feat/helm: Bump appVersion to 0.6.1 release (#272)

* feat/helm: Bump appVersion to 0.6.1 release

* Also bump chart version to trigger a new chart release

Co-authored-by: Yusuke Kuoka <c-ykuoka@zlab.co.jp>

.github/workflows/build-runner.yml

@@ -27,7 +27,7 @@ jobs:
           - name: actions-runner-dind
             dockerfile: dindrunner.Dockerfile
     env:
-      RUNNER_VERSION: 2.274.2
+      RUNNER_VERSION: 2.275.1
       DOCKER_VERSION: 19.03.12
       DOCKERHUB_USERNAME: ${{ github.repository_owner }}
     steps:

.github/workflows/on-push-lint-charts.yml

@@ -0,0 +1,75 @@
+name: Lint and Test Charts
+
+on:
+  push:
+    paths:
+      - 'charts/**'
+      - '.github/**'
+  workflow_dispatch:
+
+env:
+  KUBE_SCORE_VERSION: 1.10.0
+  HELM_VERSION: v3.4.1
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: ${{ env.HELM_VERSION }}
+
+      - name: Set up kube-score
+        run: |
+          wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
+          chmod 755 kube-score
+
+      - name: Kube-score generated manifests
+        run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score -
+              --ignore-test pod-networkpolicy
+              --ignore-test deployment-has-poddisruptionbudget
+              --ignore-test deployment-has-host-podantiaffinity
+              --ignore-test container-security-context
+              --ignore-test pod-probes
+              --ignore-test container-image-tag
+              --enable-optional-test container-security-context-privileged
+              --enable-optional-test container-security-context-readonlyrootfilesystem
+
+      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
+      - uses: actions/setup-python@v2
+        with:
+          python-version: 3.7
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.0.1
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --config charts/.ci/ct-config.yaml)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+          fi
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config charts/.ci/ct-config.yaml
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.0.0
+        if: steps.list-changed.outputs.changed == 'true'
+
+      # We need cert-manager already installed in the cluster because we assume the CRDs exist
+      - name: Install cert-manager
+        run: |
+          helm repo add jetstack https://charts.jetstack.io --force-update
+          helm install cert-manager jetstack/cert-manager --set installCRDs=true --wait
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install)
+        run: ct install --config charts/.ci/ct-config.yaml

.github/workflows/on-push-master-publish-chart.yml

@@ -0,0 +1,101 @@
+name: Publish helm chart
+
+on:
+  push:
+    branches:
+      - master
+      - main # assume that the branch name may change in future
+    paths:
+      - 'charts/**'
+      - '.github/**'
+  workflow_dispatch:
+
+env:
+  KUBE_SCORE_VERSION: 1.10.0
+  HELM_VERSION: v3.4.1
+
+jobs:
+  lint-chart:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: ${{ env.HELM_VERSION }}
+
+      - name: Set up kube-score
+        run: |
+          wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
+          chmod 755 kube-score
+
+      - name: Kube-score generated manifests
+        run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score -
+              --ignore-test pod-networkpolicy
+              --ignore-test deployment-has-poddisruptionbudget
+              --ignore-test deployment-has-host-podantiaffinity
+              --ignore-test container-security-context
+              --ignore-test pod-probes
+              --ignore-test container-image-tag
+              --enable-optional-test container-security-context-privileged
+              --enable-optional-test container-security-context-readonlyrootfilesystem
+
+      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
+      - uses: actions/setup-python@v2
+        with:
+          python-version: 3.7
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.0.1
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --config charts/.ci/ct-config.yaml)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+          fi
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config charts/.ci/ct-config.yaml
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.0.0
+        if: steps.list-changed.outputs.changed == 'true'
+
+      # We need cert-manager already installed in the cluster because we assume the CRDs exist
+      - name: Install cert-manager
+        run: |
+          helm repo add jetstack https://charts.jetstack.io --force-update
+          helm install cert-manager jetstack/cert-manager --set installCRDs=true --wait
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install)
+        run: ct install --config charts/.ci/ct-config.yaml
+        if: steps.list-changed.outputs.changed == 'true'
+
+  publish-chart:
+
+    runs-on: ubuntu-latest
+    needs: lint-chart
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@v1.1.0
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+

README.md

@@ -14,10 +14,20 @@ actions-runner-controller uses [cert-manager](https://cert-manager.io/docs/insta
 
 - [Installing cert-manager on Kubernetes](https://cert-manager.io/docs/installation/kubernetes/)
 
-Install the custom resource and actions-runner-controller itself. This will create actions-runner-system namespace in your Kubernetes and deploy the required resources.
+Install the custom resource and actions-runner-controller with `kubectl` or `helm`. This will create actions-runner-system namespace in your Kubernetes and deploy the required resources.
+
+`kubectl`:
 
 ```
-kubectl apply -f https://github.com/summerwind/actions-runner-controller/releases/latest/download/actions-runner-controller.yaml
+# REPLACE "v0.16.1" with the latest release
+kubectl apply -f https://github.com/summerwind/actions-runner-controller/releases/download/v0.16.1/actions-runner-controller.yaml
+```
+
+`helm`:
+
+```
+helm repo add actions-runner-controller https://summerwind.github.io/actions-runner-controller
+helm upgrade --install -n actions-runner-system actions-runner-controller/actions-runner-controller
 ```
 
 ### Github Enterprise support
@@ -25,7 +35,7 @@ kubectl apply -f https://github.com/summerwind/actions-runner-controller/release
 If you use either Github Enterprise Cloud or Server (and have recent enought version supporting Actions), you can use **actions-runner-controller**  with those, too. Authentication works same way as with public Github (repo and organization level).
 
 ```shell
-kubectl set env deploy controller-manager -c manager GITHUB_ENTERPRISE_URL=<GHEC/S URL>
+kubectl set env deploy controller-manager -c manager GITHUB_ENTERPRISE_URL=<GHEC/S URL> --namespace actions-runner-system
 ```
 
 [Enterprise level](https://docs.github.com/en/enterprise-server@2.22/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-enterprise) runners are not working yet as there's no API definition for those.
@@ -409,7 +419,7 @@ Note that if you specify `self-hosted` in your workflow, then this will run your
 
 ## Runner Groups
 
-Runner groups can be used to limit which repositories are able to use the GitHub Runner at an Organisation level.
+Runner groups can be used to limit which repositories are able to use the GitHub Runner at an Organisation level. Runner groups have to be [created in GitHub first](https://docs.github.com/en/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups) before they can be referenced.
 
 To add the runner to the group `NewGroup`, specify the group in your `Runner` or `RunnerDeployment` spec.
 
@@ -468,11 +478,11 @@ The virtual environments from GitHub contain a lot more software packages (diffe
 If there is a need to include packages in the runner image for which there is no setup action, then this can be achieved by building a custom container image for the runner. The easiest way is to start with the `summerwind/actions-runner` image and installing the extra dependencies directly in the docker image:
 
 ```shell
-FROM summerwind/actions-runner:v2.169.1
+FROM summerwind/actions-runner:latest
 
 RUN sudo apt update -y \
-  && apt install YOUR_PACKAGE
-  && rm -rf /var/lib/apt/lists/*
+  && sudo apt install YOUR_PACKAGE
+  && sudo rm -rf /var/lib/apt/lists/*
 ```
 
 You can then configure the runner to use a custom docker image by configuring the `image` field of a `Runner` or `RunnerDeployment`:

charts/.ci/ct-config.yaml

@@ -0,0 +1,4 @@
+# This file defines the config for "ct" (chart tester) used by the helm linting GitHub workflow
+lint-conf: charts/.ci/lint-config.yaml
+chart-repos:
+  - jetstack=https://charts.jetstack.io

charts/.ci/lint-config.yaml

@@ -0,0 +1,6 @@
+rules:
+  # One blank line is OK
+  empty-lines: 
+    max-start: 1
+    max-end: 1
+    max: 1

charts/.ci/scripts/local-ct-lint.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker run --rm -it -w /repo -v $(pwd):/repo quay.io/helmpack/chart-testing ct lint --all --config charts/.ci/ct-config.yaml

charts/.ci/scripts/local-kube-score.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+
+for chart in `ls charts`;
+do
+helm template --values charts/$chart/ci/ci-values.yaml charts/$chart | kube-score score - \
+    --ignore-test pod-networkpolicy \
+    --ignore-test deployment-has-poddisruptionbudget \
+    --ignore-test deployment-has-host-podantiaffinity \
+    --ignore-test pod-probes \
+    --ignore-test container-image-tag \
+    --enable-optional-test container-security-context-privileged \
+    --enable-optional-test container-security-context-readonlyrootfilesystem \
+    --ignore-test container-security-context
+done

charts/actions-runner-controller/Chart.yaml

@@ -15,9 +15,22 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.11.2
+appVersion: 0.16.1
+
+home: https://github.com/summerwind/actions-runner-controller
+
+sources:
+    - https://github.com/summerwind/actions-runner-controller
+
+maintainers:
+    - name: summerwind
+      email: contact@summerwind.jp
+      url: https://github.com/summerwind
+    - name: funkypenguin
+      email: davidy@funkypenguin.co.nz
+      url: https://www.funkypenguin.co.nz

charts/actions-runner-controller/ci/ci-values.yaml

@@ -0,0 +1,27 @@
+# This file sets some opinionated values for kube-score to use
+# when parsing the chart
+image:
+  pullPolicy: Always
+
+podSecurityContext:
+  fsGroup: 2000
+
+securityContext: 
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 2000
+
+resources: 
+  limits:
+    cpu: 100m
+    memory: 128Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi  
+
+# Set the following to true to create a dummy secret, allowing the manager pod to start
+# This is only useful in CI
+createDummySecret: true

charts/actions-runner-controller/templates/_helpers.tpl

@@ -89,7 +89,7 @@ Create the name of the service account to use
 {{- end }}
 
 {{- define "actions-runner-controller.authProxyServiceName" -}}
-{{- include "actions-runner-controller.fullname" . }}-controller-manager-metrics-service
+{{- include "actions-runner-controller.fullname" . }}-metrics-service
 {{- end }}
 
 {{- define "actions-runner-controller.selfsignedIssuerName" -}}

charts/actions-runner-controller/templates/ci-secret.yaml

@@ -0,0 +1,10 @@
+# This template only exists to facilitate CI testing of the chart, since
+# a secret is expected to be found in the namespace by the controller manager
+{{ if .Values.createDummySecret -}}
+apiVersion: v1
+data:
+  github_token: dGVzdA==
+kind: Secret
+metadata:
+  name: controller-manager
+{{- end }}

charts/actions-runner-controller/templates/deployment.yaml

@@ -57,6 +57,10 @@ spec:
               optional: true
         - name: GITHUB_APP_PRIVATE_KEY
           value: /etc/actions-runner-controller/github_app_private_key
+        {{- range $key, $val := .Values.env }}
+        - name: {{ $key }}
+          value: {{ $val | quote }}
+        {{- end }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (cat "v" .Chart.AppVersion | replace " " "") }}"
         name: manager
         imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -66,10 +70,14 @@ spec:
           protocol: TCP
         resources:
           {{- toYaml .Values.resources | nindent 12 }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}          
         volumeMounts:
         - mountPath: "/etc/actions-runner-controller"
           name: controller-manager
           readOnly: true
+        - mountPath: /tmp
+          name: tmp         
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert
           readOnly: true
@@ -78,11 +86,16 @@ spec:
         - "--upstream=http://127.0.0.1:8080/"
         - "--logtostderr=true"
         - "--v=10"
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1
+        image: "{{ .Values.kube_rbac_proxy.image.repository }}:{{ .Values.kube_rbac_proxy.image.tag }}"
         name: kube-rbac-proxy
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
         ports:
         - containerPort: 8443
           name: https
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}   
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}     
       terminationGracePeriodSeconds: 10
       volumes:
       - name: controller-manager
@@ -92,6 +105,8 @@ spec:
         secret:
           defaultMode: 420
           secretName: webhook-server-cert
+      - name: tmp
+        emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/actions-runner-controller/templates/manager_secrets.yaml

@@ -0,0 +1,14 @@
+{{- if or .Values.authSecret.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: controller-manager
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+type: Opaque
+data:
+{{- range $k, $v := .Values.authSecret }}
+  {{ $k }}: {{ $v | toString | b64enc }}
+{{- end }} 
+{{- end }}

charts/actions-runner-controller/values.yaml

@@ -8,6 +8,17 @@ replicaCount: 1
 
 syncPeriod: 10m
 
+# Only 1 authentication method can be deployed at a time
+# Uncomment the configuration you are applying and fill in the details
+authSecret:
+  enabled: false
+  ### GitHub Apps Configuration
+  #github_app_id: ""
+  #github_app_installation_id: ""
+  #github_app_private_key: |
+  ### GitHub PAT Configuration
+  #github_token: ""
+
 image:
   repository: summerwind/actions-runner-controller
   # Overrides the manager image tag whose default is the chart appVersion if the tag key is commented out
@@ -15,6 +26,11 @@ image:
   dindSidecarRepositoryAndTag: "docker:dind"
   pullPolicy: IfNotPresent
 
+kube_rbac_proxy:
+  image:
+    repository: gcr.io/kubebuilder/kube-rbac-proxy
+    tag: v0.4.1
+
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
@@ -87,3 +103,8 @@ affinity: {}
 # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
 # PriorityClass: system-cluster-critical
 priorityClassName: ""
+
+env: {}
+  # http_proxy: "proxy.com:8080"
+  # https_proxy: "proxy.com:8080"
+  # no_proxy: ""

controllers/autoscaling.go

@@ -219,23 +219,19 @@ func (r *HorizontalRunnerAutoscalerReconciler) calculateReplicasByPercentageRunn
 	var desiredReplicas int
 	fractionBusy := float64(numRunnersBusy) / float64(numRunners)
 	if fractionBusy >= scaleUpThreshold {
-		scaleUpReplicas := int(math.Ceil(float64(numRunners) * scaleUpFactor))
-		if scaleUpReplicas > maxReplicas {
-			desiredReplicas = maxReplicas
-		} else {
-			desiredReplicas = scaleUpReplicas
-		}
+		desiredReplicas = int(math.Ceil(float64(numRunners) * scaleUpFactor))
 	} else if fractionBusy < scaleDownThreshold {
-		scaleDownReplicas := int(float64(numRunners) * scaleDownFactor)
-		if scaleDownReplicas < minReplicas {
-			desiredReplicas = minReplicas
-		} else {
-			desiredReplicas = scaleDownReplicas
-		}
+		desiredReplicas = int(float64(numRunners) * scaleDownFactor)
 	} else {
 		desiredReplicas = *rd.Spec.Replicas
 	}
 
+	if desiredReplicas < minReplicas {
+		desiredReplicas = minReplicas
+	} else if desiredReplicas > maxReplicas {
+		desiredReplicas = maxReplicas
+	}
+
 	r.Log.V(1).Info(
 		"Calculated desired replicas",
 		"computed_replicas_desired", desiredReplicas,

controllers/runner_controller.go

@@ -426,6 +426,9 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 	}
 
 	if !dockerdInRunner && dockerEnabled {
+		runnerVolumeName := "runner"
+		runnerVolumeMountPath := "/runner"
+
 		pod.Spec.Volumes = []corev1.Volume{
 			{
 				Name: "work",
@@ -434,7 +437,7 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 				},
 			},
 			{
-				Name: "externals",
+				Name: runnerVolumeName,
 				VolumeSource: corev1.VolumeSource{
 					EmptyDir: &corev1.EmptyDirVolumeSource{},
 				},
@@ -452,8 +455,8 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 				MountPath: workDir,
 			},
 			{
-				Name:      "externals",
-				MountPath: "/runner/externals",
+				Name:      runnerVolumeName,
+				MountPath: runnerVolumeMountPath,
 			},
 			{
 				Name:      "certs-client",
@@ -484,8 +487,8 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 					MountPath: workDir,
 				},
 				{
-					Name:      "externals",
-					MountPath: "/runner/externals",
+					Name:      runnerVolumeName,
+					MountPath: runnerVolumeMountPath,
 				},
 				{
 					Name:      "certs-client",
@@ -501,6 +504,7 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 			SecurityContext: &corev1.SecurityContext{
 				Privileged: &privileged,
 			},
+			Resources: runner.Spec.DockerdContainerResources,
 		})
 
 	}

controllers/runnerreplicaset_controller.go

@@ -52,7 +52,7 @@ type RunnerReplicaSetReconciler struct {
 
 func (r *RunnerReplicaSetReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	ctx := context.Background()
-	log := r.Log.WithValues("runner", req.NamespacedName)
+	log := r.Log.WithValues("runnerreplicaset", req.NamespacedName)
 
 	var rs v1alpha1.RunnerReplicaSet
 	if err := r.Get(ctx, req.NamespacedName, &rs); err != nil {

runner/Dockerfile

@@ -4,6 +4,8 @@ ARG TARGETPLATFORM
 ARG RUNNER_VERSION=2.274.2
 ARG DOCKER_VERSION=19.03.12
 
+RUN test -n "$TARGETPLATFORM" || (echo "TARGETPLATFORM must be set" && false)
+
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt update -y \
   && apt install -y software-properties-common \
@@ -42,7 +44,8 @@ RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
   && chmod +x /usr/local/bin/dumb-init
 
 # Docker download supports arm64 as aarch64 & amd64 as x86_64
-RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+RUN set -vx; \
+  export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
   && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
   && if [ "$ARCH" = "amd64" ]; then export ARCH=x86_64 ; fi \
   && curl -L -o docker.tgz https://download.docker.com/linux/static/stable/${ARCH}/docker-${DOCKER_VERSION}.tgz \
@@ -55,6 +58,8 @@ RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
   && usermod -aG docker runner \
   && echo "%sudo   ALL=(ALL:ALL) NOPASSWD:ALL" > /etc/sudoers
 
+ENV RUNNER_ASSETS_DIR=/runnertmp
+
 # Runner download supports amd64 as x64. Externalstmp is needed for making mount points work inside DinD.
 #
 # libyaml-dev is required for ruby/setup-ruby action.
@@ -62,8 +67,8 @@ RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
 # to avoid rerunning apt-update on its own.
 RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
   && if [ "$ARCH" = "amd64" ]; then export ARCH=x64 ; fi \
-  && mkdir -p /runner \
-  && cd /runner \
+  && mkdir -p "$RUNNER_ASSETS_DIR" \
+  && cd "$RUNNER_ASSETS_DIR" \
   && curl -L -o runner.tar.gz https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-${ARCH}-${RUNNER_VERSION}.tar.gz \
   && tar xzf ./runner.tar.gz \
   && rm runner.tar.gz \
@@ -72,14 +77,14 @@ RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
   && apt-get install -y libyaml-dev \
   && rm -rf /var/lib/apt/lists/*
 
-RUN echo AGENT_TOOLSDIRECTORY=/opt/hostedtoolcache > /runner.env \
+RUN echo AGENT_TOOLSDIRECTORY=/opt/hostedtoolcache > .env \
   && mkdir /opt/hostedtoolcache \
   && chgrp runner /opt/hostedtoolcache \
   && chmod g+rwx /opt/hostedtoolcache
 
-COPY entrypoint.sh /runner
-COPY patched /runner/patched
+COPY entrypoint.sh /
+COPY patched $RUNNER_ASSETS_DIR/patched
 
 USER runner
 ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]
-CMD ["/runner/entrypoint.sh"]
+CMD ["/entrypoint.sh"]

runner/Makefile

@@ -23,15 +23,13 @@ else
 endif
 
 docker-build:
-	docker build --build-arg RUNNER_VERSION=${RUNNER_VERSION} --build-arg DOCKER_VERSION=${DOCKER_VERSION} -t ${NAME}:${TAG} -t ${NAME}:v${RUNNER_VERSION} .
-	docker build --build-arg RUNNER_VERSION=${RUNNER_VERSION} --build-arg DOCKER_VERSION=${DOCKER_VERSION} -t ${DIND_RUNNER_NAME}:${TAG} -t ${DIND_RUNNER_NAME}:v${RUNNER_VERSION} -f dindrunner.Dockerfile .
+	docker build --build-arg TARGETPLATFORM=amd64 --build-arg RUNNER_VERSION=${RUNNER_VERSION} --build-arg DOCKER_VERSION=${DOCKER_VERSION} -t ${NAME}:${TAG} .
+	docker build --build-arg TARGETPLATFORM=amd64 --build-arg RUNNER_VERSION=${RUNNER_VERSION} --build-arg DOCKER_VERSION=${DOCKER_VERSION} -t ${DIND_RUNNER_NAME}:${TAG} -f dindrunner.Dockerfile .
 
 
 docker-push:
 	docker push ${NAME}:${TAG}
-	docker push ${NAME}:v${RUNNER_VERSION}
 	docker push ${DIND_RUNNER_NAME}:${TAG}
-	docker push ${DIND_RUNNER_NAME}:v${RUNNER_VERSION}
 
 docker-buildx:
 	export DOCKER_CLI_EXPERIMENTAL=enabled

runner/dindrunner.Dockerfile

@@ -48,6 +48,8 @@ ARG DOCKER_CHANNEL=stable
 ARG DOCKER_VERSION=19.03.13
 ARG DEBUG=false
 
+RUN test -n "$TARGETPLATFORM" || (echo "TARGETPLATFORM must be set" && false)
+
 # Docker installation
 RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
     && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
@@ -66,6 +68,8 @@ RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
 	dockerd --version; \
 	docker --version
 
+ENV RUNNER_ASSETS_DIR=/runnertmp
+
 # Runner download supports amd64 as x64
 #
 # libyaml-dev is required for ruby/setup-ruby action.
@@ -73,8 +77,8 @@ RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
 # to avoid rerunning apt-update on its own.
 RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
     && if [ "$ARCH" = "amd64" ]; then export ARCH=x64 ; fi \
-    && mkdir -p /runner \
-     && cd /runner \
+    && mkdir -p "$RUNNER_ASSETS_DIR" \
+     && cd "$RUNNER_ASSETS_DIR" \
     && curl -L -o runner.tar.gz https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-${ARCH}-${RUNNER_VERSION}.tar.gz \
     && tar xzf ./runner.tar.gz \
     && rm runner.tar.gz \
@@ -100,7 +104,7 @@ RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
 
 VOLUME /var/lib/docker
 
-COPY patched /runner/patched
+COPY patched $RUNNER_ASSETS_DIR/patched
 
 # No group definition, as that makes it harder to run docker.
 USER runner

runner/entrypoint.sh

@@ -44,9 +44,18 @@ if [ -z "${RUNNER_REPO}" ] && [ -n "${RUNNER_ORG}" ] && [ -n "${RUNNER_GROUP}" ]
   RUNNER_GROUP_ARG="--runnergroup ${RUNNER_GROUP}"
 fi
 
+# Hack due to https://github.com/summerwind/actions-runner-controller/issues/252#issuecomment-758338483
+if [ ! -d /runner ]; then
+  echo "/runner should be an emptyDir mount. Please fix the pod spec." 1>&2
+  exit 1
+fi
+
+sudo chown -R runner:docker /runner
+mv /runnertmp/* /runner/
+
 cd /runner
 ./config.sh --unattended --replace --name "${RUNNER_NAME}" --url "${GITHUB_URL}${ATTACH}" --token "${RUNNER_TOKEN}" ${RUNNER_GROUP_ARG} ${LABEL_ARG} ${WORKDIR_ARG}
-
+mkdir ./externals
 # Hack due to the DinD volumes
 mv ./externalstmp/* ./externals/