunnerScaleSetName,
-				RunnerGroupId: runnerGroupId,
+				RunnerGroupId: runnerGroupID,
 				Labels: []actions.Label{
 					{
 						Name: autoscalingRunnerSet.Spec.RunnerScaleSetName,
@@ -474,7 +466,7 @@ func (r *AutoscalingRunnerSetReconciler) createRunnerScaleSet(ctx context.Contex
 	logger.Info("Adding runner scale set ID, name and runner group name as an annotation and url labels")
 	if err = patch(ctx, r.Client, autoscalingRunnerSet, func(obj *v1alpha1.AutoscalingRunnerSet) {
 		obj.Annotations[AnnotationKeyGitHubRunnerScaleSetName] = runnerScaleSet.Name
-		obj.Annotations[runnerScaleSetIdAnnotationKey] = strconv.Itoa(runnerScaleSet.Id)
+		obj.Annotations[runnerScaleSetIDAnnotationKey] = strconv.Itoa(runnerScaleSet.Id)
 		obj.Annotations[AnnotationKeyGitHubRunnerGroupName] = runnerScaleSet.RunnerGroupName
 		if err := applyGitHubURLLabels(obj.Spec.GitHubConfigUrl, obj.Labels); err != nil { // should never happen
 			logger.Error(err, "Failed to apply GitHub URL labels")
@@ -492,19 +484,19 @@ func (r *AutoscalingRunnerSetReconciler) createRunnerScaleSet(ctx context.Contex
 }
 
 func (r *AutoscalingRunnerSetReconciler) updateRunnerScaleSetRunnerGroup(ctx context.Context, autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet, logger logr.Logger) (ctrl.Result, error) {
-	runnerScaleSetId, err := strconv.Atoi(autoscalingRunnerSet.Annotations[runnerScaleSetIdAnnotationKey])
+	runnerScaleSetID, err := strconv.Atoi(autoscalingRunnerSet.Annotations[runnerScaleSetIDAnnotationKey])
 	if err != nil {
 		logger.Error(err, "Failed to parse runner scale set ID")
 		return ctrl.Result{}, err
 	}
 
-	actionsClient, err := r.actionsClientFor(ctx, autoscalingRunnerSet)
+	actionsClient, err := r.GetActionsService(ctx, autoscalingRunnerSet)
 	if err != nil {
 		logger.Error(err, "Failed to initialize Actions service client for updating a existing runner scale set")
 		return ctrl.Result{}, err
 	}
 
-	runnerGroupId := 1
+	runnerGroupID := 1
 	if len(autoscalingRunnerSet.Spec.RunnerGroup) > 0 {
 		runnerGroup, err := actionsClient.GetRunnerGroupByName(ctx, autoscalingRunnerSet.Spec.RunnerGroup)
 		if err != nil {
@@ -512,12 +504,12 @@ func (r *AutoscalingRunnerSetReconciler) updateRunnerScaleSetRunnerGroup(ctx con
 			return ctrl.Result{}, err
 		}
 
-		runnerGroupId = int(runnerGroup.ID)
+		runnerGroupID = int(runnerGroup.ID)
 	}
 
-	updatedRunnerScaleSet, err := actionsClient.UpdateRunnerScaleSet(ctx, runnerScaleSetId, &actions.RunnerScaleSet{RunnerGroupId: runnerGroupId})
+	updatedRunnerScaleSet, err := actionsClient.UpdateRunnerScaleSet(ctx, runnerScaleSetID, &actions.RunnerScaleSet{RunnerGroupId: runnerGroupID})
 	if err != nil {
-		logger.Error(err, "Failed to update runner scale set", "runnerScaleSetId", runnerScaleSetId)
+		logger.Error(err, "Failed to update runner scale set", "runnerScaleSetId", runnerScaleSetID)
 		return ctrl.Result{}, err
 	}
 
@@ -535,7 +527,7 @@ func (r *AutoscalingRunnerSetReconciler) updateRunnerScaleSetRunnerGroup(ctx con
 }
 
 func (r *AutoscalingRunnerSetReconciler) updateRunnerScaleSetName(ctx context.Context, autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet, logger logr.Logger) (ctrl.Result, error) {
-	runnerScaleSetId, err := strconv.Atoi(autoscalingRunnerSet.Annotations[runnerScaleSetIdAnnotationKey])
+	runnerScaleSetID, err := strconv.Atoi(autoscalingRunnerSet.Annotations[runnerScaleSetIDAnnotationKey])
 	if err != nil {
 		logger.Error(err, "Failed to parse runner scale set ID")
 		return ctrl.Result{}, err
@@ -546,15 +538,15 @@ func (r *AutoscalingRunnerSetReconciler) updateRunnerScaleSetName(ctx context.Co
 		return ctrl.Result{}, nil
 	}
 
-	actionsClient, err := r.actionsClientFor(ctx, autoscalingRunnerSet)
+	actionsClient, err := r.GetActionsService(ctx, autoscalingRunnerSet)
 	if err != nil {
 		logger.Error(err, "Failed to initialize Actions service client for updating a existing runner scale set")
 		return ctrl.Result{}, err
 	}
 
-	updatedRunnerScaleSet, err := actionsClient.UpdateRunnerScaleSet(ctx, runnerScaleSetId, &actions.RunnerScaleSet{Name: autoscalingRunnerSet.Spec.RunnerScaleSetName})
+	updatedRunnerScaleSet, err := actionsClient.UpdateRunnerScaleSet(ctx, runnerScaleSetID, &actions.RunnerScaleSet{Name: autoscalingRunnerSet.Spec.RunnerScaleSetName})
 	if err != nil {
-		logger.Error(err, "Failed to update runner scale set", "runnerScaleSetId", runnerScaleSetId)
+		logger.Error(err, "Failed to update runner scale set", "runnerScaleSetId", runnerScaleSetID)
 		return ctrl.Result{}, err
 	}
 
@@ -571,7 +563,7 @@ func (r *AutoscalingRunnerSetReconciler) updateRunnerScaleSetName(ctx context.Co
 }
 
 func (r *AutoscalingRunnerSetReconciler) deleteRunnerScaleSet(ctx context.Context, autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet, logger logr.Logger) error {
-	scaleSetId, ok := autoscalingRunnerSet.Annotations[runnerScaleSetIdAnnotationKey]
+	scaleSetID, ok := autoscalingRunnerSet.Annotations[runnerScaleSetIDAnnotationKey]
 	if !ok {
 		// Annotation not being present can occur in 3 scenarios
 		// 1. Scale set is never created.
@@ -588,7 +580,7 @@ func (r *AutoscalingRunnerSetReconciler) deleteRunnerScaleSet(ctx context.Contex
 		return nil
 	}
 	logger.Info("Deleting the runner scale set from Actions service")
-	runnerScaleSetId, err := strconv.Atoi(scaleSetId)
+	runnerScaleSetID, err := strconv.Atoi(scaleSetID)
 	if err != nil {
 		// If the annotation is not set correctly, we are going to get stuck in a loop trying to parse the scale set id.
 		// If the configuration is invalid (secret does not exist for example), we never got to the point to create runner set.
@@ -597,23 +589,23 @@ func (r *AutoscalingRunnerSetReconciler) deleteRunnerScaleSet(ctx context.Contex
 		return nil
 	}
 
-	actionsClient, err := r.actionsClientFor(ctx, autoscalingRunnerSet)
+	actionsClient, err := r.GetActionsService(ctx, autoscalingRunnerSet)
 	if err != nil {
 		logger.Error(err, "Failed to initialize Actions service client for updating a existing runner scale set")
 		return err
 	}
 
-	err = actionsClient.DeleteRunnerScaleSet(ctx, runnerScaleSetId)
+	err = actionsClient.DeleteRunnerScaleSet(ctx, runnerScaleSetID)
 	if err != nil {
-		logger.Error(err, "Failed to delete runner scale set", "runnerScaleSetId", runnerScaleSetId)
+		logger.Error(err, "Failed to delete runner scale set", "runnerScaleSetId", runnerScaleSetID)
 		return err
 	}
 
 	err = patch(ctx, r.Client, autoscalingRunnerSet, func(obj *v1alpha1.AutoscalingRunnerSet) {
-		delete(obj.Annotations, runnerScaleSetIdAnnotationKey)
+		delete(obj.Annotations, runnerScaleSetIDAnnotationKey)
 	})
 	if err != nil {
-		logger.Error(err, "Failed to patch autoscaling runner set with annotation removed", "annotation", runnerScaleSetIdAnnotationKey)
+		logger.Error(err, "Failed to patch autoscaling runner set with annotation removed", "annotation", runnerScaleSetIDAnnotationKey)
 		return err
 	}
 
@@ -676,74 +668,6 @@ func (r *AutoscalingRunnerSetReconciler) listEphemeralRunnerSets(ctx context.Con
 	return &EphemeralRunnerSets{list: list}, nil
 }
 
-func (r *AutoscalingRunnerSetReconciler) actionsClientFor(ctx context.Context, autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet) (actions.ActionsService, error) {
-	var configSecret corev1.Secret
-	if err := r.Get(ctx, types.NamespacedName{Namespace: autoscalingRunnerSet.Namespace, Name: autoscalingRunnerSet.Spec.GitHubConfigSecret}, &configSecret); err != nil {
-		return nil, fmt.Errorf("failed to find GitHub config secret: %w", err)
-	}
-
-	opts, err := r.actionsClientOptionsFor(ctx, autoscalingRunnerSet)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get actions client options: %w", err)
-	}
-
-	return r.ActionsClient.GetClientFromSecret(
-		ctx,
-		autoscalingRunnerSet.Spec.GitHubConfigUrl,
-		autoscalingRunnerSet.Namespace,
-		configSecret.Data,
-		opts...,
-	)
-}
-
-func (r *AutoscalingRunnerSetReconciler) actionsClientOptionsFor(ctx context.Context, autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet) ([]actions.ClientOption, error) {
-	var options []actions.ClientOption
-
-	if autoscalingRunnerSet.Spec.Proxy != nil {
-		proxyFunc, err := autoscalingRunnerSet.Spec.Proxy.ProxyFunc(func(s string) (*corev1.Secret, error) {
-			var secret corev1.Secret
-			err := r.Get(ctx, types.NamespacedName{Namespace: autoscalingRunnerSet.Namespace, Name: s}, &secret)
-			if err != nil {
-				return nil, fmt.Errorf("failed to get proxy secret %s: %w", s, err)
-			}
-
-			return &secret, nil
-		})
-		if err != nil {
-			return nil, fmt.Errorf("failed to get proxy func: %w", err)
-		}
-
-		options = append(options, actions.WithProxy(proxyFunc))
-	}
-
-	tlsConfig := autoscalingRunnerSet.Spec.GitHubServerTLS
-	if tlsConfig != nil {
-		pool, err := tlsConfig.ToCertPool(func(name, key string) ([]byte, error) {
-			var configmap corev1.ConfigMap
-			err := r.Get(
-				ctx,
-				types.NamespacedName{
-					Namespace: autoscalingRunnerSet.Namespace,
-					Name:      name,
-				},
-				&configmap,
-			)
-			if err != nil {
-				return nil, fmt.Errorf("failed to get configmap %s: %w", name, err)
-			}
-
-			return []byte(configmap.Data[key]), nil
-		})
-		if err != nil {
-			return nil, fmt.Errorf("failed to get tls config: %w", err)
-		}
-
-		options = append(options, actions.WithRootCAs(pool))
-	}
-
-	return options, nil
-}
-
 // SetupWithManager sets up the controller with the Manager.
 func (r *AutoscalingRunnerSetReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
@@ -1082,6 +1006,7 @@ func (c *autoscalingRunnerSetFinalizerDependencyCleaner) removeManagerRoleFinali
 
 // NOTE: if this is logic should be used for other resources,
 // consider using generics
+
 type EphemeralRunnerSets struct {
 	list   *v1alpha1.EphemeralRunnerSetList
 	sorted bool

controllers/actions.github.com/autoscalingrunnerset_controller_test.go

@@ -34,9 +34,8 @@ import (
 )
 
 const (
-	autoscalingRunnerSetTestTimeout     = time.Second * 20
-	autoscalingRunnerSetTestInterval    = time.Millisecond * 250
-	autoscalingRunnerSetTestGitHubToken = "gh_token"
+	autoscalingRunnerSetTestTimeout  = time.Second * 20
+	autoscalingRunnerSetTestInterval = time.Millisecond * 250
 )
 
 var _ = Describe("Test AutoScalingRunnerSet controller", Ordered, func() {
@@ -70,7 +69,12 @@ var _ = Describe("Test AutoScalingRunnerSet controller", Ordered, func() {
 			Log:                                logf.Log,
 			ControllerNamespace:                autoscalingNS.Name,
 			DefaultRunnerScaleSetListenerImage: "ghcr.io/actions/arc",
-			ActionsClient:                      fake.NewMultiClient(),
+			ResourceBuilder: ResourceBuilder{
+				SecretResolver: &SecretResolver{
+					k8sClient:   k8sClient,
+					multiClient: fake.NewMultiClient(),
+				},
+			},
 		}
 		err := controller.SetupWithManager(mgr)
 		Expect(err).NotTo(HaveOccurred(), "failed to setup controller")
@@ -136,7 +140,7 @@ var _ = Describe("Test AutoScalingRunnerSet controller", Ordered, func() {
 						return "", err
 					}
 
-					if _, ok := created.Annotations[runnerScaleSetIdAnnotationKey]; !ok {
+					if _, ok := created.Annotations[runnerScaleSetIDAnnotationKey]; !ok {
 						return "", nil
 					}
 
@@ -144,7 +148,7 @@ var _ = Describe("Test AutoScalingRunnerSet controller", Ordered, func() {
 						return "", nil
 					}
 
-					return fmt.Sprintf("%s_%s", created.Annotations[runnerScaleSetIdAnnotationKey], created.Annotations[AnnotationKeyGitHubRunnerGroupName]), nil
+					return fmt.Sprintf("%s_%s", created.Annotations[runnerScaleSetIDAnnotationKey], created.Annotations[AnnotationKeyGitHubRunnerGroupName]), nil
 				},
 				autoscalingRunnerSetTestTimeout,
 				autoscalingRunnerSetTestInterval).Should(BeEquivalentTo("1_testgroup"), "RunnerScaleSet should be created/fetched and update the AutoScalingRunnerSet's annotation")
@@ -677,33 +681,40 @@ var _ = Describe("Test AutoScalingController updates", Ordered, func() {
 			autoscalingNS, mgr = createNamespace(GinkgoT(), k8sClient)
 			configSecret = createDefaultSecret(GinkgoT(), k8sClient, autoscalingNS.Name)
 
+			multiClient := fake.NewMultiClient(
+				fake.WithDefaultClient(
+					fake.NewFakeClient(
+						fake.WithUpdateRunnerScaleSet(
+							&actions.RunnerScaleSet{
+								Id:                 1,
+								Name:               "testset_update",
+								RunnerGroupId:      1,
+								RunnerGroupName:    "testgroup",
+								Labels:             []actions.Label{{Type: "test", Name: "test"}},
+								RunnerSetting:      actions.RunnerSetting{},
+								CreatedOn:          time.Now(),
+								RunnerJitConfigUrl: "test.test.test",
+								Statistics:         nil,
+							},
+							nil,
+						),
+					),
+					nil,
+				),
+			)
+
 			controller := &AutoscalingRunnerSetReconciler{
 				Client:                             mgr.GetClient(),
 				Scheme:                             mgr.GetScheme(),
 				Log:                                logf.Log,
 				ControllerNamespace:                autoscalingNS.Name,
 				DefaultRunnerScaleSetListenerImage: "ghcr.io/actions/arc",
-				ActionsClient: fake.NewMultiClient(
-					fake.WithDefaultClient(
-						fake.NewFakeClient(
-							fake.WithUpdateRunnerScaleSet(
-								&actions.RunnerScaleSet{
-									Id:                 1,
-									Name:               "testset_update",
-									RunnerGroupId:      1,
-									RunnerGroupName:    "testgroup",
-									Labels:             []actions.Label{{Type: "test", Name: "test"}},
-									RunnerSetting:      actions.RunnerSetting{},
-									CreatedOn:          time.Now(),
-									RunnerJitConfigUrl: "test.test.test",
-									Statistics:         nil,
-								},
-								nil,
-							),
-						),
-						nil,
-					),
-				),
+				ResourceBuilder: ResourceBuilder{
+					SecretResolver: &SecretResolver{
+						k8sClient:   k8sClient,
+						multiClient: multiClient,
+					},
+				},
 			}
 			err := controller.SetupWithManager(mgr)
 			Expect(err).NotTo(HaveOccurred(), "failed to setup controller")
@@ -818,7 +829,12 @@ var _ = Describe("Test AutoscalingController creation failures", Ordered, func()
 				Log:                                logf.Log,
 				ControllerNamespace:                autoscalingNS.Name,
 				DefaultRunnerScaleSetListenerImage: "ghcr.io/actions/arc",
-				ActionsClient:                      fake.NewMultiClient(),
+				ResourceBuilder: ResourceBuilder{
+					SecretResolver: &SecretResolver{
+						k8sClient:   k8sClient,
+						multiClient: fake.NewMultiClient(),
+					},
+				},
 			}
 			err := controller.SetupWithManager(mgr)
 			Expect(err).NotTo(HaveOccurred(), "failed to setup controller")
@@ -937,14 +953,19 @@ var _ = Describe("Test client optional configuration", Ordered, func() {
 			ctx = context.Background()
 			autoscalingNS, mgr = createNamespace(GinkgoT(), k8sClient)
 			configSecret = createDefaultSecret(GinkgoT(), k8sClient, autoscalingNS.Name)
-
+			multiClient := actions.NewMultiClient(logr.Discard())
 			controller = &AutoscalingRunnerSetReconciler{
 				Client:                             mgr.GetClient(),
 				Scheme:                             mgr.GetScheme(),
 				Log:                                logf.Log,
 				ControllerNamespace:                autoscalingNS.Name,
 				DefaultRunnerScaleSetListenerImage: "ghcr.io/actions/arc",
-				ActionsClient:                      actions.NewMultiClient(logr.Discard()),
+				ResourceBuilder: ResourceBuilder{
+					SecretResolver: &SecretResolver{
+						k8sClient:   k8sClient,
+						multiClient: multiClient,
+					},
+				},
 			}
 
 			err := controller.SetupWithManager(mgr)
@@ -1127,7 +1148,12 @@ var _ = Describe("Test client optional configuration", Ordered, func() {
 				Log:                                logf.Log,
 				ControllerNamespace:                autoscalingNS.Name,
 				DefaultRunnerScaleSetListenerImage: "ghcr.io/actions/arc",
-				ActionsClient:                      fake.NewMultiClient(),
+				ResourceBuilder: ResourceBuilder{
+					SecretResolver: &SecretResolver{
+						k8sClient:   k8sClient,
+						multiClient: fake.NewMultiClient(),
+					},
+				},
 			}
 			err = controller.SetupWithManager(mgr)
 			Expect(err).NotTo(HaveOccurred(), "failed to setup controller")
@@ -1136,7 +1162,10 @@ var _ = Describe("Test client optional configuration", Ordered, func() {
 		})
 
 		It("should be able to make requests to a server using root CAs", func() {
-			controller.ActionsClient = actions.NewMultiClient(logr.Discard())
+			controller.SecretResolver = &SecretResolver{
+				k8sClient:   k8sClient,
+				multiClient: actions.NewMultiClient(logr.Discard()),
+			}
 
 			certsFolder := filepath.Join(
 				"../../",
@@ -1171,7 +1200,7 @@ var _ = Describe("Test client optional configuration", Ordered, func() {
 				Spec: v1alpha1.AutoscalingRunnerSetSpec{
 					GitHubConfigUrl:    server.ConfigURLForOrg("my-org"),
 					GitHubConfigSecret: configSecret.Name,
-					GitHubServerTLS: &v1alpha1.GitHubServerTLSConfig{
+					GitHubServerTLS: &v1alpha1.TLSConfig{
 						CertificateFrom: &v1alpha1.TLSCertificateSource{
 							ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
 								LocalObjectReference: corev1.LocalObjectReference{
@@ -1224,7 +1253,7 @@ var _ = Describe("Test client optional configuration", Ordered, func() {
 				Spec: v1alpha1.AutoscalingRunnerSetSpec{
 					GitHubConfigUrl:    "https://github.com/owner/repo",
 					GitHubConfigSecret: configSecret.Name,
-					GitHubServerTLS: &v1alpha1.GitHubServerTLSConfig{
+					GitHubServerTLS: &v1alpha1.TLSConfig{
 						CertificateFrom: &v1alpha1.TLSCertificateSource{
 							ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
 								LocalObjectReference: corev1.LocalObjectReference{
@@ -1288,7 +1317,7 @@ var _ = Describe("Test client optional configuration", Ordered, func() {
 				Spec: v1alpha1.AutoscalingRunnerSetSpec{
 					GitHubConfigUrl:    "https://github.com/owner/repo",
 					GitHubConfigSecret: configSecret.Name,
-					GitHubServerTLS: &v1alpha1.GitHubServerTLSConfig{
+					GitHubServerTLS: &v1alpha1.TLSConfig{
 						CertificateFrom: &v1alpha1.TLSCertificateSource{
 							ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
 								LocalObjectReference: corev1.LocalObjectReference{
@@ -1361,7 +1390,12 @@ var _ = Describe("Test external permissions cleanup", Ordered, func() {
 			Log:                                logf.Log,
 			ControllerNamespace:                autoscalingNS.Name,
 			DefaultRunnerScaleSetListenerImage: "ghcr.io/actions/arc",
-			ActionsClient:                      fake.NewMultiClient(),
+			ResourceBuilder: ResourceBuilder{
+				SecretResolver: &SecretResolver{
+					k8sClient:   k8sClient,
+					multiClient: fake.NewMultiClient(),
+				},
+			},
 		}
 		err := controller.SetupWithManager(mgr)
 		Expect(err).NotTo(HaveOccurred(), "failed to setup controller")
@@ -1519,7 +1553,12 @@ var _ = Describe("Test external permissions cleanup", Ordered, func() {
 			Log:                                logf.Log,
 			ControllerNamespace:                autoscalingNS.Name,
 			DefaultRunnerScaleSetListenerImage: "ghcr.io/actions/arc",
-			ActionsClient:                      fake.NewMultiClient(),
+			ResourceBuilder: ResourceBuilder{
+				SecretResolver: &SecretResolver{
+					k8sClient:   k8sClient,
+					multiClient: fake.NewMultiClient(),
+				},
+			},
 		}
 		err := controller.SetupWithManager(mgr)
 		Expect(err).NotTo(HaveOccurred(), "failed to setup controller")
@@ -1727,7 +1766,12 @@ var _ = Describe("Test resource version and build version mismatch", func() {
 			Log:                                logf.Log,
 			ControllerNamespace:                autoscalingNS.Name,
 			DefaultRunnerScaleSetListenerImage: "ghcr.io/actions/arc",
-			ActionsClient:                      fake.NewMultiClient(),
+			ResourceBuilder: ResourceBuilder{
+				SecretResolver: &SecretResolver{
+					k8sClient:   k8sClient,
+					multiClient: fake.NewMultiClient(),
+				},
+			},
 		}
 		err := controller.SetupWithManager(mgr)
 		Expect(err).NotTo(HaveOccurred(), "failed to setup controller")

controllers/actions.github.com/constants.go

@@ -28,6 +28,9 @@ const (
 	LabelKeyKubernetesComponent = "app.kubernetes.io/component"
 	LabelKeyKubernetesVersion   = "app.kubernetes.io/version"
 
+	// Well-known Kubernetes node labels
+	LabelKeyKubernetesOS = "kubernetes.io/os"
+
 	// Github labels
 	LabelKeyGitHubScaleSetName      = "actions.github.com/scale-set-name"
 	LabelKeyGitHubScaleSetNamespace = "actions.github.com/scale-set-namespace"
@@ -36,7 +39,8 @@ const (
 	LabelKeyGitHubRepository        = "actions.github.com/repository"
 )
 
-// Finalizer used to protect resources from deletion while AutoscalingRunnerSet is running
+// AutoscalingRunnerSetCleanupFinalizerName is a finalizer used to protect resources
+// from deletion while AutoscalingRunnerSet is running
 const AutoscalingRunnerSetCleanupFinalizerName = "actions.github.com/cleanup-protection"
 
 const (

controllers/actions.github.com/ephemeralrunner_controller.go

@@ -21,6 +21,8 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"strconv"
+	"strings"
 	"time"
 
 	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
@@ -28,6 +30,7 @@ import (
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -44,12 +47,24 @@ const (
 // EphemeralRunnerReconciler reconciles a EphemeralRunner object
 type EphemeralRunnerReconciler struct {
 	client.Client
-	Log           logr.Logger
-	Scheme        *runtime.Scheme
-	ActionsClient actions.MultiClient
+	Log    logr.Logger
+	Scheme *runtime.Scheme
 	ResourceBuilder
 }
 
+// precompute backoff durations for failed ephemeral runners
+// the len(failedRunnerBackoff) must be equal to maxFailures + 1
+var failedRunnerBackoff = []time.Duration{
+	0,
+	5 * time.Second,
+	10 * time.Second,
+	20 * time.Second,
+	40 * time.Second,
+	80 * time.Second,
+}
+
+const maxFailures = 5
+
 // +kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners/finalizers,verbs=get;list;watch;create;update;patch;delete
@@ -139,38 +154,17 @@ func (r *EphemeralRunnerReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		return ctrl.Result{}, nil
 	}
 
-	if !controllerutil.ContainsFinalizer(ephemeralRunner, ephemeralRunnerFinalizerName) {
-		log.Info("Adding finalizer")
+	addFinalizers := !controllerutil.ContainsFinalizer(ephemeralRunner, ephemeralRunnerFinalizerName) || !controllerutil.ContainsFinalizer(ephemeralRunner, ephemeralRunnerActionsFinalizerName)
+	if addFinalizers {
+		log.Info("Adding finalizers")
 		if err := patch(ctx, r.Client, ephemeralRunner, func(obj *v1alpha1.EphemeralRunner) {
 			controllerutil.AddFinalizer(obj, ephemeralRunnerFinalizerName)
+			controllerutil.AddFinalizer(obj, ephemeralRunnerActionsFinalizerName)
 		}); err != nil {
 			log.Error(err, "Failed to update with finalizer set")
 			return ctrl.Result{}, err
 		}
-
-		log.Info("Successfully added finalizer")
-		return ctrl.Result{}, nil
-	}
-
-	if !controllerutil.ContainsFinalizer(ephemeralRunner, ephemeralRunnerActionsFinalizerName) {
-		log.Info("Adding runner registration finalizer")
-		err := patch(ctx, r.Client, ephemeralRunner, func(obj *v1alpha1.EphemeralRunner) {
-			controllerutil.AddFinalizer(obj, ephemeralRunnerActionsFinalizerName)
-		})
-		if err != nil {
-			log.Error(err, "Failed to update with runner registration finalizer set")
-			return ctrl.Result{}, err
-		}
-
-		log.Info("Successfully added runner registration finalizer")
-		return ctrl.Result{}, nil
-	}
-
-	if ephemeralRunner.Status.RunnerId == 0 {
-		log.Info("Creating new ephemeral runner registration and updating status with runner config")
-		if r, err := r.updateStatusWithRunnerConfig(ctx, ephemeralRunner, log); r != nil {
-			return *r, err
-		}
+		log.Info("Successfully added finalizers")
 	}
 
 	secret := new(corev1.Secret)
@@ -179,81 +173,185 @@ func (r *EphemeralRunnerReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 			log.Error(err, "Failed to fetch secret")
 			return ctrl.Result{}, err
 		}
-		// create secret if not created
-		log.Info("Creating new ephemeral runner secret for jitconfig.")
-		if r, err := r.createSecret(ctx, ephemeralRunner, log); r != nil {
-			return *r, err
-		}
 
-		// Retry to get the secret that was just created.
-		// Otherwise, even though we want to continue to create the pod,
-		// it fails due to the missing secret resulting in an invalid pod spec.
-		if err := r.Get(ctx, req.NamespacedName, secret); err != nil {
-			log.Error(err, "Failed to fetch secret")
+		jitConfig, err := r.createRunnerJitConfig(ctx, ephemeralRunner, log)
+		switch {
+		case err == nil:
+			// create secret if not created
+			log.Info("Creating new ephemeral runner secret for jitconfig.")
+			jitSecret, err := r.createSecret(ctx, ephemeralRunner, jitConfig, log)
+			if err != nil {
+				return ctrl.Result{}, fmt.Errorf("failed to create secret: %w", err)
+			}
+			log.Info("Created new ephemeral runner secret for jitconfig.")
+			secret = jitSecret
+
+		case errors.Is(err, retryableError):
+			log.Info("Encountered retryable error, requeueing", "error", err.Error())
+			return ctrl.Result{Requeue: true}, nil
+		case errors.Is(err, fatalError):
+			log.Info("JIT config cannot be created for this ephemeral runner, issuing delete", "error", err.Error())
+			if err := r.Delete(ctx, ephemeralRunner); err != nil {
+				return ctrl.Result{}, fmt.Errorf("failed to delete the ephemeral runner: %w", err)
+			}
+			log.Info("Request to delete ephemeral runner has been issued")
+			return ctrl.Result{}, nil
+		default:
+			log.Error(err, "Failed to create ephemeral runners secret", "error", err.Error())
 			return ctrl.Result{}, err
 		}
 	}
 
+	if ephemeralRunner.Status.RunnerId == 0 {
+		log.Info("Updating ephemeral runner status with runnerId and runnerName")
+		runnerID, err := strconv.Atoi(string(secret.Data["runnerId"]))
+		if err != nil {
+			log.Error(err, "Runner config secret is corrupted: missing runnerId")
+			log.Info("Deleting corrupted runner config secret")
+			if err := r.Delete(ctx, secret); err != nil {
+				return ctrl.Result{}, fmt.Errorf("failed to delete the corrupted runner config secret")
+			}
+			log.Info("Corrupted runner config secret has been deleted")
+			return ctrl.Result{Requeue: true}, nil
+		}
+
+		runnerName := string(secret.Data["runnerName"])
+		if err := patchSubResource(ctx, r.Status(), ephemeralRunner, func(obj *v1alpha1.EphemeralRunner) {
+			obj.Status.RunnerId = runnerID
+			obj.Status.RunnerName = runnerName
+		}); err != nil {
+			return ctrl.Result{}, fmt.Errorf("failed to update runner status for RunnerId/RunnerName/RunnerJITConfig: %w", err)
+		}
+		ephemeralRunner.Status.RunnerId = runnerID
+		ephemeralRunner.Status.RunnerName = runnerName
+		log.Info("Updated ephemeral runner status with runnerId and runnerName")
+	}
+
+	if len(ephemeralRunner.Status.Failures) > maxFailures {
+		log.Info(fmt.Sprintf("EphemeralRunner has failed more than %d times. Deleting ephemeral runner so it can be re-created", maxFailures))
+		if err := r.Delete(ctx, ephemeralRunner); err != nil {
+			log.Error(fmt.Errorf("failed to delete ephemeral runner after %d failures: %w", maxFailures, err), "Failed to delete ephemeral runner")
+			return ctrl.Result{}, err
+		}
+
+		return ctrl.Result{}, nil
+	}
+
+	now := metav1.Now()
+	lastFailure := ephemeralRunner.Status.LastFailure()
+	backoffDuration := failedRunnerBackoff[len(ephemeralRunner.Status.Failures)]
+	nextReconciliation := lastFailure.Add(backoffDuration)
+	if !lastFailure.IsZero() && now.Before(&metav1.Time{Time: nextReconciliation}) {
+		requeueAfter := nextReconciliation.Sub(now.Time)
+		log.Info("Backing off the next reconciliation due to failure",
+			"lastFailure", lastFailure,
+			"nextReconciliation", nextReconciliation,
+			"requeueAfter", requeueAfter,
+		)
+		return ctrl.Result{
+			Requeue:      true,
+			RequeueAfter: requeueAfter,
+		}, nil
+	}
+
 	pod := new(corev1.Pod)
 	if err := r.Get(ctx, req.NamespacedName, pod); err != nil {
-		switch {
-		case !kerrors.IsNotFound(err):
+		if !kerrors.IsNotFound(err) {
 			log.Error(err, "Failed to fetch the pod")
 			return ctrl.Result{}, err
+		}
+		log.Info("Ephemeral runner pod does not exist. Creating new ephemeral runner")
 
-		case len(ephemeralRunner.Status.Failures) > 5:
-			log.Info("EphemeralRunner has failed more than 5 times. Marking it as failed")
-			errMessage := fmt.Sprintf("Pod has failed to start more than 5 times: %s", pod.Status.Message)
-			if err := r.markAsFailed(ctx, ephemeralRunner, errMessage, ReasonTooManyPodFailures, log); err != nil {
+		result, err := r.createPod(ctx, ephemeralRunner, secret, log)
+		switch {
+		case err == nil:
+			return result, nil
+		case kerrors.IsAlreadyExists(err):
+			log.Info("Runner pod already exists. Waiting for the pod event to be received")
+			return ctrl.Result{Requeue: true, RequeueAfter: 5 * time.Second}, nil
+		case kerrors.IsInvalid(err):
+			log.Error(err, "Failed to create a pod due to unrecoverable failure")
+			errMessage := fmt.Sprintf("Failed to create the pod: %v", err)
+			if err := r.markAsFailed(ctx, ephemeralRunner, errMessage, ReasonInvalidPodFailure, log); err != nil {
 				log.Error(err, "Failed to set ephemeral runner to phase Failed")
 				return ctrl.Result{}, err
 			}
 			return ctrl.Result{}, nil
-
-		default:
-			// Pod was not found. Create if the pod has never been created
-			log.Info("Creating new EphemeralRunner pod.")
-			result, err := r.createPod(ctx, ephemeralRunner, secret, log)
-			switch {
-			case err == nil:
-				return result, nil
-			case kerrors.IsInvalid(err) || kerrors.IsForbidden(err):
-				log.Error(err, "Failed to create a pod due to unrecoverable failure")
-				errMessage := fmt.Sprintf("Failed to create the pod: %v", err)
-				if err := r.markAsFailed(ctx, ephemeralRunner, errMessage, ReasonInvalidPodFailure, log); err != nil {
-					log.Error(err, "Failed to set ephemeral runner to phase Failed")
-					return ctrl.Result{}, err
+		case kerrors.IsForbidden(err):
+			if status, ok := err.(kerrors.APIStatus); ok || errors.As(err, &status) {
+				isResourceQuotaExceeded := strings.Contains(status.Status().Message, "exceeded quota:")
+				isAboutToExpire := ephemeralRunner.CreationTimestamp.Time.Add(10 * time.Minute).Before(time.Now())
+				switch {
+				case isResourceQuotaExceeded && isAboutToExpire:
+					log.Error(err, "Failed to create a pod due to resource quota exceeded and the ephemeral runner is about to expire; re-creating the ephemeral runner")
+					if err := r.Delete(ctx, ephemeralRunner); err != nil {
+						log.Error(err, "Failed to delete the ephemeral runner")
+						return ctrl.Result{}, err
+					}
+					return ctrl.Result{}, nil
+				case isResourceQuotaExceeded:
+					log.Error(err, "Resource quota is exceeded; requeue in 30s to retry pod creation")
+					return ctrl.Result{RequeueAfter: 30 * time.Second}, nil
+				default:
+					// other forbidden errors
+					// fallthrough to the default handling below
 				}
-				return ctrl.Result{}, nil
-			default:
-				log.Error(err, "Failed to create the pod")
+			}
+			log.Error(err, "Failed to create a pod due to unrecoverable failure")
+			errMessage := fmt.Sprintf("Failed to create the pod: %v", err)
+			if err := r.markAsFailed(ctx, ephemeralRunner, errMessage, ReasonInvalidPodFailure, log); err != nil {
+				log.Error(err, "Failed to set ephemeral runner to phase Failed")
 				return ctrl.Result{}, err
 			}
+			return ctrl.Result{}, nil
+		default:
+			log.Error(err, "Failed to create the pod")
+			return ctrl.Result{}, err
 		}
 	}
 
 	cs := runnerContainerStatus(pod)
 	switch {
-	case cs == nil:
-		// starting, no container state yet
-		log.Info("Waiting for runner container status to be available")
-		return ctrl.Result{}, nil
-	case cs.State.Terminated == nil: // still running or evicted
-		if pod.Status.Phase == corev1.PodFailed && pod.Status.Reason == "Evicted" {
-			log.Info("Pod set the termination phase, but container state is not terminated. Deleting pod",
-				"PodPhase", pod.Status.Phase,
-				"PodReason", pod.Status.Reason,
-				"PodMessage", pod.Status.Message,
-			)
+	case pod.Status.Phase == corev1.PodFailed: // All containers are stopped
+		log.Info("Pod is in failed phase, inspecting runner container status",
+			"podReason", pod.Status.Reason,
+			"podMessage", pod.Status.Message,
+			"podConditions", pod.Status.Conditions,
+		)
+		// If the runner pod did not have chance to start, terminated state may not be set.
+		// Therefore, we should try to restart it.
+		if cs == nil || cs.State.Terminated == nil {
+			log.Info("Runner container does not have state set, deleting pod as failed so it can be restarted")
+			return ctrl.Result{}, r.deleteEphemeralRunnerOrPod(ctx, ephemeralRunner, pod, log)
+		}
 
-			if err := r.deletePodAsFailed(ctx, ephemeralRunner, pod, log); err != nil {
-				log.Error(err, "failed to delete pod as failed on pod.Status.Phase: Failed")
+		if cs.State.Terminated.ExitCode == 0 {
+			log.Info("Runner container has succeeded but pod is in failed phase; Assume successful exit")
+			// If the pod is in a failed state, that means that at least one container exited with non-zero exit code.
+			// If the runner container exits with 0, we assume that the runner has finished successfully.
+			// If side-car container exits with non-zero, it shouldn't affect the runner. Runner exit code
+			// drives the controller's inference of whether the job has succeeded or failed.
+			if err := r.Delete(ctx, ephemeralRunner); err != nil {
+				log.Error(err, "Failed to delete ephemeral runner after successful completion")
 				return ctrl.Result{}, err
 			}
 			return ctrl.Result{}, nil
 		}
 
-		log.Info("Ephemeral runner container is still running")
+		log.Error(
+			errors.New("ephemeral runner container has failed, with runner container exit code non-zero"),
+			"Ephemeral runner container has failed, and runner container termination exit code is non-zero",
+			"containerTerminatedState", cs.State.Terminated,
+		)
+		return ctrl.Result{}, r.deleteEphemeralRunnerOrPod(ctx, ephemeralRunner, pod, log)
+
+	case cs == nil:
+		// starting, no container state yet
+		log.Info("Waiting for runner container status to be available")
+		return ctrl.Result{}, nil
+
+	case cs.State.Terminated == nil: // container is not terminated and pod phase is not failed, so runner is still running
+		log.Info("Runner container is still running; updating ephemeral runner status")
 		if err := r.updateRunStatusFromPod(ctx, ephemeralRunner, pod, log); err != nil {
 			log.Info("Failed to update ephemeral runner status. Requeue to not miss this event")
 			return ctrl.Result{}, err
@@ -262,40 +360,53 @@ func (r *EphemeralRunnerReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 
 	case cs.State.Terminated.ExitCode != 0: // failed
 		log.Info("Ephemeral runner container failed", "exitCode", cs.State.Terminated.ExitCode)
-		if err := r.deletePodAsFailed(ctx, ephemeralRunner, pod, log); err != nil {
-			log.Error(err, "Failed to delete runner pod on failure")
-			return ctrl.Result{}, err
-		}
-		return ctrl.Result{}, nil
+		return ctrl.Result{}, r.deleteEphemeralRunnerOrPod(ctx, ephemeralRunner, pod, log)
 
-	default:
-		// pod succeeded. We double-check with the service if the runner exists.
-		// The reason is that image can potentially finish with status 0, but not pick up the job.
-		existsInService, err := r.runnerRegisteredWithService(ctx, ephemeralRunner.DeepCopy(), log)
-		if err != nil {
-			log.Error(err, "Failed to check if runner is registered with the service")
-			return ctrl.Result{}, err
-		}
-		if !existsInService {
-			// the runner does not exist in the service, so it must be done
-			log.Info("Ephemeral runner has finished since it does not exist in the service anymore")
-			if err := r.markAsFinished(ctx, ephemeralRunner, log); err != nil {
-				log.Error(err, "Failed to mark ephemeral runner as finished")
-				return ctrl.Result{}, err
-			}
-			return ctrl.Result{}, nil
-		}
-
-		// The runner still exists. This can happen if the pod exited with 0 but fails to start
-		log.Info("Ephemeral runner pod has finished, but the runner still exists in the service. Deleting the pod to restart it.")
-		if err := r.deletePodAsFailed(ctx, ephemeralRunner, pod, log); err != nil {
-			log.Error(err, "failed to delete a pod that still exists in the service")
+	default: // succeeded
+		log.Info("Ephemeral runner has finished successfully, deleting ephemeral runner", "exitCode", cs.State.Terminated.ExitCode)
+		if err := r.Delete(ctx, ephemeralRunner); err != nil {
+			log.Error(err, "Failed to delete ephemeral runner after successful completion")
 			return ctrl.Result{}, err
 		}
 		return ctrl.Result{}, nil
 	}
 }
 
+func (r *EphemeralRunnerReconciler) deleteEphemeralRunnerOrPod(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, pod *corev1.Pod, log logr.Logger) error {
+	if ephemeralRunner.HasJob() {
+		log.Error(
+			errors.New("ephemeral runner has a job assigned, but the pod has failed"),
+			"Ephemeral runner either has faulty entrypoint or something external killing the runner",
+		)
+		log.Info("Deleting the ephemeral runner that has a job assigned but the pod has failed")
+		if err := r.Delete(ctx, ephemeralRunner); err != nil {
+			log.Error(err, "Failed to delete the ephemeral runner that has a job assigned but the pod has failed")
+			return err
+		}
+
+		log.Info("Deleted the ephemeral runner that has a job assigned but the pod has failed")
+		log.Info("Trying to remove the runner from the service")
+		actionsClient, err := r.GetActionsService(ctx, ephemeralRunner)
+		if err != nil {
+			log.Error(err, "Failed to get actions client for removing the runner from the service")
+			return nil
+		}
+		if err := actionsClient.RemoveRunner(ctx, int64(ephemeralRunner.Status.RunnerId)); err != nil {
+			log.Error(err, "Failed to remove the runner from the service")
+			return nil
+		}
+		log.Info("Removed the runner from the service")
+		return nil
+	}
+
+	if err := r.deletePodAsFailed(ctx, ephemeralRunner, pod, log); err != nil {
+		log.Error(err, "Failed to delete runner pod on failure")
+		return err
+	}
+
+	return nil
+}
+
 func (r *EphemeralRunnerReconciler) cleanupRunnerFromService(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) (ok bool, err error) {
 	if err := r.deleteRunnerFromService(ctx, ephemeralRunner, log); err != nil {
 		actionsError := &actions.ActionsError{}
@@ -459,20 +570,10 @@ func (r *EphemeralRunnerReconciler) markAsFailed(ctx context.Context, ephemeralR
 	return nil
 }
 
-func (r *EphemeralRunnerReconciler) markAsFinished(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) error {
-	log.Info("Updating ephemeral runner status to Finished")
-	if err := patchSubResource(ctx, r.Status(), ephemeralRunner, func(obj *v1alpha1.EphemeralRunner) {
-		obj.Status.Phase = corev1.PodSucceeded
-	}); err != nil {
-		return fmt.Errorf("failed to update ephemeral runner with status finished: %w", err)
-	}
-
-	log.Info("EphemeralRunner status is marked as Finished")
-	return nil
-}
-
 // deletePodAsFailed is responsible for deleting the pod and updating the .Status.Failures for tracking failure count.
 // It should not be responsible for setting the status to Failed.
+//
+// It should be called by deleteEphemeralRunnerOrPod which is responsible for deciding whether to delete the EphemeralRunner or just the Pod.
 func (r *EphemeralRunnerReconciler) deletePodAsFailed(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, pod *corev1.Pod, log logr.Logger) error {
 	if pod.DeletionTimestamp.IsZero() {
 		log.Info("Deleting the ephemeral runner pod", "podId", pod.UID)
@@ -484,9 +585,9 @@ func (r *EphemeralRunnerReconciler) deletePodAsFailed(ctx context.Context, ephem
 	log.Info("Updating ephemeral runner status to track the failure count")
 	if err := patchSubResource(ctx, r.Status(), ephemeralRunner, func(obj *v1alpha1.EphemeralRunner) {
 		if obj.Status.Failures == nil {
-			obj.Status.Failures = make(map[string]bool)
+			obj.Status.Failures = make(map[string]metav1.Time)
 		}
-		obj.Status.Failures[string(pod.UID)] = true
+		obj.Status.Failures[string(pod.UID)] = metav1.Now()
 		obj.Status.Ready = false
 		obj.Status.Reason = pod.Status.Reason
 		obj.Status.Message = pod.Status.Message
@@ -498,14 +599,12 @@ func (r *EphemeralRunnerReconciler) deletePodAsFailed(ctx context.Context, ephem
 	return nil
 }
 
-// updateStatusWithRunnerConfig fetches runtime configuration needed by the runner
-// This method should always set .status.runnerId and .status.runnerJITConfig
-func (r *EphemeralRunnerReconciler) updateStatusWithRunnerConfig(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) (*ctrl.Result, error) {
+func (r *EphemeralRunnerReconciler) createRunnerJitConfig(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) (*actions.RunnerScaleSetJitRunnerConfig, error) {
 	// Runner is not registered with the service. We need to register it first
 	log.Info("Creating ephemeral runner JIT config")
-	actionsClient, err := r.actionsClientFor(ctx, ephemeralRunner)
+	actionsClient, err := r.GetActionsService(ctx, ephemeralRunner)
 	if err != nil {
-		return &ctrl.Result{}, fmt.Errorf("failed to get actions client for generating JIT config: %w", err)
+		return nil, fmt.Errorf("failed to get actions client for generating JIT config: %w", err)
 	}
 
 	jitSettings := &actions.RunnerScaleSetJitRunnerSetting{
@@ -520,74 +619,52 @@ func (r *EphemeralRunnerReconciler) updateStatusWithRunnerConfig(ctx context.Con
 	}
 
 	jitConfig, err := actionsClient.GenerateJitRunnerConfig(ctx, jitSettings, ephemeralRunner.Spec.RunnerScaleSetId)
+	if err == nil { // if NO error
+		log.Info("Created ephemeral runner JIT config", "runnerId", jitConfig.Runner.Id)
+		return jitConfig, nil
+	}
+
+	actionsError := &actions.ActionsError{}
+	if !errors.As(err, &actionsError) {
+		return nil, fmt.Errorf("failed to generate JIT config with generic error: %w", err)
+	}
+
+	if actionsError.StatusCode != http.StatusConflict ||
+		!actionsError.IsException("AgentExistsException") {
+		return nil, fmt.Errorf("failed to generate JIT config with Actions service error: %w", err)
+	}
+
+	// If the runner with the name we want already exists it means:
+	// - We might have a name collision.
+	// - Our previous reconciliation loop failed to update the
+	//   status with the runnerId and runnerJITConfig after the `GenerateJitRunnerConfig`
+	//   created the runner registration on the service.
+	// We will try to get the runner and see if it's belong to this AutoScalingRunnerSet,
+	// if so, we can simply delete the runner registration and create a new one.
+	log.Info("Getting runner jit config failed with conflict error, trying to get the runner by name", "runnerName", ephemeralRunner.Name)
+	existingRunner, err := actionsClient.GetRunnerByName(ctx, ephemeralRunner.Name)
 	if err != nil {
-		actionsError := &actions.ActionsError{}
-		if !errors.As(err, &actionsError) {
-			return &ctrl.Result{}, fmt.Errorf("failed to generate JIT config with generic error: %w", err)
-		}
+		return nil, fmt.Errorf("failed to get runner by name: %w", err)
+	}
 
-		if actionsError.StatusCode != http.StatusConflict ||
-			!actionsError.IsException("AgentExistsException") {
-			return &ctrl.Result{}, fmt.Errorf("failed to generate JIT config with Actions service error: %w", err)
-		}
+	if existingRunner == nil {
+		log.Info("Runner with the same name does not exist anymore, re-queuing the reconciliation")
+		return nil, fmt.Errorf("%w: runner existed, retry configuration", retryableError)
+	}
 
-		// If the runner with the name we want already exists it means:
-		// - We might have a name collision.
-		// - Our previous reconciliation loop failed to update the
-		//   status with the runnerId and runnerJITConfig after the `GenerateJitRunnerConfig`
-		//   created the runner registration on the service.
-		// We will try to get the runner and see if it's belong to this AutoScalingRunnerSet,
-		// if so, we can simply delete the runner registration and create a new one.
-		log.Info("Getting runner jit config failed with conflict error, trying to get the runner by name", "runnerName", ephemeralRunner.Name)
-		existingRunner, err := actionsClient.GetRunnerByName(ctx, ephemeralRunner.Name)
+	log.Info("Found the runner with the same name", "runnerId", existingRunner.Id, "runnerScaleSetId", existingRunner.RunnerScaleSetId)
+	if existingRunner.RunnerScaleSetId == ephemeralRunner.Spec.RunnerScaleSetId {
+		log.Info("Removing the runner with the same name")
+		err := actionsClient.RemoveRunner(ctx, int64(existingRunner.Id))
 		if err != nil {
-			return &ctrl.Result{}, fmt.Errorf("failed to get runner by name: %w", err)
+			return nil, fmt.Errorf("failed to remove runner from the service: %w", err)
 		}
 
-		if existingRunner == nil {
-			log.Info("Runner with the same name does not exist, re-queuing the reconciliation")
-			return &ctrl.Result{Requeue: true}, nil
-		}
-
-		log.Info("Found the runner with the same name", "runnerId", existingRunner.Id, "runnerScaleSetId", existingRunner.RunnerScaleSetId)
-		if existingRunner.RunnerScaleSetId == ephemeralRunner.Spec.RunnerScaleSetId {
-			log.Info("Removing the runner with the same name")
-			err := actionsClient.RemoveRunner(ctx, int64(existingRunner.Id))
-			if err != nil {
-				return &ctrl.Result{}, fmt.Errorf("failed to remove runner from the service: %w", err)
-			}
-
-			log.Info("Removed the runner with the same name, re-queuing the reconciliation")
-			return &ctrl.Result{Requeue: true}, nil
-		}
-
-		// TODO: Do we want to mark the ephemeral runner as failed, and let EphemeralRunnerSet to clean it up, so we can recover from this situation?
-		// The situation is that the EphemeralRunner's name is already used by something else to register a runner, and we can't take the control back.
-		return &ctrl.Result{}, fmt.Errorf("runner with the same name but doesn't belong to this RunnerScaleSet: %w", err)
-	}
-	log.Info("Created ephemeral runner JIT config", "runnerId", jitConfig.Runner.Id)
-
-	log.Info("Updating ephemeral runner status with runnerId and runnerJITConfig")
-	err = patchSubResource(ctx, r.Status(), ephemeralRunner, func(obj *v1alpha1.EphemeralRunner) {
-		obj.Status.RunnerId = jitConfig.Runner.Id
-		obj.Status.RunnerName = jitConfig.Runner.Name
-		obj.Status.RunnerJITConfig = jitConfig.EncodedJITConfig
-	})
-	if err != nil {
-		return &ctrl.Result{}, fmt.Errorf("failed to update runner status for RunnerId/RunnerName/RunnerJITConfig: %w", err)
+		log.Info("Removed the runner with the same name, re-queuing the reconciliation")
+		return nil, fmt.Errorf("%w: runner existed belonging to the scale set, retry configuration", retryableError)
 	}
 
-	// We want to continue without a requeue for faster pod creation.
-	//
-	// To do so, we update the status in-place, so that both continuing the loop and
-	// and requeuing and skipping updateStatusWithRunnerConfig in the next loop, will
-	// have the same effect.
-	ephemeralRunner.Status.RunnerId = jitConfig.Runner.Id
-	ephemeralRunner.Status.RunnerName = jitConfig.Runner.Name
-	ephemeralRunner.Status.RunnerJITConfig = jitConfig.EncodedJITConfig
-
-	log.Info("Updated ephemeral runner status with runnerId and runnerJITConfig")
-	return nil, nil
+	return nil, fmt.Errorf("%w: runner with the same name but doesn't belong to this RunnerScaleSet: %w", fatalError, err)
 }
 
 func (r *EphemeralRunnerReconciler) createPod(ctx context.Context, runner *v1alpha1.EphemeralRunner, secret *corev1.Secret, log logr.Logger) (ctrl.Result, error) {
@@ -640,7 +717,7 @@ func (r *EphemeralRunnerReconciler) createPod(ctx context.Context, runner *v1alp
 	}
 
 	log.Info("Creating new pod for ephemeral runner")
-	newPod := r.newEphemeralRunnerPod(ctx, runner, secret, envs...)
+	newPod := r.newEphemeralRunnerPod(runner, secret, envs...)
 
 	if err := ctrl.SetControllerReference(runner, newPod, r.Scheme); err != nil {
 		log.Error(err, "Failed to set controller reference to a new pod")
@@ -663,21 +740,21 @@ func (r *EphemeralRunnerReconciler) createPod(ctx context.Context, runner *v1alp
 	return ctrl.Result{}, nil
 }
 
-func (r *EphemeralRunnerReconciler) createSecret(ctx context.Context, runner *v1alpha1.EphemeralRunner, log logr.Logger) (*ctrl.Result, error) {
+func (r *EphemeralRunnerReconciler) createSecret(ctx context.Context, runner *v1alpha1.EphemeralRunner, jitConfig *actions.RunnerScaleSetJitRunnerConfig, log logr.Logger) (*corev1.Secret, error) {
 	log.Info("Creating new secret for ephemeral runner")
-	jitSecret := r.newEphemeralRunnerJitSecret(runner)
+	jitSecret := r.newEphemeralRunnerJitSecret(runner, jitConfig)
 
 	if err := ctrl.SetControllerReference(runner, jitSecret, r.Scheme); err != nil {
-		return &ctrl.Result{}, fmt.Errorf("failed to set controller reference: %w", err)
+		return nil, fmt.Errorf("failed to set controller reference: %w", err)
 	}
 
 	log.Info("Created new secret spec for ephemeral runner")
 	if err := r.Create(ctx, jitSecret); err != nil {
-		return &ctrl.Result{}, fmt.Errorf("failed to create jit secret: %w", err)
+		return nil, fmt.Errorf("failed to create jit secret: %w", err)
 	}
 
 	log.Info("Created ephemeral runner secret", "secretName", jitSecret.Name)
-	return nil, nil
+	return jitSecret, nil
 }
 
 // updateRunStatusFromPod is responsible for updating non-exiting statuses.
@@ -727,104 +804,8 @@ func (r *EphemeralRunnerReconciler) updateRunStatusFromPod(ctx context.Context,
 	return nil
 }
 
-func (r *EphemeralRunnerReconciler) actionsClientFor(ctx context.Context, runner *v1alpha1.EphemeralRunner) (actions.ActionsService, error) {
-	secret := new(corev1.Secret)
-	if err := r.Get(ctx, types.NamespacedName{Namespace: runner.Namespace, Name: runner.Spec.GitHubConfigSecret}, secret); err != nil {
-		return nil, fmt.Errorf("failed to get secret: %w", err)
-	}
-
-	opts, err := r.actionsClientOptionsFor(ctx, runner)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get actions client options: %w", err)
-	}
-
-	return r.ActionsClient.GetClientFromSecret(
-		ctx,
-		runner.Spec.GitHubConfigUrl,
-		runner.Namespace,
-		secret.Data,
-		opts...,
-	)
-}
-
-func (r *EphemeralRunnerReconciler) actionsClientOptionsFor(ctx context.Context, runner *v1alpha1.EphemeralRunner) ([]actions.ClientOption, error) {
-	var opts []actions.ClientOption
-	if runner.Spec.Proxy != nil {
-		proxyFunc, err := runner.Spec.Proxy.ProxyFunc(func(s string) (*corev1.Secret, error) {
-			var secret corev1.Secret
-			err := r.Get(ctx, types.NamespacedName{Namespace: runner.Namespace, Name: s}, &secret)
-			if err != nil {
-				return nil, fmt.Errorf("failed to get proxy secret %s: %w", s, err)
-			}
-
-			return &secret, nil
-		})
-		if err != nil {
-			return nil, fmt.Errorf("failed to get proxy func: %w", err)
-		}
-
-		opts = append(opts, actions.WithProxy(proxyFunc))
-	}
-
-	tlsConfig := runner.Spec.GitHubServerTLS
-	if tlsConfig != nil {
-		pool, err := tlsConfig.ToCertPool(func(name, key string) ([]byte, error) {
-			var configmap corev1.ConfigMap
-			err := r.Get(
-				ctx,
-				types.NamespacedName{
-					Namespace: runner.Namespace,
-					Name:      name,
-				},
-				&configmap,
-			)
-			if err != nil {
-				return nil, fmt.Errorf("failed to get configmap %s: %w", name, err)
-			}
-
-			return []byte(configmap.Data[key]), nil
-		})
-		if err != nil {
-			return nil, fmt.Errorf("failed to get tls config: %w", err)
-		}
-
-		opts = append(opts, actions.WithRootCAs(pool))
-	}
-
-	return opts, nil
-}
-
-// runnerRegisteredWithService checks if the runner is still registered with the service
-// Returns found=false and err=nil if ephemeral runner does not exist in GitHub service and should be deleted
-func (r EphemeralRunnerReconciler) runnerRegisteredWithService(ctx context.Context, runner *v1alpha1.EphemeralRunner, log logr.Logger) (found bool, err error) {
-	actionsClient, err := r.actionsClientFor(ctx, runner)
-	if err != nil {
-		return false, fmt.Errorf("failed to get Actions client for ScaleSet: %w", err)
-	}
-
-	log.Info("Checking if runner exists in GitHub service", "runnerId", runner.Status.RunnerId)
-	_, err = actionsClient.GetRunner(ctx, int64(runner.Status.RunnerId))
-	if err != nil {
-		actionsError := &actions.ActionsError{}
-		if !errors.As(err, &actionsError) {
-			return false, err
-		}
-
-		if actionsError.StatusCode != http.StatusNotFound ||
-			!actionsError.IsException("AgentNotFoundException") {
-			return false, fmt.Errorf("failed to check if runner exists in GitHub service: %w", err)
-		}
-
-		log.Info("Runner does not exist in GitHub service", "runnerId", runner.Status.RunnerId)
-		return false, nil
-	}
-
-	log.Info("Runner exists in GitHub service", "runnerId", runner.Status.RunnerId)
-	return true, nil
-}
-
 func (r *EphemeralRunnerReconciler) deleteRunnerFromService(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) error {
-	client, err := r.actionsClientFor(ctx, ephemeralRunner)
+	client, err := r.GetActionsService(ctx, ephemeralRunner)
 	if err != nil {
 		return fmt.Errorf("failed to get actions client for runner: %w", err)
 	}