Merge pull request #36 from summerwind/runner-v2.169.1

Update runner to v2.169.1
Use latest container image
2025-12-11 20:21:02 +00:00 · 2020-04-18 10:41:34 +09:00 · 2020-04-16 19:16:15 +09:00 · 2020-04-16 19:16:07 +09:00 · 2020-04-16 17:55:02 +09:00 · 2020-04-15 19:47:07 -04:00
15 changed files with 571 additions and 155 deletions
--- a/1
+++ b/1
@@ -13,6 +13,7 @@ RUN go mod download
 COPY main.go main.go
 COPY api/ api/
 COPY controllers/ controllers/
+COPY github/ github/

 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go
--- a/README.md
+++ b/README.md
@@ -16,10 +16,61 @@ First, install *actions-runner-controller* with a manifest file. This will creat
 $ kubectl apply -f https://github.com/summerwind/actions-runner-controller/releases/latest/download/actions-runner-controller.yaml
 ```

-Set your access token of GitHub to the secret. `${GITHUB_TOKEN}` is the value you must replace with your access token. This token is used to register Self-hosted runner by *actions-runner-controller*.
+Next, set up a GitHub App or personal access token for *actions-runner-controller* to access the GitHub API.
+
+### Using GitHub App
+
+You can create a GitHub App for either your account or any organization. If you want to create a GitHub App for your account, open the following link to the creation page, enter any unique name in the "GitHub App name" field, and hit the "Create GitHub App" button at the bottom of the page.
+
+- [Create GitHub Apps on your account](https://github.com/settings/apps/new?url=http://github.com/summerwind/actions-runner-controller&webhook_active=false&public=false&administration=write)
+
+If you want to create a GitHub App for your organization, replace the `:org` part of the following URL with your organization name before opening it. Then enter any unique name in the "GitHub App name" field, and hit the "Create GitHub App" button at the bottom of the page to create a GitHub App.
+
+- [Create GitHub Apps on your organization](https://github.com/organizations/:org/settings/apps/new?url=http://github.com/summerwind/actions-runner-controller&webhook_active=false&public=false&administration=write)
+
+You will see an *App ID* on the page of the GitHub App you created as follows, the value of this App ID will be used later.
+
+<img width="750" alt="App ID" src="https://user-images.githubusercontent.com/230145/78968802-6e7c8880-7b40-11ea-8b08-0c1b8e6a15f0.png">
+
+Download the private key file by pushing the "Generate a private key" button at the bottom of the GitHub App page. This file will also be used later.
+
+<img width="750" alt="Generate a private key" src="https://user-images.githubusercontent.com/230145/78968805-71777900-7b40-11ea-97e6-55c48dfc44ac.png">
+
+Go to the "Install App" tab on the left side of the page and install the GitHub App that you created for your account or organization.
+
+<img width="750" alt="Install App" src="https://user-images.githubusercontent.com/230145/78968806-72100f80-7b40-11ea-810d-2bd3261e9d40.png">
+
+When the installation is complete, you will be taken to a URL in one of the following formats, the last number of the URL will be used as the Installation ID later (For example, if the URL ends in `settings/installations/12345`, then the Installation ID is `12345`).
+
+- `https://github.com/settings/installations/${INSTALLATION_ID}`
+- `https://github.com/organizations/eventreactor/settings/installations/${INSTALLATION_ID}`
+
+Finally, register the App ID (`APP_ID`), Installation ID (`INSTALLATION_ID`), and downloaded private key file (`PRIVATE_KEY_FILE_PATH`) to Kubernetes as Secret.

 ```
-$ kubectl create secret generic controller-manager --from-literal=github_token=${GITHUB_TOKEN} -n actions-runner-system
+$ kubectl create secret generic controller-manager \
+    -n actions-runner-system \
+    --from-literal=github_app_id=${APP_ID} \
+    --from-literal=github_app_installation_id=${INSTALLATION_ID} \
+    --from-file=github_app_private_key=${PRIVATE_KEY_FILE_PATH}
+```
+
+### Using personal access token
+
+Next, from an account that has `admin` privileges for the repository, create a [personal access token](https://github.com/settings/tokens) with `repo` scope. This token is used to register a self-hosted runner by *actions-runner-controller*.
+
+To use a Personal Access Token, you must issue the token with an account that has `admin` privileges.
+
+Open the Create Token page from the following link, grant the `repo` scope, and press the "Generate Token" button at the bottom of the page to create the token.
+
+- [Create personal access token](https://github.com/settings/tokens/new)
+
+Register the created token (`GITHUB_TOKEN`) as a Kubernetes secret.
+
+```
+$ kubectl create secret generic controller-manager \
+    -n actions-runner-system \
+    --from-literal=github_token=${GITHUB_TOKEN}
 ```

 ## Usage
@@ -67,7 +118,7 @@ NAME           READY   STATUS    RESTARTS   AGE
 example-runner 2/2     Running   0          1m
 ```

-The runner you created has been registerd to your repository.
+The runner you created has been registered to your repository.

 <img width="756" alt="Actions tab in your repository settings" src="https://user-images.githubusercontent.com/230145/73618667-8cbf9700-466c-11ea-80b6-c67e6d3f70e7.png">

--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -35,6 +35,25 @@ spec:
            secretKeyRef:
              name: controller-manager
              key: github_token
+              optional: true
+        - name: GITHUB_APP_ID
+          valueFrom:
+            secretKeyRef:
+              name: controller-manager
+              key: github_app_id
+              optional: true
+        - name: GITHUB_APP_INSTALLATION_ID
+          valueFrom:
+            secretKeyRef:
+              name: controller-manager
+              key: github_app_installation_id
+              optional: true
+        - name: GITHUB_APP_PRIVATE_KEY
+          value: /etc/actions-runner-controller/github_app_private_key
+        volumeMounts:
+        - name: controller-manager
+          mountPath: "/etc/actions-runner-controller"
+          readOnly: true
        resources:
          limits:
            cpu: 100m
@@ -42,4 +61,8 @@ spec:
          requests:
            cpu: 100m
            memory: 20Mi
+      volumes:
+      - name: controller-manager
+        secret:
+          secretName: controller-manager
      terminationGracePeriodSeconds: 10
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -66,6 +66,13 @@ rules:
  - get
  - patch
  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 - apiGroups:
  - ""
  resources:
--- a/controllers/runner_controller.go
+++ b/controllers/runner_controller.go
@@ -20,10 +20,8 @@ import (
 	"context"
 	"fmt"
 	"reflect"
-	"time"

 	"github.com/go-logr/logr"
-	"github.com/google/go-github/v29/github"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/tools/record"
@@ -34,6 +32,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"github.com/summerwind/actions-runner-controller/api/v1alpha1"
+	"github.com/summerwind/actions-runner-controller/github"
 )

 const (
@@ -41,23 +40,6 @@ const (
 	finalizerName = "runner.actions.summerwind.dev"
 )

-type GitHubRunnerList struct {
-	TotalCount int            `json:"total_count"`
-	Runners    []GitHubRunner `json:"runners,omitempty"`
-}
-
-type GitHubRunner struct {
-	ID     int    `json:"id"`
-	Name   string `json:"name"`
-	OS     string `json:"os"`
-	Status string `json:"status"`
-}
-
-type GitHubRegistrationToken struct {
-	Token     string `json:"token"`
-	ExpiresAt string `json:"expires_at"`
-}
-
 // RunnerReconciler reconciles a Runner object
 type RunnerReconciler struct {
 	client.Client
@@ -72,6 +54,7 @@ type RunnerReconciler struct {
 // +kubebuilder:rbac:groups=actions.summerwind.dev,resources=runners,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=actions.summerwind.dev,resources=runners/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch

 func (r *RunnerReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	ctx := context.Background()
@@ -125,7 +108,7 @@ func (r *RunnerReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	}

 	if !runner.IsRegisterable() {
-		reg, err := r.newRegistration(ctx, runner.Spec.Repository)
+		rt, err := r.GitHubClient.GetRegistrationToken(ctx, runner.Spec.Repository, runner.Name)
 		if err != nil {
 			r.Recorder.Event(&runner, corev1.EventTypeWarning, "FailedUpdateRegistrationToken", "Updating registration token failed")
 			log.Error(err, "Failed to get new registration token")
@@ -133,7 +116,11 @@ func (r *RunnerReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 		}

 		updated := runner.DeepCopy()
-		updated.Status.Registration = reg
+		updated.Status.Registration = v1alpha1.RunnerStatusRegistration{
+			Repository: runner.Spec.Repository,
+			Token:      rt.GetToken(),
+			ExpiresAt:  metav1.NewTime(rt.GetExpiresAt().Time),
+		}

 		if err := r.Status().Update(ctx, updated); err != nil {
 			log.Error(err, "Failed to update runner status")
@@ -225,109 +212,31 @@ func (r *RunnerReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	return ctrl.Result{}, nil
 }

-func (r *RunnerReconciler) newRegistration(ctx context.Context, repo string) (v1alpha1.RunnerStatusRegistration, error) {
-	var reg v1alpha1.RunnerStatusRegistration
-
-	rt, err := r.getRegistrationToken(ctx, repo)
-	if err != nil {
-		return reg, err
-	}
-
-	expiresAt, err := time.Parse(time.RFC3339, rt.ExpiresAt)
-	if err != nil {
-		return reg, err
-	}
-
-	reg.Repository = repo
-	reg.Token = rt.Token
-	reg.ExpiresAt = metav1.NewTime(expiresAt)
-
-	return reg, err
-}
-
-func (r *RunnerReconciler) getRegistrationToken(ctx context.Context, repo string) (GitHubRegistrationToken, error) {
-	var regToken GitHubRegistrationToken
-
-	req, err := r.GitHubClient.NewRequest("POST", fmt.Sprintf("/repos/%s/actions/runners/registration-token", repo), nil)
-	if err != nil {
-		return regToken, err
-	}
-
-	res, err := r.GitHubClient.Do(ctx, req, &regToken)
-	if err != nil {
-		return regToken, err
-	}
-
-	if res.StatusCode != 201 {
-		return regToken, fmt.Errorf("unexpected status: %d", res.StatusCode)
-	}
-
-	return regToken, nil
-}
-
 func (r *RunnerReconciler) unregisterRunner(ctx context.Context, repo, name string) (bool, error) {
-	runners, err := r.listRunners(ctx, repo)
+	runners, err := r.GitHubClient.ListRunners(ctx, repo)
 	if err != nil {
 		return false, err
 	}

-	id := 0
-	for _, runner := range runners.Runners {
-		if runner.Name == name {
-			id = runner.ID
+	id := int64(0)
+	for _, runner := range runners {
+		if runner.GetName() == name {
+			id = runner.GetID()
 			break
 		}
 	}

-	if id == 0 {
+	if id == int64(0) {
 		return false, nil
 	}

-	if err := r.removeRunner(ctx, repo, id); err != nil {
+	if err := r.GitHubClient.RemoveRunner(ctx, repo, id); err != nil {
 		return false, err
 	}

 	return true, nil
 }

-func (r *RunnerReconciler) listRunners(ctx context.Context, repo string) (GitHubRunnerList, error) {
-	runners := GitHubRunnerList{}
-
-	req, err := r.GitHubClient.NewRequest("GET", fmt.Sprintf("/repos/%s/actions/runners", repo), nil)
-	if err != nil {
-		return runners, err
-	}
-
-	res, err := r.GitHubClient.Do(ctx, req, &runners)
-	if err != nil {
-		return runners, err
-	}
-
-	if res.StatusCode != 200 {
-		return runners, fmt.Errorf("unexpected status: %d", res.StatusCode)
-	}
-
-	return runners, nil
-}
-
-func (r *RunnerReconciler) removeRunner(ctx context.Context, repo string, id int) error {
-	req, err := r.GitHubClient.NewRequest("DELETE", fmt.Sprintf("/repos/%s/actions/runners/%d", repo, id), nil)
-	if err != nil {
-		return err
-	}
-
-	res, err := r.GitHubClient.Do(ctx, req, nil)
-	if err != nil {
-		return err
-	}
-
-	if res.StatusCode != 204 {
-		return fmt.Errorf("unexpected status: %d", res.StatusCode)
-	}
-
-	return nil
-}
-
 func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 	var (
 		privileged bool  = true
--- a/controllers/runnerdeployment_controller.go
+++ b/controllers/runnerdeployment_controller.go
@@ -20,7 +20,9 @@ import (
 	"context"
 	"fmt"
 	"hash/fnv"
+	"k8s.io/apimachinery/pkg/types"
 	"sort"
+	"time"

 	"github.com/davecgh/go-spew/spew"
 	"github.com/go-logr/logr"
@@ -54,10 +56,11 @@ type RunnerDeploymentReconciler struct {
 // +kubebuilder:rbac:groups=actions.summerwind.dev,resources=runnerdeployments/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=actions.summerwind.dev,resources=runnerreplicasets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=actions.summerwind.dev,resources=runnerreplicasets/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch

 func (r *RunnerDeploymentReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	ctx := context.Background()
-	log := r.Log.WithValues("runnerreplicaset", req.NamespacedName)
+	log := r.Log.WithValues("runnerdeployment", req.NamespacedName)

 	var rd v1alpha1.RunnerDeployment
 	if err := r.Get(ctx, req.NamespacedName, &rd); err != nil {
@@ -129,12 +132,19 @@ func (r *RunnerDeploymentReconciler) Reconcile(req ctrl.Request) (ctrl.Result, e
 			return ctrl.Result{}, err
 		}

-		return ctrl.Result{}, nil
+		// We requeue in order to clean up old runner replica sets later.
+		// Otherwise, they aren't cleaned up until the next re-sync interval.
+		return ctrl.Result{RequeueAfter: 5 * time.Second}, nil
 	}

+	const defaultReplicas = 1
+
+	currentDesiredReplicas := getIntOrDefault(newestSet.Spec.Replicas, defaultReplicas)
+	newDesiredReplicas := getIntOrDefault(desiredRS.Spec.Replicas, defaultReplicas)
+
 	// Please add more conditions that we can in-place update the newest runnerreplicaset without disruption
-	if newestSet.Spec.Replicas != desiredRS.Spec.Replicas {
-		newestSet.Spec.Replicas = desiredRS.Spec.Replicas
+	if currentDesiredReplicas != newDesiredReplicas {
+		newestSet.Spec.Replicas = &newDesiredReplicas

 		if err := r.Client.Update(ctx, newestSet); err != nil {
 			log.Error(err, "Failed to update runnerreplicaset resource")
@@ -142,7 +152,21 @@ func (r *RunnerDeploymentReconciler) Reconcile(req ctrl.Request) (ctrl.Result, e
 			return ctrl.Result{}, err
 		}

-		return ctrl.Result{}, nil
+		return ctrl.Result{}, err
+	}
+
+	// Do we old runner replica sets that should eventually deleted?
+	if len(oldSets) > 0 {
+		readyReplicas := newestSet.Status.ReadyReplicas
+
+		if readyReplicas < currentDesiredReplicas {
+			log.WithValues("runnerreplicaset", types.NamespacedName{
+				Namespace: newestSet.Namespace,
+				Name:      newestSet.Name,
+			}).
+				Info("Waiting until the newest runner replica set to be 100% available")
+
+			return ctrl.Result{RequeueAfter: 10 * time.Second}, nil
 		}

 		for i := range oldSets {
@@ -155,12 +179,22 @@ func (r *RunnerDeploymentReconciler) Reconcile(req ctrl.Request) (ctrl.Result, e
 			}

 			r.Recorder.Event(&rd, corev1.EventTypeNormal, "RunnerReplicaSetDeleted", fmt.Sprintf("Deleted runnerreplicaset '%s'", rs.Name))
+
 			log.Info("Deleted runnerreplicaset", "runnerdeployment", rd.ObjectMeta.Name, "runnerreplicaset", rs.Name)
 		}
+	}

 	return ctrl.Result{}, nil
 }

+func getIntOrDefault(p *int, d int) int {
+	if p == nil {
+		return d
+	}
+
+	return *p
+}
+
 func getTemplateHash(rs *v1alpha1.RunnerReplicaSet) (string, bool) {
 	hash, ok := rs.Labels[LabelKeyRunnerTemplateHash]

--- a/controllers/runnerreplicaset_controller.go
+++ b/controllers/runnerreplicaset_controller.go
@@ -45,6 +45,7 @@ type RunnerReplicaSetReconciler struct {
 // +kubebuilder:rbac:groups=actions.summerwind.dev,resources=runnerreplicasets/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=actions.summerwind.dev,resources=runners,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=actions.summerwind.dev,resources=runners/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch

 func (r *RunnerReplicaSetReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	ctx := context.Background()
--- a/github/fake/fake.go
+++ b/github/fake/fake.go
@@ -0,0 +1,86 @@
+package fake
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"time"
+)
+
+const (
+	RegistrationToken = "fake-registration-token"
+
+	RunnersListBody = `
+{
+  "total_count": 2,
+  "runners": [
+    {"id": 1, "name": "test1", "os": "linux", "status": "online"},
+    {"id": 2, "name": "test2", "os": "linux", "status": "offline"}
+  ]
+}
+`
+)
+
+type handler struct {
+	Status int
+	Body   string
+}
+
+func (h *handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+	w.WriteHeader(h.Status)
+	fmt.Fprintf(w, h.Body)
+}
+
+func NewServer() *httptest.Server {
+	routes := map[string]handler{
+		// For CreateRegistrationToken
+		"/repos/test/valid/actions/runners/registration-token": handler{
+			Status: http.StatusCreated,
+			Body:   fmt.Sprintf("{\"token\": \"%s\", \"expires_at\": \"%s\"}", RegistrationToken, time.Now().Add(time.Hour*1).Format(time.RFC3339)),
+		},
+		"/repos/test/invalid/actions/runners/registration-token": handler{
+			Status: http.StatusOK,
+			Body:   fmt.Sprintf("{\"token\": \"%s\", \"expires_at\": \"%s\"}", RegistrationToken, time.Now().Add(time.Hour*1).Format(time.RFC3339)),
+		},
+		"/repos/test/error/actions/runners/registration-token": handler{
+			Status: http.StatusBadRequest,
+			Body:   "",
+		},
+
+		// For ListRunners
+		"/repos/test/valid/actions/runners": handler{
+			Status: http.StatusOK,
+			Body:   RunnersListBody,
+		},
+		"/repos/test/invalid/actions/runners": handler{
+			Status: http.StatusNoContent,
+			Body:   "",
+		},
+		"/repos/test/error/actions/runners": handler{
+			Status: http.StatusBadRequest,
+			Body:   "",
+		},
+
+		// For RemoveRunner
+		"/repos/test/valid/actions/runners/1": handler{
+			Status: http.StatusNoContent,
+			Body:   "",
+		},
+		"/repos/test/invalid/actions/runners/1": handler{
+			Status: http.StatusOK,
+			Body:   "",
+		},
+		"/repos/test/error/actions/runners/1": handler{
+			Status: http.StatusBadRequest,
+			Body:   "",
+		},
+	}
+
+	mux := http.NewServeMux()
+	for path, handler := range routes {
+		h := handler
+		mux.Handle(path, &h)
+	}
+
+	return httptest.NewServer(mux)
+}
--- a/github/github.go
+++ b/github/github.go
@@ -0,0 +1,147 @@
+package github
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/bradleyfalzon/ghinstallation"
+	"github.com/google/go-github/v31/github"
+	"golang.org/x/oauth2"
+)
+
+type Client struct {
+	*github.Client
+	regTokens map[string]*github.RegistrationToken
+	mu        sync.Mutex
+}
+
+// NewClient returns a client authenticated as a GitHub App.
+func NewClient(appID, installationID int64, privateKeyPath string) (*Client, error) {
+	tr, err := ghinstallation.NewKeyFromFile(http.DefaultTransport, appID, installationID, privateKeyPath)
+	if err != nil {
+		return nil, fmt.Errorf("authentication failed: %v", err)
+	}
+
+	return &Client{
+		Client:    github.NewClient(&http.Client{Transport: tr}),
+		regTokens: map[string]*github.RegistrationToken{},
+		mu:        sync.Mutex{},
+	}, nil
+}
+
+// NewClient returns a client authenticated with personal access token.
+func NewClientWithAccessToken(token string) (*Client, error) {
+	tc := oauth2.NewClient(context.Background(), oauth2.StaticTokenSource(
+		&oauth2.Token{AccessToken: token},
+	))
+
+	return &Client{
+		Client:    github.NewClient(tc),
+		regTokens: map[string]*github.RegistrationToken{},
+		mu:        sync.Mutex{},
+	}, nil
+}
+
+// GetRegistrationToken returns a registration token tied with the name of repository and runner.
+func (c *Client) GetRegistrationToken(ctx context.Context, repository, name string) (*github.RegistrationToken, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	owner, repo, err := splitOwnerAndRepo(repository)
+	if err != nil {
+		return nil, err
+	}
+
+	key := fmt.Sprintf("%s/%s", repo, name)
+	rt, ok := c.regTokens[key]
+	if ok && rt.GetExpiresAt().After(time.Now().Add(-10*time.Minute)) {
+		return rt, nil
+	}
+
+	rt, res, err := c.Client.Actions.CreateRegistrationToken(ctx, owner, repo)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create registration token: %v", err)
+	}
+
+	if res.StatusCode != 201 {
+		return nil, fmt.Errorf("unexpected status: %d", res.StatusCode)
+	}
+
+	c.regTokens[key] = rt
+	go func() {
+		c.cleanup()
+	}()
+
+	return rt, nil
+}
+
+// RemoveRunner removes a runner with specified runner ID from repocitory.
+func (c *Client) RemoveRunner(ctx context.Context, repository string, runnerID int64) error {
+	owner, repo, err := splitOwnerAndRepo(repository)
+	if err != nil {
+		return err
+	}
+
+	res, err := c.Client.Actions.RemoveRunner(ctx, owner, repo, runnerID)
+	if err != nil {
+		return fmt.Errorf("failed to remove runner: %v", err)
+	}
+
+	if res.StatusCode != 204 {
+		return fmt.Errorf("unexpected status: %d", res.StatusCode)
+	}
+
+	return nil
+}
+
+// ListRunners returns a list of runners of specified repository name.
+func (c *Client) ListRunners(ctx context.Context, repository string) ([]*github.Runner, error) {
+	var runners []*github.Runner
+
+	owner, repo, err := splitOwnerAndRepo(repository)
+	if err != nil {
+		return runners, err
+	}
+
+	opts := github.ListOptions{PerPage: 10}
+	for {
+		list, res, err := c.Client.Actions.ListRunners(ctx, owner, repo, &opts)
+		if err != nil {
+			return runners, fmt.Errorf("failed to remove runner: %v", err)
+		}
+
+		runners = append(runners, list.Runners...)
+		if res.NextPage == 0 {
+			break
+		}
+		opts.Page = res.NextPage
+	}
+
+	return runners, nil
+}
+
+// cleanup removes expired registration tokens.
+func (c *Client) cleanup() {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	for key, rt := range c.regTokens {
+		if rt.GetExpiresAt().Before(time.Now()) {
+			delete(c.regTokens, key)
+		}
+	}
+}
+
+// splitOwnerAndRepo splits specified repository name to the owner and repo name.
+func splitOwnerAndRepo(repo string) (string, string, error) {
+	chunk := strings.Split(repo, "/")
+	if len(chunk) != 2 {
+		return "", "", errors.New("invalid repository name")
+	}
+	return chunk[0], chunk[1], nil
+}
--- a/github/github_test.go
+++ b/github/github_test.go
@@ -0,0 +1,124 @@
+package github
+
+import (
+	"context"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+	"time"
+
+	"github.com/google/go-github/v31/github"
+	"github.com/summerwind/actions-runner-controller/github/fake"
+)
+
+var server *httptest.Server
+
+func newTestClient() *Client {
+	client, err := NewClientWithAccessToken("token")
+	if err != nil {
+		panic(err)
+	}
+
+	baseURL, err := url.Parse(server.URL + "/")
+	if err != nil {
+		panic(err)
+	}
+	client.Client.BaseURL = baseURL
+
+	return client
+}
+
+func TestMain(m *testing.M) {
+	server = fake.NewServer()
+	defer server.Close()
+	m.Run()
+}
+
+func TestGetRegistrationToken(t *testing.T) {
+	tests := []struct {
+		repo  string
+		token string
+		err   bool
+	}{
+		{repo: "test/valid", token: fake.RegistrationToken, err: false},
+		{repo: "test/invalid", token: "", err: true},
+		{repo: "test/error", token: "", err: true},
+	}
+
+	client := newTestClient()
+	for i, tt := range tests {
+		rt, err := client.GetRegistrationToken(context.Background(), tt.repo, "test")
+		if !tt.err && err != nil {
+			t.Errorf("[%d] unexpected error: %v", i, err)
+		}
+		if tt.token != rt.GetToken() {
+			t.Errorf("[%d] unexpected token: %v", i, rt.GetToken())
+		}
+	}
+}
+
+func TestListRunners(t *testing.T) {
+	tests := []struct {
+		repo   string
+		length int
+		err    bool
+	}{
+		{repo: "test/valid", length: 2, err: false},
+		{repo: "test/invalid", length: 0, err: true},
+		{repo: "test/error", length: 0, err: true},
+	}
+
+	client := newTestClient()
+	for i, tt := range tests {
+		runners, err := client.ListRunners(context.Background(), tt.repo)
+		if !tt.err && err != nil {
+			t.Errorf("[%d] unexpected error: %v", i, err)
+		}
+		if tt.length != len(runners) {
+			t.Errorf("[%d] unexpected runners list: %v", i, runners)
+		}
+	}
+}
+
+func TestRemoveRunner(t *testing.T) {
+	tests := []struct {
+		repo string
+		err  bool
+	}{
+		{repo: "test/valid", err: false},
+		{repo: "test/invalid", err: true},
+		{repo: "test/error", err: true},
+	}
+
+	client := newTestClient()
+	for i, tt := range tests {
+		err := client.RemoveRunner(context.Background(), tt.repo, int64(1))
+		if !tt.err && err != nil {
+			t.Errorf("[%d] unexpected error: %v", i, err)
+		}
+	}
+}
+
+func TestCleanup(t *testing.T) {
+	token := "token"
+
+	client := newTestClient()
+	client.regTokens = map[string]*github.RegistrationToken{
+		"active": &github.RegistrationToken{
+			Token:     &token,
+			ExpiresAt: &github.Timestamp{Time: time.Now().Add(time.Hour * 1)},
+		},
+		"expired": &github.RegistrationToken{
+			Token:     &token,
+			ExpiresAt: &github.Timestamp{Time: time.Now().Add(-time.Hour * 1)},
+		},
+	}
+
+	client.cleanup()
+	if _, ok := client.regTokens["active"]; !ok {
+		t.Errorf("active token was accidentally removed")
+	}
+	if _, ok := client.regTokens["expired"]; ok {
+		t.Errorf("expired token still exists")
+	}
+}
--- a/go.mod
+++ b/go.mod
@@ -3,18 +3,14 @@ module github.com/summerwind/actions-runner-controller
 go 1.13

 require (
-	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
-	github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d // indirect
 	github.com/bradleyfalzon/ghinstallation v1.1.1
 	github.com/davecgh/go-spew v1.1.1
 	github.com/go-logr/logr v0.1.0
-	github.com/google/go-github v17.0.0+incompatible
-	github.com/google/go-github/v29 v29.0.3
+	github.com/google/go-github/v31 v31.0.0
 	github.com/onsi/ginkgo v1.8.0
 	github.com/onsi/gomega v1.5.0
-	github.com/prometheus/common v0.0.0-20181126121408-4724e9255275
+	github.com/stretchr/testify v1.4.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
-	gopkg.in/alecthomas/kingpin.v2 v2.2.6 // indirect
 	k8s.io/api v0.0.0-20190918155943-95b840bb6a1f
 	k8s.io/apimachinery v0.0.0-20190913080033-27d36303b655
 	k8s.io/client-go v0.0.0-20190918160344-1fbdaa4c8d90
--- a/go.sum
+++ b/go.sum
@@ -18,10 +18,6 @@ github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbt
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM=
-github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d h1:UQZhZ2O0vMHr2cI+DC1Mbh0TJxzA3RcLoMsFw+aXw7E=
-github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
@@ -120,12 +116,10 @@ github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-github v17.0.0+incompatible h1:N0LgJ1j65A7kfXrZnUDaYCs/Sf4rEjNlfyDHW9dolSY=
-github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
 github.com/google/go-github/v29 v29.0.2 h1:opYN6Wc7DOz7Ku3Oh4l7prmkOMwEcQxpFtxdU8N8Pts=
 github.com/google/go-github/v29 v29.0.2/go.mod h1:CHKiKKPHJ0REzfwc14QMklvtHwCveD0PxlMjLlzAM5E=
-github.com/google/go-github/v29 v29.0.3 h1:IktKCTwU//aFHnpA+2SLIi7Oo9uhAzgsdZNbcAqhgdc=
-github.com/google/go-github/v29 v29.0.3/go.mod h1:CHKiKKPHJ0REzfwc14QMklvtHwCveD0PxlMjLlzAM5E=
+github.com/google/go-github/v31 v31.0.0 h1:JJUxlP9lFK+ziXKimTCprajMApV1ecWD4NB6CCb0plo=
+github.com/google/go-github/v31 v31.0.0/go.mod h1:NQPZol8/1sMoWYGN2yaALIBytu17gAWfhbweiEed3pM=
 github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
@@ -237,6 +231,7 @@ github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRci
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
@@ -343,8 +338,6 @@ google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRn
 google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
--- a/main.go
+++ b/main.go
@@ -17,15 +17,14 @@ limitations under the License.
 package main

 import (
-	"context"
 	"flag"
 	"fmt"
 	"os"
+	"strconv"

-	"github.com/google/go-github/v29/github"
 	actionsv1alpha1 "github.com/summerwind/actions-runner-controller/api/v1alpha1"
 	"github.com/summerwind/actions-runner-controller/controllers"
-	"golang.org/x/oauth2"
+	"github.com/summerwind/actions-runner-controller/github"
 	"k8s.io/apimachinery/pkg/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
@@ -35,8 +34,8 @@ import (
 )

 const (
-	defaultRunnerImage = "summerwind/actions-runner:v2.165.2"
-	defaultDockerImage = "docker:19.03.6-dind"
+	defaultRunnerImage = "summerwind/actions-runner:latest"
+	defaultDockerImage = "docker:dind"
 )

 var (
@@ -53,12 +52,19 @@ func init() {

 func main() {
 	var (
+		err      error
+		ghClient *github.Client
+
 		metricsAddr          string
 		enableLeaderElection bool

 		runnerImage string
 		dockerImage string
+
 		ghToken             string
+		ghAppID             int64
+		ghAppInstallationID int64
+		ghAppPrivateKey     string
 	)

 	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
@@ -66,21 +72,57 @@ func main() {
 		"Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.")
 	flag.StringVar(&runnerImage, "runner-image", defaultRunnerImage, "The image name of self-hosted runner container.")
 	flag.StringVar(&dockerImage, "docker-image", defaultDockerImage, "The image name of docker sidecar container.")
-	flag.StringVar(&ghToken, "github-token", "", "The access token of GitHub.")
+	flag.StringVar(&ghToken, "github-token", "", "The personal access token of GitHub.")
+	flag.Int64Var(&ghAppID, "github-app-id", 0, "The application ID of GitHub App.")
+	flag.Int64Var(&ghAppInstallationID, "github-app-installation-id", 0, "The installation ID of GitHub App.")
+	flag.StringVar(&ghAppPrivateKey, "github-app-private-key", "", "The path of a private key file to authenticate as a GitHub App")
 	flag.Parse()

 	if ghToken == "" {
 		ghToken = os.Getenv("GITHUB_TOKEN")
 	}
-	if ghToken == "" {
-		fmt.Fprintln(os.Stderr, "Error: GitHub access token must be specified.")
+	if ghAppID == 0 {
+		appID, err := strconv.ParseInt(os.Getenv("GITHUB_APP_ID"), 10, 64)
+		if err == nil {
+			ghAppID = appID
+		}
+	}
+	if ghAppInstallationID == 0 {
+		appInstallationID, err := strconv.ParseInt(os.Getenv("GITHUB_APP_INSTALLATION_ID"), 10, 64)
+		if err == nil {
+			ghAppInstallationID = appInstallationID
+		}
+	}
+	if ghAppPrivateKey == "" {
+		ghAppPrivateKey = os.Getenv("GITHUB_APP_PRIVATE_KEY")
+	}
+
+	if ghAppID != 0 {
+		if ghAppInstallationID == 0 {
+			fmt.Fprintln(os.Stderr, "Error: The installation ID must be specified.")
 			os.Exit(1)
 		}

-	tc := oauth2.NewClient(context.Background(), oauth2.StaticTokenSource(
-		&oauth2.Token{AccessToken: ghToken},
-	))
-	ghClient := github.NewClient(tc)
+		if ghAppPrivateKey == "" {
+			fmt.Fprintln(os.Stderr, "Error: The path of a private key file must be specified.")
+			os.Exit(1)
+		}
+
+		ghClient, err = github.NewClient(ghAppID, ghAppInstallationID, ghAppPrivateKey)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Error: Failed to create GitHub client: %v\n", err)
+			os.Exit(1)
+		}
+	} else if ghToken != "" {
+		ghClient, err = github.NewClientWithAccessToken(ghToken)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Error: Failed to create GitHub client: %v\n", err)
+			os.Exit(1)
+		}
+	} else {
+		fmt.Fprintln(os.Stderr, "Error: GitHub App credentials or personal access token must be specified.")
+		os.Exit(1)
+	}

 	ctrl.SetLogger(zap.New(func(o *zap.Options) {
 		o.Development = true
--- a/runner/Dockerfile
+++ b/runner/Dockerfile
@@ -4,14 +4,16 @@ ARG RUNNER_VERSION
 ARG DOCKER_VERSION

 RUN apt update \
-  && apt install curl ca-certificates -y --no-install-recommends \
+  && apt install sudo curl ca-certificates -y --no-install-recommends \
  && curl -L -o docker.tgz https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz \
  && tar zxvf docker.tgz \
  && install -o root -g root -m 755 docker/docker /usr/local/bin/docker \
  && rm -rf docker docker.tgz \
  && curl -L -o /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64 \
  && chmod +x /usr/local/bin/dumb-init \
-  && adduser --disabled-password --gecos "" --uid 1000 runner
+  && adduser --disabled-password --gecos "" --uid 1000 runner \
+  && usermod -aG sudo runner \
+  && echo "%sudo   ALL=(ALL:ALL) NOPASSWD:ALL" > /etc/sudoers

 RUN mkdir -p /runner \
  && cd /runner \
--- a/runner/Makefile
+++ b/runner/Makefile
@@ -1,7 +1,7 @@
 NAME ?= summerwind/actions-runner

-RUNNER_VERSION ?= 2.165.2
-DOCKER_VERSION ?= 19.03.6
+RUNNER_VERSION ?= 2.169.1
+DOCKER_VERSION ?= 19.03.8

 docker-build:
 	docker build --build-arg RUNNER_VERSION=${RUNNER_VERSION} --build-arg DOCKER_VERSION=${DOCKER_VERSION} -t ${NAME}:latest -t ${NAME}:v${RUNNER_VERSION} .
Author	SHA1	Message	Date
Moto Ishizawa	427cc506e1	Merge pull request #36 from summerwind/runner-v2.169.1 Update runner to v2.169.1	2020-04-18 10:41:34 +09:00
Moto Ishizawa	13616ba1b2	Use latest container image	2020-04-16 19:16:15 +09:00
Moto Ishizawa	d8327e9ab8	Update runner to v2.169.1	2020-04-16 19:16:07 +09:00
Moto Ishizawa	fd1b72e4ed	Merge pull request #35 from chenrui333/default-docker-image-to-19.03.8 Make defaultDockerImage to 19.03.8	2020-04-16 17:55:02 +09:00
Rui Chen	79f15b4906	Make defaultDockerImage to 19.03.8	2020-04-15 19:47:07 -04:00
Moto Ishizawa	5714459c24	Merge pull request #31 from summerwind/github-package Use github package to access the GitHub API	2020-04-14 16:30:26 +09:00
Moto Ishizawa	ab28dde0ec	Add github package to container image	2020-04-13 22:29:48 +09:00
Moto Ishizawa	3ccc51433f	Use github package to access the GitHub API	2020-04-13 22:28:07 +09:00
Moto Ishizawa	5f608058cd	Add github package	2020-04-13 22:27:05 +09:00
Moto Ishizawa	a91df5c564	Merge pull request #29 from summerwind/add-github-apps-doc Add section to use GitHub App	2020-04-11 21:33:37 +09:00
Moto Ishizawa	0bb6f64470	Add section to use GitHub App	2020-04-10 15:42:27 +09:00
Moto Ishizawa	ce40635d1e	Merge pull request #28 from chenrui333/update-default-base-image Update defaultRunnerImage to v2.168.0	2020-04-10 14:12:07 +09:00
Rui Chen	52c0f2e4f3	Update defaultRunnerImage to v2.168.0	2020-04-09 20:16:52 -04:00
Yusuke Kuoka	b411d37f2b	fix: RunnerDeployment should clean up old RunnerReplicaSets ASAP Since the initial implementation of RunnerDeployment and until this change, any update to a runner deployment has been leaving old runner replicasets until the next resync interval. This fixes that, by continusouly retrying the reconcilation 10 seconds later to see if there are any old runner replicasets that can be removed. In addition to that, the cleanup of old runner replicasets has been improved to be deferred until all the runners of the newest replica set to be available. This gives you hopefully zero or at less downtime updates of runner deployments. Fixes #24	2020-04-04 07:55:12 +09:00
Vito Botta	a19cd373db	Bump Docker version	2020-04-02 08:32:27 +09:00
Vito Botta	f2dcb5659d	Add runner user to sudo group	2020-04-02 08:32:27 +09:00
Moto Ishizawa	b8b4ef4b60	Merge pull request #21 from summerwind/add-permission-events Add permission to create/patch events resource	2020-03-28 22:18:58 +09:00
Moto Ishizawa	cac199f16e	Merge pull request #20 from summerwind/github-apps-support Add support of GitHub Apps authentication	2020-03-28 22:18:36 +09:00
Moto Ishizawa	5efdc6efe6	Add permission to create/patch events resource	2020-03-27 23:25:37 +09:00
Moto Ishizawa	af81c7f4c9	Add environment variables and volumes for GitHub Apps credentials	2020-03-26 23:12:54 +09:00
Moto Ishizawa	80122a56d7	Add flags for GitHub Apps credentials	2020-03-26 23:12:11 +09:00
Adam Jensen	934ec7f181	Clarify instructions for getting a token (#18 ) * Clarify instructions for getting a token * Fix typo	2020-03-25 21:22:19 +09:00
Moto Ishizawa	49160138ab	Merge pull request #19 from summerwind/actions-runner-v2.168.0 Update runner to v2.168.0	2020-03-25 17:25:07 +09:00
Moto Ishizawa	fac211f5d9	Update runner to v2.168.0	2020-03-25 17:10:25 +09:00