remove mirror secret

pull in updated listener
Re-create the listener when GitHub secret is updated
2025-12-10 19:50:30 +00:00 · 2025-04-17 13:30:33 +02:00 · 2025-04-14 11:00:15 +02:00 · 2025-04-14 10:35:52 +02:00
57 changed files with 801 additions and 694 deletions
--- a/.github/actions/setup-arc-e2e/action.yaml
+++ b/.github/actions/setup-arc-e2e/action.yaml
@@ -1,9 +1,9 @@
-name: "Setup ARC E2E Test Action"
-description: "Build controller image, create kind cluster, load the image, and exchange ARC configure token."
+name: 'Setup ARC E2E Test Action'
+description: 'Build controller image, create kind cluster, load the image, and exchange ARC configure token.'

 inputs:
  app-id:
-    description: "GitHub App Id for exchange access token"
+    description: 'GitHub App Id for exchange access token'
    required: true
  app-pk:
    description: "GitHub App private key for exchange access token"
@@ -20,31 +20,30 @@ inputs:

 outputs:
  token:
-    description: "Token to use for configure ARC"
+    description: 'Token to use for configure ARC'
    value: ${{steps.config-token.outputs.token}}

 runs:
  using: "composite"
  steps:
    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+      uses: docker/setup-buildx-action@v3
      with:
-        # Pinning v0.9.1 for Buildx and BuildKit v0.10.6
-        # BuildKit v0.11 which has a bug causing intermittent
-        # failures pushing images to GHCR
-        version: v0.9.1
-        driver-opts: image=moby/buildkit:v0.10.6
+          # Pinning v0.9.1 for Buildx and BuildKit v0.10.6
+          # BuildKit v0.11 which has a bug causing intermittent 
+          # failures pushing images to GHCR
+          version: v0.9.1
+          driver-opts: image=moby/buildkit:v0.10.6

    - name: Build controller image
-      # https://github.com/docker/build-push-action/releases/tag/v6.15.0
-      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+      uses: docker/build-push-action@v5
      with:
        file: Dockerfile
        platforms: linux/amd64
        load: true
        build-args: |
          DOCKER_IMAGE_NAME=${{inputs.image-name}}
-          VERSION=${{inputs.image-tag}}
+          VERSION=${{inputs.image-tag}} 
        tags: |
          ${{inputs.image-name}}:${{inputs.image-tag}}
        no-cache: true
@@ -57,9 +56,8 @@ runs:

    - name: Get configure token
      id: config-token
-      # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0
      uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
      with:
        application_id: ${{ inputs.app-id }}
        application_private_key: ${{ inputs.app-pk }}
-        organization: ${{ inputs.target-org}}
+        organization: ${{ inputs.target-org}}
--- a/.github/actions/setup-docker-environment/action.yaml
+++ b/.github/actions/setup-docker-environment/action.yaml
@@ -24,27 +24,23 @@ runs:
      shell: bash

    - name: Set up QEMU
-      # https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
-      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
+      uses: docker/setup-qemu-action@v3

    - name: Set up Docker Buildx
-      # https://github.com/docker/setup-buildx-action/releases/tag/v3.10.0
-      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+      uses: docker/setup-buildx-action@v3
      with:
        version: latest

    - name: Login to DockerHub
      if: ${{ github.event_name == 'release' || github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.password != ''  }}
-      # https://github.com/docker/login-action/releases/tag/v3.4.0
-      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+      uses: docker/login-action@v3
      with:
        username: ${{ inputs.username }}
        password: ${{ inputs.password }}

    - name: Login to GitHub Container Registry
      if: ${{ github.event_name == 'release' || github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.ghcr_password != ''  }}
-      # https://github.com/docker/login-action/releases/tag/v3.4.0
-      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ inputs.ghcr_username }}
--- a/.github/workflows/arc-publish-chart.yaml
+++ b/.github/workflows/arc-publish-chart.yaml
@@ -5,18 +5,18 @@ name: Publish ARC Helm Charts
 on:
  push:
    branches:
-      - master
+    - master
    paths:
-      - "charts/**"
-      - ".github/workflows/arc-publish-chart.yaml"
-      - "!charts/actions-runner-controller/docs/**"
-      - "!charts/gha-runner-scale-set-controller/**"
-      - "!charts/gha-runner-scale-set/**"
-      - "!**.md"
+    - 'charts/**'
+    - '.github/workflows/arc-publish-chart.yaml'
+    - '!charts/actions-runner-controller/docs/**'
+    - '!charts/gha-runner-scale-set-controller/**'
+    - '!charts/gha-runner-scale-set/**'
+    - '!**.md'
  workflow_dispatch:
    inputs:
      force:
-        description: "Force publish even if the chart version is not bumped"
+        description: 'Force publish even if the chart version is not bumped'
        type: boolean
        required: true
        default: false
@@ -39,89 +39,86 @@ jobs:
    outputs:
      publish-chart: ${{ steps.publish-chart-step.outputs.publish }}
    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0

-      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
-        with:
-          version: ${{ env.HELM_VERSION }}
+    - name: Set up Helm
+      uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
+      with:
+        version: ${{ env.HELM_VERSION }}

-      - name: Set up kube-score
-        run: |
-          wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
-          chmod 755 kube-score
+    - name: Set up kube-score
+      run: |
+        wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
+        chmod 755 kube-score

-      - name: Kube-score generated manifests
-        run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score - --ignore-test pod-networkpolicy --ignore-test deployment-has-poddisruptionbudget --ignore-test deployment-has-host-podantiaffinity --ignore-test container-security-context --ignore-test pod-probes --ignore-test container-image-tag --enable-optional-test container-security-context-privileged --enable-optional-test container-security-context-readonlyrootfilesystem
+    - name: Kube-score generated manifests
+      run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score - --ignore-test pod-networkpolicy --ignore-test deployment-has-poddisruptionbudget --ignore-test deployment-has-host-podantiaffinity --ignore-test container-security-context --ignore-test pod-probes --ignore-test container-image-tag --enable-optional-test container-security-context-privileged --enable-optional-test container-security-context-readonlyrootfilesystem

-      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3.11"
+    # python is a requirement for the chart-testing action below (supports yamllint among other tests)
+    - uses: actions/setup-python@v5
+      with:
+        python-version: '3.11'

-      - name: Set up chart-testing
-        # https://github.com/helm/chart-testing-action/releases/tag/v2.7.0
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
+    - name: Set up chart-testing
+      uses: helm/chart-testing-action@v2.6.0

-      - name: Run chart-testing (list-changed)
-        id: list-changed
-        run: |
-          changed=$(ct list-changed --config charts/.ci/ct-config.yaml)
-          if [[ -n "$changed" ]]; then
-            echo "changed=true" >> $GITHUB_OUTPUT
-          fi
+    - name: Run chart-testing (list-changed)
+      id: list-changed
+      run: |
+        changed=$(ct list-changed --config charts/.ci/ct-config.yaml)
+        if [[ -n "$changed" ]]; then
+          echo "changed=true" >> $GITHUB_OUTPUT
+        fi

-      - name: Run chart-testing (lint)
-        run: |
-          ct lint --config charts/.ci/ct-config.yaml
+    - name: Run chart-testing (lint)
+      run: |
+        ct lint --config charts/.ci/ct-config.yaml

-      - name: Create kind cluster
-        if: steps.list-changed.outputs.changed == 'true'
-        # https://github.com/helm/kind-action/releases/tag/v1.12.0
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
+    - name: Create kind cluster
+      if: steps.list-changed.outputs.changed == 'true'
+      uses: helm/kind-action@v1.4.0

-      # We need cert-manager already installed in the cluster because we assume the CRDs exist
-      - name: Install cert-manager
-        if: steps.list-changed.outputs.changed == 'true'
-        run: |
-          helm repo add jetstack https://charts.jetstack.io --force-update
-          helm install cert-manager jetstack/cert-manager --set installCRDs=true --wait
+    # We need cert-manager already installed in the cluster because we assume the CRDs exist
+    - name: Install cert-manager
+      if: steps.list-changed.outputs.changed == 'true'
+      run: |
+        helm repo add jetstack https://charts.jetstack.io --force-update
+        helm install cert-manager jetstack/cert-manager --set installCRDs=true --wait

-      - name: Run chart-testing (install)
-        if: steps.list-changed.outputs.changed == 'true'
-        run: ct install --config charts/.ci/ct-config.yaml
+    - name: Run chart-testing (install)
+      if: steps.list-changed.outputs.changed == 'true'
+      run: ct install --config charts/.ci/ct-config.yaml

-      # WARNING: This relies on the latest release being at the top of the JSON from GitHub and a clean chart.yaml
-      - name: Check if Chart Publish is Needed
-        id: publish-chart-step
-        run: |
-          CHART_TEXT=$(curl -fs https://raw.githubusercontent.com/${{ github.repository }}/master/charts/actions-runner-controller/Chart.yaml)
-          NEW_CHART_VERSION=$(echo "$CHART_TEXT" | grep version: | cut -d ' ' -f 2)
-          RELEASE_LIST=$(curl -fs https://api.github.com/repos/${{ github.repository }}/releases  | jq .[].tag_name | grep actions-runner-controller | cut -d '"' -f 2 | cut -d '-' -f 4)
-          LATEST_RELEASED_CHART_VERSION=$(echo $RELEASE_LIST | cut -d ' ' -f 1)
+    # WARNING: This relies on the latest release being at the top of the JSON from GitHub and a clean chart.yaml
+    - name: Check if Chart Publish is Needed
+      id: publish-chart-step
+      run: |
+        CHART_TEXT=$(curl -fs https://raw.githubusercontent.com/${{ github.repository }}/master/charts/actions-runner-controller/Chart.yaml)
+        NEW_CHART_VERSION=$(echo "$CHART_TEXT" | grep version: | cut -d ' ' -f 2)
+        RELEASE_LIST=$(curl -fs https://api.github.com/repos/${{ github.repository }}/releases  | jq .[].tag_name | grep actions-runner-controller | cut -d '"' -f 2 | cut -d '-' -f 4)
+        LATEST_RELEASED_CHART_VERSION=$(echo $RELEASE_LIST | cut -d ' ' -f 1)

-          echo "CHART_VERSION_IN_MASTER=$NEW_CHART_VERSION" >> $GITHUB_ENV
-          echo "LATEST_CHART_VERSION=$LATEST_RELEASED_CHART_VERSION" >> $GITHUB_ENV
+        echo "CHART_VERSION_IN_MASTER=$NEW_CHART_VERSION" >> $GITHUB_ENV
+        echo "LATEST_CHART_VERSION=$LATEST_RELEASED_CHART_VERSION" >> $GITHUB_ENV

-          # Always publish if force is true
-          if [[ $NEW_CHART_VERSION != $LATEST_RELEASED_CHART_VERSION || "${{ inputs.force }}" == "true" ]]; then
-            echo "publish=true" >> $GITHUB_OUTPUT
-          else
-            echo "publish=false" >> $GITHUB_OUTPUT
-          fi
+        # Always publish if force is true
+        if [[ $NEW_CHART_VERSION != $LATEST_RELEASED_CHART_VERSION || "${{ inputs.force }}" == "true" ]]; then
+          echo "publish=true" >> $GITHUB_OUTPUT
+        else
+          echo "publish=false" >> $GITHUB_OUTPUT
+        fi

-      - name: Job summary
-        run: |
-          echo "Chart linting has been completed." >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "**Status:**" >> $GITHUB_STEP_SUMMARY
-          echo "- chart version in master: ${{ env.CHART_VERSION_IN_MASTER }}" >> $GITHUB_STEP_SUMMARY
-          echo "- latest chart version: ${{ env.LATEST_CHART_VERSION }}" >> $GITHUB_STEP_SUMMARY
-          echo "- publish new chart: ${{ steps.publish-chart-step.outputs.publish }}" >> $GITHUB_STEP_SUMMARY
+    - name: Job summary
+      run: |
+        echo "Chart linting has been completed." >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "**Status:**" >> $GITHUB_STEP_SUMMARY
+        echo "- chart version in master: ${{ env.CHART_VERSION_IN_MASTER }}" >> $GITHUB_STEP_SUMMARY
+        echo "- latest chart version: ${{ env.LATEST_CHART_VERSION }}" >> $GITHUB_STEP_SUMMARY
+        echo "- publish new chart: ${{ steps.publish-chart-step.outputs.publish }}" >> $GITHUB_STEP_SUMMARY

  publish-chart:
    if: needs.lint-chart.outputs.publish-chart == 'true'
@@ -136,81 +133,80 @@ jobs:
      CHART_TARGET_BRANCH: master

    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0

-      - name: Configure Git
-        run: |
-          git config user.name "$GITHUB_ACTOR"
-          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+    - name: Configure Git
+      run: |
+        git config user.name "$GITHUB_ACTOR"
+        git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

-      - name: Get Token
-        id: get_workflow_token
-        # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0
-        uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
-        with:
-          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
-          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
-          organization: ${{ env.CHART_TARGET_ORG }}
+    - name: Get Token
+      id: get_workflow_token
+      uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
+      with:
+        application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
+        application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
+        organization: ${{ env.CHART_TARGET_ORG }}

-      - name: Install chart-releaser
-        uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f
-        with:
-          install_only: true
-          install_dir: ${{ github.workspace }}/bin
+    - name: Install chart-releaser
+      uses: helm/chart-releaser-action@v1.4.1
+      with:
+        install_only: true
+        install_dir: ${{ github.workspace }}/bin

-      - name: Package and upload release assets
-        run: |
-          cr package \
-            ${{ github.workspace }}/charts/actions-runner-controller/ \
-            --package-path .cr-release-packages
+    - name: Package and upload release assets
+      run: |
+        cr package \
+          ${{ github.workspace }}/charts/actions-runner-controller/ \
+          --package-path .cr-release-packages

-          cr upload \
-            --owner "$(echo ${{ github.repository }} | cut -d '/' -f 1)" \
-            --git-repo "$(echo ${{ github.repository }} | cut -d '/' -f 2)" \
-            --package-path .cr-release-packages \
-            --token ${{ secrets.GITHUB_TOKEN }}
+        cr upload \
+          --owner "$(echo ${{ github.repository }} | cut -d '/' -f 1)" \
+          --git-repo "$(echo ${{ github.repository }} | cut -d '/' -f 2)" \
+          --package-path .cr-release-packages \
+          --token ${{ secrets.GITHUB_TOKEN }}

-      - name: Generate updated index.yaml
-        run: |
-          cr index \
-            --owner "$(echo ${{ github.repository }} | cut -d '/' -f 1)" \
-            --git-repo "$(echo ${{ github.repository }} | cut -d '/' -f 2)" \
-            --index-path ${{ github.workspace }}/index.yaml \
-            --token ${{ secrets.GITHUB_TOKEN }} \
-            --push \
-            --pages-branch 'gh-pages' \
-            --pages-index-path 'index.yaml'
+    - name: Generate updated index.yaml
+      run: |
+        cr index \
+          --owner "$(echo ${{ github.repository }} | cut -d '/' -f 1)" \
+          --git-repo "$(echo ${{ github.repository }} | cut -d '/' -f 2)" \
+          --index-path ${{ github.workspace }}/index.yaml \
+          --token ${{ secrets.GITHUB_TOKEN }} \
+          --push \
+          --pages-branch 'gh-pages' \
+          --pages-index-path 'index.yaml'

-      # Chart Release was never intended to publish to a different repo
-      # this workaround is intended to move the index.yaml to the target repo
-      # where the github pages are hosted
-      - name: Checkout target repository
-        uses: actions/checkout@v4
-        with:
-          repository: ${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}
-          path: ${{ env.CHART_TARGET_REPO }}
-          ref: ${{ env.CHART_TARGET_BRANCH }}
-          token: ${{ steps.get_workflow_token.outputs.token }}
+    # Chart Release was never intended to publish to a different repo
+    # this workaround is intended to move the index.yaml to the target repo
+    # where the github pages are hosted
+    - name: Checkout target repository
+      uses: actions/checkout@v4
+      with:
+        repository: ${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}
+        path: ${{ env.CHART_TARGET_REPO }}
+        ref: ${{ env.CHART_TARGET_BRANCH }}
+        token: ${{ steps.get_workflow_token.outputs.token }}

-      - name: Copy index.yaml
-        run: |
-          cp ${{ github.workspace }}/index.yaml ${{ env.CHART_TARGET_REPO }}/actions-runner-controller/index.yaml
+    - name: Copy index.yaml
+      run: |
+        cp ${{ github.workspace }}/index.yaml ${{ env.CHART_TARGET_REPO }}/actions-runner-controller/index.yaml

-      - name: Commit and push to target repository
-        run: |
-          git config user.name "$GITHUB_ACTOR"
-          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
-          git add .
-          git commit -m "Update index.yaml"
-          git push
-        working-directory: ${{ github.workspace }}/${{ env.CHART_TARGET_REPO }}
+    - name: Commit and push to target repository
+      run: |
+        git config user.name "$GITHUB_ACTOR"
+        git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+        git add .
+        git commit -m "Update index.yaml"
+        git push
+      working-directory: ${{ github.workspace }}/${{ env.CHART_TARGET_REPO }}

-      - name: Job summary
-        run: |
-          echo "New helm chart has been published" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "**Status:**" >> $GITHUB_STEP_SUMMARY
-          echo "- New [index.yaml](https://github.com/${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}/tree/master/actions-runner-controller) pushed" >> $GITHUB_STEP_SUMMARY
+    - name: Job summary
+      run: |
+        echo "New helm chart has been published" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "**Status:**" >> $GITHUB_STEP_SUMMARY
+        echo "- New [index.yaml](https://github.com/${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}/tree/master/actions-runner-controller) pushed" >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/arc-publish.yaml
+++ b/.github/workflows/arc-publish.yaml
@@ -9,17 +9,17 @@ on:
  workflow_dispatch:
    inputs:
      release_tag_name:
-        description: "Tag name of the release to publish"
+        description: 'Tag name of the release to publish'
        required: true
      push_to_registries:
-        description: "Push images to registries"
+        description: 'Push images to registries'
        required: true
        type: boolean
        default: false

 permissions:
-  contents: write
-  packages: write
+ contents: write
+ packages: write

 env:
  TARGET_ORG: actions-runner-controller
@@ -43,7 +43,7 @@ jobs:

      - uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version-file: 'go.mod'

      - name: Install tools
        run: |
@@ -73,7 +73,6 @@ jobs:

      - name: Get Token
        id: get_workflow_token
-        # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0
        uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
        with:
          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
--- a/.github/workflows/arc-release-runners.yaml
+++ b/.github/workflows/arc-release-runners.yaml
@@ -7,10 +7,10 @@ on:
  # are available to the workflow run
  push:
    branches:
-      - "master"
+      - 'master'
    paths:
-      - "runner/VERSION"
-      - ".github/workflows/arc-release-runners.yaml"
+      - 'runner/VERSION'
+      - '.github/workflows/arc-release-runners.yaml'

 env:
  # Safeguard to prevent pushing images to registeries after build
@@ -39,7 +39,6 @@ jobs:

      - name: Get Token
        id: get_workflow_token
-        # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0
        uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
        with:
          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
--- a/.github/workflows/arc-validate-chart.yaml
+++ b/.github/workflows/arc-validate-chart.yaml
@@ -5,20 +5,20 @@ on:
    branches:
      - master
    paths:
-      - "charts/**"
-      - ".github/workflows/arc-validate-chart.yaml"
-      - "!charts/actions-runner-controller/docs/**"
-      - "!**.md"
-      - "!charts/gha-runner-scale-set-controller/**"
-      - "!charts/gha-runner-scale-set/**"
+      - 'charts/**'
+      - '.github/workflows/arc-validate-chart.yaml'
+      - '!charts/actions-runner-controller/docs/**'
+      - '!**.md'
+      - '!charts/gha-runner-scale-set-controller/**'
+      - '!charts/gha-runner-scale-set/**'
  push:
    paths:
-      - "charts/**"
-      - ".github/workflows/arc-validate-chart.yaml"
-      - "!charts/actions-runner-controller/docs/**"
-      - "!**.md"
-      - "!charts/gha-runner-scale-set-controller/**"
-      - "!charts/gha-runner-scale-set/**"
+      - 'charts/**'
+      - '.github/workflows/arc-validate-chart.yaml'
+      - '!charts/actions-runner-controller/docs/**'
+      - '!**.md'
+      - '!charts/gha-runner-scale-set-controller/**'
+      - '!charts/gha-runner-scale-set/**'
  workflow_dispatch:
 env:
  KUBE_SCORE_VERSION: 1.10.0
@@ -45,19 +45,34 @@ jobs:
          fetch-depth: 0

      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0
+        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2
        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
        with:
          version: ${{ env.HELM_VERSION }}

+      - name: Set up kube-score
+        run: |
+          wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
+          chmod 755 kube-score
+
+      - name: Kube-score generated manifests
+        run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score -
+              --ignore-test pod-networkpolicy
+              --ignore-test deployment-has-poddisruptionbudget
+              --ignore-test deployment-has-host-podantiaffinity
+              --ignore-test container-security-context
+              --ignore-test pod-probes
+              --ignore-test container-image-tag
+              --enable-optional-test container-security-context-privileged
+              --enable-optional-test container-security-context-readonlyrootfilesystem
+
      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
      - uses: actions/setup-python@v5
        with:
-          python-version: "3.11"
+          python-version: '3.11'

      - name: Set up chart-testing
-        # https://github.com/helm/chart-testing-action/releases/tag/v2.7.0
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
+        uses: helm/chart-testing-action@v2.6.0

      - name: Run chart-testing (list-changed)
        id: list-changed
@@ -72,8 +87,7 @@ jobs:
          ct lint --config charts/.ci/ct-config.yaml

      - name: Create kind cluster
-        # https://github.com/helm/kind-action/releases/tag/v1.12.0
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
+        uses: helm/kind-action@v1.4.0
        if: steps.list-changed.outputs.changed == 'true'

      # We need cert-manager already installed in the cluster because we assume the CRDs exist
--- a/.github/workflows/arc-validate-runners.yaml
+++ b/.github/workflows/arc-validate-runners.yaml
@@ -3,17 +3,17 @@ name: Validate ARC Runners
 on:
  pull_request:
    branches:
-      - "**"
+      - '**'
    paths:
-      - "runner/**"
-      - "test/startup/**"
-      - "!**.md"
+      - 'runner/**'
+      - 'test/startup/**'
+      - '!**.md'

 permissions:
  contents: read

 concurrency:
-  # This will make sure we only apply the concurrency limits on pull requests
+  # This will make sure we only apply the concurrency limits on pull requests 
  # but not pushes to master branch by making the concurrency group name unique
  # for pushes
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -25,16 +25,28 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-      - name: "Run shellcheck"
-        run: make shellcheck
-
+      - name: shellcheck
+        uses: reviewdog/action-shellcheck@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          path: "./runner"
+          pattern: |
+            *.sh
+            *.bash
+            update-status
+          # Make this consistent with `make shellsheck`
+          shellcheck_flags: "--shell bash --source-path runner"
+          exclude: "./.git/*"
+          check_all_files_with_shebangs: "false"
+          # Set this to "true" once we addressed all the shellcheck findings
+          fail_on_error: "false"
  test-runner-entrypoint:
    name: Test entrypoint
    runs-on: ubuntu-latest
    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+    - name: Checkout
+      uses: actions/checkout@v4

-      - name: Run tests
-        run: |
-          make acceptance/runner/startup
+    - name: Run tests
+      run: |
+        make acceptance/runner/startup
--- a/.github/workflows/gha-publish-chart.yaml
+++ b/.github/workflows/gha-publish-chart.yaml
@@ -4,27 +4,27 @@ on:
  workflow_dispatch:
    inputs:
      ref:
-        description: "The branch, tag or SHA to cut a release from"
+        description: 'The branch, tag or SHA to cut a release from'
        required: false
        type: string
-        default: ""
+        default: ''
      release_tag_name:
-        description: "The name to tag the controller image with"
+        description: 'The name to tag the controller image with'
        required: true
        type: string
-        default: "canary"
+        default: 'canary'
      push_to_registries:
-        description: "Push images to registries"
+        description: 'Push images to registries'
        required: true
        type: boolean
        default: false
      publish_gha_runner_scale_set_controller_chart:
-        description: "Publish new helm chart for gha-runner-scale-set-controller"
+        description: 'Publish new helm chart for gha-runner-scale-set-controller'
        required: true
        type: boolean
        default: false
      publish_gha_runner_scale_set_chart:
-        description: "Publish new helm chart for gha-runner-scale-set"
+        description: 'Publish new helm chart for gha-runner-scale-set'
        required: true
        type: boolean
        default: false
@@ -72,11 +72,10 @@ jobs:
          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT

      - name: Set up QEMU
-        # https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
+        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+        uses: docker/setup-buildx-action@v3
        with:
          # Pinning v0.9.1 for Buildx and BuildKit v0.10.6
          # BuildKit v0.11 which has a bug causing intermittent
@@ -85,16 +84,14 @@ jobs:
          driver-opts: image=moby/buildkit:v0.10.6

      - name: Login to GitHub Container Registry
-        # https://github.com/docker/login-action/releases/tag/v3.4.0
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build & push controller image
-        # https://github.com/docker/build-push-action/releases/tag/v6.15.0
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+        uses: docker/build-push-action@v5
        with:
          file: Dockerfile
          platforms: linux/amd64,linux/arm64
@@ -143,7 +140,7 @@ jobs:
          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT

      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0
+        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2
        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
        with:
          version: ${{ env.HELM_VERSION }}
@@ -191,7 +188,7 @@ jobs:
          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT

      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0
+        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2
        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
        with:
          version: ${{ env.HELM_VERSION }}
--- a/.github/workflows/gha-validate-chart.yaml
+++ b/.github/workflows/gha-validate-chart.yaml
@@ -5,16 +5,16 @@ on:
    branches:
      - master
    paths:
-      - "charts/**"
-      - ".github/workflows/gha-validate-chart.yaml"
-      - "!charts/actions-runner-controller/**"
-      - "!**.md"
+      - 'charts/**'
+      - '.github/workflows/gha-validate-chart.yaml'
+      - '!charts/actions-runner-controller/**'
+      - '!**.md'
  push:
    paths:
-      - "charts/**"
-      - ".github/workflows/gha-validate-chart.yaml"
-      - "!charts/actions-runner-controller/**"
-      - "!**.md"
+      - 'charts/**'
+      - '.github/workflows/gha-validate-chart.yaml'
+      - '!charts/actions-runner-controller/**'
+      - '!**.md'
  workflow_dispatch:
 env:
  KUBE_SCORE_VERSION: 1.16.1
@@ -41,7 +41,7 @@ jobs:
          fetch-depth: 0

      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0
+        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2
        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
        with:
          version: ${{ env.HELM_VERSION }}
@@ -49,11 +49,10 @@ jobs:
      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
      - uses: actions/setup-python@v5
        with:
-          python-version: "3.11"
+          python-version: '3.11'

      - name: Set up chart-testing
-        # https://github.com/helm/chart-testing-action/releases/tag/v2.7.0
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
+        uses: helm/chart-testing-action@v2.6.0

      - name: Run chart-testing (list-changed)
        id: list-changed
@@ -69,14 +68,13 @@ jobs:
          ct lint --config charts/.ci/ct-config-gha.yaml

      - name: Set up docker buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+        uses: docker/setup-buildx-action@v3
        if: steps.list-changed.outputs.changed == 'true'
        with:
          version: latest

      - name: Build controller image
-        # https://github.com/docker/build-push-action/releases/tag/v6.15.0
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+        uses: docker/build-push-action@v5
        if: steps.list-changed.outputs.changed == 'true'
        with:
          file: Dockerfile
@@ -91,8 +89,7 @@ jobs:
          cache-to: type=gha,mode=max

      - name: Create kind cluster
-        # https://github.com/helm/kind-action/releases/tag/v1.12.0
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
+        uses: helm/kind-action@v1.4.0
        if: steps.list-changed.outputs.changed == 'true'
        with:
          cluster_name: chart-testing
@@ -100,11 +97,11 @@ jobs:
      - name: Load image into cluster
        if: steps.list-changed.outputs.changed == 'true'
        run: |
-          export DOCKER_IMAGE_NAME=test-arc
-          export VERSION=dev
-          export IMG_RESULT=load
-          make docker-buildx
-          kind load docker-image test-arc:dev --name chart-testing
+            export DOCKER_IMAGE_NAME=test-arc
+            export VERSION=dev
+            export IMG_RESULT=load
+            make docker-buildx
+            kind load docker-image test-arc:dev --name chart-testing

      - name: Run chart-testing (install)
        if: steps.list-changed.outputs.changed == 'true'
--- a/.github/workflows/global-publish-canary.yaml
+++ b/.github/workflows/global-publish-canary.yaml
@@ -7,30 +7,30 @@ on:
    branches:
      - master
    paths-ignore:
-      - "**.md"
-      - ".github/actions/**"
-      - ".github/ISSUE_TEMPLATE/**"
-      - ".github/workflows/e2e-test-dispatch-workflow.yaml"
-      - ".github/workflows/gha-e2e-tests.yaml"
-      - ".github/workflows/arc-publish.yaml"
-      - ".github/workflows/arc-publish-chart.yaml"
-      - ".github/workflows/gha-publish-chart.yaml"
-      - ".github/workflows/arc-release-runners.yaml"
-      - ".github/workflows/global-run-codeql.yaml"
-      - ".github/workflows/global-run-first-interaction.yaml"
-      - ".github/workflows/global-run-stale.yaml"
-      - ".github/workflows/arc-update-runners-scheduled.yaml"
-      - ".github/workflows/validate-arc.yaml"
-      - ".github/workflows/arc-validate-chart.yaml"
-      - ".github/workflows/gha-validate-chart.yaml"
-      - ".github/workflows/arc-validate-runners.yaml"
-      - ".github/dependabot.yml"
-      - ".github/RELEASE_NOTE_TEMPLATE.md"
-      - "runner/**"
-      - ".gitignore"
-      - "PROJECT"
-      - "LICENSE"
-      - "Makefile"
+      - '**.md'
+      - '.github/actions/**'
+      - '.github/ISSUE_TEMPLATE/**'
+      - '.github/workflows/e2e-test-dispatch-workflow.yaml'
+      - '.github/workflows/gha-e2e-tests.yaml'
+      - '.github/workflows/arc-publish.yaml'
+      - '.github/workflows/arc-publish-chart.yaml'
+      - '.github/workflows/gha-publish-chart.yaml'
+      - '.github/workflows/arc-release-runners.yaml'
+      - '.github/workflows/global-run-codeql.yaml'
+      - '.github/workflows/global-run-first-interaction.yaml'
+      - '.github/workflows/global-run-stale.yaml'
+      - '.github/workflows/arc-update-runners-scheduled.yaml'
+      - '.github/workflows/validate-arc.yaml'
+      - '.github/workflows/arc-validate-chart.yaml'
+      - '.github/workflows/gha-validate-chart.yaml'
+      - '.github/workflows/arc-validate-runners.yaml'
+      - '.github/dependabot.yml'
+      - '.github/RELEASE_NOTE_TEMPLATE.md'
+      - 'runner/**'
+      - '.gitignore'
+      - 'PROJECT'
+      - 'LICENSE'
+      - 'Makefile'

 # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
 permissions:
@@ -59,7 +59,6 @@ jobs:

      - name: Get Token
        id: get_workflow_token
-        # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0
        uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
        with:
          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
@@ -94,8 +93,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Login to GitHub Container Registry
-        # https://github.com/docker/login-action/releases/tag/v3.4.0
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -112,19 +110,16 @@ jobs:
          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT

      - name: Set up QEMU
-        # https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
+        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
-        # https://github.com/docker/setup-buildx-action/releases/tag/v3.10.0
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+        uses: docker/setup-buildx-action@v3
        with:
          version: latest

      # Unstable builds - run at your own risk
      - name: Build and Push
-        # https://github.com/docker/build-push-action/releases/tag/v6.15.0
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
--- a/.github/workflows/go.yaml
+++ b/.github/workflows/go.yaml
@@ -4,16 +4,16 @@ on:
    branches:
      - master
    paths:
-      - ".github/workflows/go.yaml"
-      - "**.go"
-      - "go.mod"
-      - "go.sum"
+      - '.github/workflows/go.yaml'
+      - '**.go'
+      - 'go.mod'
+      - 'go.sum'
  pull_request:
    paths:
-      - ".github/workflows/go.yaml"
-      - "**.go"
-      - "go.mod"
-      - "go.sum"
+      - '.github/workflows/go.yaml'
+      - '**.go'
+      - 'go.mod'
+      - 'go.sum'

 permissions:
  contents: read
@@ -32,7 +32,7 @@ jobs:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version-file: 'go.mod'
          cache: false
      - name: fmt
        run: go fmt ./...
@@ -45,14 +45,13 @@ jobs:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version-file: 'go.mod'
          cache: false
      - name: golangci-lint
-        # https://github.com/golangci/golangci-lint-action/releases/tag/v7.0.0
-        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd
+        uses: golangci/golangci-lint-action@v6
        with:
          only-new-issues: true
-          version: v2.1.2
+          version: v1.55.2

  generate:
    runs-on: ubuntu-latest
@@ -60,7 +59,7 @@ jobs:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version-file: 'go.mod'
          cache: false
      - name: Generate
        run: make generate
@@ -73,7 +72,7 @@ jobs:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version-file: 'go.mod'
      - run: make manifests
      - name: Check diff
        run: git diff --exit-code
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,14 +1,19 @@
-version: "2"
 run:
-  timeout: 5m
-linters:
-  settings:
-    errcheck:
-      exclude-functions:
-        - (net/http.ResponseWriter).Write
-        - (*net/http.Server).Shutdown
-        - (*github.com/actions/actions-runner-controller/simulator.VisibleRunnerGroups).Add
-        - (*github.com/actions/actions-runner-controller/testing.Kind).Stop
-  exclusions:
-    presets:
-      - std-error-handling
+  timeout: 3m
+output:
+  formats:
+    - format: github-actions
+      path: stdout
+linters-settings:
+  errcheck:
+    exclude-functions:
+      - (net/http.ResponseWriter).Write
+      - (*net/http.Server).Shutdown
+      - (*github.com/actions/actions-runner-controller/simulator.VisibleRunnerGroups).Add
+      - (*github.com/actions/actions-runner-controller/testing.Kind).Stop
+issues:
+  exclude-rules:
+    - path: controllers/suite_test.go
+      linters:
+        - staticcheck
+      text: "SA1019"
--- a/8
+++ b/8
@@ -20,7 +20,7 @@ KUBECONTEXT ?= kind-acceptance
 CLUSTER ?= acceptance
 CERT_MANAGER_VERSION ?= v1.1.1
 KUBE_RBAC_PROXY_VERSION ?= v0.11.0
-SHELLCHECK_VERSION ?= 0.10.0
+SHELLCHECK_VERSION ?= 0.8.0

 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS ?= "crd:generateEmbeddedObjectMeta=true,allowDangerousTypes=true"
@@ -68,7 +68,7 @@ endif
 all: manager

 lint:
-	docker run --rm -v $(PWD):/app -w /app golangci/golangci-lint:v2.1.2 golangci-lint run
+	docker run --rm -v $(PWD):/app -w /app golangci/golangci-lint:v1.57.2 golangci-lint run

 GO_TEST_ARGS ?= -short

@@ -204,7 +204,7 @@ generate: controller-gen

 # Run shellcheck on runner scripts
 shellcheck: shellcheck-install
-	$(TOOLS_PATH)/shellcheck --shell bash --source-path runner runner/*.sh runner/update-status hack/*.sh
+	$(TOOLS_PATH)/shellcheck --shell bash --source-path runner runner/*.sh hack/*.sh

 docker-buildx:
 	export DOCKER_CLI_EXPERIMENTAL=enabled ;\
@@ -310,7 +310,7 @@ github-release: release
 # Otherwise we get errors like the below:
 #   Error: failed to install CRD crds/actions.summerwind.dev_runnersets.yaml: CustomResourceDefinition.apiextensions.k8s.io "runnersets.actions.summerwind.dev" is invalid: [spec.validation.openAPIV3Schema.properties[spec].properties[template].properties[spec].properties[containers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property, spec.validation.openAPIV3Schema.properties[spec].properties[template].properties[spec].properties[initContainers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property]
 #
-# Note that controller-gen newer than 0.7.0 is needed due to https://github.com/kubernetes-sigs/controller-tools/issues/448
+# Note that controller-gen newer than 0.6.2 is needed due to https://github.com/kubernetes-sigs/controller-tools/issues/448
 # Otherwise ObjectMeta embedded in Spec results in empty on the storage.
 controller-gen:
 ifeq (, $(shell which controller-gen))
--- a/acceptance/pipelines/eks-integration-tests.yaml
+++ b/acceptance/pipelines/eks-integration-tests.yaml
@@ -5,23 +5,22 @@ on:

 env:
  IRSA_ROLE_ARN:
-  ASSUME_ROLE_ARN:
-  AWS_REGION:
+  ASSUME_ROLE_ARN: 
+  AWS_REGION: 

 jobs:
  assume-role-in-runner-test:
-    runs-on: ["self-hosted", "Linux"]
+    runs-on: ['self-hosted', 'Linux']
    steps:
      - name: Test aws-actions/configure-aws-credentials Action
-        # https://github.com/aws-actions/configure-aws-credentials/releases/tag/v4.1.0
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722
+        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ env.ASSUME_ROLE_ARN }}
          role-duration-seconds: 900
  assume-role-in-container-test:
-    runs-on: ["self-hosted", "Linux"]
-    container:
+    runs-on: ['self-hosted', 'Linux']
+    container: 
      image: amazon/aws-cli
      env:
        AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
@@ -30,8 +29,7 @@ jobs:
        - /var/run/secrets/eks.amazonaws.com/serviceaccount/token:/var/run/secrets/eks.amazonaws.com/serviceaccount/token
    steps:
      - name: Test aws-actions/configure-aws-credentials Action in container
-        # https://github.com/aws-actions/configure-aws-credentials/releases/tag/v4.1.0
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722
+        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ env.ASSUME_ROLE_ARN }}
--- a/acceptance/pipelines/runner-integration-tests.yaml
+++ b/acceptance/pipelines/runner-integration-tests.yaml
@@ -8,8 +8,8 @@ env:

 jobs:
  run-step-in-container-test:
-    runs-on: ["self-hosted", "Linux"]
-    container:
+    runs-on: ['self-hosted', 'Linux']
+    container: 
      image: alpine
    steps:
      - name: Test we are working in the container
@@ -21,7 +21,7 @@ jobs:
              exit 1
          fi
  setup-python-test:
-    runs-on: ["self-hosted", "Linux"]
+    runs-on: ['self-hosted', 'Linux']
    steps:
      - name: Print native Python environment
        run: |
@@ -41,12 +41,12 @@ jobs:
            echo "Python version detected : $(python --version 2>&1)"
          fi
  setup-node-test:
-    runs-on: ["self-hosted", "Linux"]
+    runs-on: ['self-hosted', 'Linux']
    steps:
      - uses: actions/setup-node@v2
        with:
-          node-version: "12"
-      - name: Test actions/setup-node works
+          node-version: '12'
+      - name: Test actions/setup-node works 
        run: |
          VERSION=$(node --version | cut -c 2- | cut -d '.' -f1)
          if [[ $VERSION != '12' ]]; then
@@ -57,14 +57,13 @@ jobs:
            echo "Node version detected : $(node --version 2>&1)"
          fi
  setup-ruby-test:
-    runs-on: ["self-hosted", "Linux"]
+    runs-on: ['self-hosted', 'Linux']
    steps:
-      # https://github.com/ruby/setup-ruby/releases/tag/v1.227.0
-      - uses: ruby/setup-ruby@1a615958ad9d422dd932dc1d5823942ee002799f
+      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: 3.0
          bundler-cache: true
-      - name: Test ruby/setup-ruby works
+      - name: Test ruby/setup-ruby works 
        run: |
          VERSION=$(ruby --version | cut -d ' ' -f2 | cut -d '.' -f1-2)
          if [[ $VERSION != '3.0' ]]; then
@@ -75,8 +74,8 @@ jobs:
              echo "Ruby version detected : $(ruby --version 2>&1)"
          fi
  python-shell-test:
-    runs-on: ["self-hosted", "Linux"]
-    steps:
+    runs-on: ['self-hosted', 'Linux']
+    steps:      
      - name: Test Python shell works
        run: |
          import os
--- a/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go
+++ b/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go
@@ -279,10 +279,10 @@ type AutoscalingRunnerSetStatus struct {
 	FailedEphemeralRunners int `json:"failedEphemeralRunners"`
 }

-func (ars *AutoscalingRunnerSet) ListenerSpecHash() string {
+func (ars *AutoscalingRunnerSet) ListenerSpecHash(githubSecret *corev1.Secret) string {
 	arsSpec := ars.Spec.DeepCopy()
-	spec := arsSpec
-	return hash.ComputeTemplateHash(&spec)
+	secret := githubSecret.DeepCopy()
+	return hash.ComputeCombinedObjectsHash(&arsSpec, &secret)
 }

 func (ars *AutoscalingRunnerSet) RunnerSetSpecHash() string {
--- a/apis/actions.summerwind.net/v1alpha1/runner_types.go
+++ b/apis/actions.summerwind.net/v1alpha1/runner_types.go
@@ -215,10 +215,10 @@ func (rs *RunnerSpec) validateRepository() error {
 		foundCount += 1
 	}
 	if foundCount == 0 {
-		return errors.New("spec needs enterprise, organization or repository")
+		return errors.New("Spec needs enterprise, organization or repository")
 	}
 	if foundCount > 1 {
-		return errors.New("spec cannot have many fields defined enterprise, organization and repository")
+		return errors.New("Spec cannot have many fields defined enterprise, organization and repository")
 	}

 	return nil
--- a/charts/.ci/ct-config-gha.yaml
+++ b/charts/.ci/ct-config-gha.yaml
@@ -1,11 +1,9 @@
 # This file defines the config for "ct" (chart tester) used by the helm linting GitHub workflow
-remote: origin
-target-branch: master
 lint-conf: charts/.ci/lint-config.yaml
 chart-repos:
  - jetstack=https://charts.jetstack.io
 check-version-increment: false # Disable checking that the chart version has been bumped
 charts:
-  - charts/gha-runner-scale-set-controller
-  - charts/gha-runner-scale-set
+- charts/gha-runner-scale-set-controller
+- charts/gha-runner-scale-set
 skip-clean-up: true
--- a/charts/.ci/ct-config.yaml
+++ b/charts/.ci/ct-config.yaml
@@ -1,9 +1,7 @@
 # This file defines the config for "ct" (chart tester) used by the helm linting GitHub workflow
-remote: origin
-target-branch: master
 lint-conf: charts/.ci/lint-config.yaml
 chart-repos:
  - jetstack=https://charts.jetstack.io
 check-version-increment: false # Disable checking that the chart version has been bumped
 charts:
-  - charts/actions-runner-controller
+- charts/actions-runner-controller
--- a/charts/.ci/scripts/local-kube-score.sh
+++ b/charts/.ci/scripts/local-kube-score.sh
@@ -1,5 +1,6 @@
 #!/bin/bash

+
 for chart in `ls charts`;
 do
 helm template --values charts/$chart/ci/ci-values.yaml charts/$chart | kube-score score - \
@@ -11,4 +12,4 @@ helm template --values charts/$chart/ci/ci-values.yaml charts/$chart | kube-scor
    --enable-optional-test container-security-context-privileged \
    --enable-optional-test container-security-context-readonlyrootfilesystem \
    --ignore-test container-security-context
-done
+done
--- a/charts/gha-runner-scale-set/tests/template_test.go
+++ b/charts/gha-runner-scale-set/tests/template_test.go
@@ -1178,7 +1178,7 @@ func TestTemplateRenderedWithTLS(t *testing.T) {
 				}
 			}
 			require.NotNil(t, volume)
-			assert.Equal(t, "certs-configmap", volume.ConfigMap.Name)
+			assert.Equal(t, "certs-configmap", volume.ConfigMap.LocalObjectReference.Name)
 			assert.Equal(t, "cert.pem", volume.ConfigMap.Items[0].Key)
 			assert.Equal(t, "cert.pem", volume.ConfigMap.Items[0].Path)

@@ -1238,7 +1238,7 @@ func TestTemplateRenderedWithTLS(t *testing.T) {
 				}
 			}
 			require.NotNil(t, volume)
-			assert.Equal(t, "certs-configmap", volume.ConfigMap.Name)
+			assert.Equal(t, "certs-configmap", volume.ConfigMap.LocalObjectReference.Name)
 			assert.Equal(t, "cert.pem", volume.ConfigMap.Items[0].Key)
 			assert.Equal(t, "cert.pem", volume.ConfigMap.Items[0].Path)

@@ -1298,7 +1298,7 @@ func TestTemplateRenderedWithTLS(t *testing.T) {
 				}
 			}
 			require.NotNil(t, volume)
-			assert.Equal(t, "certs-configmap", volume.ConfigMap.Name)
+			assert.Equal(t, "certs-configmap", volume.ConfigMap.LocalObjectReference.Name)
 			assert.Equal(t, "cert.pem", volume.ConfigMap.Items[0].Key)
 			assert.Equal(t, "cert.pem", volume.ConfigMap.Items[0].Path)

--- a/cmd/ghalistener/metrics/metrics.go
+++ b/cmd/ghalistener/metrics/metrics.go
@@ -287,7 +287,7 @@ func (e *exporter) ListenAndServe(ctx context.Context) error {
 }

 func (e *exporter) setGauge(name string, allLabels prometheus.Labels, val float64) {
-	m, ok := e.gauges[name]
+	m, ok := e.metrics.gauges[name]
 	if !ok {
 		return
 	}
@@ -299,7 +299,7 @@ func (e *exporter) setGauge(name string, allLabels prometheus.Labels, val float6
 }

 func (e *exporter) incCounter(name string, allLabels prometheus.Labels) {
-	m, ok := e.counters[name]
+	m, ok := e.metrics.counters[name]
 	if !ok {
 		return
 	}
@@ -311,7 +311,7 @@ func (e *exporter) incCounter(name string, allLabels prometheus.Labels) {
 }

 func (e *exporter) observeHistogram(name string, allLabels prometheus.Labels, val float64) {
-	m, ok := e.histograms[name]
+	m, ok := e.metrics.histograms[name]
 	if !ok {
 		return
 	}
@@ -339,7 +339,7 @@ func (e *exporter) PublishJobStarted(msg *actions.JobStarted) {
 	l := e.startedJobLabels(msg)
 	e.incCounter(MetricStartedJobsTotal, l)

-	startupDuration := msg.RunnerAssignTime.Unix() - msg.ScaleSetAssignTime.Unix()
+	startupDuration := msg.JobMessageBase.RunnerAssignTime.Unix() - msg.JobMessageBase.ScaleSetAssignTime.Unix()
 	e.observeHistogram(MetricJobStartupDurationSeconds, l, float64(startupDuration))
 }

@@ -347,7 +347,7 @@ func (e *exporter) PublishJobCompleted(msg *actions.JobCompleted) {
 	l := e.completedJobLabels(msg)
 	e.incCounter(MetricCompletedJobsTotal, l)

-	executionDuration := msg.FinishTime.Unix() - msg.RunnerAssignTime.Unix()
+	executionDuration := msg.JobMessageBase.FinishTime.Unix() - msg.JobMessageBase.RunnerAssignTime.Unix()
 	e.observeHistogram(MetricJobExecutionDurationSeconds, l, float64(executionDuration))
 }

--- a/controllers/actions.github.com/autoscalinglistener_controller.go
+++ b/controllers/actions.github.com/autoscalinglistener_controller.go
@@ -77,7 +77,7 @@ func (r *AutoscalingListenerReconciler) Reconcile(ctx context.Context, req ctrl.
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}

-	if !autoscalingListener.DeletionTimestamp.IsZero() {
+	if !autoscalingListener.ObjectMeta.DeletionTimestamp.IsZero() {
 		if !controllerutil.ContainsFinalizer(autoscalingListener, autoscalingListenerFinalizerName) {
 			return ctrl.Result{}, nil
 		}
@@ -137,27 +137,6 @@ func (r *AutoscalingListenerReconciler) Reconcile(ctx context.Context, req ctrl.
 		return ctrl.Result{}, err
 	}

-	// Create a mirror secret in the same namespace as the AutoscalingListener
-	mirrorSecret := new(corev1.Secret)
-	if err := r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Namespace, Name: scaleSetListenerSecretMirrorName(autoscalingListener)}, mirrorSecret); err != nil {
-		if !kerrors.IsNotFound(err) {
-			log.Error(err, "Unable to get listener secret mirror", "namespace", autoscalingListener.Namespace, "name", scaleSetListenerSecretMirrorName(autoscalingListener))
-			return ctrl.Result{}, err
-		}
-
-		// Create a mirror secret for the listener pod in the Controller namespace for listener pod to use
-		log.Info("Creating a mirror listener secret for the listener pod")
-		return r.createSecretsForListener(ctx, autoscalingListener, secret, log)
-	}
-
-	// make sure the mirror secret is up to date
-	mirrorSecretDataHash := mirrorSecret.Labels["secret-data-hash"]
-	secretDataHash := hash.ComputeTemplateHash(secret.Data)
-	if mirrorSecretDataHash != secretDataHash {
-		log.Info("Updating mirror listener secret for the listener pod", "mirrorSecretDataHash", mirrorSecretDataHash, "secretDataHash", secretDataHash)
-		return r.updateSecretsForListener(ctx, secret, mirrorSecret, log)
-	}
-
 	// Make sure the runner scale set listener service account is created for the listener pod in the controller namespace
 	serviceAccount := new(corev1.ServiceAccount)
 	if err := r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Namespace, Name: scaleSetListenerServiceAccountName(autoscalingListener)}, serviceAccount); err != nil {
@@ -239,7 +218,7 @@ func (r *AutoscalingListenerReconciler) Reconcile(ctx context.Context, req ctrl.

 		// Create a listener pod in the controller namespace
 		log.Info("Creating a listener pod")
-		return r.createListenerPod(ctx, &autoscalingRunnerSet, autoscalingListener, serviceAccount, mirrorSecret, log)
+		return r.createListenerPod(ctx, &autoscalingRunnerSet, autoscalingListener, serviceAccount, secret, log)
 	}

 	cs := listenerContainerStatus(listenerPod)
@@ -281,7 +260,7 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 	err = r.Get(ctx, types.NamespacedName{Name: autoscalingListener.Name, Namespace: autoscalingListener.Namespace}, listenerPod)
 	switch {
 	case err == nil:
-		if listenerPod.DeletionTimestamp.IsZero() {
+		if listenerPod.ObjectMeta.DeletionTimestamp.IsZero() {
 			logger.Info("Deleting the listener pod")
 			if err := r.Delete(ctx, listenerPod); err != nil {
 				return false, fmt.Errorf("failed to delete listener pod: %w", err)
@@ -299,7 +278,7 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 	err = r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Namespace, Name: scaleSetListenerConfigName(autoscalingListener)}, &secret)
 	switch {
 	case err == nil:
-		if secret.DeletionTimestamp.IsZero() {
+		if secret.ObjectMeta.DeletionTimestamp.IsZero() {
 			logger.Info("Deleting the listener config secret")
 			if err := r.Delete(ctx, &secret); err != nil {
 				return false, fmt.Errorf("failed to delete listener config secret: %w", err)
@@ -316,7 +295,7 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 		err = r.Get(ctx, types.NamespacedName{Name: proxyListenerSecretName(autoscalingListener), Namespace: autoscalingListener.Namespace}, proxySecret)
 		switch {
 		case err == nil:
-			if proxySecret.DeletionTimestamp.IsZero() {
+			if proxySecret.ObjectMeta.DeletionTimestamp.IsZero() {
 				logger.Info("Deleting the listener proxy secret")
 				if err := r.Delete(ctx, proxySecret); err != nil {
 					return false, fmt.Errorf("failed to delete listener proxy secret: %w", err)
@@ -333,7 +312,7 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 	err = r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace, Name: scaleSetListenerRoleName(autoscalingListener)}, listenerRoleBinding)
 	switch {
 	case err == nil:
-		if listenerRoleBinding.DeletionTimestamp.IsZero() {
+		if listenerRoleBinding.ObjectMeta.DeletionTimestamp.IsZero() {
 			logger.Info("Deleting the listener role binding")
 			if err := r.Delete(ctx, listenerRoleBinding); err != nil {
 				return false, fmt.Errorf("failed to delete listener role binding: %w", err)
@@ -349,7 +328,7 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 	err = r.Get(ctx, types.NamespacedName{Namespace: autoscalingListener.Spec.AutoscalingRunnerSetNamespace, Name: scaleSetListenerRoleName(autoscalingListener)}, listenerRole)
 	switch {
 	case err == nil:
-		if listenerRole.DeletionTimestamp.IsZero() {
+		if listenerRole.ObjectMeta.DeletionTimestamp.IsZero() {
 			logger.Info("Deleting the listener role")
 			if err := r.Delete(ctx, listenerRole); err != nil {
 				return false, fmt.Errorf("failed to delete listener role: %w", err)
@@ -366,7 +345,7 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 	err = r.Get(ctx, types.NamespacedName{Name: scaleSetListenerServiceAccountName(autoscalingListener), Namespace: autoscalingListener.Namespace}, listenerSa)
 	switch {
 	case err == nil:
-		if listenerSa.DeletionTimestamp.IsZero() {
+		if listenerSa.ObjectMeta.DeletionTimestamp.IsZero() {
 			logger.Info("Deleting the listener service account")
 			if err := r.Delete(ctx, listenerSa); err != nil {
 				return false, fmt.Errorf("failed to delete listener service account: %w", err)
@@ -382,7 +361,7 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 }

 func (r *AutoscalingListenerReconciler) createServiceAccountForListener(ctx context.Context, autoscalingListener *v1alpha1.AutoscalingListener, logger logr.Logger) (ctrl.Result, error) {
-	newServiceAccount := r.newScaleSetListenerServiceAccount(autoscalingListener)
+	newServiceAccount := r.ResourceBuilder.newScaleSetListenerServiceAccount(autoscalingListener)

 	if err := ctrl.SetControllerReference(autoscalingListener, newServiceAccount, r.Scheme); err != nil {
 		return ctrl.Result{}, err
@@ -467,7 +446,7 @@ func (r *AutoscalingListenerReconciler) createListenerPod(ctx context.Context, a

 		logger.Info("Creating listener config secret")

-		podConfig, err := r.newScaleSetListenerConfig(autoscalingListener, secret, metricsConfig, cert)
+		podConfig, err := r.ResourceBuilder.newScaleSetListenerConfig(autoscalingListener, secret, metricsConfig, cert)
 		if err != nil {
 			logger.Error(err, "Failed to build listener config secret")
 			return ctrl.Result{}, err
@@ -486,7 +465,7 @@ func (r *AutoscalingListenerReconciler) createListenerPod(ctx context.Context, a
 		return ctrl.Result{Requeue: true}, nil
 	}

-	newPod, err := r.newScaleSetListenerPod(autoscalingListener, &podConfig, serviceAccount, secret, metricsConfig, envs...)
+	newPod, err := r.ResourceBuilder.newScaleSetListenerPod(autoscalingListener, &podConfig, serviceAccount, secret, metricsConfig, envs...)
 	if err != nil {
 		logger.Error(err, "Failed to build listener pod")
 		return ctrl.Result{}, err
@@ -546,7 +525,7 @@ func (r *AutoscalingListenerReconciler) certificate(ctx context.Context, autosca
 }

 func (r *AutoscalingListenerReconciler) createSecretsForListener(ctx context.Context, autoscalingListener *v1alpha1.AutoscalingListener, secret *corev1.Secret, logger logr.Logger) (ctrl.Result, error) {
-	newListenerSecret := r.newScaleSetListenerSecretMirror(autoscalingListener, secret)
+	newListenerSecret := r.ResourceBuilder.newScaleSetListenerSecretMirror(autoscalingListener, secret)

 	if err := ctrl.SetControllerReference(autoscalingListener, newListenerSecret, r.Scheme); err != nil {
 		return ctrl.Result{}, err
@@ -601,24 +580,8 @@ func (r *AutoscalingListenerReconciler) createProxySecret(ctx context.Context, a
 	return ctrl.Result{Requeue: true}, nil
 }

-func (r *AutoscalingListenerReconciler) updateSecretsForListener(ctx context.Context, secret *corev1.Secret, mirrorSecret *corev1.Secret, logger logr.Logger) (ctrl.Result, error) {
-	dataHash := hash.ComputeTemplateHash(secret.Data)
-	updatedMirrorSecret := mirrorSecret.DeepCopy()
-	updatedMirrorSecret.Labels["secret-data-hash"] = dataHash
-	updatedMirrorSecret.Data = secret.Data
-
-	logger.Info("Updating listener mirror secret", "namespace", updatedMirrorSecret.Namespace, "name", updatedMirrorSecret.Name, "hash", dataHash)
-	if err := r.Update(ctx, updatedMirrorSecret); err != nil {
-		logger.Error(err, "Unable to update listener mirror secret", "namespace", updatedMirrorSecret.Namespace, "name", updatedMirrorSecret.Name)
-		return ctrl.Result{}, err
-	}
-
-	logger.Info("Updated listener mirror secret", "namespace", updatedMirrorSecret.Namespace, "name", updatedMirrorSecret.Name, "hash", dataHash)
-	return ctrl.Result{Requeue: true}, nil
-}
-
 func (r *AutoscalingListenerReconciler) createRoleForListener(ctx context.Context, autoscalingListener *v1alpha1.AutoscalingListener, logger logr.Logger) (ctrl.Result, error) {
-	newRole := r.newScaleSetListenerRole(autoscalingListener)
+	newRole := r.ResourceBuilder.newScaleSetListenerRole(autoscalingListener)

 	logger.Info("Creating listener role", "namespace", newRole.Namespace, "name", newRole.Name, "rules", newRole.Rules)
 	if err := r.Create(ctx, newRole); err != nil {
@@ -646,7 +609,7 @@ func (r *AutoscalingListenerReconciler) updateRoleForListener(ctx context.Contex
 }

 func (r *AutoscalingListenerReconciler) createRoleBindingForListener(ctx context.Context, autoscalingListener *v1alpha1.AutoscalingListener, listenerRole *rbacv1.Role, serviceAccount *corev1.ServiceAccount, logger logr.Logger) (ctrl.Result, error) {
-	newRoleBinding := r.newScaleSetListenerRoleBinding(autoscalingListener, listenerRole, serviceAccount)
+	newRoleBinding := r.ResourceBuilder.newScaleSetListenerRoleBinding(autoscalingListener, listenerRole, serviceAccount)

 	logger.Info("Creating listener role binding",
 		"namespace", newRoleBinding.Namespace,
--- a/controllers/actions.github.com/autoscalinglistener_controller_test.go
+++ b/controllers/actions.github.com/autoscalinglistener_controller_test.go
@@ -104,7 +104,7 @@ var _ = Describe("Test AutoScalingListener controller", func() {
 	})

 	Context("When creating a new AutoScalingListener", func() {
-		It("It should create/add all required resources for a new AutoScalingListener (finalizer, secret, service account, role, rolebinding, pod)", func() {
+		It("It should create/add all required resources for a new AutoScalingListener (finalizer, service account, role, rolebinding, config, pod)", func() {
 			config := new(corev1.Secret)
 			Eventually(
 				func() error {
@@ -134,19 +134,6 @@ var _ = Describe("Test AutoScalingListener controller", func() {
 				autoscalingListenerTestTimeout,
 				autoscalingListenerTestInterval).Should(BeEquivalentTo(autoscalingListenerFinalizerName), "AutoScalingListener should have a finalizer")

-			// Check if secret is created
-			mirrorSecret := new(corev1.Secret)
-			Eventually(
-				func() (string, error) {
-					err := k8sClient.Get(ctx, client.ObjectKey{Name: scaleSetListenerSecretMirrorName(autoscalingListener), Namespace: autoscalingListener.Namespace}, mirrorSecret)
-					if err != nil {
-						return "", err
-					}
-					return string(mirrorSecret.Data["github_token"]), nil
-				},
-				autoscalingListenerTestTimeout,
-				autoscalingListenerTestInterval).Should(BeEquivalentTo(autoscalingListenerTestGitHubToken), "Mirror secret should be created")
-
 			// Check if service account is created
 			serviceAccount := new(corev1.ServiceAccount)
 			Eventually(
@@ -188,6 +175,22 @@ var _ = Describe("Test AutoScalingListener controller", func() {
 				autoscalingListenerTestTimeout,
 				autoscalingListenerTestInterval).Should(BeEquivalentTo(scaleSetListenerRoleName(autoscalingListener)), "Rolebinding should be created")

+			listenerConfig := new(corev1.Secret)
+			Eventually(
+				func() error {
+					return k8sClient.Get(
+						ctx,
+						client.ObjectKey{
+							Name:      scaleSetListenerConfigName(autoscalingListener),
+							Namespace: autoscalingListener.Namespace,
+						},
+						listenerConfig,
+					)
+				},
+				autoscalingListenerTestTimeout,
+				autoscalingListenerTestInterval,
+			).Should(Succeed(), "Listener config should be created")
+
 			// Check if pod is created
 			pod := new(corev1.Pod)
 			Eventually(
@@ -397,75 +400,6 @@ var _ = Describe("Test AutoScalingListener controller", func() {
 				autoscalingListenerTestInterval,
 			).ShouldNot(BeEquivalentTo(oldPodUID), "Pod should be re-created")
 		})
-
-		It("It should update mirror secrets to match secret used by AutoScalingRunnerSet", func() {
-			// Waiting for the pod is created
-			pod := new(corev1.Pod)
-			Eventually(
-				func() (string, error) {
-					err := k8sClient.Get(ctx, client.ObjectKey{Name: autoscalingListener.Name, Namespace: autoscalingListener.Namespace}, pod)
-					if err != nil {
-						return "", err
-					}
-
-					return pod.Name, nil
-				},
-				autoscalingListenerTestTimeout,
-				autoscalingListenerTestInterval).Should(BeEquivalentTo(autoscalingListener.Name), "Pod should be created")
-
-			// Update the secret
-			updatedSecret := configSecret.DeepCopy()
-			updatedSecret.Data["github_token"] = []byte(autoscalingListenerTestGitHubToken + "_updated")
-			err := k8sClient.Update(ctx, updatedSecret)
-			Expect(err).NotTo(HaveOccurred(), "failed to update test secret")
-
-			updatedPod := pod.DeepCopy()
-			// Ignore status running and consult the container state
-			updatedPod.Status.Phase = corev1.PodRunning
-			updatedPod.Status.ContainerStatuses = []corev1.ContainerStatus{
-				{
-					Name: autoscalingListenerContainerName,
-					State: corev1.ContainerState{
-						Terminated: &corev1.ContainerStateTerminated{
-							ExitCode: 1,
-						},
-					},
-				},
-			}
-			err = k8sClient.Status().Update(ctx, updatedPod)
-			Expect(err).NotTo(HaveOccurred(), "failed to update test pod to failed")
-
-			// Check if mirror secret is updated with right data
-			mirrorSecret := new(corev1.Secret)
-			Eventually(
-				func() (map[string][]byte, error) {
-					err := k8sClient.Get(ctx, client.ObjectKey{Name: scaleSetListenerSecretMirrorName(autoscalingListener), Namespace: autoscalingListener.Namespace}, mirrorSecret)
-					if err != nil {
-						return nil, err
-					}
-
-					return mirrorSecret.Data, nil
-				},
-				autoscalingListenerTestTimeout,
-				autoscalingListenerTestInterval).Should(BeEquivalentTo(updatedSecret.Data), "Mirror secret should be updated")
-
-			// Check if we re-created a new pod
-			Eventually(
-				func() error {
-					latestPod := new(corev1.Pod)
-					err := k8sClient.Get(ctx, client.ObjectKey{Name: autoscalingListener.Name, Namespace: autoscalingListener.Namespace}, latestPod)
-					if err != nil {
-						return err
-					}
-					if latestPod.UID == pod.UID {
-						return fmt.Errorf("Pod should be recreated")
-					}
-
-					return nil
-				},
-				autoscalingListenerTestTimeout,
-				autoscalingListenerTestInterval).Should(Succeed(), "Pod should be recreated")
-		})
 	})
 })

--- a/controllers/actions.github.com/autoscalingrunnerset_controller.go
+++ b/controllers/actions.github.com/autoscalingrunnerset_controller.go
@@ -99,7 +99,7 @@ func (r *AutoscalingRunnerSetReconciler) Reconcile(ctx context.Context, req ctrl
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}

-	if !autoscalingRunnerSet.DeletionTimestamp.IsZero() {
+	if !autoscalingRunnerSet.ObjectMeta.DeletionTimestamp.IsZero() {
 		if !controllerutil.ContainsFinalizer(autoscalingRunnerSet, autoscalingRunnerSetFinalizerName) {
 			return ctrl.Result{}, nil
 		}
@@ -246,7 +246,7 @@ func (r *AutoscalingRunnerSetReconciler) Reconcile(ctx context.Context, req ctrl

 	// Our listener pod is out of date, so we need to delete it to get a new recreate.
 	listenerValuesHashChanged := listener.Annotations[annotationKeyValuesHash] != autoscalingRunnerSet.Annotations[annotationKeyValuesHash]
-	listenerSpecHashChanged := listener.Annotations[annotationKeyRunnerSpecHash] != autoscalingRunnerSet.ListenerSpecHash()
+	listenerSpecHashChanged := listener.Annotations[annotationKeyRunnerSpecHash] != autoscalingRunnerSet.ListenerSpecHash(secret)
 	if listenerFound && (listenerValuesHashChanged || listenerSpecHashChanged) {
 		log.Info("RunnerScaleSetListener is out of date. Deleting it so that it is recreated", "name", listener.Name)
 		if err := r.Delete(ctx, listener); err != nil {
@@ -297,7 +297,7 @@ func (r *AutoscalingRunnerSetReconciler) Reconcile(ctx context.Context, req ctrl
 			return ctrl.Result{}, nil
 		}
 		log.Info("Creating a new AutoscalingListener for the runner set", "ephemeralRunnerSetName", latestRunnerSet.Name)
-		return r.createAutoScalingListenerForRunnerSet(ctx, autoscalingRunnerSet, latestRunnerSet, log)
+		return r.createAutoScalingListenerForRunnerSet(ctx, autoscalingRunnerSet, latestRunnerSet, secret, log)
 	}

 	// Update the status of autoscaling runner set.
@@ -332,7 +332,7 @@ func (r *AutoscalingRunnerSetReconciler) cleanupListener(ctx context.Context, au
 	err = r.Get(ctx, client.ObjectKey{Namespace: r.ControllerNamespace, Name: scaleSetListenerName(autoscalingRunnerSet)}, &listener)
 	switch {
 	case err == nil:
-		if listener.DeletionTimestamp.IsZero() {
+		if listener.ObjectMeta.DeletionTimestamp.IsZero() {
 			logger.Info("Deleting the listener")
 			if err := r.Delete(ctx, &listener); err != nil {
 				return false, fmt.Errorf("failed to delete listener: %w", err)
@@ -369,7 +369,7 @@ func (r *AutoscalingRunnerSetReconciler) deleteEphemeralRunnerSets(ctx context.C
 	for i := range oldRunnerSets {
 		rs := &oldRunnerSets[i]
 		// already deleted but contains finalizer so it still exists
-		if !rs.DeletionTimestamp.IsZero() {
+		if !rs.ObjectMeta.DeletionTimestamp.IsZero() {
 			logger.Info("Skip ephemeral runner set since it is already marked for deletion", "name", rs.Name)
 			continue
 		}
@@ -622,7 +622,7 @@ func (r *AutoscalingRunnerSetReconciler) deleteRunnerScaleSet(ctx context.Contex
 }

 func (r *AutoscalingRunnerSetReconciler) createEphemeralRunnerSet(ctx context.Context, autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet, log logr.Logger) (ctrl.Result, error) {
-	desiredRunnerSet, err := r.newEphemeralRunnerSet(autoscalingRunnerSet)
+	desiredRunnerSet, err := r.ResourceBuilder.newEphemeralRunnerSet(autoscalingRunnerSet)
 	if err != nil {
 		log.Error(err, "Could not create EphemeralRunnerSet")
 		return ctrl.Result{}, err
@@ -643,7 +643,13 @@ func (r *AutoscalingRunnerSetReconciler) createEphemeralRunnerSet(ctx context.Co
 	return ctrl.Result{}, nil
 }

-func (r *AutoscalingRunnerSetReconciler) createAutoScalingListenerForRunnerSet(ctx context.Context, autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet, ephemeralRunnerSet *v1alpha1.EphemeralRunnerSet, log logr.Logger) (ctrl.Result, error) {
+func (r *AutoscalingRunnerSetReconciler) createAutoScalingListenerForRunnerSet(
+	ctx context.Context,
+	autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet,
+	ephemeralRunnerSet *v1alpha1.EphemeralRunnerSet,
+	githubSecret *corev1.Secret,
+	log logr.Logger,
+) (ctrl.Result, error) {
 	var imagePullSecrets []corev1.LocalObjectReference
 	for _, imagePullSecret := range r.DefaultRunnerScaleSetListenerImagePullSecrets {
 		imagePullSecrets = append(imagePullSecrets, corev1.LocalObjectReference{
@@ -651,7 +657,14 @@ func (r *AutoscalingRunnerSetReconciler) createAutoScalingListenerForRunnerSet(c
 		})
 	}

-	autoscalingListener, err := r.newAutoScalingListener(autoscalingRunnerSet, ephemeralRunnerSet, r.ControllerNamespace, r.DefaultRunnerScaleSetListenerImage, imagePullSecrets)
+	autoscalingListener, err := r.ResourceBuilder.newAutoScalingListener(
+		autoscalingRunnerSet,
+		ephemeralRunnerSet,
+		githubSecret,
+		r.ControllerNamespace,
+		r.DefaultRunnerScaleSetListenerImage,
+		imagePullSecrets,
+	)
 	if err != nil {
 		log.Error(err, "Could not create AutoscalingListener spec")
 		return ctrl.Result{}, err
--- a/controllers/actions.github.com/autoscalingrunnerset_controller_test.go
+++ b/controllers/actions.github.com/autoscalingrunnerset_controller_test.go
@@ -280,10 +280,10 @@ var _ = Describe("Test AutoScalingRunnerSet controller", Ordered, func() {
 			// This should trigger re-creation of EphemeralRunnerSet and Listener
 			patched := autoscalingRunnerSet.DeepCopy()
 			patched.Spec.Template.Spec.PriorityClassName = "test-priority-class"
-			if patched.Annotations == nil {
-				patched.Annotations = make(map[string]string)
+			if patched.ObjectMeta.Annotations == nil {
+				patched.ObjectMeta.Annotations = make(map[string]string)
 			}
-			patched.Annotations[annotationKeyValuesHash] = "test-hash"
+			patched.ObjectMeta.Annotations[annotationKeyValuesHash] = "test-hash"
 			err = k8sClient.Patch(ctx, patched, client.MergeFrom(autoscalingRunnerSet))
 			Expect(err).NotTo(HaveOccurred(), "failed to patch AutoScalingRunnerSet")
 			autoscalingRunnerSet = patched.DeepCopy()
@@ -383,7 +383,7 @@ var _ = Describe("Test AutoScalingRunnerSet controller", Ordered, func() {
 			Expect(err).NotTo(HaveOccurred(), "failed to get Listener")

 			patched = autoscalingRunnerSet.DeepCopy()
-			patched.Annotations[annotationKeyValuesHash] = "hash-changes"
+			patched.ObjectMeta.Annotations[annotationKeyValuesHash] = "hash-changes"
 			err = k8sClient.Patch(ctx, patched, client.MergeFrom(autoscalingRunnerSet))
 			Expect(err).NotTo(HaveOccurred(), "failed to patch AutoScalingRunnerSet")

@@ -476,6 +476,101 @@ var _ = Describe("Test AutoScalingRunnerSet controller", Ordered, func() {
 				autoscalingRunnerSetTestInterval,
 			).Should(BeEquivalentTo("testgroup2"), "AutoScalingRunnerSet should have the runner group in its annotation")
 		})
+
+		It("should re-create the listener when the github secret changes", func() {
+			// Wait till the listener is created
+			listener := new(v1alpha1.AutoscalingListener)
+			Eventually(
+				func() error {
+					return k8sClient.Get(ctx, client.ObjectKey{Name: scaleSetListenerName(autoscalingRunnerSet), Namespace: autoscalingRunnerSet.Namespace}, listener)
+				},
+				autoscalingRunnerSetTestTimeout,
+				autoscalingRunnerSetTestInterval,
+			).Should(Succeed(), "Listener should be created")
+
+			actionsClient, err := controller.actionsClientFor(ctx, autoscalingRunnerSet)
+			Expect(err).NotTo(HaveOccurred(), "failed to get actions client")
+
+			listenerCreationTimestamp := listener.ObjectMeta.CreationTimestamp
+			listenerHash := listener.ObjectMeta.Annotations[annotationKeyRunnerSpecHash]
+
+			githubSecret := new(corev1.Secret)
+			Eventually(
+				func() error {
+					return k8sClient.Get(
+						ctx,
+						client.ObjectKey{
+							Name:      configSecret.ObjectMeta.Name,
+							Namespace: configSecret.ObjectMeta.Namespace,
+						},
+						githubSecret,
+					)
+				},
+				autoscalingRunnerSetTestTimeout,
+				autoscalingRunnerSetTestInterval,
+			).Should(Succeed(), "Failed to fetch the github secret")
+
+			githubSecret.Data["update"] = []byte("update")
+			err = k8sClient.Update(ctx, githubSecret)
+			Expect(err).NotTo(HaveOccurred(), "failed to update the github secret")
+
+			updatedGitHubSecret := new(corev1.Secret)
+			Eventually(
+				func() error {
+					err := k8sClient.Get(
+						ctx,
+						client.ObjectKey{
+							Name:      configSecret.ObjectMeta.Name,
+							Namespace: configSecret.ObjectMeta.Namespace,
+						},
+						updatedGitHubSecret,
+					)
+					if err != nil {
+						return err
+					}
+
+					if _, ok := updatedGitHubSecret.Data["update"]; !ok {
+						return fmt.Errorf("secret update not yet present")
+					}
+					return nil
+				},
+				autoscalingRunnerSetTestTimeout,
+				autoscalingRunnerSetTestInterval,
+			).Should(Succeed(), "Failed to eventually figure out github secret data update")
+
+			Eventually(
+				func() error {
+					updatedListener := new(v1alpha1.AutoscalingListener)
+					err := k8sClient.Get(
+						ctx,
+						client.ObjectKey{
+							Name:      scaleSetListenerName(autoscalingRunnerSet),
+							Namespace: autoscalingRunnerSet.Namespace,
+						},
+						listener,
+					)
+					if err != nil {
+						return err
+					}
+
+					if updatedListener.CreationTimestamp == listenerCreationTimestamp {
+						return fmt.Errorf("creation timestamp not updated yet")
+					}
+					if updatedListener.Annotations[annotationKeyRunnerSpecHash] == listenerHash {
+						return fmt.Errorf("hash not updated yet")
+					}
+
+					return nil
+				},
+				autoscalingRunnerSetTestTimeout,
+				autoscalingRunnerSetTestInterval,
+			).Should(Succeed(), "Listener should be re-created")
+
+			actionsClientAfterUpdate, err := controller.actionsClientFor(ctx, autoscalingRunnerSet)
+			Expect(err).NotTo(HaveOccurred(), "failed to get actions client")
+
+			Expect(actionsClientAfterUpdate.(*fake.FakeClient).ID).NotTo(BeEquivalentTo(actionsClient.(*fake.FakeClient).ID), "expected new client to be used")
+		})
 	})

 	Context("When updating an AutoscalingRunnerSet with running or pending jobs", func() {
@@ -546,10 +641,10 @@ var _ = Describe("Test AutoScalingRunnerSet controller", Ordered, func() {
 			// Patch the AutoScalingRunnerSet image which should trigger
 			// the recreation of the Listener and EphemeralRunnerSet
 			patched := autoscalingRunnerSet.DeepCopy()
-			if patched.Annotations == nil {
-				patched.Annotations = make(map[string]string)
+			if patched.ObjectMeta.Annotations == nil {
+				patched.ObjectMeta.Annotations = make(map[string]string)
 			}
-			patched.Annotations[annotationKeyValuesHash] = "testgroup2"
+			patched.ObjectMeta.Annotations[annotationKeyValuesHash] = "testgroup2"
 			patched.Spec.Template.Spec = corev1.PodSpec{
 				Containers: []corev1.Container{
 					{
@@ -875,7 +970,7 @@ var _ = Describe("Test AutoscalingController creation failures", Ordered, func()
 				autoscalingRunnerSetTestInterval,
 			).Should(BeEquivalentTo(autoscalingRunnerSetFinalizerName), "AutoScalingRunnerSet should have a finalizer")

-			ars.Annotations = make(map[string]string)
+			ars.ObjectMeta.Annotations = make(map[string]string)
 			err = k8sClient.Update(ctx, ars)
 			Expect(err).NotTo(HaveOccurred(), "Update autoscaling runner set without annotation should be successful")

--- a/controllers/actions.github.com/ephemeralrunner_controller.go
+++ b/controllers/actions.github.com/ephemeralrunner_controller.go
@@ -70,7 +70,7 @@ func (r *EphemeralRunnerReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}

-	if !ephemeralRunner.DeletionTimestamp.IsZero() {
+	if !ephemeralRunner.ObjectMeta.DeletionTimestamp.IsZero() {
 		if !controllerutil.ContainsFinalizer(ephemeralRunner, ephemeralRunnerFinalizerName) {
 			return ctrl.Result{}, nil
 		}
@@ -319,7 +319,7 @@ func (r *EphemeralRunnerReconciler) cleanupResources(ctx context.Context, epheme
 	err := r.Get(ctx, types.NamespacedName{Namespace: ephemeralRunner.Namespace, Name: ephemeralRunner.Name}, pod)
 	switch {
 	case err == nil:
-		if pod.DeletionTimestamp.IsZero() {
+		if pod.ObjectMeta.DeletionTimestamp.IsZero() {
 			log.Info("Deleting the runner pod")
 			if err := r.Delete(ctx, pod); err != nil && !kerrors.IsNotFound(err) {
 				return fmt.Errorf("failed to delete pod: %w", err)
@@ -339,7 +339,7 @@ func (r *EphemeralRunnerReconciler) cleanupResources(ctx context.Context, epheme
 	err = r.Get(ctx, types.NamespacedName{Namespace: ephemeralRunner.Namespace, Name: ephemeralRunner.Name}, secret)
 	switch {
 	case err == nil:
-		if secret.DeletionTimestamp.IsZero() {
+		if secret.ObjectMeta.DeletionTimestamp.IsZero() {
 			log.Info("Deleting the jitconfig secret")
 			if err := r.Delete(ctx, secret); err != nil && !kerrors.IsNotFound(err) {
 				return fmt.Errorf("failed to delete secret: %w", err)
@@ -393,7 +393,7 @@ func (r *EphemeralRunnerReconciler) cleanupRunnerLinkedPods(ctx context.Context,
 	var errs []error
 	for i := range runnerLinkedPodList.Items {
 		linkedPod := &runnerLinkedPodList.Items[i]
-		if !linkedPod.DeletionTimestamp.IsZero() {
+		if !linkedPod.ObjectMeta.DeletionTimestamp.IsZero() {
 			continue
 		}

@@ -409,7 +409,7 @@ func (r *EphemeralRunnerReconciler) cleanupRunnerLinkedPods(ctx context.Context,
 func (r *EphemeralRunnerReconciler) cleanupRunnerLinkedSecrets(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) error {
 	runnerLinkedLabels := client.MatchingLabels(
 		map[string]string{
-			"runner-pod": ephemeralRunner.Name,
+			"runner-pod": ephemeralRunner.ObjectMeta.Name,
 		},
 	)
 	var runnerLinkedSecretList corev1.SecretList
@@ -427,7 +427,7 @@ func (r *EphemeralRunnerReconciler) cleanupRunnerLinkedSecrets(ctx context.Conte
 	var errs []error
 	for i := range runnerLinkedSecretList.Items {
 		s := &runnerLinkedSecretList.Items[i]
-		if !s.DeletionTimestamp.IsZero() {
+		if !s.ObjectMeta.DeletionTimestamp.IsZero() {
 			continue
 		}

@@ -474,7 +474,7 @@ func (r *EphemeralRunnerReconciler) markAsFinished(ctx context.Context, ephemera
 // deletePodAsFailed is responsible for deleting the pod and updating the .Status.Failures for tracking failure count.
 // It should not be responsible for setting the status to Failed.
 func (r *EphemeralRunnerReconciler) deletePodAsFailed(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, pod *corev1.Pod, log logr.Logger) error {
-	if pod.DeletionTimestamp.IsZero() {
+	if pod.ObjectMeta.DeletionTimestamp.IsZero() {
 		log.Info("Deleting the ephemeral runner pod", "podId", pod.UID)
 		if err := r.Delete(ctx, pod); err != nil && !kerrors.IsNotFound(err) {
 			return fmt.Errorf("failed to delete pod with status failed: %w", err)
@@ -640,7 +640,7 @@ func (r *EphemeralRunnerReconciler) createPod(ctx context.Context, runner *v1alp
 	}

 	log.Info("Creating new pod for ephemeral runner")
-	newPod := r.newEphemeralRunnerPod(ctx, runner, secret, envs...)
+	newPod := r.ResourceBuilder.newEphemeralRunnerPod(ctx, runner, secret, envs...)

 	if err := ctrl.SetControllerReference(runner, newPod, r.Scheme); err != nil {
 		log.Error(err, "Failed to set controller reference to a new pod")
@@ -665,7 +665,7 @@ func (r *EphemeralRunnerReconciler) createPod(ctx context.Context, runner *v1alp

 func (r *EphemeralRunnerReconciler) createSecret(ctx context.Context, runner *v1alpha1.EphemeralRunner, log logr.Logger) (*ctrl.Result, error) {
 	log.Info("Creating new secret for ephemeral runner")
-	jitSecret := r.newEphemeralRunnerJitSecret(runner)
+	jitSecret := r.ResourceBuilder.newEphemeralRunnerJitSecret(runner)

 	if err := ctrl.SetControllerReference(runner, jitSecret, r.Scheme); err != nil {
 		return &ctrl.Result{}, fmt.Errorf("failed to set controller reference: %w", err)
--- a/controllers/actions.github.com/ephemeralrunnerset_controller.go
+++ b/controllers/actions.github.com/ephemeralrunnerset_controller.go
@@ -83,7 +83,7 @@ func (r *EphemeralRunnerSetReconciler) Reconcile(ctx context.Context, req ctrl.R
 	}

 	// Requested deletion does not need reconciled.
-	if !ephemeralRunnerSet.DeletionTimestamp.IsZero() {
+	if !ephemeralRunnerSet.ObjectMeta.DeletionTimestamp.IsZero() {
 		if !controllerutil.ContainsFinalizer(ephemeralRunnerSet, ephemeralRunnerSetFinalizerName) {
 			return ctrl.Result{}, nil
 		}
@@ -360,7 +360,7 @@ func (r *EphemeralRunnerSetReconciler) createEphemeralRunners(ctx context.Contex
 	// Track multiple errors at once and return the bundle.
 	errs := make([]error, 0)
 	for i := 0; i < count; i++ {
-		ephemeralRunner := r.newEphemeralRunner(runnerSet)
+		ephemeralRunner := r.ResourceBuilder.newEphemeralRunner(runnerSet)
 		if runnerSet.Spec.EphemeralRunnerSpec.Proxy != nil {
 			ephemeralRunner.Spec.ProxySecretRef = proxyEphemeralRunnerSetSecretName(runnerSet)
 		}
@@ -641,7 +641,7 @@ func newEphemeralRunnerState(ephemeralRunnerList *v1alpha1.EphemeralRunnerList)
 		if err == nil && patchID > ephemeralRunnerState.latestPatchID {
 			ephemeralRunnerState.latestPatchID = patchID
 		}
-		if !r.DeletionTimestamp.IsZero() {
+		if !r.ObjectMeta.DeletionTimestamp.IsZero() {
 			ephemeralRunnerState.deleting = append(ephemeralRunnerState.deleting, r)
 			continue
 		}
--- a/controllers/actions.github.com/resourcebuilder.go
+++ b/controllers/actions.github.com/resourcebuilder.go
@@ -78,7 +78,13 @@ func boolPtr(v bool) *bool {
 	return &v
 }

-func (b *ResourceBuilder) newAutoScalingListener(autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet, ephemeralRunnerSet *v1alpha1.EphemeralRunnerSet, namespace, image string, imagePullSecrets []corev1.LocalObjectReference) (*v1alpha1.AutoscalingListener, error) {
+func (b *ResourceBuilder) newAutoScalingListener(
+	autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet,
+	ephemeralRunnerSet *v1alpha1.EphemeralRunnerSet,
+	githubSecret *corev1.Secret,
+	namespace, image string,
+	imagePullSecrets []corev1.LocalObjectReference,
+) (*v1alpha1.AutoscalingListener, error) {
 	runnerScaleSetId, err := strconv.Atoi(autoscalingRunnerSet.Annotations[runnerScaleSetIdAnnotationKey])
 	if err != nil {
 		return nil, err
@@ -102,7 +108,7 @@ func (b *ResourceBuilder) newAutoScalingListener(autoscalingRunnerSet *v1alpha1.
 	})

 	annotations := map[string]string{
-		annotationKeyRunnerSpecHash: autoscalingRunnerSet.ListenerSpecHash(),
+		annotationKeyRunnerSpecHash: autoscalingRunnerSet.ListenerSpecHash(githubSecret),
 		annotationKeyValuesHash:     autoscalingRunnerSet.Annotations[annotationKeyValuesHash],
 	}

@@ -543,8 +549,8 @@ func (b *ResourceBuilder) newEphemeralRunnerSet(autoscalingRunnerSet *v1alpha1.A
 	newEphemeralRunnerSet := &v1alpha1.EphemeralRunnerSet{
 		TypeMeta: metav1.TypeMeta{},
 		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: autoscalingRunnerSet.Name + "-",
-			Namespace:    autoscalingRunnerSet.Namespace,
+			GenerateName: autoscalingRunnerSet.ObjectMeta.Name + "-",
+			Namespace:    autoscalingRunnerSet.ObjectMeta.Namespace,
 			Labels:       labels,
 			Annotations:  newAnnotations,
 			OwnerReferences: []metav1.OwnerReference{
@@ -617,18 +623,18 @@ func (b *ResourceBuilder) newEphemeralRunnerPod(ctx context.Context, runner *v1a
 	labels := map[string]string{}
 	annotations := map[string]string{}

-	for k, v := range runner.Labels {
+	for k, v := range runner.ObjectMeta.Labels {
 		labels[k] = v
 	}
-	for k, v := range runner.Spec.Labels {
+	for k, v := range runner.Spec.PodTemplateSpec.Labels {
 		labels[k] = v
 	}
 	labels["actions-ephemeral-runner"] = string(corev1.ConditionTrue)

-	for k, v := range runner.Annotations {
+	for k, v := range runner.ObjectMeta.Annotations {
 		annotations[k] = v
 	}
-	for k, v := range runner.Spec.Annotations {
+	for k, v := range runner.Spec.PodTemplateSpec.Annotations {
 		annotations[k] = v
 	}

@@ -640,8 +646,8 @@ func (b *ResourceBuilder) newEphemeralRunnerPod(ctx context.Context, runner *v1a
 	)

 	objectMeta := metav1.ObjectMeta{
-		Name:        runner.Name,
-		Namespace:   runner.Namespace,
+		Name:        runner.ObjectMeta.Name,
+		Namespace:   runner.ObjectMeta.Namespace,
 		Labels:      labels,
 		Annotations: annotations,
 		OwnerReferences: []metav1.OwnerReference{
@@ -657,10 +663,10 @@ func (b *ResourceBuilder) newEphemeralRunnerPod(ctx context.Context, runner *v1a
 	}

 	newPod.ObjectMeta = objectMeta
-	newPod.Spec = runner.Spec.Spec
-	newPod.Spec.Containers = make([]corev1.Container, 0, len(runner.Spec.Spec.Containers))
+	newPod.Spec = runner.Spec.PodTemplateSpec.Spec
+	newPod.Spec.Containers = make([]corev1.Container, 0, len(runner.Spec.PodTemplateSpec.Spec.Containers))

-	for _, c := range runner.Spec.Spec.Containers {
+	for _, c := range runner.Spec.PodTemplateSpec.Spec.Containers {
 		if c.Name == v1alpha1.EphemeralRunnerContainerName {
 			c.Env = append(
 				c.Env,
--- a/controllers/actions.github.com/resourcebuilder_test.go
+++ b/controllers/actions.github.com/resourcebuilder_test.go
@@ -59,7 +59,24 @@ func TestLabelPropagation(t *testing.T) {
 	assert.Equal(t, autoscalingRunnerSet.Annotations[AnnotationKeyGitHubRunnerScaleSetName], ephemeralRunnerSet.Annotations[AnnotationKeyGitHubRunnerScaleSetName])
 	assert.Equal(t, autoscalingRunnerSet.Labels["arbitrary-label"], ephemeralRunnerSet.Labels["arbitrary-label"])

-	listener, err := b.newAutoScalingListener(&autoscalingRunnerSet, ephemeralRunnerSet, autoscalingRunnerSet.Namespace, "test:latest", nil)
+	githubSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-scale-set",
+			Namespace: "test-ns",
+		},
+		Data: map[string][]byte{
+			"github_token": []byte("github_token"),
+		},
+	}
+
+	listener, err := b.newAutoScalingListener(
+		&autoscalingRunnerSet,
+		ephemeralRunnerSet,
+		githubSecret,
+		autoscalingRunnerSet.Namespace,
+		"test:latest",
+		nil,
+	)
 	require.NoError(t, err)
 	assert.Equal(t, labelValueKubernetesPartOf, listener.Labels[LabelKeyKubernetesPartOf])
 	assert.Equal(t, "runner-scale-set-listener", listener.Labels[LabelKeyKubernetesComponent])
@@ -120,6 +137,16 @@ func TestGitHubURLTrimLabelValues(t *testing.T) {
 	organization := strings.Repeat("b", 64)
 	repository := strings.Repeat("c", 64)

+	githubSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-scale-set",
+			Namespace: "test-ns",
+		},
+		Data: map[string][]byte{
+			"github_token": []byte("github_token"),
+		},
+	}
+
 	autoscalingRunnerSet := v1alpha1.AutoscalingRunnerSet{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test-scale-set",
@@ -151,7 +178,14 @@ func TestGitHubURLTrimLabelValues(t *testing.T) {
 		assert.True(t, strings.HasSuffix(ephemeralRunnerSet.Labels[LabelKeyGitHubOrganization], trimLabelVauleSuffix))
 		assert.True(t, strings.HasSuffix(ephemeralRunnerSet.Labels[LabelKeyGitHubRepository], trimLabelVauleSuffix))

-		listener, err := b.newAutoScalingListener(autoscalingRunnerSet, ephemeralRunnerSet, autoscalingRunnerSet.Namespace, "test:latest", nil)
+		listener, err := b.newAutoScalingListener(
+			autoscalingRunnerSet,
+			ephemeralRunnerSet,
+			githubSecret,
+			autoscalingRunnerSet.Namespace,
+			"test:latest",
+			nil,
+		)
 		require.NoError(t, err)
 		assert.Len(t, listener.Labels[LabelKeyGitHubEnterprise], 0)
 		assert.Len(t, listener.Labels[LabelKeyGitHubOrganization], 63)
@@ -174,7 +208,14 @@ func TestGitHubURLTrimLabelValues(t *testing.T) {
 		assert.Len(t, ephemeralRunnerSet.Labels[LabelKeyGitHubOrganization], 0)
 		assert.Len(t, ephemeralRunnerSet.Labels[LabelKeyGitHubRepository], 0)

-		listener, err := b.newAutoScalingListener(autoscalingRunnerSet, ephemeralRunnerSet, autoscalingRunnerSet.Namespace, "test:latest", nil)
+		listener, err := b.newAutoScalingListener(
+			autoscalingRunnerSet,
+			ephemeralRunnerSet,
+			githubSecret,
+			autoscalingRunnerSet.Namespace,
+			"test:latest",
+			nil,
+		)
 		require.NoError(t, err)
 		assert.Len(t, listener.Labels[LabelKeyGitHubEnterprise], 63)
 		assert.True(t, strings.HasSuffix(ephemeralRunnerSet.Labels[LabelKeyGitHubEnterprise], trimLabelVauleSuffix))
--- a/controllers/actions.summerwind.net/autoscaling.go
+++ b/controllers/actions.summerwind.net/autoscaling.go
@@ -345,7 +345,7 @@ func (r *HorizontalRunnerAutoscalerReconciler) suggestReplicasByPercentageRunner
 	}

 	var runnerPodList corev1.PodList
-	if err := r.List(ctx, &runnerPodList, client.InNamespace(hra.Namespace), client.MatchingLabels(map[string]string{
+	if err := r.Client.List(ctx, &runnerPodList, client.InNamespace(hra.Namespace), client.MatchingLabels(map[string]string{
 		kindLabel: hra.Spec.ScaleTargetRef.Name,
 	})); err != nil {
 		return nil, err
--- a/controllers/actions.summerwind.net/autoscaling_test.go
+++ b/controllers/actions.summerwind.net/autoscaling_test.go
@@ -29,7 +29,7 @@ func newGithubClient(server *httptest.Server) *github.Client {
 	if err != nil {
 		panic(err)
 	}
-	client.BaseURL = baseURL
+	client.Client.BaseURL = baseURL

 	return client
 }
--- a/controllers/actions.summerwind.net/horizontal_runner_autoscaler_batch_scale.go
+++ b/controllers/actions.summerwind.net/horizontal_runner_autoscaler_batch_scale.go
@@ -82,8 +82,8 @@ func (s *batchScaler) Add(st *ScaleTarget) {
 						break batch
 					case st := <-s.queue:
 						nsName := types.NamespacedName{
-							Namespace: st.Namespace,
-							Name:      st.Name,
+							Namespace: st.HorizontalRunnerAutoscaler.Namespace,
+							Name:      st.HorizontalRunnerAutoscaler.Name,
 						}
 						b, ok := batches[nsName]
 						if !ok {
@@ -208,7 +208,7 @@ func (s *batchScaler) planBatchScale(ctx context.Context, batch batchScaleOperat
 			//
 			// In other words, updating HRA.spec.scaleTriggers[].duration does not result in delaying capacity reservations expiration any longer
 			// than the "intended" duration, which is the duration of the trigger when the reservation was created.
-			duration := copy.Spec.CapacityReservations[i].ExpirationTime.Sub(copy.Spec.CapacityReservations[i].EffectiveTime.Time)
+			duration := copy.Spec.CapacityReservations[i].ExpirationTime.Time.Sub(copy.Spec.CapacityReservations[i].EffectiveTime.Time)
 			copy.Spec.CapacityReservations[i].EffectiveTime = metav1.Time{Time: now}
 			copy.Spec.CapacityReservations[i].ExpirationTime = metav1.Time{Time: now.Add(duration)}
 		}
--- a/controllers/actions.summerwind.net/horizontal_runner_autoscaler_webhook.go
+++ b/controllers/actions.summerwind.net/horizontal_runner_autoscaler_webhook.go
@@ -503,13 +503,13 @@ func (autoscaler *HorizontalRunnerAutoscalerGitHubWebhook) getManagedRunnerGroup
 		switch kind {
 		case "RunnerSet":
 			var rs v1alpha1.RunnerSet
-			if err := autoscaler.Get(context.Background(), types.NamespacedName{Namespace: hra.Namespace, Name: hra.Spec.ScaleTargetRef.Name}, &rs); err != nil {
+			if err := autoscaler.Client.Get(context.Background(), types.NamespacedName{Namespace: hra.Namespace, Name: hra.Spec.ScaleTargetRef.Name}, &rs); err != nil {
 				return groups, err
 			}
 			o, e, g = rs.Spec.Organization, rs.Spec.Enterprise, rs.Spec.Group
 		case "RunnerDeployment", "":
 			var rd v1alpha1.RunnerDeployment
-			if err := autoscaler.Get(context.Background(), types.NamespacedName{Namespace: hra.Namespace, Name: hra.Spec.ScaleTargetRef.Name}, &rd); err != nil {
+			if err := autoscaler.Client.Get(context.Background(), types.NamespacedName{Namespace: hra.Namespace, Name: hra.Spec.ScaleTargetRef.Name}, &rd); err != nil {
 				return groups, err
 			}
 			o, e, g = rd.Spec.Template.Spec.Organization, rd.Spec.Template.Spec.Enterprise, rd.Spec.Template.Spec.Group
@@ -562,7 +562,7 @@ func (autoscaler *HorizontalRunnerAutoscalerGitHubWebhook) getJobScaleTarget(ctx

 HRA:
 	for _, hra := range hras {
-		if !hra.DeletionTimestamp.IsZero() {
+		if !hra.ObjectMeta.DeletionTimestamp.IsZero() {
 			continue
 		}

@@ -603,7 +603,7 @@ HRA:
 		case "RunnerSet":
 			var rs v1alpha1.RunnerSet

-			if err := autoscaler.Get(context.Background(), types.NamespacedName{Namespace: hra.Namespace, Name: hra.Spec.ScaleTargetRef.Name}, &rs); err != nil {
+			if err := autoscaler.Client.Get(context.Background(), types.NamespacedName{Namespace: hra.Namespace, Name: hra.Spec.ScaleTargetRef.Name}, &rs); err != nil {
 				return nil, err
 			}

@@ -634,7 +634,7 @@ HRA:
 		case "RunnerDeployment", "":
 			var rd v1alpha1.RunnerDeployment

-			if err := autoscaler.Get(context.Background(), types.NamespacedName{Namespace: hra.Namespace, Name: hra.Spec.ScaleTargetRef.Name}, &rd); err != nil {
+			if err := autoscaler.Client.Get(context.Background(), types.NamespacedName{Namespace: hra.Namespace, Name: hra.Spec.ScaleTargetRef.Name}, &rd); err != nil {
 				return nil, err
 			}

@@ -676,7 +676,7 @@ func getValidCapacityReservations(autoscaler *v1alpha1.HorizontalRunnerAutoscale
 	now := time.Now()

 	for _, reservation := range autoscaler.Spec.CapacityReservations {
-		if reservation.ExpirationTime.After(now) {
+		if reservation.ExpirationTime.Time.After(now) {
 			capacityReservations = append(capacityReservations, reservation)
 		}
 	}
@@ -713,7 +713,7 @@ func (autoscaler *HorizontalRunnerAutoscalerGitHubWebhook) indexer(rawObj client
 	switch hra.Spec.ScaleTargetRef.Kind {
 	case "", "RunnerDeployment":
 		var rd v1alpha1.RunnerDeployment
-		if err := autoscaler.Get(context.Background(), types.NamespacedName{Namespace: hra.Namespace, Name: hra.Spec.ScaleTargetRef.Name}, &rd); err != nil {
+		if err := autoscaler.Client.Get(context.Background(), types.NamespacedName{Namespace: hra.Namespace, Name: hra.Spec.ScaleTargetRef.Name}, &rd); err != nil {
 			autoscaler.Log.V(1).Info(fmt.Sprintf("RunnerDeployment not found with scale target ref name %s for hra %s", hra.Spec.ScaleTargetRef.Name, hra.Name))
 			return nil
 		}
@@ -740,7 +740,7 @@ func (autoscaler *HorizontalRunnerAutoscalerGitHubWebhook) indexer(rawObj client
 		return keys
 	case "RunnerSet":
 		var rs v1alpha1.RunnerSet
-		if err := autoscaler.Get(context.Background(), types.NamespacedName{Namespace: hra.Namespace, Name: hra.Spec.ScaleTargetRef.Name}, &rs); err != nil {
+		if err := autoscaler.Client.Get(context.Background(), types.NamespacedName{Namespace: hra.Namespace, Name: hra.Spec.ScaleTargetRef.Name}, &rs); err != nil {
 			autoscaler.Log.V(1).Info(fmt.Sprintf("RunnerSet not found with scale target ref name %s for hra %s", hra.Spec.ScaleTargetRef.Name, hra.Name))
 			return nil
 		}
--- a/controllers/actions.summerwind.net/horizontalrunnerautoscaler_controller.go
+++ b/controllers/actions.summerwind.net/horizontalrunnerautoscaler_controller.go
@@ -71,7 +71,7 @@ func (r *HorizontalRunnerAutoscalerReconciler) Reconcile(ctx context.Context, re
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}

-	if !hra.DeletionTimestamp.IsZero() {
+	if !hra.ObjectMeta.DeletionTimestamp.IsZero() {
 		r.GitHubClient.DeinitForHRA(&hra)

 		return ctrl.Result{}, nil
@@ -91,7 +91,7 @@ func (r *HorizontalRunnerAutoscalerReconciler) Reconcile(ctx context.Context, re
 			return ctrl.Result{}, client.IgnoreNotFound(err)
 		}

-		if !rd.DeletionTimestamp.IsZero() {
+		if !rd.ObjectMeta.DeletionTimestamp.IsZero() {
 			return ctrl.Result{}, nil
 		}

@@ -120,14 +120,14 @@ func (r *HorizontalRunnerAutoscalerReconciler) Reconcile(ctx context.Context, re
 					copy.Spec.EffectiveTime = &metav1.Time{Time: *effectiveTime}
 				}

-				if err := r.Patch(ctx, copy, client.MergeFrom(&rd)); err != nil {
+				if err := r.Client.Patch(ctx, copy, client.MergeFrom(&rd)); err != nil {
 					return fmt.Errorf("patching runnerdeployment to have %d replicas: %w", newDesiredReplicas, err)
 				}
 			} else if ephemeral && effectiveTime != nil {
 				copy := rd.DeepCopy()
 				copy.Spec.EffectiveTime = &metav1.Time{Time: *effectiveTime}

-				if err := r.Patch(ctx, copy, client.MergeFrom(&rd)); err != nil {
+				if err := r.Client.Patch(ctx, copy, client.MergeFrom(&rd)); err != nil {
 					return fmt.Errorf("patching runnerdeployment to have %d replicas: %w", newDesiredReplicas, err)
 				}
 			}
@@ -142,7 +142,7 @@ func (r *HorizontalRunnerAutoscalerReconciler) Reconcile(ctx context.Context, re
 			return ctrl.Result{}, client.IgnoreNotFound(err)
 		}

-		if !rs.DeletionTimestamp.IsZero() {
+		if !rs.ObjectMeta.DeletionTimestamp.IsZero() {
 			return ctrl.Result{}, nil
 		}

@@ -160,7 +160,7 @@ func (r *HorizontalRunnerAutoscalerReconciler) Reconcile(ctx context.Context, re
 			org:        rs.Spec.Organization,
 			repo:       rs.Spec.Repository,
 			replicas:   replicas,
-			labels:     rs.Spec.Labels,
+			labels:     rs.Spec.RunnerConfig.Labels,
 			getRunnerMap: func() (map[string]struct{}, error) {
 				// return the list of runners in namespace. Horizontal Runner Autoscaler should only be responsible for scaling resources in its own ns.
 				var runnerPodList corev1.PodList
@@ -224,14 +224,14 @@ func (r *HorizontalRunnerAutoscalerReconciler) Reconcile(ctx context.Context, re
 					copy.Spec.EffectiveTime = &metav1.Time{Time: *effectiveTime}
 				}

-				if err := r.Patch(ctx, copy, client.MergeFrom(&rs)); err != nil {
+				if err := r.Client.Patch(ctx, copy, client.MergeFrom(&rs)); err != nil {
 					return fmt.Errorf("patching runnerset to have %d replicas: %w", newDesiredReplicas, err)
 				}
 			} else if ephemeral && effectiveTime != nil {
 				copy := rs.DeepCopy()
 				copy.Spec.EffectiveTime = &metav1.Time{Time: *effectiveTime}

-				if err := r.Patch(ctx, copy, client.MergeFrom(&rs)); err != nil {
+				if err := r.Client.Patch(ctx, copy, client.MergeFrom(&rs)); err != nil {
 					return fmt.Errorf("patching runnerset to have %d replicas: %w", newDesiredReplicas, err)
 				}
 			}
@@ -253,7 +253,7 @@ func (r *HorizontalRunnerAutoscalerReconciler) scaleTargetFromRD(ctx context.Con
 		org:        rd.Spec.Template.Spec.Organization,
 		repo:       rd.Spec.Template.Spec.Repository,
 		replicas:   rd.Spec.Replicas,
-		labels:     rd.Spec.Template.Spec.Labels,
+		labels:     rd.Spec.Template.Spec.RunnerConfig.Labels,
 		getRunnerMap: func() (map[string]struct{}, error) {
 			// return the list of runners in namespace. Horizontal Runner Autoscaler should only be responsible for scaling resources in its own ns.
 			var runnerList v1alpha1.RunnerList
@@ -484,7 +484,7 @@ func (r *HorizontalRunnerAutoscalerReconciler) computeReplicasWithCache(ghc *arc
 	var reserved int

 	for _, reservation := range hra.Spec.CapacityReservations {
-		if reservation.ExpirationTime.After(now) {
+		if reservation.ExpirationTime.Time.After(now) {
 			reserved += reservation.Replicas
 		}
 	}
--- a/controllers/actions.summerwind.net/runner_controller.go
+++ b/controllers/actions.summerwind.net/runner_controller.go
@@ -20,13 +20,12 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"k8s.io/apimachinery/pkg/api/resource"
 	"reflect"
 	"strconv"
 	"strings"
 	"time"

-	"k8s.io/apimachinery/pkg/api/resource"
-
 	"github.com/actions/actions-runner-controller/build"
 	"github.com/actions/actions-runner-controller/hash"
 	"github.com/go-logr/logr"
@@ -108,12 +107,12 @@ func (r *RunnerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}

-	if runner.DeletionTimestamp.IsZero() {
-		finalizers, added := addFinalizer(runner.Finalizers, finalizerName)
+	if runner.ObjectMeta.DeletionTimestamp.IsZero() {
+		finalizers, added := addFinalizer(runner.ObjectMeta.Finalizers, finalizerName)

 		if added {
 			newRunner := runner.DeepCopy()
-			newRunner.Finalizers = finalizers
+			newRunner.ObjectMeta.Finalizers = finalizers

 			if err := r.Update(ctx, newRunner); err != nil {
 				log.Error(err, "Failed to update runner")
@@ -272,11 +271,11 @@ func ephemeralRunnerContainerStatus(pod *corev1.Pod) *corev1.ContainerStatus {
 }

 func (r *RunnerReconciler) processRunnerDeletion(runner v1alpha1.Runner, ctx context.Context, log logr.Logger, pod *corev1.Pod) (reconcile.Result, error) {
-	finalizers, removed := removeFinalizer(runner.Finalizers, finalizerName)
+	finalizers, removed := removeFinalizer(runner.ObjectMeta.Finalizers, finalizerName)

 	if removed {
 		newRunner := runner.DeepCopy()
-		newRunner.Finalizers = finalizers
+		newRunner.ObjectMeta.Finalizers = finalizers

 		if err := r.Patch(ctx, newRunner, client.MergeFrom(&runner)); err != nil {
 			log.Error(err, "Unable to remove finalizer")
@@ -306,8 +305,8 @@ func (r *RunnerReconciler) processRunnerCreation(ctx context.Context, runner v1a
 	if needsServiceAccount {
 		serviceAccount := &corev1.ServiceAccount{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      runner.Name,
-				Namespace: runner.Namespace,
+				Name:      runner.ObjectMeta.Name,
+				Namespace: runner.ObjectMeta.Namespace,
 			},
 		}
 		if res := r.createObject(ctx, serviceAccount, serviceAccount.ObjectMeta, &runner, log); res != nil {
@@ -322,7 +321,7 @@ func (r *RunnerReconciler) processRunnerCreation(ctx context.Context, runner v1a
 					APIGroups:     []string{"actions.summerwind.dev"},
 					Resources:     []string{"runners/status"},
 					Verbs:         []string{"get", "update", "patch"},
-					ResourceNames: []string{runner.Name},
+					ResourceNames: []string{runner.ObjectMeta.Name},
 				},
 			}...)
 		}
@@ -360,8 +359,8 @@ func (r *RunnerReconciler) processRunnerCreation(ctx context.Context, runner v1a

 		role := &rbacv1.Role{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      runner.Name,
-				Namespace: runner.Namespace,
+				Name:      runner.ObjectMeta.Name,
+				Namespace: runner.ObjectMeta.Namespace,
 			},
 			Rules: rules,
 		}
@@ -371,19 +370,19 @@ func (r *RunnerReconciler) processRunnerCreation(ctx context.Context, runner v1a

 		roleBinding := &rbacv1.RoleBinding{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      runner.Name,
-				Namespace: runner.Namespace,
+				Name:      runner.ObjectMeta.Name,
+				Namespace: runner.ObjectMeta.Namespace,
 			},
 			RoleRef: rbacv1.RoleRef{
 				APIGroup: "rbac.authorization.k8s.io",
 				Kind:     "Role",
-				Name:     runner.Name,
+				Name:     runner.ObjectMeta.Name,
 			},
 			Subjects: []rbacv1.Subject{
 				{
 					Kind:      "ServiceAccount",
-					Name:      runner.Name,
-					Namespace: runner.Namespace,
+					Name:      runner.ObjectMeta.Name,
+					Namespace: runner.ObjectMeta.Namespace,
 				},
 			},
 		}
@@ -483,7 +482,7 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {

 	labels := map[string]string{}

-	for k, v := range runner.Labels {
+	for k, v := range runner.ObjectMeta.Labels {
 		labels[k] = v
 	}

@@ -512,8 +511,8 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 	//
 	//     See https://github.com/actions/actions-runner-controller/issues/143 for more context.
 	labels[LabelKeyPodTemplateHash] = hash.FNVHashStringObjects(
-		filterLabels(runner.Labels, LabelKeyRunnerTemplateHash),
-		runner.Annotations,
+		filterLabels(runner.ObjectMeta.Labels, LabelKeyRunnerTemplateHash),
+		runner.ObjectMeta.Annotations,
 		runner.Spec,
 		ghc.GithubBaseURL,
 		// Token change should trigger replacement.
@@ -524,10 +523,10 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 	)

 	objectMeta := metav1.ObjectMeta{
-		Name:        runner.Name,
-		Namespace:   runner.Namespace,
+		Name:        runner.ObjectMeta.Name,
+		Namespace:   runner.ObjectMeta.Namespace,
 		Labels:      labels,
-		Annotations: runner.Annotations,
+		Annotations: runner.ObjectMeta.Annotations,
 	}

 	template.ObjectMeta = objectMeta
@@ -650,7 +649,7 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 	if runnerSpec.ServiceAccountName != "" {
 		pod.Spec.ServiceAccountName = runnerSpec.ServiceAccountName
 	} else if r.RunnerPodDefaults.UseRunnerStatusUpdateHook || runner.Spec.ContainerMode == "kubernetes" {
-		pod.Spec.ServiceAccountName = runner.Name
+		pod.Spec.ServiceAccountName = runner.ObjectMeta.Name
 	}

 	if runnerSpec.AutomountServiceAccountToken != nil {
@@ -705,7 +704,7 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 		pod.Spec.RuntimeClassName = runnerSpec.RuntimeClassName
 	}

-	pod.Name = runner.Name
+	pod.ObjectMeta.Name = runner.ObjectMeta.Name

 	// Inject the registration token and the runner name
 	updated := mutatePod(&pod, runner.Status.Registration.Token)
@@ -721,7 +720,7 @@ func mutatePod(pod *corev1.Pod, token string) *corev1.Pod {
 	updated := pod.DeepCopy()

 	if getRunnerEnv(pod, EnvVarRunnerName) == "" {
-		setRunnerEnv(updated, EnvVarRunnerName, pod.Name)
+		setRunnerEnv(updated, EnvVarRunnerName, pod.ObjectMeta.Name)
 	}

 	if getRunnerEnv(pod, EnvVarRunnerToken) == "" {
@@ -771,11 +770,11 @@ func runnerHookEnvs(pod *corev1.Pod) ([]corev1.EnvVar, error) {

 func newRunnerPodWithContainerMode(containerMode string, template corev1.Pod, runnerSpec v1alpha1.RunnerConfig, githubBaseURL string, d RunnerPodDefaults) (corev1.Pod, error) {
 	var (
-		privileged                = true
-		dockerdInRunner           = runnerSpec.DockerdWithinRunnerContainer != nil && *runnerSpec.DockerdWithinRunnerContainer
-		dockerEnabled             = runnerSpec.DockerEnabled == nil || *runnerSpec.DockerEnabled
-		ephemeral                 = runnerSpec.Ephemeral == nil || *runnerSpec.Ephemeral
-		dockerdInRunnerPrivileged = dockerdInRunner
+		privileged                bool = true
+		dockerdInRunner           bool = runnerSpec.DockerdWithinRunnerContainer != nil && *runnerSpec.DockerdWithinRunnerContainer
+		dockerEnabled             bool = runnerSpec.DockerEnabled == nil || *runnerSpec.DockerEnabled
+		ephemeral                 bool = runnerSpec.Ephemeral == nil || *runnerSpec.Ephemeral
+		dockerdInRunnerPrivileged bool = dockerdInRunner

 		defaultRunnerImage            = d.RunnerImage
 		defaultRunnerImagePullSecrets = d.RunnerImagePullSecrets
@@ -798,10 +797,10 @@ func newRunnerPodWithContainerMode(containerMode string, template corev1.Pod, ru
 	template = *template.DeepCopy()

 	// This label selector is used by default when rd.Spec.Selector is empty.
-	template.Labels = CloneAndAddLabel(template.Labels, LabelKeyRunner, "")
-	template.Labels = CloneAndAddLabel(template.Labels, LabelKeyPodMutation, LabelValuePodMutation)
+	template.ObjectMeta.Labels = CloneAndAddLabel(template.ObjectMeta.Labels, LabelKeyRunner, "")
+	template.ObjectMeta.Labels = CloneAndAddLabel(template.ObjectMeta.Labels, LabelKeyPodMutation, LabelValuePodMutation)
 	if runnerSpec.GitHubAPICredentialsFrom != nil {
-		template.Annotations = CloneAndAddLabel(template.Annotations, annotationKeyGitHubAPICredsSecret, runnerSpec.GitHubAPICredentialsFrom.SecretRef.Name)
+		template.ObjectMeta.Annotations = CloneAndAddLabel(template.ObjectMeta.Annotations, annotationKeyGitHubAPICredsSecret, runnerSpec.GitHubAPICredentialsFrom.SecretRef.Name)
 	}

 	workDir := runnerSpec.WorkDir
@@ -888,11 +887,10 @@ func newRunnerPodWithContainerMode(containerMode string, template corev1.Pod, ru

 	for i := range template.Spec.Containers {
 		c := template.Spec.Containers[i]
-		switch c.Name {
-		case containerName:
+		if c.Name == containerName {
 			runnerContainerIndex = i
 			runnerContainer = &c
-		case "docker":
+		} else if c.Name == "docker" {
 			dockerdContainerIndex = i
 			dockerdContainer = &c
 		}
@@ -1366,7 +1364,7 @@ func applyWorkVolumeClaimTemplateToPod(pod *corev1.Pod, workVolumeClaimTemplate
 	}
 	for i := range pod.Spec.Volumes {
 		if pod.Spec.Volumes[i].Name == "work" {
-			return fmt.Errorf("work volume should not be specified in container mode kubernetes. workVolumeClaimTemplate field should be used instead")
+			return fmt.Errorf("Work volume should not be specified in container mode kubernetes. workVolumeClaimTemplate field should be used instead.")
 		}
 	}
 	pod.Spec.Volumes = append(pod.Spec.Volumes, workVolumeClaimTemplate.V1Volume())
--- a/controllers/actions.summerwind.net/runner_pod_controller.go
+++ b/controllers/actions.summerwind.net/runner_pod_controller.go
@@ -79,7 +79,7 @@ func (r *RunnerPodReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 	}

 	if len(envvars) == 0 {
-		return ctrl.Result{}, errors.New("could not determine env vars for runner Pod")
+		return ctrl.Result{}, errors.New("Could not determine env vars for runner Pod")
 	}

 	var enterprise, org, repo string
@@ -103,8 +103,8 @@ func (r *RunnerPodReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 		return ctrl.Result{}, err
 	}

-	if runnerPod.DeletionTimestamp.IsZero() {
-		finalizers, added := addFinalizer(runnerPod.Finalizers, runnerPodFinalizerName)
+	if runnerPod.ObjectMeta.DeletionTimestamp.IsZero() {
+		finalizers, added := addFinalizer(runnerPod.ObjectMeta.Finalizers, runnerPodFinalizerName)

 		var cleanupFinalizersAdded bool
 		if isContainerMode {
@@ -113,7 +113,7 @@ func (r *RunnerPodReconciler) Reconcile(ctx context.Context, req ctrl.Request) (

 		if added || cleanupFinalizersAdded {
 			newRunner := runnerPod.DeepCopy()
-			newRunner.Finalizers = finalizers
+			newRunner.ObjectMeta.Finalizers = finalizers

 			if err := r.Patch(ctx, newRunner, client.MergeFrom(&runnerPod)); err != nil {
 				log.Error(err, "Failed to update runner")
@@ -142,7 +142,7 @@ func (r *RunnerPodReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 			}
 		}

-		if finalizers, removed := removeFinalizer(runnerPod.Finalizers, runnerLinkedResourcesFinalizerName); removed {
+		if finalizers, removed := removeFinalizer(runnerPod.ObjectMeta.Finalizers, runnerLinkedResourcesFinalizerName); removed {
 			if err := r.cleanupRunnerLinkedPods(ctx, &runnerPod, log); err != nil {
 				log.Info("Runner-linked pods clean up that has failed due to an error. If this persists, please manually remove the runner-linked pods to unblock ARC", "err", err.Error())
 				return ctrl.Result{Requeue: true, RequeueAfter: 30 * time.Second}, nil
@@ -152,7 +152,7 @@ func (r *RunnerPodReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 				return ctrl.Result{Requeue: true, RequeueAfter: 30 * time.Second}, nil
 			}
 			patchedPod := runnerPod.DeepCopy()
-			patchedPod.Finalizers = finalizers
+			patchedPod.ObjectMeta.Finalizers = finalizers

 			if err := r.Patch(ctx, patchedPod, client.MergeFrom(&runnerPod)); err != nil {
 				log.Error(err, "Failed to update runner for finalizer linked resources removal")
@@ -163,7 +163,7 @@ func (r *RunnerPodReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 			runnerPod = *patchedPod
 		}

-		finalizers, removed := removeFinalizer(runnerPod.Finalizers, runnerPodFinalizerName)
+		finalizers, removed := removeFinalizer(runnerPod.ObjectMeta.Finalizers, runnerPodFinalizerName)

 		if removed {
 			// In a standard scenario, the upstream controller, like runnerset-controller, ensures this runner to be gracefully stopped before the deletion timestamp is set.
@@ -175,7 +175,7 @@ func (r *RunnerPodReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 			}

 			patchedPod := updatedPod.DeepCopy()
-			patchedPod.Finalizers = finalizers
+			patchedPod.ObjectMeta.Finalizers = finalizers

 			// We commit the removal of the finalizer so that Kuberenetes notices it and delete the pod resource from the cluster.
 			if err := r.Patch(ctx, patchedPod, client.MergeFrom(&runnerPod)); err != nil {
@@ -284,7 +284,7 @@ func (r *RunnerPodReconciler) cleanupRunnerLinkedPods(ctx context.Context, pod *
 	var runnerLinkedPodList corev1.PodList
 	if err := r.List(ctx, &runnerLinkedPodList, client.InNamespace(pod.Namespace), client.MatchingLabels(
 		map[string]string{
-			"runner-pod": pod.Name,
+			"runner-pod": pod.ObjectMeta.Name,
 		},
 	)); err != nil {
 		return fmt.Errorf("failed to list runner-linked pods: %w", err)
@@ -295,7 +295,7 @@ func (r *RunnerPodReconciler) cleanupRunnerLinkedPods(ctx context.Context, pod *
 		errs []error
 	)
 	for _, p := range runnerLinkedPodList.Items {
-		if !p.DeletionTimestamp.IsZero() {
+		if !p.ObjectMeta.DeletionTimestamp.IsZero() {
 			continue
 		}

@@ -307,7 +307,7 @@ func (r *RunnerPodReconciler) cleanupRunnerLinkedPods(ctx context.Context, pod *
 				if kerrors.IsNotFound(err) || kerrors.IsGone(err) {
 					return
 				}
-				errs = append(errs, fmt.Errorf("delete pod %q error: %v", p.Name, err))
+				errs = append(errs, fmt.Errorf("delete pod %q error: %v", p.ObjectMeta.Name, err))
 			}
 		}()
 	}
@@ -330,7 +330,7 @@ func (r *RunnerPodReconciler) cleanupRunnerLinkedSecrets(ctx context.Context, po
 	var runnerLinkedSecretList corev1.SecretList
 	if err := r.List(ctx, &runnerLinkedSecretList, client.InNamespace(pod.Namespace), client.MatchingLabels(
 		map[string]string{
-			"runner-pod": pod.Name,
+			"runner-pod": pod.ObjectMeta.Name,
 		},
 	)); err != nil {
 		return fmt.Errorf("failed to list runner-linked secrets: %w", err)
@@ -341,7 +341,7 @@ func (r *RunnerPodReconciler) cleanupRunnerLinkedSecrets(ctx context.Context, po
 		errs []error
 	)
 	for _, s := range runnerLinkedSecretList.Items {
-		if !s.DeletionTimestamp.IsZero() {
+		if !s.ObjectMeta.DeletionTimestamp.IsZero() {
 			continue
 		}

@@ -353,7 +353,7 @@ func (r *RunnerPodReconciler) cleanupRunnerLinkedSecrets(ctx context.Context, po
 				if kerrors.IsNotFound(err) || kerrors.IsGone(err) {
 					return
 				}
-				errs = append(errs, fmt.Errorf("delete secret %q error: %v", s.Name, err))
+				errs = append(errs, fmt.Errorf("delete secret %q error: %v", s.ObjectMeta.Name, err))
 			}
 		}()
 	}
--- a/controllers/actions.summerwind.net/runner_pod_owner.go
+++ b/controllers/actions.summerwind.net/runner_pod_owner.go
@@ -90,7 +90,7 @@ var _ owner = (*ownerStatefulSet)(nil)
 func (s *ownerStatefulSet) pods(ctx context.Context, c client.Client) ([]corev1.Pod, error) {
 	var podList corev1.PodList

-	if err := c.List(ctx, &podList, client.MatchingLabels(s.StatefulSet.Spec.Template.Labels)); err != nil {
+	if err := c.List(ctx, &podList, client.MatchingLabels(s.StatefulSet.Spec.Template.ObjectMeta.Labels)); err != nil {
 		s.Log.Error(err, "Failed to list pods managed by statefulset")
 		return nil, err
 	}
--- a/controllers/actions.summerwind.net/runnerdeployment_controller.go
+++ b/controllers/actions.summerwind.net/runnerdeployment_controller.go
@@ -73,7 +73,7 @@ func (r *RunnerDeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}

-	if !rd.DeletionTimestamp.IsZero() {
+	if !rd.ObjectMeta.DeletionTimestamp.IsZero() {
 		return ctrl.Result{}, nil
 	}

@@ -112,7 +112,7 @@ func (r *RunnerDeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 	}

 	if newestSet == nil {
-		if err := r.Create(ctx, desiredRS); err != nil {
+		if err := r.Client.Create(ctx, desiredRS); err != nil {
 			log.Error(err, "Failed to create runnerreplicaset resource")

 			return ctrl.Result{}, err
@@ -138,7 +138,7 @@ func (r *RunnerDeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 	}

 	if newestTemplateHash != desiredTemplateHash {
-		if err := r.Create(ctx, desiredRS); err != nil {
+		if err := r.Client.Create(ctx, desiredRS); err != nil {
 			log.Error(err, "Failed to create runnerreplicaset resource")

 			return ctrl.Result{}, err
@@ -159,7 +159,7 @@ func (r *RunnerDeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		// but we still need to update the existing replicaset with it.
 		// Otherwise selector-based runner query will never work on replicasets created before the controller v0.17.0
 		// See https://github.com/actions/actions-runner-controller/pull/355#discussion_r585379259
-		if err := r.Update(ctx, updateSet); err != nil {
+		if err := r.Client.Update(ctx, updateSet); err != nil {
 			log.Error(err, "Failed to update runnerreplicaset resource")

 			return ctrl.Result{}, err
@@ -195,7 +195,7 @@ func (r *RunnerDeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		newestSet.Spec.Replicas = &newDesiredReplicas
 		newestSet.Spec.EffectiveTime = rd.Spec.EffectiveTime

-		if err := r.Update(ctx, newestSet); err != nil {
+		if err := r.Client.Update(ctx, newestSet); err != nil {
 			log.Error(err, "Failed to update runnerreplicaset resource")

 			return ctrl.Result{}, err
@@ -257,7 +257,7 @@ func (r *RunnerDeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 				updated := rs.DeepCopy()
 				zero := 0
 				updated.Spec.Replicas = &zero
-				if err := r.Update(ctx, updated); err != nil {
+				if err := r.Client.Update(ctx, updated); err != nil {
 					rslog.Error(err, "Failed to scale runnerreplicaset to zero")

 					return ctrl.Result{}, err
@@ -268,7 +268,7 @@ func (r *RunnerDeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 				continue
 			}

-			if err := r.Delete(ctx, &rs); err != nil {
+			if err := r.Client.Delete(ctx, &rs); err != nil {
 				rslog.Error(err, "Failed to delete runnerreplicaset resource")

 				return ctrl.Result{}, err
@@ -445,10 +445,10 @@ func newRunnerReplicaSet(rd *v1alpha1.RunnerDeployment, commonRunnerLabels []str
 	templateHash := ComputeHash(&newRSTemplate)

 	// Add template hash label to selector.
-	newRSTemplate.Labels = CloneAndAddLabel(newRSTemplate.Labels, LabelKeyRunnerTemplateHash, templateHash)
+	newRSTemplate.ObjectMeta.Labels = CloneAndAddLabel(newRSTemplate.ObjectMeta.Labels, LabelKeyRunnerTemplateHash, templateHash)

 	// This label selector is used by default when rd.Spec.Selector is empty.
-	newRSTemplate.Labels = CloneAndAddLabel(newRSTemplate.Labels, LabelKeyRunnerDeploymentName, rd.Name)
+	newRSTemplate.ObjectMeta.Labels = CloneAndAddLabel(newRSTemplate.ObjectMeta.Labels, LabelKeyRunnerDeploymentName, rd.Name)

 	selector := getSelector(rd)

@@ -457,9 +457,9 @@ func newRunnerReplicaSet(rd *v1alpha1.RunnerDeployment, commonRunnerLabels []str
 	rs := v1alpha1.RunnerReplicaSet{
 		TypeMeta: metav1.TypeMeta{},
 		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: rd.Name + "-",
-			Namespace:    rd.Namespace,
-			Labels:       newRSTemplate.Labels,
+			GenerateName: rd.ObjectMeta.Name + "-",
+			Namespace:    rd.ObjectMeta.Namespace,
+			Labels:       newRSTemplate.ObjectMeta.Labels,
 		},
 		Spec: v1alpha1.RunnerReplicaSetSpec{
 			Replicas:      rd.Spec.Replicas,
--- a/controllers/actions.summerwind.net/runnerreplicaset_controller.go
+++ b/controllers/actions.summerwind.net/runnerreplicaset_controller.go
@@ -62,7 +62,7 @@ func (r *RunnerReplicaSetReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}

-	if !rs.DeletionTimestamp.IsZero() {
+	if !rs.ObjectMeta.DeletionTimestamp.IsZero() {
 		// RunnerReplicaSet cannot be gracefuly removed.
 		// That means any runner that is running a job can be prematurely terminated.
 		// To gracefully remove a RunnerReplicaSet, scale it down to zero first, observe RunnerReplicaSet's status replicas,
@@ -70,14 +70,14 @@ func (r *RunnerReplicaSetReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		return ctrl.Result{}, nil
 	}

-	if rs.Labels == nil {
-		rs.Labels = map[string]string{}
+	if rs.ObjectMeta.Labels == nil {
+		rs.ObjectMeta.Labels = map[string]string{}
 	}

 	// Template hash is usually set by the upstream controller(RunnerDeplloyment controller) on authoring
 	// RunerReplicaset resource, but it may be missing when the user directly created RunnerReplicaSet.
 	// As a template hash is required by by the runner replica management, we dynamically add it here without ever persisting it.
-	if rs.Labels[LabelKeyRunnerTemplateHash] == "" {
+	if rs.ObjectMeta.Labels[LabelKeyRunnerTemplateHash] == "" {
 		template := rs.Spec.DeepCopy()
 		template.Replicas = nil
 		template.EffectiveTime = nil
@@ -85,8 +85,8 @@ func (r *RunnerReplicaSetReconciler) Reconcile(ctx context.Context, req ctrl.Req

 		log.Info("Using auto-generated template hash", "value", templateHash)

-		rs.Labels = CloneAndAddLabel(rs.Labels, LabelKeyRunnerTemplateHash, templateHash)
-		rs.Spec.Template.Labels = CloneAndAddLabel(rs.Spec.Template.Labels, LabelKeyRunnerTemplateHash, templateHash)
+		rs.ObjectMeta.Labels = CloneAndAddLabel(rs.ObjectMeta.Labels, LabelKeyRunnerTemplateHash, templateHash)
+		rs.Spec.Template.ObjectMeta.Labels = CloneAndAddLabel(rs.Spec.Template.ObjectMeta.Labels, LabelKeyRunnerTemplateHash, templateHash)
 	}

 	selector, err := metav1.LabelSelectorAsSelector(rs.Spec.Selector)
@@ -169,8 +169,8 @@ func (r *RunnerReplicaSetReconciler) newRunner(rs v1alpha1.RunnerReplicaSet) (v1
 	// the "runner template hash" label to the template.meta which is necessary to make this controller work correctly
 	objectMeta := rs.Spec.Template.ObjectMeta.DeepCopy()

-	objectMeta.GenerateName = rs.Name + "-"
-	objectMeta.Namespace = rs.Namespace
+	objectMeta.GenerateName = rs.ObjectMeta.Name + "-"
+	objectMeta.Namespace = rs.ObjectMeta.Namespace
 	if objectMeta.Annotations == nil {
 		objectMeta.Annotations = map[string]string{}
 	}
--- a/controllers/actions.summerwind.net/runnerset_controller.go
+++ b/controllers/actions.summerwind.net/runnerset_controller.go
@@ -77,7 +77,7 @@ func (r *RunnerSetReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 		return ctrl.Result{}, err
 	}

-	if !runnerSet.DeletionTimestamp.IsZero() {
+	if !runnerSet.ObjectMeta.DeletionTimestamp.IsZero() {
 		r.GitHubClient.DeinitForRunnerSet(runnerSet)

 		return ctrl.Result{}, nil
@@ -191,11 +191,11 @@ func (r *RunnerSetReconciler) newStatefulSet(ctx context.Context, runnerSet *v1a
 	runnerSetWithOverrides.Labels = append(runnerSetWithOverrides.Labels, r.CommonRunnerLabels...)

 	template := corev1.Pod{
-		ObjectMeta: runnerSetWithOverrides.Template.ObjectMeta,
-		Spec:       runnerSetWithOverrides.Template.Spec,
+		ObjectMeta: runnerSetWithOverrides.StatefulSetSpec.Template.ObjectMeta,
+		Spec:       runnerSetWithOverrides.StatefulSetSpec.Template.Spec,
 	}

-	if runnerSet.Spec.ContainerMode == "kubernetes" {
+	if runnerSet.Spec.RunnerConfig.ContainerMode == "kubernetes" {
 		found := false
 		for i := range template.Spec.Containers {
 			if template.Spec.Containers[i].Name == containerName {
@@ -208,7 +208,7 @@ func (r *RunnerSetReconciler) newStatefulSet(ctx context.Context, runnerSet *v1a
 			})
 		}

-		workDir := runnerSet.Spec.WorkDir
+		workDir := runnerSet.Spec.RunnerConfig.WorkDir
 		if workDir == "" {
 			workDir = "/runner/_work"
 		}
@@ -219,7 +219,7 @@ func (r *RunnerSetReconciler) newStatefulSet(ctx context.Context, runnerSet *v1a
 		template.Spec.ServiceAccountName = runnerSet.Spec.ServiceAccountName
 	}

-	template.Labels = CloneAndAddLabel(template.Labels, LabelKeyRunnerSetName, runnerSet.Name)
+	template.ObjectMeta.Labels = CloneAndAddLabel(template.ObjectMeta.Labels, LabelKeyRunnerSetName, runnerSet.Name)

 	ghc, err := r.GitHubClient.InitForRunnerSet(ctx, runnerSet)
 	if err != nil {
@@ -228,38 +228,38 @@ func (r *RunnerSetReconciler) newStatefulSet(ctx context.Context, runnerSet *v1a

 	githubBaseURL := ghc.GithubBaseURL

-	pod, err := newRunnerPodWithContainerMode(runnerSet.Spec.ContainerMode, template, runnerSet.Spec.RunnerConfig, githubBaseURL, r.RunnerPodDefaults)
+	pod, err := newRunnerPodWithContainerMode(runnerSet.Spec.RunnerConfig.ContainerMode, template, runnerSet.Spec.RunnerConfig, githubBaseURL, r.RunnerPodDefaults)
 	if err != nil {
 		return nil, err
 	}

-	runnerSetWithOverrides.Template.ObjectMeta = pod.ObjectMeta
-	runnerSetWithOverrides.Template.Spec = pod.Spec
+	runnerSetWithOverrides.StatefulSetSpec.Template.ObjectMeta = pod.ObjectMeta
+	runnerSetWithOverrides.StatefulSetSpec.Template.Spec = pod.Spec
 	// NOTE: Seems like the only supported restart policy for statefulset is "Always"?
 	// I got errosr like the below when tried to use "OnFailure":
 	//   StatefulSet.apps \"example-runnersetpg9rx\" is invalid: [spec.template.metadata.labels: Invalid value: map[string]string{\"runner-template-hash\"
 	//   :\"85d7578bd6\", \"runnerset-name\":\"example-runnerset\"}: `selector` does not match template `labels`, spec.
 	//   template.spec.restartPolicy: Unsupported value: \"OnFailure\": supported values: \"Always\"]
-	runnerSetWithOverrides.Template.Spec.RestartPolicy = corev1.RestartPolicyAlways
+	runnerSetWithOverrides.StatefulSetSpec.Template.Spec.RestartPolicy = corev1.RestartPolicyAlways

 	templateHash := ComputeHash(pod.Spec)

 	// Add template hash label to selector.
-	runnerSetWithOverrides.Template.Labels = CloneAndAddLabel(runnerSetWithOverrides.Template.Labels, LabelKeyRunnerTemplateHash, templateHash)
+	runnerSetWithOverrides.Template.ObjectMeta.Labels = CloneAndAddLabel(runnerSetWithOverrides.Template.ObjectMeta.Labels, LabelKeyRunnerTemplateHash, templateHash)

 	selector := getRunnerSetSelector(runnerSet)
 	selector = CloneSelectorAndAddLabel(selector, LabelKeyRunnerTemplateHash, templateHash)
 	selector = CloneSelectorAndAddLabel(selector, LabelKeyRunnerSetName, runnerSet.Name)
 	selector = CloneSelectorAndAddLabel(selector, LabelKeyPodMutation, LabelValuePodMutation)

-	runnerSetWithOverrides.Selector = selector
+	runnerSetWithOverrides.StatefulSetSpec.Selector = selector

 	rs := appsv1.StatefulSet{
 		TypeMeta: metav1.TypeMeta{},
 		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: runnerSet.Name + "-",
-			Namespace:    runnerSet.Namespace,
-			Labels:       CloneAndAddLabel(runnerSet.Labels, LabelKeyRunnerTemplateHash, templateHash),
+			GenerateName: runnerSet.ObjectMeta.Name + "-",
+			Namespace:    runnerSet.ObjectMeta.Namespace,
+			Labels:       CloneAndAddLabel(runnerSet.ObjectMeta.Labels, LabelKeyRunnerTemplateHash, templateHash),
 			Annotations: map[string]string{
 				SyncTimeAnnotationKey: time.Now().Format(time.RFC3339),
 			},
--- a/controllers/actions.summerwind.net/sync_volumes.go
+++ b/controllers/actions.summerwind.net/sync_volumes.go
@@ -23,7 +23,7 @@ const (
 func syncVolumes(ctx context.Context, c client.Client, log logr.Logger, ns string, runnerSet *v1alpha1.RunnerSet, statefulsets []appsv1.StatefulSet) (*ctrl.Result, error) {
 	log = log.WithValues("ns", ns)

-	for _, t := range runnerSet.Spec.VolumeClaimTemplates {
+	for _, t := range runnerSet.Spec.StatefulSetSpec.VolumeClaimTemplates {
 		for _, sts := range statefulsets {
 			pvcName := fmt.Sprintf("%s-%s-0", t.Name, sts.Name)

--- a/controllers/actions.summerwind.net/testresourcereader.go
+++ b/controllers/actions.summerwind.net/testresourcereader.go
@@ -16,7 +16,7 @@ type testResourceReader struct {
 }

 func (r *testResourceReader) Get(_ context.Context, key client.ObjectKey, obj client.Object, _ ...client.GetOption) error {
-	nsName := types.NamespacedName(key)
+	nsName := types.NamespacedName{Namespace: key.Namespace, Name: key.Name}
 	ret, ok := r.objects[nsName]
 	if !ok {
 		return &kerrors.StatusError{ErrStatus: metav1.Status{Reason: metav1.StatusReasonNotFound}}
--- a/controllers/actions.summerwind.net/utils_test.go
+++ b/controllers/actions.summerwind.net/utils_test.go
@@ -64,22 +64,22 @@ func Test_workVolumeClaimTemplateVolumeV1VolumeTransformation(t *testing.T) {
 		t.Errorf("want name %q, got %q\n", want.Name, got.Name)
 	}

-	if got.Ephemeral == nil {
+	if got.VolumeSource.Ephemeral == nil {
 		t.Fatal("work volume claim template should transform itself into Ephemeral volume source\n")
 	}

-	if got.Ephemeral.VolumeClaimTemplate == nil {
+	if got.VolumeSource.Ephemeral.VolumeClaimTemplate == nil {
 		t.Fatal("work volume claim template should have ephemeral volume claim template set\n")
 	}

-	gotClassName := *got.Ephemeral.VolumeClaimTemplate.Spec.StorageClassName
-	wantClassName := *want.Ephemeral.VolumeClaimTemplate.Spec.StorageClassName
+	gotClassName := *got.VolumeSource.Ephemeral.VolumeClaimTemplate.Spec.StorageClassName
+	wantClassName := *want.VolumeSource.Ephemeral.VolumeClaimTemplate.Spec.StorageClassName
 	if gotClassName != wantClassName {
 		t.Errorf("expected storage class name %q, got %q\n", wantClassName, gotClassName)
 	}

-	gotAccessModes := got.Ephemeral.VolumeClaimTemplate.Spec.AccessModes
-	wantAccessModes := want.Ephemeral.VolumeClaimTemplate.Spec.AccessModes
+	gotAccessModes := got.VolumeSource.Ephemeral.VolumeClaimTemplate.Spec.AccessModes
+	wantAccessModes := want.VolumeSource.Ephemeral.VolumeClaimTemplate.Spec.AccessModes
 	if len(gotAccessModes) != len(wantAccessModes) {
 		t.Fatalf("access modes lengths missmatch: got %v, expected %v\n", gotAccessModes, wantAccessModes)
 	}
--- a/github/actions/client_job_acquisition_test.go
+++ b/github/actions/client_job_acquisition_test.go
@@ -54,7 +54,7 @@ func TestAcquireJobs(t *testing.T) {
 			RunnerScaleSet:          &actions.RunnerScaleSet{Id: 1},
 			MessageQueueAccessToken: "abc",
 		}
-		var requestIDs = []int64{1}
+		var requestIDs []int64 = []int64{1}

 		retryMax := 1
 		actualRetry := 0
--- a/github/actions/client_runner_test.go
+++ b/github/actions/client_runner_test.go
@@ -67,7 +67,7 @@ func TestGetRunnerByName(t *testing.T) {

 	t.Run("Get Runner by Name", func(t *testing.T) {
 		var runnerID int64 = 1
-		var runnerName = "self-hosted-ubuntu"
+		var runnerName string = "self-hosted-ubuntu"
 		want := &actions.RunnerReference{
 			Id:   int(runnerID),
 			Name: runnerName,
@@ -87,7 +87,7 @@ func TestGetRunnerByName(t *testing.T) {
 	})

 	t.Run("Get Runner by name with not exist runner", func(t *testing.T) {
-		var runnerName = "self-hosted-ubuntu"
+		var runnerName string = "self-hosted-ubuntu"
 		response := []byte(`{"count": 0, "value": []}`)

 		server := newActionsServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -103,7 +103,7 @@ func TestGetRunnerByName(t *testing.T) {
 	})

 	t.Run("Default retries on server error", func(t *testing.T) {
-		var runnerName = "self-hosted-ubuntu"
+		var runnerName string = "self-hosted-ubuntu"

 		retryWaitMax := 1 * time.Millisecond
 		retryMax := 1
@@ -181,7 +181,7 @@ func TestGetRunnerGroupByName(t *testing.T) {

 	t.Run("Get RunnerGroup by Name", func(t *testing.T) {
 		var runnerGroupID int64 = 1
-		var runnerGroupName = "test-runner-group"
+		var runnerGroupName string = "test-runner-group"
 		want := &actions.RunnerGroup{
 			ID:   runnerGroupID,
 			Name: runnerGroupName,
@@ -201,7 +201,7 @@ func TestGetRunnerGroupByName(t *testing.T) {
 	})

 	t.Run("Get RunnerGroup by name with not exist runner group", func(t *testing.T) {
-		var runnerGroupName = "test-runner-group"
+		var runnerGroupName string = "test-runner-group"
 		response := []byte(`{"count": 0, "value": []}`)

 		server := newActionsServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
--- a/github/actions/fake/client.go
+++ b/github/actions/fake/client.go
@@ -123,6 +123,7 @@ var defaultRunnerScaleSetJitRunnerConfig = &actions.RunnerScaleSetJitRunnerConfi

 // FakeClient implements actions service
 type FakeClient struct {
+	id                      uuid.UUID
 	getRunnerScaleSetResult struct {
 		*actions.RunnerScaleSet
 		err error
@@ -191,7 +192,9 @@ type FakeClient struct {
 }

 func NewFakeClient(options ...Option) actions.ActionsService {
-	f := &FakeClient{}
+	f := &FakeClient{
+		id: uuid.New(),
+	}
 	f.applyDefaults()
 	for _, opt := range options {
 		opt(f)
@@ -199,6 +202,10 @@ func NewFakeClient(options ...Option) actions.ActionsService {
 	return f
 }

+func (f *FakeClient) ID() uuid.UUID {
+	return f.id
+}
+
 func (f *FakeClient) applyDefaults() {
 	f.getRunnerScaleSetResult.RunnerScaleSet = defaultRunnerScaleSet
 	f.getRunnerScaleSetByIdResult.RunnerScaleSet = defaultRunnerScaleSet
--- a/github/fake/fake.go
+++ b/github/fake/fake.go
@@ -127,7 +127,7 @@ func NewServer(opts ...Option) *httptest.Server {
 		},

 		// For ListRunners
-		"/repos/test/valid/actions/runners": config.ListRunners,
+		"/repos/test/valid/actions/runners": config.FixedResponses.ListRunners,
 		"/repos/test/invalid/actions/runners": &Handler{
 			Status: http.StatusNoContent,
 			Body:   "",
@@ -204,10 +204,10 @@ func NewServer(opts ...Option) *httptest.Server {
 		},

 		// For auto-scaling based on the number of queued(pending) workflow runs
-		"/repos/test/valid/actions/runs": config.ListRepositoryWorkflowRuns,
+		"/repos/test/valid/actions/runs": config.FixedResponses.ListRepositoryWorkflowRuns,

 		// For auto-scaling based on the number of queued(pending) workflow jobs
-		"/repos/test/valid/actions/runs/": config.ListWorkflowJobs,
+		"/repos/test/valid/actions/runs/": config.FixedResponses.ListWorkflowJobs,
 	}

 	mux := http.NewServeMux()
--- a/github/fake/options.go
+++ b/github/fake/options.go
@@ -12,7 +12,7 @@ type Option func(*ServerConfig)

 func WithListRepositoryWorkflowRunsResponse(status int, body, queued, in_progress string) Option {
 	return func(c *ServerConfig) {
-		c.ListRepositoryWorkflowRuns = &Handler{
+		c.FixedResponses.ListRepositoryWorkflowRuns = &Handler{
 			Status: status,
 			Body:   body,
 			Statuses: map[string]string{
@@ -25,7 +25,7 @@ func WithListRepositoryWorkflowRunsResponse(status int, body, queued, in_progres

 func WithListWorkflowJobsResponse(status int, bodies map[int]string) Option {
 	return func(c *ServerConfig) {
-		c.ListWorkflowJobs = &MapHandler{
+		c.FixedResponses.ListWorkflowJobs = &MapHandler{
 			Status: status,
 			Bodies: bodies,
 		}
@@ -34,7 +34,7 @@ func WithListWorkflowJobsResponse(status int, bodies map[int]string) Option {

 func WithListRunnersResponse(status int, body string) Option {
 	return func(c *ServerConfig) {
-		c.ListRunners = &ListRunnersHandler{
+		c.FixedResponses.ListRunners = &ListRunnersHandler{
 			Status: status,
 			Body:   body,
 		}
--- a/github/github.go
+++ b/github/github.go
@@ -290,7 +290,7 @@ func (c *Client) ListRunnerGroupRepositoryAccesses(ctx context.Context, org stri

 	opts := github.ListOptions{PerPage: 100}
 	for {
-		list, res, err := c.Actions.ListRepositoryAccessRunnerGroup(ctx, org, runnerGroupId, &opts)
+		list, res, err := c.Client.Actions.ListRepositoryAccessRunnerGroup(ctx, org, runnerGroupId, &opts)
 		if err != nil {
 			return nil, fmt.Errorf("failed to list repository access for runner group: %w", err)
 		}
@@ -323,32 +323,32 @@ func (c *Client) cleanup() {

 func (c *Client) createRegistrationToken(ctx context.Context, enterprise, org, repo string) (*github.RegistrationToken, *github.Response, error) {
 	if len(repo) > 0 {
-		return c.Actions.CreateRegistrationToken(ctx, org, repo)
+		return c.Client.Actions.CreateRegistrationToken(ctx, org, repo)
 	}
 	if len(org) > 0 {
-		return c.Actions.CreateOrganizationRegistrationToken(ctx, org)
+		return c.Client.Actions.CreateOrganizationRegistrationToken(ctx, org)
 	}
-	return c.Enterprise.CreateRegistrationToken(ctx, enterprise)
+	return c.Client.Enterprise.CreateRegistrationToken(ctx, enterprise)
 }

 func (c *Client) removeRunner(ctx context.Context, enterprise, org, repo string, runnerID int64) (*github.Response, error) {
 	if len(repo) > 0 {
-		return c.Actions.RemoveRunner(ctx, org, repo, runnerID)
+		return c.Client.Actions.RemoveRunner(ctx, org, repo, runnerID)
 	}
 	if len(org) > 0 {
-		return c.Actions.RemoveOrganizationRunner(ctx, org, runnerID)
+		return c.Client.Actions.RemoveOrganizationRunner(ctx, org, runnerID)
 	}
-	return c.Enterprise.RemoveRunner(ctx, enterprise, runnerID)
+	return c.Client.Enterprise.RemoveRunner(ctx, enterprise, runnerID)
 }

 func (c *Client) listRunners(ctx context.Context, enterprise, org, repo string, opts *github.ListOptions) (*github.Runners, *github.Response, error) {
 	if len(repo) > 0 {
-		return c.Actions.ListRunners(ctx, org, repo, opts)
+		return c.Client.Actions.ListRunners(ctx, org, repo, opts)
 	}
 	if len(org) > 0 {
-		return c.Actions.ListOrganizationRunners(ctx, org, opts)
+		return c.Client.Actions.ListOrganizationRunners(ctx, org, opts)
 	}
-	return c.Enterprise.ListRunners(ctx, enterprise, opts)
+	return c.Client.Enterprise.ListRunners(ctx, enterprise, opts)
 }

 func (c *Client) ListRepositoryWorkflowRuns(ctx context.Context, user string, repoName string) ([]*github.WorkflowRun, error) {
@@ -381,7 +381,7 @@ func (c *Client) listRepositoryWorkflowRuns(ctx context.Context, user string, re
 	}

 	for {
-		list, res, err := c.Actions.ListRepositoryWorkflowRuns(ctx, user, repoName, &opts)
+		list, res, err := c.Client.Actions.ListRepositoryWorkflowRuns(ctx, user, repoName, &opts)

 		if err != nil {
 			return workflowRuns, fmt.Errorf("failed to list workflow runs: %v", err)
--- a/github/github_test.go
+++ b/github/github_test.go
@@ -26,7 +26,7 @@ func newTestClient() *Client {
 	if err != nil {
 		panic(err)
 	}
-	client.BaseURL = baseURL
+	client.Client.BaseURL = baseURL

 	return client
 }
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,7 @@
 module github.com/actions/actions-runner-controller

 go 1.24.0
+
 require (
 	github.com/bradleyfalzon/ghinstallation/v2 v2.14.0
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
@@ -16,16 +17,16 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.7
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/onsi/ginkgo v1.16.5
-	github.com/onsi/ginkgo/v2 v2.23.3
-	github.com/onsi/gomega v1.36.3
+	github.com/onsi/ginkgo/v2 v2.23.4
+	github.com/onsi/gomega v1.37.0
 	github.com/prometheus/client_golang v1.21.1
 	github.com/stretchr/testify v1.10.0
 	github.com/teambition/rrule-go v1.8.2
 	go.uber.org/multierr v1.11.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/net v0.38.0
+	golang.org/x/net v0.39.0
 	golang.org/x/oauth2 v0.28.0
-	golang.org/x/sync v0.12.0
+	golang.org/x/sync v0.13.0
 	gomodules.xyz/jsonpatch/v2 v2.5.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.32.3
@@ -92,6 +93,7 @@ require (
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-sql-driver/mysql v1.9.0 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
@@ -106,7 +108,7 @@ require (
 	github.com/google/go-github/v69 v69.2.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20250302191652-9094ed2288e7 // indirect
+	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/gruntwork-io/go-commons v0.17.2 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -133,6 +135,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/pquerna/otp v1.4.0 // indirect
@@ -148,16 +151,18 @@ require (
 	github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
-	golang.org/x/crypto v0.36.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
+	golang.org/x/crypto v0.37.0 // indirect
 	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/term v0.30.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/term v0.31.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.31.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.32.2 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -127,6 +127,7 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-sql-driver/mysql v1.9.0 h1:Y0zIbQXhQKmQgTp44Y1dp3wTXcn804QoTptLZT1vtvo=
 github.com/go-sql-driver/mysql v1.9.0/go.mod h1:pDetrLJeA3oMujJuvXc8RJoasr589B6A9fwzD3QMrqw=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
@@ -177,6 +178,8 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20250302191652-9094ed2288e7 h1:+J3r2e8+RsmN3vKfo75g0YSY61ms37qzPglu4p0sGro=
 github.com/google/pprof v0.0.0-20250302191652-9094ed2288e7/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
@@ -258,6 +261,7 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
@@ -265,10 +269,14 @@ github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
 github.com/onsi/ginkgo/v2 v2.23.3 h1:edHxnszytJ4lD9D5Jjc4tiDkPBZ3siDeJJkUZJJVkp0=
 github.com/onsi/ginkgo/v2 v2.23.3/go.mod h1:zXTP6xIp3U8aVuXN8ENK9IXRaTjFnpVB9mGmaSRvxnM=
+github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
+github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
 github.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
+github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -315,6 +323,8 @@ github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGC
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -326,6 +336,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
 golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
 golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 h1:nDVHiLt8aIbd/VzvPWN6kSOPE7+F/fNFDSXLVYkE/Iw=
 golang.org/x/exp v0.0.0-20250305212735-054e65f0b394/go.mod h1:sIifuuw/Yco/y6yb6+bDNfyeQ/MdPUy/hKEMYQV17cM=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -338,6 +350,8 @@ golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
 golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
+golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
 golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
 golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -346,6 +360,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
 golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -358,12 +374,18 @@ golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
 golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
 golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
+golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
+golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -373,6 +395,8 @@ golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
 golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -396,6 +420,7 @@ gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWM
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/hash/hash.go
+++ b/hash/hash.go
@@ -49,3 +49,22 @@ func ComputeTemplateHash(template interface{}) string {

 	return rand.SafeEncodeString(fmt.Sprint(hasher.Sum32()))
 }
+
+func ComputeCombinedObjectsHash(first any, others ...any) string {
+	hasher := fnv.New32a()
+
+	hasher.Reset()
+
+	printer := spew.ConfigState{
+		Indent:         " ",
+		SortKeys:       true,
+		DisableMethods: true,
+		SpewKeys:       true,
+	}
+
+	for _, obj := range append([]any{first}, others...) {
+		printer.Fprintf(hasher, "%#v", obj)
+	}
+
+	return rand.SafeEncodeString(fmt.Sprint(hasher.Sum32()))
+}
--- a/runner/Makefile
+++ b/runner/Makefile
@@ -7,7 +7,7 @@ OS_IMAGE ?= ubuntu-22.04
 TARGETPLATFORM ?= $(shell arch)

 RUNNER_VERSION ?= 2.323.0
-RUNNER_CONTAINER_HOOKS_VERSION ?= 0.7.0
+RUNNER_CONTAINER_HOOKS_VERSION ?= 0.6.2
 DOCKER_VERSION ?= 24.0.7

 # default list of platforms for which multiarch image is built
--- a/runner/VERSION
+++ b/runner/VERSION
@@ -1,2 +1,2 @@
 RUNNER_VERSION=2.323.0
-RUNNER_CONTAINER_HOOKS_VERSION=0.7.0
+RUNNER_CONTAINER_HOOKS_VERSION=0.6.2
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -37,7 +37,7 @@ var (
 	testResultCMNamePrefix = "test-result-"

 	RunnerVersion               = "2.323.0"
-	RunnerContainerHooksVersion = "0.7.0"
+	RunnerContainerHooksVersion = "0.6.2"
 )

 // If you're willing to run this test via VS Code "run test" or "debug test",
@@ -598,9 +598,9 @@ func initTestEnv(t *testing.T, k8sMinorVer string, vars vars) *env {
 		}

 		e.Kind = testing.StartKind(t, k8sMinorVer, testing.Preload(images...))
-		e.Kubeconfig = e.Kind.Kubeconfig()
+		e.Env.Kubeconfig = e.Kind.Kubeconfig()
 	} else {
-		e.Kubeconfig = e.remoteKubeconfig
+		e.Env.Kubeconfig = e.remoteKubeconfig

 		// Kind automatically installs https://github.com/rancher/local-path-provisioner for PVs.
 		// But assuming the remote cluster isn't a kind Kubernetes cluster,
@@ -1181,7 +1181,7 @@ func installActionsWorkflow(t *testing.T, testName, runnerLabel, testResultCMNam
 				steps = append(steps,
 					testing.Step{
 						Name: "Set up Docker Buildx",
-						Uses: "docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2",
+						Uses: "docker/setup-buildx-action@v1",
 						With: setupBuildXActionWith,
 					},
 					testing.Step{
@@ -1193,7 +1193,7 @@ func installActionsWorkflow(t *testing.T, testName, runnerLabel, testResultCMNam
 						Run: "docker run --rm test1",
 					},
 					testing.Step{
-						Uses: "addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185",
+						Uses: "addnab/docker-run-action@v3",
 						With: &testing.With{
 							Image: "test1",
 							Run:   "hello",
@@ -1234,7 +1234,7 @@ func installActionsWorkflow(t *testing.T, testName, runnerLabel, testResultCMNam

 		steps = append(steps,
 			testing.Step{
-				Uses: "azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f",
+				Uses: "azure/setup-kubectl@v1",
 				With: &testing.With{
 					Version: "v1.24.0",
 				},
Author	SHA1	Message	Date
Nikola Jokic	4bea1ebf10	remove mirror secret	2025-04-17 13:30:33 +02:00
Nikola Jokic	c36c141185	pull in updated listener	2025-04-14 11:00:15 +02:00
Nikola Jokic	8a8d279aba	Re-create the listener when GitHub secret is updated	2025-04-14 10:35:52 +02:00