Fix release workflow

This fixes the said issue by additionally treating any runner pod whose phase is Failed or the runner container exited with non-zero code as "complete" so that ARC gives up unregistering the runner from Actions, deletes the runner pod anyway.

Note that there are a plenty of causes for that. If you are deploying runner pods on AWS spot instances or GCE preemptive instances and a job assigned to a runner took more time than the shutdown grace period provided by your cloud provider (2 minutes for AWS spot instances), the runner pod would be terminated prematurely without letting actions/runner unregisters itself from Actions. If your VM or hypervisor failed then runner pods that were running on the node will become PodFailed without unregistering runners from Actions.

Please beware that it is currently users responsibility to clean up any dangling runner resources on GitHub Actions.

Ref https://github.com/actions-runner-controller/actions-runner-controller/issues/1307
Might also relate to https://github.com/actions-runner-controller/actions-runner-controller/issues/1273

.github/workflows/on-push-master-publish-chart.yml

@@ -114,7 +114,7 @@ jobs:
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.3.0
+        uses: helm/chart-releaser-action@v1.4.0
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 

.github/workflows/release.yml

@@ -20,7 +20,7 @@ jobs:
 
       - uses: actions/setup-go@v3
         with:
-          go-version: '^1.17.7'
+          go-version: '1.17.7'
 
       - name: Install tools
         run: |

.github/workflows/runners.yml

@@ -15,7 +15,7 @@ on:
       - '!**.md'
 
 env:
-  RUNNER_VERSION: 2.288.1
+  RUNNER_VERSION: 2.289.2
   DOCKER_VERSION: 20.10.12
   DOCKERHUB_USERNAME: summerwind
 

.github/workflows/test-entrypoint.yaml

@@ -18,5 +18,4 @@ jobs:
       uses: actions/checkout@v3
     - name: Run unit tests for entrypoint.sh
       run: |
-        cd test/entrypoint
-        bash entrypoint_unittest.sh
+        make acceptance/runner/entrypoint

.github/workflows/test.yaml

@@ -24,9 +24,10 @@ jobs:
       uses: actions/checkout@v3
     - uses: actions/setup-go@v3
       with:
-        go-version: '^1.17.7'
+        go-version: '1.17.7'
+        check-latest: false
     - run: go version
-    - uses: actions/cache@v2
+    - uses: actions/cache@v3
       with:
         path: ~/go/pkg/mod
         key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}

Makefile

@@ -197,6 +197,9 @@ acceptance/deploy:
 acceptance/tests:
 	acceptance/checks.sh
 
+acceptance/runner/entrypoint:
+	cd test/entrypoint/ && bash test.sh
+
 # We use -count=1 instead of `go clean -testcache`
 # See https://terratest.gruntwork.io/docs/testing-best-practices/avoid-test-caching/
 .PHONY: e2e

README.md

@@ -19,6 +19,7 @@ ToC:
   - [Enterprise Runners](#enterprise-runners)
   - [RunnerDeployments](#runnerdeployments)
   - [RunnerSets](#runnersets)
+  - [Persistent Runners](#persistent-runners)  
   - [Autoscaling](#autoscaling)
     - [Anti-Flapping Configuration](#anti-flapping-configuration)
     - [Pull Driven Scaling](#pull-driven-scaling)
@@ -32,7 +33,6 @@ ToC:
   - [Runner Groups](#runner-groups)
   - [Runner Entrypoint Features](#runner-entrypoint-features)
   - [Using IRSA (IAM Roles for Service Accounts) in EKS](#using-irsa-iam-roles-for-service-accounts-in-eks)
-  - [Persistent Runners](#persistent-runners)
   - [Software Installed in the Runner Image](#software-installed-in-the-runner-image)
   - [Using without cert-manager](#using-without-cert-manager)
 - [Troubleshooting](#troubleshooting)
@@ -55,8 +55,8 @@ Subsequent to this, install the custom resource definitions and actions-runner-c
 **Kubectl Deployment:**
 
 ```shell
-# REPLACE "v0.21.1" with the version you wish to deploy
-kubectl apply -f https://github.com/actions-runner-controller/actions-runner-controller/releases/download/v0.21.1/actions-runner-controller.yaml
+# REPLACE "v0.22.0" with the version you wish to deploy
+kubectl apply -f https://github.com/actions-runner-controller/actions-runner-controller/releases/download/v0.22.0/actions-runner-controller.yaml
 ```
 
 **Helm Deployment:**
@@ -226,14 +226,16 @@ By default the controller will look for runners in all namespaces, the watch nam
 
 This feature is configured via the controller's `--watch-namespace` flag. When a namespace is provided via this flag, the controller will only monitor runners in that namespace.
 
-If you plan on installing all instances of the controller stack into a single namespace you will need to make the names of the resources unique to each stack. In the case of Helm this can be done by giving each install a unique release name, or via the `fullnameOverride` properties.
+You can deploy multiple controllers either in a single shared namespace, or in a unique namespace per controller.
 
-Alternatively, you can install each controller stack into its own unique namespace (relative to other controller stacks in the cluster), avoiding the need to uniquely prefix resources.
+If you plan on installing all instances of the controller stack into a single namespace there are a few things you need to do for this to work.
 
-When you go to the route of sharing the namespace while giving each a unique Helm release name, you must also ensure the following values are configured correctly:
+1. All resources per stack must have a unique, in the case of Helm this can be done by giving each install a unique release name, or via the `fullnameOverride` properties.
+2. `authSecret.name` needs be unique per stack when each stack is tied to runners in different GitHub organizations and repositories AND you want your GitHub credentials to narrowly scoped.
+3. `leaderElectionId` needs to be unique per stack. If this is not unique to the stack the controller tries to race onto the leader election lock resulting in only one stack working concurrently. Your controller will be stuck with a log message something like this `attempting to acquire leader lease arc-controllers/actions-runner-controller...`
+4. The MutatingWebhookConfiguration in each stack must include a namespace selector for that stacks corresponding runner namespace, this is already configured in the helm chart.
 
-- `authSecret.name` needs be unique per stack when each stack is tied to runners in different GitHub organizations and repositories AND you want your GitHub credentials to narrowly scoped.
-- `leaderElectionId` needs to be unique per stack. If this is not unique to the stack the controller tries to race onto the leader election lock and resulting in only one stack working concurrently.
+Alternatively, you can install each controller stack into a unique namespace (relative to other controller stacks in the cluster). Implementing ARC this way avoids the first, second and third pitfalls (you still need to set the corresponding namespace selector for each stacks mutating webhook)
 
 ## Usage
 
@@ -365,6 +367,8 @@ example-runnerdeploy2475ht2qbr   mumoshu/actions-runner-controller-ci   Running
 
 > This feature requires controller version => [v0.20.0](https://github.com/actions-runner-controller/actions-runner-controller/releases/tag/v0.20.0)
 
+_Ensure you see the limitations before using this kind!!!!!_
+
 For scenarios where you require the advantages of a `StatefulSet`, for example persistent storage, ARC implements a runner based on Kubernete's StatefulSets, the RunnerSet.
 
 A basic `RunnerSet` would look like this:
@@ -448,11 +452,28 @@ Under the hood, `RunnerSet` relies on Kubernetes's `StatefulSet` and Mutating We
 **Limitations**
 
 * For autoscaling the `RunnerSet` kind only supports pull driven scaling or the `workflow_job` event for webhook driven scaling.
+* Whilst `RunnerSets` support all runner modes as well as autoscaling, currently PVs are **NOT** automatically cleaned up as they are still bound to their respective PVCs when a runner is deleted by the controller. This has **major** implications when using `RunnerSets` in the standard runner mode, `ephemeral: true`, see [persistent runners](#persistent-runners) for more details. As a result of this, using the default ephemeral configuration or implementing autoscaling for your `RunnerSets`, you will get a build up of PVCs and PVs without some sort of custom solution for cleaning up.
+
+### Persistent Runners
+
+Every runner managed by ARC is "ephemeral" by default. The life of an ephemeral runner managed by ARC looks like this- ARC creates a runner pod for the runner. As it's an ephemeral runner, the `--ephemeral` flag is passed to the `actions/runner` agent that runs within the `runner` container of the runner pod.
+
+`--ephemeral` is an `actions/runner` feature that instructs the runner to stop and de-register itself after the first job run.
+
+Once the ephemeral runner has completed running a workflow job, it stops with a status code of 0, hence the runner pod is marked as completed, removed by ARC.
+
+As it's removed after a workflow job run, the runner pod is never reused across multiple GitHub Actions workflow jobs, providing you a clean environment per each workflow job.
+
+Although not generally recommended, it's possible to disable passing `--ephemeral` flag by explicitly setting `ephemeral: false` in the `RunnerDeployment` or `RunnerSet` spec. When disabled, your runner becomes "persistent". A persistent runner does not stop after workflow job ends, and in this mode `actions/runner` is known to clean only runner's work dir after each job. Whilst this can seem helpful it creates a non-deterministic environment which is not ideal for a CI/CD environment. Between runs your actions cache, docker images stored in the `dind` and layer cache, globally installed packages etc are retained across multiple workflow job runs which can cause issues which are hard to debug and inconsistent.
+
+Persistent runners are available as an option for some edge cases however they are not preferred as they can create challenges around providing a deterministic and secure environment.
 
 ### Autoscaling
 
 > Since the release of GitHub's [`workflow_job` webhook](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job), webhook driven scaling is the preferred way of autoscaling as it enables targeted scaling of your `RunnerDeployment` / `RunnerSet` as it includes the `runs-on` information needed to scale the appropriate runners for that workflow run. More broadly, webhook driven scaling is the preferred scaling option as it is far quicker compared to the pull driven scaling and is easy to setup.
 
+> If you are using controller version < [v0.22.0](https://github.com/actions-runner-controller/actions-runner-controller/releases/tag/v0.22.0) and you are not using GHES, and so can't set your rate limit budget, it is recommended that you use 100 replicas or fewer to prevent being rate limited.
+
 A `RunnerDeployment` or `RunnerSet` can scale the number of runners between `minReplicas` and `maxReplicas` fields driven by either pull based scaling metrics or via a webhook event (see limitations section of [stateful runners](#stateful-runners) for cavaets of this kind). Whether the autoscaling is driven from a webhook event or pull based metrics it is implemented by backing a `RunnerDeployment` or `RunnerSet` kind with a `HorizontalRunnerAutoscaler` kind.
 
 **_Important!!! If you opt to configure autoscaling, ensure you remove the `replicas:` attribute in the `RunnerDeployment` / `RunnerSet` kinds that are configured for autoscaling [#206](https://github.com/actions-runner-controller/actions-runner-controller/issues/206#issuecomment-748601907)_**
@@ -556,7 +577,7 @@ metadata:
 spec:
   scaleTargetRef:
     name: example-runner-deployment
-    # Uncomment the below in case the target is not RunnerDeployment but RunnerSet
+    # IMPORTANT : If your HRA is targeting a RunnerSet you must specify the kind in the scaleTargetRef:, uncomment the below
     #kind: RunnerSet
   minReplicas: 1
   maxReplicas: 5
@@ -664,7 +685,7 @@ The primary benefit of autoscaling on Webhook compared to the pull driven scalin
 
 > You can learn the implementation details in [#282](https://github.com/actions-runner-controller/actions-runner-controller/pull/282)
 
-To enable this feature, you firstly need to install the webhook server, currently, only our Helm chart has the ability install it:
+To enable this feature, you first need to install the GitHub webhook server. To install via our Helm chart,
 _[see the values documentation for all configuration options](https://github.com/actions-runner-controller/actions-runner-controller/blob/master/charts/actions-runner-controller/README.md)_
 
 ```console
@@ -840,7 +861,7 @@ spec:
 
 > This feature requires controller version => [v0.19.0](https://github.com/actions-runner-controller/actions-runner-controller/releases/tag/v0.19.0)
 
-The regular `RunnerDeployment` `replicas:` attribute as well as the `HorizontalRunnerAutoscaler` `minReplicas:` attribute supports being set to 0.
+The regular `RunnerDeployment` / `RunnerSet` `replicas:` attribute as well as the `HorizontalRunnerAutoscaler` `minReplicas:` attribute supports being set to 0.
 
 The main use case for scaling from 0 is with the `HorizontalRunnerAutoscaler` kind. To scale from 0 whilst still being able to provision runners as jobs are queued we must use the `HorizontalRunnerAutoscaler` with only certain scaling configurations, only the below configurations support scaling from 0 whilst also being able to provision runners as jobs are queued:
 
@@ -1107,7 +1128,7 @@ spec:
 You can configure your own custom volume mounts. For example to have the work/docker data in memory or on NVME ssd, for
 i/o intensive builds. Other custom volume mounts should be possible as well, see [kubernetes documentation](https://kubernetes.io/docs/concepts/storage/volumes/)
 
-** Ramdisk runner **
+**RAM Disk Runner**<br />
 Example how to place the runner work dir, docker sidecar and /tmp within the runner onto a ramdisk.
 ```yaml
 kind: RunnerDeployment
@@ -1133,7 +1154,7 @@ spec:
       emphemeral: true # recommended to not leak data between builds.
 ```
 
-** NVME ssd runner **
+**NVME SSD Runner**<br />
 In this example we provide NVME backed storage for the workdir, docker sidecar and /tmp within the runner.
 Here we use a working example on GKE, which will provide the NVME disk at /mnt/disks/ssd0.  We will be placing the respective volumes in subdirs here and in order to be able to run multiple runners we will use the pod name as prefix for subdirectories. Also the disk will fill up over time and disk space will not be freed until the node is removed.
 
@@ -1307,21 +1328,6 @@ spec:
       securityContext:
         fsGroup: 1000
 ```
-
-### Persistent Runners
-
-Every runner managed by ARC is "ephemeral" by default. The life of an ephemeral runner managed by ARC looks like this- ARC creates a runner pod for the runner. As it's an ephemeral runner, the `--ephemeral` flag is passed to the `actions/runner` agent that runs within the `runner` container of the runner pod.
-
-`--ephemeral` is an `actions/runner` feature that instructs the runner to stop and de-register itself after the first job run.
-
-Once the ephemeral runner has completed running a workflow job, it stops with a status code of 0, hence the runner pod is marked as completed, removed by ARC.
-
-As it's removed after a workflow job run, the runner pod is never reused across multiple GitHub Actions workflow jobs, providing you a clean environment per each workflow job.
-
-Although not recommended, it's possible to disable passing `--ephemeral` flag by explicitly setting `ephemeral: false` in the `RunnerDeployment` or `RunnerSet` spec. When disabled, your runner becomes "persistent". A persistent runner does not stop after workflow job ends, and in this mode `actions/runner` is known to clean only runner's work dir after each job. That means your runner's environment, including various actions cache, docker images stored in the `dind` and layer cache, is retained across multiple workflow job runs.
-
-Persistent runners are available as an option for some edge cases however they are not preferred as they can create challenges around providing a deterministic and secure environment.
-
 ### Software Installed in the Runner Image
 
 **Cloud Tooling**<br />

api/v1alpha1/runner_types.go

@@ -181,6 +181,9 @@ func (rs *RunnerSpec) ValidateRepository() error {
 
 // RunnerStatus defines the observed state of Runner
 type RunnerStatus struct {
+	// Turns true only if the runner pod is ready.
+	// +optional
+	Ready bool `json:"ready"`
 	// +optional
 	Registration RunnerStatusRegistration `json:"registration"`
 	// +optional

api/v1alpha1/runnerdeployment_webhook.go

@@ -26,7 +26,7 @@ import (
 )
 
 // log is for logging in this package.
-var runenrDeploymentLog = logf.Log.WithName("runnerdeployment-resource")
+var runnerDeploymentLog = logf.Log.WithName("runnerdeployment-resource")
 
 func (r *RunnerDeployment) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
@@ -49,13 +49,13 @@ var _ webhook.Validator = &RunnerDeployment{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
 func (r *RunnerDeployment) ValidateCreate() error {
-	runenrDeploymentLog.Info("validate resource to be created", "name", r.Name)
+	runnerDeploymentLog.Info("validate resource to be created", "name", r.Name)
 	return r.Validate()
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (r *RunnerDeployment) ValidateUpdate(old runtime.Object) error {
-	runenrDeploymentLog.Info("validate resource to be updated", "name", r.Name)
+	runnerDeploymentLog.Info("validate resource to be updated", "name", r.Name)
 	return r.Validate()
 }
 

charts/actions-runner-controller/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.16.1
+version: 0.17.2
 
 # Used as the default manager tag value when no tag property is provided in the values.yaml
-appVersion: 0.21.1
+appVersion: 0.22.2
 
 home: https://github.com/actions-runner-controller/actions-runner-controller
 

charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml

@@ -5126,6 +5126,9 @@ spec:
                   type: string
                 phase:
                   type: string
+                ready:
+                  description: Turns true only if the runner pod is ready.
+                  type: boolean
                 reason:
                   type: string
                 registration:

charts/actions-runner-controller/docs/UPGRADING.md

@@ -18,11 +18,11 @@ Due to the above you can't just do a `helm upgrade` to release the latest versio
 
 ## Steps
 
-1. Upgrade CRDs
+1. Upgrade CRDs, this isn't optional, the CRDs you are using must be those that correspond with the version of the controller you are installing
 
 ```shell
- # REMEMBER TO UPDATE THE CHART_VERSION TO RELEVANT CHART VERISON!!!!
-CHART_VERSION=0.16.1
+# REMEMBER TO UPDATE THE CHART_VERSION TO RELEVANT CHART VERISON!!!!
+CHART_VERSION=0.17.0
 
 curl -L https://github.com/actions-runner-controller/actions-runner-controller/releases/download/actions-runner-controller-${CHART_VERSION}/actions-runner-controller-${CHART_VERSION}.tgz | tar zxv --strip 1 actions-runner-controller/crds
 
@@ -32,6 +32,9 @@ kubectl replace -f crds/
 2. Upgrade the Helm release
 
 ```shell
+# helm repo [command]
+helm repo update
+
 # helm upgrade [RELEASE] [CHART] [flags]
 helm upgrade actions-runner-controller \
   actions-runner-controller/actions-runner-controller \

charts/actions-runner-controller/templates/webhook_configs.yaml

@@ -12,6 +12,11 @@ metadata:
 webhooks:
 - admissionReviewVersions:
   - v1beta1
+  {{- if .Values.scope.singleNamespace }}
+  namespaceSelector:
+    matchLabels:
+      name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+  {{- end }}
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
     caBundle: {{ quote .Values.admissionWebHooks.caBundle }}
@@ -35,6 +40,11 @@ webhooks:
   sideEffects: None
 - admissionReviewVersions:
   - v1beta1
+  {{- if .Values.scope.singleNamespace }}
+  namespaceSelector:
+    matchLabels:
+      name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+  {{- end }}
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
     caBundle: {{ .Values.admissionWebHooks.caBundle }}
@@ -58,6 +68,11 @@ webhooks:
   sideEffects: None
 - admissionReviewVersions:
   - v1beta1
+  {{- if .Values.scope.singleNamespace }}
+  namespaceSelector:
+    matchLabels:
+      name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+  {{- end }}
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
     caBundle: {{ .Values.admissionWebHooks.caBundle }}
@@ -81,6 +96,11 @@ webhooks:
   sideEffects: None
 - admissionReviewVersions:
   - v1beta1
+  {{- if .Values.scope.singleNamespace }}
+  namespaceSelector:
+    matchLabels:
+      name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+  {{- end }}
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
     caBundle: {{ .Values.admissionWebHooks.caBundle }}
@@ -117,6 +137,11 @@ metadata:
 webhooks:
 - admissionReviewVersions:
   - v1beta1
+  {{- if .Values.scope.singleNamespace }}
+  namespaceSelector:
+    matchLabels:
+      name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+  {{- end }}
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
     caBundle: {{ .Values.admissionWebHooks.caBundle }}
@@ -140,6 +165,11 @@ webhooks:
   sideEffects: None
 - admissionReviewVersions:
   - v1beta1
+  {{- if .Values.scope.singleNamespace }}
+  namespaceSelector:
+    matchLabels:
+      name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+  {{- end }}
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
     caBundle: {{ .Values.admissionWebHooks.caBundle }}
@@ -163,6 +193,11 @@ webhooks:
   sideEffects: None
 - admissionReviewVersions:
   - v1beta1
+  {{- if .Values.scope.singleNamespace }}
+  namespaceSelector:
+    matchLabels:
+      name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+  {{- end }}
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
     caBundle: {{ .Values.admissionWebHooks.caBundle }}

config/crd/bases/actions.summerwind.dev_runners.yaml

@@ -5126,6 +5126,9 @@ spec:
                   type: string
                 phase:
                   type: string
+                ready:
+                  description: Turns true only if the runner pod is ready.
+                  type: boolean
                 reason:
                   type: string
                 registration:

config/default/gh-webhook-server-auth-proxy-patch.yaml

@@ -0,0 +1,23 @@
+# This patch injects an HTTP proxy sidecar container that performs RBAC
+# authorization against the Kubernetes API using SubjectAccessReviews.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: github-webhook-server
+spec:
+  template:
+    spec:
+      containers:
+        - name: kube-rbac-proxy
+          image: quay.io/brancz/kube-rbac-proxy:v0.10.0
+          args:
+            - '--secure-listen-address=0.0.0.0:8443'
+            - '--upstream=http://127.0.0.1:8080/'
+            - '--logtostderr=true'
+            - '--v=10'
+          ports:
+            - containerPort: 8443
+              name: https
+        - name: github-webhook-server
+          args:
+            - '--metrics-addr=127.0.0.1:8080'

config/default/kustomization.yaml

@@ -22,17 +22,20 @@ bases:
 - ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
+# [GH_WEBHOOK_SERVER] To enable the GitHub webhook server, uncomment all sections with 'GH_WEBHOOK_SERVER'.
+#- ../github-webhook-server
 
 patchesStrategicMerge:
-  # Protect the /metrics endpoint by putting it behind auth.
-  # Only one of manager_auth_proxy_patch.yaml and
-  # manager_prometheus_metrics_patch.yaml should be enabled.
+# Protect the /metrics endpoint by putting it behind auth.
+# Only one of manager_auth_proxy_patch.yaml and
+# manager_prometheus_metrics_patch.yaml should be enabled.
 - manager_auth_proxy_patch.yaml
-  # If you want your controller-manager to expose the /metrics
-  # endpoint w/o any authn/z, uncomment the following line and
-  # comment manager_auth_proxy_patch.yaml.
-  # Only one of manager_auth_proxy_patch.yaml and
-  # manager_prometheus_metrics_patch.yaml should be enabled.
+
+# If you want your controller-manager to expose the /metrics
+# endpoint w/o any authn/z, uncomment the following line and
+# comment manager_auth_proxy_patch.yaml.
+# Only one of manager_auth_proxy_patch.yaml and
+# manager_prometheus_metrics_patch.yaml should be enabled.
 #- manager_prometheus_metrics_patch.yaml
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
@@ -43,6 +46,10 @@ patchesStrategicMerge:
 # 'CERTMANAGER' needs to be enabled to use ca injection
 - webhookcainjection_patch.yaml
 
+# [GH_WEBHOOK_SERVER] To enable the GitHub webhook server, uncomment all sections with 'GH_WEBHOOK_SERVER'.
+# Protect the GitHub webhook server metrics endpoint by putting it behind auth.
+# - gh-webhook-server-auth-proxy-patch.yaml
+
 # the following config is for teaching kustomize how to do var substitution
 vars:
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.

config/default/manager_auth_proxy_patch.yaml

@@ -23,4 +23,3 @@ spec:
         args:
         - "--metrics-addr=127.0.0.1:8080"
         - "--enable-leader-election"
-        - "--sync-period=10m"

config/github-webhook-server/deployment.yaml

@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: github-webhook-server
+    app.kubernetes.io/part-of: actions-runner-controller
+  name: github-webhook-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: github-webhook-server
+      app.kubernetes.io/part-of: actions-runner-controller
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: github-webhook-server
+        app.kubernetes.io/part-of: actions-runner-controller
+    spec:
+      containers:
+        - name: github-webhook-server
+          image: controller:latest
+          command:
+            - '/github-webhook-server'
+          env:
+            - name: GITHUB_WEBHOOK_SECRET_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  key: github_webhook_secret_token
+                  name: github-webhook-server
+                  optional: true
+          ports:
+            - containerPort: 8000
+              name: http
+              protocol: TCP
+      serviceAccountName: github-webhook-server
+      terminationGracePeriodSeconds: 10

config/github-webhook-server/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+images:
+  - name: controller
+    newName: summerwind/actions-runner-controller
+    newTag: latest
+
+resources:
+  - deployment.yaml
+  - rbac.yaml
+  - service.yaml

config/github-webhook-server/rbac.yaml

@@ -0,0 +1,113 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: github-webhook-server
+    app.kubernetes.io/part-of: actions-runner-controller
+  name: github-webhook-server
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: github-webhook-server
+    app.kubernetes.io/part-of: actions-runner-controller
+  name: github-webhook-server
+rules:
+  - apiGroups:
+      - actions.summerwind.dev
+    resources:
+      - horizontalrunnerautoscalers
+    verbs:
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - actions.summerwind.dev
+    resources:
+      - horizontalrunnerautoscalers/finalizers
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - actions.summerwind.dev
+    resources:
+      - horizontalrunnerautoscalers/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - actions.summerwind.dev
+    resources:
+      - runnersets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - actions.summerwind.dev
+    resources:
+      - runnerdeployments
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - actions.summerwind.dev
+    resources:
+      - runnerdeployments/finalizers
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - actions.summerwind.dev
+    resources:
+      - runnerdeployments/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - authentication.k8s.io
+    resources:
+      - tokenreviews
+    verbs:
+      - create
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: github-webhook-server
+    app.kubernetes.io/part-of: actions-runner-controller
+  name: github-webhook-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: github-webhook-server
+subjects:
+  - kind: ServiceAccount
+    name: github-webhook-server

config/github-webhook-server/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: github-webhook-server
+    app.kubernetes.io/part-of: actions-runner-controller
+  name: github-webhook-server
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/component: github-webhook-server
+    app.kubernetes.io/part-of: actions-runner-controller

controllers/pod_runner_token_injector.go

@@ -59,9 +59,9 @@ func (t *PodRunnerTokenInjector) Handle(ctx context.Context, req admission.Reque
 		return newEmptyResponse()
 	}
 
-	enterprise, okEnterprise := getEnv(runnerContainer, "RUNNER_ENTERPRISE")
-	repo, okRepo := getEnv(runnerContainer, "RUNNER_REPO")
-	org, okOrg := getEnv(runnerContainer, "RUNNER_ORG")
+	enterprise, okEnterprise := getEnv(runnerContainer, EnvVarEnterprise)
+	repo, okRepo := getEnv(runnerContainer, EnvVarRepo)
+	org, okOrg := getEnv(runnerContainer, EnvVarOrg)
 	if !okRepo || !okOrg || !okEnterprise {
 		return newEmptyResponse()
 	}

controllers/runner_controller.go

@@ -106,15 +106,16 @@ func (r *RunnerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 			return ctrl.Result{}, nil
 		}
 	} else {
+		// Request to remove a runner. DeletionTimestamp was set in the runner - we need to unregister runner
 		var pod corev1.Pod
 		if err := r.Get(ctx, req.NamespacedName, &pod); err != nil {
 			if !kerrors.IsNotFound(err) {
 				log.Info(fmt.Sprintf("Retrying soon as we failed to get runner pod: %v", err))
 				return ctrl.Result{Requeue: true}, nil
 			}
+			// Pod was not found
+			return r.processRunnerDeletion(runner, ctx, log, nil)
 		}
-
-		// Request to remove a runner. DeletionTimestamp was set in the runner - we need to unregister runner
 		return r.processRunnerDeletion(runner, ctx, log, &pod)
 	}
 
@@ -132,7 +133,9 @@ func (r *RunnerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 		phase = "Created"
 	}
 
-	if runner.Status.Phase != phase {
+	ready := runnerPodReady(&pod)
+
+	if runner.Status.Phase != phase || runner.Status.Ready != ready {
 		if pod.Status.Phase == corev1.PodRunning {
 			// Seeing this message, you can expect the runner to become `Running` soon.
 			log.V(1).Info(
@@ -143,6 +146,7 @@ func (r *RunnerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 
 		updated := runner.DeepCopy()
 		updated.Status.Phase = phase
+		updated.Status.Ready = ready
 		updated.Status.Reason = pod.Status.Reason
 		updated.Status.Message = pod.Status.Message
 
@@ -155,6 +159,18 @@ func (r *RunnerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 	return ctrl.Result{}, nil
 }
 
+func runnerPodReady(pod *corev1.Pod) bool {
+	for _, c := range pod.Status.Conditions {
+		if c.Type != corev1.PodReady {
+			continue
+		}
+
+		return c.Status == corev1.ConditionTrue
+	}
+
+	return false
+}
+
 func runnerContainerExitCode(pod *corev1.Pod) *int32 {
 	for _, status := range pod.Status.ContainerStatuses {
 		if status.Name != containerName {
@@ -172,7 +188,7 @@ func runnerContainerExitCode(pod *corev1.Pod) *int32 {
 func runnerPodOrContainerIsStopped(pod *corev1.Pod) bool {
 	// If pod has ended up succeeded we need to restart it
 	// Happens e.g. when dind is in runner and run completes
-	stopped := pod.Status.Phase == corev1.PodSucceeded
+	stopped := pod.Status.Phase == corev1.PodSucceeded || pod.Status.Phase == corev1.PodFailed
 
 	if !stopped {
 		if pod.Status.Phase == corev1.PodRunning {
@@ -181,7 +197,7 @@ func runnerPodOrContainerIsStopped(pod *corev1.Pod) bool {
 					continue
 				}
 
-				if status.State.Terminated != nil && status.State.Terminated.ExitCode == 0 {
+				if status.State.Terminated != nil {
 					stopped = true
 				}
 			}

controllers/runner_pod_controller.go

@@ -18,6 +18,7 @@ package controllers
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"time"
 
@@ -64,9 +65,19 @@ func (r *RunnerPodReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 		return ctrl.Result{}, nil
 	}
 
+	var envvars []corev1.EnvVar
+	for _, container := range runnerPod.Spec.Containers {
+		if container.Name == "runner" {
+			envvars = container.Env
+		}
+	}
+
+	if len(envvars) == 0 {
+		return ctrl.Result{}, errors.New("Could not determine env vars for runner Pod")
+	}
+
 	var enterprise, org, repo string
 
-	envvars := runnerPod.Spec.Containers[0].Env
 	for _, e := range envvars {
 		switch e.Name {
 		case EnvVarEnterprise:

github/github.go

@@ -153,8 +153,18 @@ func (c *Client) GetRegistrationToken(ctx context.Context, enterprise, org, repo
 	key := getRegistrationKey(org, repo, enterprise)
 	rt, ok := c.regTokens[key]
 
-	// we like to give runners a chance that are just starting up and may miss the expiration date by a bit
-	runnerStartupTimeout := 3 * time.Minute
+	// We'd like to allow the runner just starting up to miss the expiration date by a bit.
+	// Note that this means that we're going to cache Creation Registraion Token API response longer than the
+	// recommended cache duration.
+	//
+	// https://docs.github.com/en/rest/reference/actions#create-a-registration-token-for-a-repository
+	// https://docs.github.com/en/rest/reference/actions#create-a-registration-token-for-an-organization
+	// https://docs.github.com/en/rest/reference/actions#create-a-registration-token-for-an-enterprise
+	// https://docs.github.com/en/rest/overview/resources-in-the-rest-api#conditional-requests
+	//
+	// This is currently set to 30 minutes as the result of the discussion took place at the following issue:
+	// https://github.com/actions-runner-controller/actions-runner-controller/issues/1295
+	runnerStartupTimeout := 30 * time.Minute
 
 	if ok && rt.GetExpiresAt().After(time.Now().Add(runnerStartupTimeout)) {
 		return rt, nil

go.mod

@@ -19,10 +19,10 @@ require (
 	go.uber.org/zap v1.21.0
 	golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a
 	gomodules.xyz/jsonpatch/v2 v2.2.0
-	k8s.io/api v0.23.4
-	k8s.io/apimachinery v0.23.4
-	k8s.io/client-go v0.23.4
-	sigs.k8s.io/controller-runtime v0.11.1
+	k8s.io/api v0.23.5
+	k8s.io/apimachinery v0.23.5
+	k8s.io/client-go v0.23.5
+	sigs.k8s.io/controller-runtime v0.11.2
 	sigs.k8s.io/yaml v1.3.0
 )
 
@@ -68,8 +68,8 @@ require (
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
-	k8s.io/apiextensions-apiserver v0.23.0 // indirect
-	k8s.io/component-base v0.23.0 // indirect
+	k8s.io/apiextensions-apiserver v0.23.5 // indirect
+	k8s.io/component-base v0.23.5 // indirect
 	k8s.io/klog/v2 v2.30.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
 	k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect

go.sum

@@ -947,18 +947,30 @@ honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 k8s.io/api v0.23.0/go.mod h1:8wmDdLBHBNxtOIytwLstXt5E9PddnZb0GaMcqsvDBpg=
 k8s.io/api v0.23.4 h1:85gnfXQOWbJa1SiWGpE9EEtHs0UVvDyIsSMpEtl2D4E=
 k8s.io/api v0.23.4/go.mod h1:i77F4JfyNNrhOjZF7OwwNJS5Y1S9dpwvb9iYRYRczfI=
+k8s.io/api v0.23.5 h1:zno3LUiMubxD/V1Zw3ijyKO3wxrhbUF1Ck+VjBvfaoA=
+k8s.io/api v0.23.5/go.mod h1:Na4XuKng8PXJ2JsploYYrivXrINeTaycCGcYgF91Xm8=
 k8s.io/apiextensions-apiserver v0.23.0 h1:uii8BYmHYiT2ZTAJxmvc3X8UhNYMxl2A0z0Xq3Pm+WY=
 k8s.io/apiextensions-apiserver v0.23.0/go.mod h1:xIFAEEDlAZgpVBl/1VSjGDmLoXAWRG40+GsWhKhAxY4=
+k8s.io/apiextensions-apiserver v0.23.5 h1:5SKzdXyvIJKu+zbfPc3kCbWpbxi+O+zdmAJBm26UJqI=
+k8s.io/apiextensions-apiserver v0.23.5/go.mod h1:ntcPWNXS8ZPKN+zTXuzYMeg731CP0heCTl6gYBxLcuQ=
 k8s.io/apimachinery v0.23.0/go.mod h1:fFCTTBKvKcwTPFzjlcxp91uPFZr+JA0FubU4fLzzFYc=
 k8s.io/apimachinery v0.23.4 h1:fhnuMd/xUL3Cjfl64j5ULKZ1/J9n8NuQEgNL+WXWfdM=
 k8s.io/apimachinery v0.23.4/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM=
+k8s.io/apimachinery v0.23.5 h1:Va7dwhp8wgkUPWsEXk6XglXWU4IKYLKNlv8VkX7SDM0=
+k8s.io/apimachinery v0.23.5/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM=
 k8s.io/apiserver v0.23.0/go.mod h1:Cec35u/9zAepDPPFyT+UMrgqOCjgJ5qtfVJDxjZYmt4=
+k8s.io/apiserver v0.23.5/go.mod h1:7wvMtGJ42VRxzgVI7jkbKvMbuCbVbgsWFT7RyXiRNTw=
 k8s.io/client-go v0.23.0/go.mod h1:hrDnpnK1mSr65lHHcUuIZIXDgEbzc7/683c6hyG4jTA=
 k8s.io/client-go v0.23.4 h1:YVWvPeerA2gpUudLelvsolzH7c2sFoXXR5wM/sWqNFU=
 k8s.io/client-go v0.23.4/go.mod h1:PKnIL4pqLuvYUK1WU7RLTMYKPiIh7MYShLshtRY9cj0=
+k8s.io/client-go v0.23.5 h1:zUXHmEuqx0RY4+CsnkOn5l0GU+skkRXKGJrhmE2SLd8=
+k8s.io/client-go v0.23.5/go.mod h1:flkeinTO1CirYgzMPRWxUCnV0G4Fbu2vLhYCObnt/r4=
 k8s.io/code-generator v0.23.0/go.mod h1:vQvOhDXhuzqiVfM/YHp+dmg10WDZCchJVObc9MvowsE=
+k8s.io/code-generator v0.23.5/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk=
 k8s.io/component-base v0.23.0 h1:UAnyzjvVZ2ZR1lF35YwtNY6VMN94WtOnArcXBu34es8=
 k8s.io/component-base v0.23.0/go.mod h1:DHH5uiFvLC1edCpvcTDV++NKULdYYU6pR9Tt3HIKMKI=
+k8s.io/component-base v0.23.5 h1:8qgP5R6jG1BBSXmRYW+dsmitIrpk8F/fPEvgDenMCCE=
+k8s.io/component-base v0.23.5/go.mod h1:c5Nq44KZyt1aLl0IpHX82fhsn84Sb0jjzwjpcA42bY0=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
@@ -974,8 +986,11 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.25/go.mod h1:Mlj9PNLmG9bZ6BHFwFKDo5afkpWyUISkb9Me0GnK66I=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30/go.mod h1:fEO7lRTdivWO2qYVCVG7dEADOMo/MLDCVr8So2g88Uw=
 sigs.k8s.io/controller-runtime v0.11.1 h1:7YIHT2QnHJArj/dk9aUkYhfqfK5cIxPOX5gPECfdZLU=
 sigs.k8s.io/controller-runtime v0.11.1/go.mod h1:KKwLiTooNGu+JmLZGn9Sl3Gjmfj66eMbCQznLP5zcqA=
+sigs.k8s.io/controller-runtime v0.11.2 h1:H5GTxQl0Mc9UjRJhORusqfJCIjBO8UtUxGggCwL1rLA=
+sigs.k8s.io/controller-runtime v0.11.2/go.mod h1:P6QCzrEjLaZGqHsfd+os7JQ+WFZhvB8MRFsn4dWF7O4=
 sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 h1:fD1pz4yfdADVNfFmcP2aBEtudwUQ1AlLnRBALr33v3s=
 sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=

runner/Dockerfile

@@ -83,7 +83,7 @@ ENV HOME=/home/runner
 #
 # If you're willing to uncomment the following line, you'd also need to comment-out the
 #   && curl -L -o runner.tar.gz https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-${ARCH}-${RUNNER_VERSION}.tar.gz \
-# line in the next `RUN` command in this Dockerfile, to avoid overwiding this runner.tar.gz with a remote one.
+# line in the next `RUN` command in this Dockerfile, to avoid overwiting this runner.tar.gz with a remote one.
 
 # COPY actions-runner-linux-x64-2.280.3.tar.gz /runnertmp/runner.tar.gz
 
@@ -111,12 +111,14 @@ RUN mkdir /opt/hostedtoolcache \
     && chmod g+rwx /opt/hostedtoolcache
 
 COPY entrypoint.sh /
-COPY --chown=runner:docker patched $RUNNER_ASSETS_DIR/patched
 
 # Add the Python "User Script Directory" to the PATH
 ENV PATH="${PATH}:${HOME}/.local/bin"
 ENV ImageOS=ubuntu20
 
+RUN echo "PATH=${PATH}" > /etc/environment \
+    && echo "ImageOS=${ImageOS}" >> /etc/environment
+
 USER runner
 
 ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]

runner/Dockerfile.dindrunner

@@ -114,12 +114,13 @@ RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
 
 VOLUME /var/lib/docker
 
-COPY --chown=runner:docker patched $RUNNER_ASSETS_DIR/patched
-
 # Add the Python "User Script Directory" to the PATH
 ENV PATH="${PATH}:${HOME}/.local/bin"
 ENV ImageOS=ubuntu20
 
+RUN echo "PATH=${PATH}" > /etc/environment \
+    && echo "ImageOS=${ImageOS}" >> /etc/environment
+
 # No group definition, as that makes it harder to run docker.
 USER runner
 

runner/entrypoint.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 
+RUNNER_ASSETS_DIR=${RUNNER_ASSETS_DIR:-/runnertmp}
 RUNNER_HOME=${RUNNER_HOME:-/runner}
 
 LIGHTGREEN="\e[0;32m"
@@ -77,17 +78,21 @@ if [ ! -d "${RUNNER_HOME}" ]; then
 fi
 
 # if this is not a testing environment
-if [ -z "${UNITTEST:-}" ]; then
-  sudo chown -R runner:docker ${RUNNER_HOME}
-  # use cp over mv to avoid issues when /runnertmp and {RUNNER_HOME} are on different devices
-  cp -r /runnertmp/* ${RUNNER_HOME}/
+if [[ "${UNITTEST:-}" == '' ]]; then
+  sudo chown -R runner:docker "$RUNNER_HOME"
+  # enable dotglob so we can copy a ".env" file to load in env vars as part of the service startup if one is provided
+  # loading a .env from the root of the service is part of the actions/runner logic
+  shopt -s dotglob
+  # use cp instead of mv to avoid issues when src and dst are on different devices
+  cp -r "$RUNNER_ASSETS_DIR"/* "$RUNNER_HOME"/
+  shopt -u dotglob
 fi
 
 cd ${RUNNER_HOME}
 # past that point, it's all relative pathes from /runner
 
 config_args=()
-if [ "${RUNNER_FEATURE_FLAG_EPHEMERAL:-}" == "true" -a "${RUNNER_EPHEMERAL}" != "false" ]; then
+if [ "${RUNNER_FEATURE_FLAG_EPHEMERAL:-}" == "true" -a "${RUNNER_EPHEMERAL}" == "true" ]; then
   config_args+=(--ephemeral)
   echo "Passing --ephemeral to config.sh to enable the ephemeral runner."
 fi
@@ -145,29 +150,32 @@ cat .runner
 #     -H "Authorization: bearer ${GITHUB_TOKEN}"
 #     https://api.github.com/repos/USER/REPO/actions/runners/171
 
-if [ -n "${RUNNER_REGISTRATION_ONLY}" ]; then
-  success "This runner is configured to be registration-only. Exiting without starting the runner service..."
-  exit 0
-fi
-
 if [ -z "${UNITTEST:-}" ]; then
-  mkdir ./externals
+  mkdir -p ./externals
   # Hack due to the DinD volumes
   mv ./externalstmp/* ./externals/
-
-  for f in runsvc.sh RunnerService.js; do
-    diff {bin,patched}/${f} || :
-    sudo mv bin/${f}{,.bak}
-    sudo mv {patched,bin}/${f}
-  done
 fi
 
 args=()
-if [ "${RUNNER_FEATURE_FLAG_EPHEMERAL:-}" != "true" -a "${RUNNER_EPHEMERAL}" != "false" ]; then
+if [ "${RUNNER_FEATURE_FLAG_EPHEMERAL:-}" != "true" -a "${RUNNER_EPHEMERAL}" == "true" ]; then
   args+=(--once)
   echo "[WARNING] Passing --once is deprecated and will be removed as an option from the image and ARC at the release of 0.24.0."
   echo "[WARNING] Upgrade to GHES => 3.3 to continue using actions-runner-controller. If you are using github.com ignore this warning."
 fi
 
-unset RUNNER_NAME RUNNER_REPO RUNNER_TOKEN
-exec ./bin/runsvc.sh "${args[@]}"
+# Unset entrypoint environment variables so they don't leak into the runner environment
+unset RUNNER_NAME RUNNER_REPO RUNNER_TOKEN STARTUP_DELAY_IN_SECONDS DISABLE_WAIT_FOR_DOCKER
+
+# Docker ignores PAM and thus never loads the system environment variables that
+# are meant to be set in every environment of every user. We emulate the PAM
+# behavior by reading the environment variables without interpreting them.
+#
+# https://github.com/actions-runner-controller/actions-runner-controller/issues/1135
+# https://github.com/actions/runner/issues/1703
+
+# /etc/environment may not exist when running unit tests depending on the platform being used
+# (e.g. Mac OS) so we just skip the mapping entirely
+if [ -z "${UNITTEST:-}" ]; then
+  mapfile -t env </etc/environment
+fi
+exec env -- "${env[@]}" ./run.sh "${args[@]}"

runner/patched/RunnerService.js

@@ -1,91 +0,0 @@
-#!/usr/bin/env node
-// Copyright (c) GitHub. All rights reserved.
-// Licensed under the MIT license. See LICENSE file in the project root for full license information.
-
-var childProcess = require("child_process");
-var path = require("path")
-
-var supported = ['linux', 'darwin']
-
-if (supported.indexOf(process.platform) == -1) {
-    console.log('Unsupported platform: ' + process.platform);
-    console.log('Supported platforms are: ' + supported.toString());
-    process.exit(1);
-}
-
-var stopping = false;
-var listener = null;
-
-var runService = function() {
-    var listenerExePath = path.join(__dirname, '../bin/Runner.Listener');
-    var interactive = process.argv[2] === "interactive";
-
-    if(!stopping) {
-        try {
-            if (interactive) {
-                console.log('Starting Runner listener interactively');
-                listener = childProcess.spawn(listenerExePath, ['run'].concat(process.argv.slice(3)), { env: process.env });
-            } else {
-                console.log('Starting Runner listener with startup type: service');
-                listener = childProcess.spawn(listenerExePath, ['run', '--startuptype', 'service'].concat(process.argv.slice(2)), { env: process.env });
-            }
-
-            console.log('Started listener process');
-
-            listener.stdout.on('data', (data) => {
-                process.stdout.write(data.toString('utf8'));
-            });
-
-            listener.stderr.on('data', (data) => {
-                process.stdout.write(data.toString('utf8'));
-            });
-
-            listener.on('close', (code) => {
-                console.log(`Runner listener exited with error code ${code}`);
-
-                if (code === 0) {
-                    console.log('Runner listener exit with 0 return code, stop the service, no retry needed.');
-                    stopping = true;
-                } else if (code === 1) {
-                    console.log('Runner listener exit with terminated error, stop the service, no retry needed.');
-                    stopping = true;
-                } else if (code === 2) {
-                    console.log('Runner listener exit with retryable error, re-launch runner in 5 seconds.');
-                } else if (code === 3) {
-                    console.log('Runner listener exit because of updating, re-launch runner in 5 seconds.');
-                } else {
-                    console.log('Runner listener exit with undefined return code, re-launch runner in 5 seconds.');
-                }
-
-                if(!stopping) {
-                    setTimeout(runService, 5000);
-                }
-            });
-
-        } catch(ex) {
-            console.log(ex);
-        }
-    }
-}
-
-runService();
-console.log('Started running service');
-
-var gracefulShutdown = function(code) {
-    console.log('Shutting down runner listener');
-    stopping = true;
-    if (listener) {
-        console.log('Sending SIGINT to runner listener to stop');
-        listener.kill('SIGINT');
-
-        // TODO wait for 30 seconds and send a SIGKILL
-    }
-}
-
-process.on('SIGINT', () => {
-    gracefulShutdown(0);
-});
-
-process.on('SIGTERM', () => {
-    gracefulShutdown(0);
-});

runner/patched/runsvc.sh

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# convert SIGTERM signal to SIGINT
-# for more info on how to propagate SIGTERM to a child process see: http://veithen.github.io/2014/11/16/sigterm-propagation.html
-trap 'kill -INT $PID' TERM INT
-
-if [ -f ".path" ]; then
-    # configure
-    export PATH=`cat .path`
-    echo ".path=${PATH}"
-fi
-
-# insert anything to setup env when running as a service
-
-# run the host process which keep the listener alive
-./externals/node12/bin/node ./bin/RunnerService.js $* &
-PID=$!
-wait $PID
-trap - TERM INT
-wait $PID

test/e2e/e2e_test.go

@@ -37,13 +37,23 @@ var (
 		},
 		{
 			Dockerfile: "../../runner/Dockerfile",
-			Args:       []testing.BuildArg{},
-			Image:      runnerImage,
+			Args: []testing.BuildArg{
+				{
+					Name:  "RUNNER_VERSION",
+					Value: "2.289.2",
+				},
+			},
+			Image: runnerImage,
 		},
 		{
 			Dockerfile: "../../runner/Dockerfile.dindrunner",
-			Args:       []testing.BuildArg{},
-			Image:      runnerDindImage,
+			Args: []testing.BuildArg{
+				{
+					Name:  "RUNNER_VERSION",
+					Value: "2.289.2",
+				},
+			},
+			Image: runnerDindImage,
 		},
 	}
 
@@ -58,7 +68,7 @@ var (
 	}
 
 	commonScriptEnv = []string{
-		"SYNC_PERIOD=" + "10s",
+		"SYNC_PERIOD=" + "30m",
 		"NAME=" + controllerImageRepo,
 		"VERSION=" + controllerImageTag,
 		"RUNNER_TAG=" + runnerImageTag,

test/entrypoint/assets/config.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 export LIGHTGREEN='\e[0;32m'
 export LIGHTRED='\e[0;31m'
@@ -18,11 +18,15 @@ error(){
 }
 
 success "I'm configured normally"
-touch .runner
-echo "$*" > runner_config
+
+# Condition for should_retry_configuring test
+if [ -z "${FAIL_RUNNER_CONFIG_SETUP}" ]; then
+  touch .runner
+fi
+
+echo "$@" > runner_config
 success "created a dummy config file"
-success
-# Adding a counter to see how many times we've gone through the configuration step
+# adding a counter to see how many times we've gone through the configuration step
 count=`cat counter 2>/dev/null|| echo "0"`
 count=$((count + 1))
 echo ${count} > counter

test/entrypoint/assets/logging.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 export LIGHTGREEN='\e[0;32m'
 export LIGHTRED='\e[0;31m'

test/entrypoint/assets/run.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -euo pipefail
 
@@ -20,12 +20,9 @@ error(){
   exit 1
 }
 
+log "Dumping set runner arguments"
+echo "$@" > runner_args
+success "Pretending to run service..."
+touch run_sh_ran
+success "Success"
 success ""
-success "Running the service..."
-# SHOULD NOT HAPPEN
-# creating a file to show this script has run
-touch runsvc_ran
-success "...successful"
-success ""
-
-

test/entrypoint/should_retry_configuring/config.sh

@@ -1,29 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-export LIGHTGREEN='\e[0;32m'
-export LIGHTRED='\e[0;31m'
-export WHITE='\e[0;97m'
-export RESET='\e[0m'
-
-log(){
-  printf "\t${WHITE}$@${RESET}\n" 2>&1
-}
-
-success(){
-  printf "\t${LIGHTGREEN}$@${RESET}\n" 2>&1
-}
-
-error(){
-  printf "\t${LIGHTRED}$@${RESET}\n" 2>&1
-  exit 1
-}
-
-echo "$*" > runner_config
-success "I'm pretending the configuration is not successful"
-# increasing a counter to measure how many times we restarted
-count=`cat counter 2>/dev/null|| echo "0"`
-count=$((count + 1))
-echo ${count} > counter
-

test/entrypoint/should_retry_configuring/test.sh

@@ -1,12 +1,12 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 # UNITTEST: retry config
 # Will simulate a configuration failure and expects:
 # - the configuration step to be run 10 times
 # - the entrypoint script to exit with error code 2
-# - the runsvc.sh script to never run.
+# - the run.sh script to never run.
 
-source ../logging.sh
+source ../assets/logging.sh
 
 entrypoint_log() {
   while read I; do
@@ -14,17 +14,22 @@ entrypoint_log() {
   done
 }
 
-log "Setting up the test"
+log "Setting up test area"
+export RUNNER_HOME=testarea
+mkdir -p ${RUNNER_HOME}
+
+log "Setting up the test config"
 export UNITTEST=true
-export RUNNER_HOME=localhome
+export FAIL_RUNNER_CONFIG_SETUP=true
 export RUNNER_NAME="example_runner_name"
 export RUNNER_REPO="myorg/myrepo"
 export RUNNER_TOKEN="xxxxxxxxxxxxx"
 
-mkdir -p ${RUNNER_HOME}/bin
-# add up the config.sh and runsvc.sh
-ln -s ../config.sh ${RUNNER_HOME}/config.sh
-ln -s ../../runsvc.sh ${RUNNER_HOME}/bin/runsvc.sh
+# run.sh and config.sh get used by the runner's real entrypoint.sh and are part of actions/runner.
+# We change symlink dummy versions so the entrypoint.sh can run allowing us to test the real entrypoint.sh
+log "Symlink dummy config.sh and run.sh"
+ln -s ../../assets/config.sh ${RUNNER_HOME}/config.sh
+ln -s ../../assets/run.sh ${RUNNER_HOME}/run.sh
 
 cleanup() {
   rm -rf ${RUNNER_HOME}
@@ -33,41 +38,44 @@ cleanup() {
   unset RUNNER_NAME
   unset RUNNER_REPO
   unset RUNNER_TOKEN
+  unset FAIL_RUNNER_CONFIG_SETUP
 }
 
+# Always run cleanup when test ends regardless of how it ends
 trap cleanup SIGINT SIGTERM SIGQUIT EXIT
 
 log "Running the entrypoint"
 log ""
 
+# Run the runner entrypoint script which as a final step runs this
+# unit tests run.sh as it was symlinked
 ../../../runner/entrypoint.sh 2> >(entrypoint_log)
 
 if [ "$?" != "2" ]; then
   error "========================================="
-  error "Configuration should have thrown an error"
+  error "FAIL | Configuration should have thrown an error"
   exit 1
 fi
-success "Entrypoint didn't complete successfully"
-success ""
+
+success "PASS | Entrypoint didn't complete successfully"
 
 log "Checking the counter, should have 10 iterations"
 count=`cat ${RUNNER_HOME}/counter || "notfound"`
 if [ "${count}" != "10" ]; then
   error "============================================="
-  error "The retry loop should have done 10 iterations"
+  error "FAIL | The retry loop should have done 10 iterations"
   exit 1
 fi
-success "Retry loop went up to 10"
-success
+success "PASS | Retry loop went up to 10"
 
-log "Checking that runsvc never ran"
-if [ -f ${RUNNER_HOME}/runsvc_ran ]; then
+log "Checking that run.sh never ran"
+if [ -f ${RUNNER_HOME}/run_sh_ran ]; then
   error "================================================================="
-  error "runsvc was invoked, entrypoint.sh should have failed before that."
+  error "FAIL | run.sh was invoked, entrypoint.sh should have failed before that."
   exit 1
 fi
 
-success "runsvc.sh never ran"
+success "PASS | run.sh never ran"
 success
 success "==========================="
 success "Test completed successfully"

test/entrypoint/should_switch_to_ephemeral_upstream_feature/config.sh

@@ -1,29 +0,0 @@
-#!/bin/bash
-
-export LIGHTGREEN='\e[0;32m'
-export LIGHTRED='\e[0;31m'
-export WHITE='\e[0;97m'
-export RESET='\e[0m'
-
-log(){
-  printf "\t${WHITE}$@${RESET}\n" 2>&1
-}
-
-success(){
-  printf "\t${LIGHTGREEN}$@${RESET}\n" 2>&1
-}
-
-error(){
-  printf "\t${LIGHTRED}$@${RESET}\n" 2>&1
-}
-
-success "I'm configured normally"
-touch .runner
-echo "$*" > runner_config
-success "created a dummy config file"
-success
-# adding a counter to see how many times we've gone through a configuration step
-count=`cat counter 2>/dev/null|| echo "0"`
-count=$((count + 1))
-echo ${count} > counter
-

test/entrypoint/should_switch_to_ephemeral_upstream_feature/runsvc.sh

@@ -1,31 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-export LIGHTGREEN='\e[0;32m'
-export LIGHTRED='\e[0;31m'
-export WHITE='\e[0;97m'
-export RESET='\e[0m'
-
-log(){
-  printf "\t${WHITE}$@${RESET}\n" 2>&1
-}
-
-success(){
-  printf "\t${LIGHTGREEN}$@${RESET}\n" 2>&1
-}
-
-error(){
-  printf "\t${LIGHTRED}$@${RESET}\n" 2>&1
-  exit 1
-}
-
-success ""
-success "Running the service..."
-# test if --once is present as a parameter
-echo "$*" | grep -q 'once' && error "Should not include --once in the parameters"
-success "...successful"
-touch runsvc_ran
-success ""
-
-

test/entrypoint/should_switch_to_ephemeral_upstream_feature/test.sh

@@ -1,81 +0,0 @@
-#!/bin/bash
-
-# UNITTEST: should work as non ephemeral
-# Will simulate a scenario where ephemeral=false. expects:
-# - the configuration step to be run exactly once
-# - the entrypoint script to exit with no error
-# - the runsvc.sh script to run without the --once flag
-
-source ../logging.sh
-
-entrypoint_log() {
-  while read I; do
-    printf "\tentrypoint.sh: $I\n"
-  done
-}
-
-log "Setting up the test"
-export UNITTEST=true
-export RUNNER_HOME=localhome
-export RUNNER_NAME="example_runner_name"
-export RUNNER_REPO="myorg/myrepo"
-export RUNNER_TOKEN="xxxxxxxxxxxxx"
-export RUNNER_EPHEMERAL=true
-export RUNNER_FEATURE_FLAG_EPHEMERAL=true
-
-mkdir -p ${RUNNER_HOME}/bin
-# add up the config.sh and runsvc.sh
-ln -s ../config.sh ${RUNNER_HOME}/config.sh
-ln -s ../../runsvc.sh ${RUNNER_HOME}/bin/runsvc.sh
-
-cleanup() {
-  rm -rf ${RUNNER_HOME}
-  unset UNITTEST
-  unset RUNNERHOME
-  unset RUNNER_NAME
-  unset RUNNER_REPO
-  unset RUNNER_TOKEN
-  unset RUNNER_EPHEMERAL
-  unset RUNNER_FEATURE_FLAG_EPHEMERAL
-}
-
-trap cleanup SIGINT SIGTERM SIGQUIT EXIT
-
-log "Running the entrypoint"
-log ""
-
-../../../runner/entrypoint.sh 2> >(entrypoint_log)
-
-if [ "$?" != "0" ]; then
-  error "==========================================="
-  error "Entrypoint script did not exit successfully"
-  exit 1
-fi
-
-log "Testing if we went through the configuration step only once"
-count=`cat ${RUNNER_HOME}/counter || echo "not_found"`
-if [ ${count} != "1" ]; then
-  error "==============================================="
-  error "The configuration step was not run exactly once"
-  exit 1
-fi
-
-log "Testing if the configuration included the --ephemeral flag"
-if ! grep -q -- '--ephemeral' ${RUNNER_HOME}/runner_config; then
-  error "==============================================="
-  error "The configuration did not include the --ephemeral flag"
-  exit 1
-fi
-
-success "The configuration ran ${count} time(s)"
-
-log "Testing if runsvc ran"
-if [ ! -f "${RUNNER_HOME}/runsvc_ran" ]; then
-  error "=============================="
-  error "The runner service has not run"
-  exit 1
-fi
-success "The service ran"
-success ""
-success "==========================="
-success "Test completed successfully"

test/entrypoint/should_work_disable_update/runsvc.sh

@@ -1,31 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-export LIGHTGREEN='\e[0;32m'
-export LIGHTRED='\e[0;31m'
-export WHITE='\e[0;97m'
-export RESET='\e[0m'
-
-log(){
-  printf "\t${WHITE}$@${RESET}\n" 2>&1
-}
-
-success(){
-  printf "\t${LIGHTGREEN}$@${RESET}\n" 2>&1
-}
-
-error(){
-  printf "\t${LIGHTRED}$@${RESET}\n" 2>&1
-  exit 1
-}
-
-success ""
-success "Running the service..."
-# test if --once is present as a parameter
-echo "$*" | grep -q 'once' || error "Should include --once in the parameters"j
-success "...successful"
-touch runsvc_ran
-success ""
-
-

test/entrypoint/should_work_non_ephemeral/config.sh

@@ -1,29 +0,0 @@
-#!/bin/bash
-
-export LIGHTGREEN='\e[0;32m'
-export LIGHTRED='\e[0;31m'
-export WHITE='\e[0;97m'
-export RESET='\e[0m'
-
-log(){
-  printf "\t${WHITE}$@${RESET}\n" 2>&1
-}
-
-success(){
-  printf "\t${LIGHTGREEN}$@${RESET}\n" 2>&1
-}
-
-error(){
-  printf "\t${LIGHTRED}$@${RESET}\n" 2>&1
-}
-
-success "I'm configured normally"
-touch .runner
-echo "$*" > runner_config
-success "created a dummy config file"
-success
-# adding a counter to see how many times we've gone through a configuration step
-count=`cat counter 2>/dev/null|| echo "0"`
-count=$((count + 1))
-echo ${count} > counter
-

test/entrypoint/should_work_non_ephemeral/runsvc.sh

@@ -1,31 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-export LIGHTGREEN='\e[0;32m'
-export LIGHTRED='\e[0;31m'
-export WHITE='\e[0;97m'
-export RESET='\e[0m'
-
-log(){
-  printf "\t${WHITE}$@${RESET}\n" 2>&1
-}
-
-success(){
-  printf "\t${LIGHTGREEN}$@${RESET}\n" 2>&1
-}
-
-error(){
-  printf "\t${LIGHTRED}$@${RESET}\n" 2>&1
-  exit 1
-}
-
-success ""
-success "Running the service..."
-# test if --once is present as a parameter
-echo "$*" | grep -q 'once' && error "Should not include --once in the parameters"
-success "...successful"
-touch runsvc_ran
-success ""
-
-

test/entrypoint/should_work_non_ephemeral/test.sh

@@ -1,12 +1,12 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 # UNITTEST: should work as non ephemeral
 # Will simulate a scenario where ephemeral=false. expects:
 # - the configuration step to be run exactly once
 # - the entrypoint script to exit with no error
-# - the runsvc.sh script to run without the --once flag
+# - the run.sh script to run without the --once flag
 
-source ../logging.sh
+source ../assets/logging.sh
 
 entrypoint_log() {
   while read I; do
@@ -14,18 +14,22 @@ entrypoint_log() {
   done
 }
 
+log "Setting up test area"
+export RUNNER_HOME=testarea
+mkdir -p ${RUNNER_HOME}
+
 log "Setting up the test"
 export UNITTEST=true
-export RUNNER_HOME=localhome
 export RUNNER_NAME="example_runner_name"
 export RUNNER_REPO="myorg/myrepo"
 export RUNNER_TOKEN="xxxxxxxxxxxxx"
 export RUNNER_EPHEMERAL=false
 
-mkdir -p ${RUNNER_HOME}/bin
-# add up the config.sh and runsvc.sh
-ln -s ../config.sh ${RUNNER_HOME}/config.sh
-ln -s ../../runsvc.sh ${RUNNER_HOME}/bin/runsvc.sh
+# run.sh and config.sh get used by the runner's real entrypoint.sh and are part of actions/runner.
+# We change symlink dummy versions so the entrypoint.sh can run allowing us to test the real entrypoint.sh
+log "Symlink dummy config.sh and run.sh"
+ln -s ../../assets/config.sh ${RUNNER_HOME}/config.sh
+ln -s ../../assets/run.sh ${RUNNER_HOME}/run.sh
 
 cleanup() {
   rm -rf ${RUNNER_HOME}
@@ -37,16 +41,19 @@ cleanup() {
   unset RUNNER_EPHEMERAL
 }
 
+# Always run cleanup when test ends regardless of how it ends
 trap cleanup SIGINT SIGTERM SIGQUIT EXIT
 
 log "Running the entrypoint"
 log ""
 
+# Run the runner entrypoint script which as a final step runs this
+# unit tests run.sh as it was symlinked
 ../../../runner/entrypoint.sh 2> >(entrypoint_log)
 
 if [ "$?" != "0" ]; then
   error "==========================================="
-  error "Entrypoint script did not exit successfully"
+  error "FAIL | Entrypoint script did not exit successfully"
   exit 1
 fi
 
@@ -54,19 +61,19 @@ log "Testing if we went through the configuration step only once"
 count=`cat ${RUNNER_HOME}/counter || echo "not_found"`
 if [ ${count} != "1" ]; then
   error "==============================================="
-  error "The configuration step was not run exactly once"
+  error "FAIL | The configuration step was not run exactly once"
   exit 1
 fi
 
-success "The configuration ran ${count} time(s)"
+success "PASS | The configuration ran ${count} time(s)"
 
-log "Testing if runsvc ran"
-if [ ! -f "${RUNNER_HOME}/runsvc_ran" ]; then
+log "Testing if run.sh ran"
+if [ ! -f "${RUNNER_HOME}/run_sh_ran" ]; then
   error "=============================="
-  error "The runner service has not run"
+  error "FAIL | The runner service has not run"
   exit 1
 fi
-success "The service ran"
+success "PASS | run.sh ran"
 success ""
 success "==========================="
 success "Test completed successfully"

test/entrypoint/should_work_normally/config.sh

@@ -1,29 +0,0 @@
-#!/bin/bash
-
-export LIGHTGREEN='\e[0;32m'
-export LIGHTRED='\e[0;31m'
-export WHITE='\e[0;97m'
-export RESET='\e[0m'
-
-log(){
-  printf "\t${WHITE}$@${RESET}\n" 2>&1
-}
-
-success(){
-  printf "\t${LIGHTGREEN}$@${RESET}\n" 2>&1
-}
-
-error(){
-  printf "\t${LIGHTRED}$@${RESET}\n" 2>&1
-}
-
-success "I'm configured normally"
-touch .runner
-echo "$*" > runner_config
-success "created a dummy config file"
-success
-# Adding a counter to see how many times we've gone through the configuration step
-count=`cat counter 2>/dev/null|| echo "0"`
-count=$((count + 1))
-echo ${count} > counter
-

test/entrypoint/should_work_normally/runsvc.sh

@@ -1,31 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-export LIGHTGREEN='\e[0;32m'
-export LIGHTRED='\e[0;31m'
-export WHITE='\e[0;97m'
-export RESET='\e[0m'
-
-log(){
-  printf "\t${WHITE}$@${RESET}\n" 2>&1
-}
-
-success(){
-  printf "\t${LIGHTGREEN}$@${RESET}\n" 2>&1
-}
-
-error(){
-  printf "\t${LIGHTRED}$@${RESET}\n" 2>&1
-  exit 1
-}
-
-success ""
-success "Running the service..."
-# test if --once is present as a parameter
-echo "$*" | grep -q 'once' || error "Should include --once in the parameters"j
-success "...successful"
-touch runsvc_ran
-success ""
-
-

test/entrypoint/should_work_normally/test.sh

@@ -1,12 +1,12 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 # UNITTEST: should work normally
 # Will simulate a normal execution scenario. expects:
 # - the configuration step to be run exactly once
 # - the entrypoint script to exit with no error
-# - the runsvc.sh script to run with the --once flag activated.
+# - the run.sh script to run with the --once flag activated.
 
-source ../logging.sh
+source ../assets/logging.sh
 
 entrypoint_log() {
   while read I; do
@@ -14,17 +14,21 @@ entrypoint_log() {
   done
 }
 
+log "Setting up test area"
+export RUNNER_HOME=testarea
+mkdir -p ${RUNNER_HOME}
+
 log "Setting up the test"
 export UNITTEST=true
-export RUNNER_HOME=localhome
 export RUNNER_NAME="example_runner_name"
 export RUNNER_REPO="myorg/myrepo"
 export RUNNER_TOKEN="xxxxxxxxxxxxx"
 
-mkdir -p ${RUNNER_HOME}/bin
-# add up the config.sh and runsvc.sh
-ln -s ../config.sh ${RUNNER_HOME}/config.sh
-ln -s ../../runsvc.sh ${RUNNER_HOME}/bin/runsvc.sh
+# run.sh and config.sh get used by the runner's real entrypoint.sh and are part of actions/runner.
+# We change symlink dummy versions so the entrypoint.sh can run allowing us to test the real entrypoint.sh
+log "Symlink dummy config.sh and run.sh"
+ln -s ../../assets/config.sh ${RUNNER_HOME}/config.sh
+ln -s ../../assets/run.sh ${RUNNER_HOME}/run.sh
 
 cleanup() {
   rm -rf ${RUNNER_HOME}
@@ -35,11 +39,14 @@ cleanup() {
   unset RUNNER_TOKEN
 }
 
+# Always run cleanup when test ends regardless of how it ends
 trap cleanup SIGINT SIGTERM SIGQUIT EXIT
 
 log "Running the entrypoint"
 log ""
 
+# Run the runner entrypoint script which as a final step runs this
+# unit tests run.sh as it was symlinked
 ../../../runner/entrypoint.sh 2> >(entrypoint_log)
 
 if [ "$?" != "0" ]; then
@@ -52,26 +59,29 @@ log "Testing if the configuration step was run only once"
 count=`cat ${RUNNER_HOME}/counter || echo "not_found"`
 if [ ${count} != "1" ]; then
   error "==============================================="
-  error "The configuration step was not run exactly once"
+  error "FAIL | The configuration step was not run exactly once"
   exit 1
 fi
-success "The configuration ran ${count} time(s)"
+
+success "PASS | The configuration ran ${count} time(s)"
 
 log "Testing if the configuration included the --ephemeral flag"
 if grep -q -- '--ephemeral' ${RUNNER_HOME}/runner_config; then
   error "==============================================="
-  error "The configuration should not include the --ephemeral flag"
+  error "FAIL | The configuration should not include the --ephemeral flag"
   exit 1
 fi
 
-log "Testing if runsvc ran"
-if [ ! -f "${RUNNER_HOME}/runsvc_ran" ]; then
+success "PASS | The --ephemeral switch was included in the configuration"
+
+log "Testing if run.sh ran"
+if [ ! -f "${RUNNER_HOME}/run_sh_ran" ]; then
   error "=============================="
-  error "The runner service has not run"
+  error "FAIL | The runner service has not run"
   exit 1
 fi
 
-success "The service ran"
+success "PASS | run.sh ran"
 success ""
 success "==========================="
 success "Test completed successfully"

test/entrypoint/should_work_use_disable_update_switch/test.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 # UNITTEST: should work disable update
 # Will simulate a scneario where disableupdate=true. expects:
@@ -6,7 +6,7 @@
 # - the entrypoint script to exit with no error
 # - the config.sh script to run with the --disableupdate flag set to 'true'.
 
-source ../logging.sh
+source ../assets/logging.sh
 
 entrypoint_log() {
   while read I; do
@@ -14,18 +14,22 @@ entrypoint_log() {
   done
 }
 
+log "Setting up test area"
+export RUNNER_HOME=testarea
+mkdir -p ${RUNNER_HOME}
+
 log "Setting up the test"
 export UNITTEST=true
-export RUNNER_HOME=localhome
 export RUNNER_NAME="example_runner_name"
 export RUNNER_REPO="myorg/myrepo"
 export RUNNER_TOKEN="xxxxxxxxxxxxx"
 export DISABLE_RUNNER_UPDATE="true"
 
-mkdir -p ${RUNNER_HOME}/bin
-# add up the config.sh and runsvc.sh
-ln -s ../config.sh ${RUNNER_HOME}/config.sh
-ln -s ../../runsvc.sh ${RUNNER_HOME}/bin/runsvc.sh
+# run.sh and config.sh get used by the runner's real entrypoint.sh and are part of actions/runner.
+# We change symlink dummy versions so the entrypoint.sh can run allowing us to test the real entrypoint.sh
+log "Symlink dummy config.sh and run.sh"
+ln -s ../../assets/config.sh ${RUNNER_HOME}/config.sh
+ln -s ../../assets/run.sh ${RUNNER_HOME}/run.sh
 
 cleanup() {
   rm -rf ${RUNNER_HOME}
@@ -36,16 +40,19 @@ cleanup() {
   unset RUNNER_TOKEN
 }
 
+# Always run cleanup when test ends regardless of how it ends
 trap cleanup SIGINT SIGTERM SIGQUIT EXIT
 
 log "Running the entrypoint"
 log ""
 
+# run.sh and config.sh get used by the runner's real entrypoint.sh and are part of actions/runner.
+# We change symlink dummy versions so the entrypoint.sh can run allowing us to test the real entrypoint.sh
 ../../../runner/entrypoint.sh 2> >(entrypoint_log)
 
 if [ "$?" != "0" ]; then
   error "=========================="
-  error "Test completed with errors"
+  error "FAIL | Test completed with errors"
   exit 1
 fi
 
@@ -53,26 +60,28 @@ log "Testing if the configuration step was run only once"
 count=`cat ${RUNNER_HOME}/counter || echo "not_found"`
 if [ ${count} != "1" ]; then
   error "==============================================="
-  error "The configuration step was not run exactly once"
+  error "FAIL | The configuration step was not run exactly once"
   exit 1
 fi
-success "The configuration ran ${count} time(s)"
+success "PASS | The configuration ran ${count} time(s)"
 
 log "Testing if the configuration included the --disableupdate flag"
 if ! grep -q -- '--disableupdate' ${RUNNER_HOME}/runner_config; then
   error "==============================================="
-  error "The configuration should not include the --disableupdate flag"
+  error "FAIL | The configuration should not include the --disableupdate flag"
   exit 1
 fi
 
-log "Testing if runsvc ran"
-if [ ! -f "${RUNNER_HOME}/runsvc_ran" ]; then
+success "PASS | The --disableupdate switch was included in the configuration"
+
+log "Testing if run.sh ran"
+if [ ! -f "${RUNNER_HOME}/run_sh_ran" ]; then
   error "=============================="
-  error "The runner service has not run"
+  error "FAIL | The runner service has not run"
   exit 1
 fi
 
-success "The service ran"
+success "PASS | run.sh ran"
 success ""
 success "==========================="
 success "Test completed successfully"

test/entrypoint/should_work_use_once_switch/test.sh

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+# UNITTEST: should work legacy once switch set
+# Will simulate a scenario where RUNNER_FEATURE_FLAG_EPHEMERAL=false. expects:
+# - the configuration step to be run exactly once
+# - the entrypoint script to exit with no error
+# - the run.sh script to run with the --once flag
+
+source ../assets/logging.sh
+
+entrypoint_log() {
+  while read I; do
+    printf "\tentrypoint.sh: $I\n"
+  done
+}
+
+log "Setting up test area"
+export RUNNER_HOME=testarea
+mkdir -p ${RUNNER_HOME}
+
+log "Setting up the test"
+export UNITTEST=true
+export RUNNER_NAME="example_runner_name"
+export RUNNER_REPO="myorg/myrepo"
+export RUNNER_TOKEN="xxxxxxxxxxxxx"
+export RUNNER_FEATURE_FLAG_EPHEMERAL="false"
+export RUNNER_EPHEMERAL="true"
+
+# run.sh and config.sh get used by the runner's real entrypoint.sh and are part of actions/runner.
+# We change symlink dummy versions so the entrypoint.sh can run allowing us to test the real entrypoint.sh
+log "Symlink dummy config.sh and run.sh"
+ln -s ../../assets/config.sh ${RUNNER_HOME}/config.sh
+ln -s ../../assets/run.sh ${RUNNER_HOME}/run.sh
+
+cleanup() {
+  rm -rf ${RUNNER_HOME}
+  unset UNITTEST
+  unset RUNNERHOME
+  unset RUNNER_NAME
+  unset RUNNER_REPO
+  unset RUNNER_TOKEN
+  unset RUNNER_EPHEMERAL
+  unset RUNNER_FEATURE_FLAG_EPHEMERAL
+}
+
+# Always run cleanup when test ends regardless of how it ends
+trap cleanup SIGINT SIGTERM SIGQUIT EXIT
+
+log "Running the entrypoint"
+log ""
+
+# run.sh and config.sh get used by the runner's real entrypoint.sh and are part of actions/runner.
+# We change symlink dummy versions so the entrypoint.sh can run allowing us to test the real entrypoint.sh
+../../../runner/entrypoint.sh 2> >(entrypoint_log)
+
+if [ "$?" != "0" ]; then
+  error "==========================================="
+  error "FAIL | Entrypoint script did not exit successfully"
+  exit 1
+fi
+
+log "Testing if we went through the configuration step only once"
+count=`cat ${RUNNER_HOME}/counter || echo "not_found"`
+if [ ${count} != "1" ]; then
+  error "==============================================="
+  error "FAIL | The configuration step was not run exactly once"
+  exit 1
+fi
+
+success "PASS | The configuration ran ${count} time(s)"
+
+log "Testing if the configuration included the --once flag"
+if ! grep -q -- '--once' ${RUNNER_HOME}/runner_args; then
+  error "==============================================="
+  error "FAIL | The configuration did not include the --once flag, config printed below:"
+  exit 1
+fi
+
+success "PASS | The --once argument was passed in"
+
+log "Testing if run.sh ran"
+if [ ! -f "${RUNNER_HOME}/run_sh_ran" ]; then
+  error "=============================="
+  error "FAIL | The runner service has not run"
+  exit 1
+fi
+success "PASS | run.sh ran"
+success ""
+success "==========================="
+success "Test completed successfully"

test/entrypoint/test.sh

@@ -1,13 +1,12 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
-source logging.sh
+source assets/logging.sh
 
 for unittest in ./should*; do
   log "**********************************"
   log " UNIT TEST: ${unittest}"
   log "**********************************"
   log ""
-
   cd ${unittest}
   ./test.sh
   ret_code=$?