Prepare 0.8.0 release and bump dependencies once more (#256)

* Prepare 0.8.0 release and bump dependencies once more

* Update releaseNotes.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

.eslintignore

@@ -1,4 +0,0 @@
-dist/
-lib/
-node_modules/
-**/tests/**

.eslintrc.json

@@ -1,56 +0,0 @@
-{
-  "plugins": ["@typescript-eslint"],
-  "extends": ["plugin:github/recommended"],
-  "parser": "@typescript-eslint/parser",
-  "parserOptions": {
-    "ecmaVersion": 9,
-    "sourceType": "module",
-    "project": "./tsconfig.json"
-  },
-  "rules": {
-    "eslint-comments/no-use": "off",
-    "import/no-namespace": "off",
-    "no-constant-condition": "off",
-    "no-unused-vars": "off",
-    "i18n-text/no-en": "off",
-    "@typescript-eslint/no-unused-vars": "error",
-    "@typescript-eslint/explicit-member-accessibility": ["error", {"accessibility": "no-public"}],
-    "@typescript-eslint/no-require-imports": "error",
-    "@typescript-eslint/array-type": "error",
-    "@typescript-eslint/await-thenable": "error",
-    "camelcase": "off",
-    "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
-    "@typescript-eslint/func-call-spacing": ["error", "never"],
-    "@typescript-eslint/no-array-constructor": "error",
-    "@typescript-eslint/no-empty-interface": "error",
-    "@typescript-eslint/no-explicit-any": "warn",
-    "@typescript-eslint/no-extraneous-class": "error",
-    "@typescript-eslint/no-floating-promises": "error",
-    "@typescript-eslint/no-for-in-array": "error",
-    "@typescript-eslint/no-inferrable-types": "error",
-    "@typescript-eslint/no-misused-new": "error",
-    "@typescript-eslint/no-namespace": "error",
-    "@typescript-eslint/no-non-null-assertion": "warn",
-    "@typescript-eslint/no-unnecessary-qualifier": "error",
-    "@typescript-eslint/no-unnecessary-type-assertion": "error",
-    "@typescript-eslint/no-useless-constructor": "error",
-    "@typescript-eslint/no-var-requires": "error",
-    "@typescript-eslint/prefer-for-of": "warn",
-    "@typescript-eslint/prefer-function-type": "warn",
-    "@typescript-eslint/prefer-includes": "error",
-    "@typescript-eslint/prefer-string-starts-ends-with": "error",
-    "@typescript-eslint/promise-function-async": "error",
-    "@typescript-eslint/require-array-sort-compare": "error",
-    "@typescript-eslint/restrict-plus-operands": "error",
-    "semi": "off",
-    "@typescript-eslint/semi": ["error", "never"],
-    "@typescript-eslint/type-annotation-spacing": "error",
-    "@typescript-eslint/unbound-method": "error",
-    "no-shadow": "off",
-    "@typescript-eslint/no-shadow": ["error"]
-  },
-  "env": {
-    "node": true,
-    "es6": true
-  }
-}

.gitattributes

@@ -0,0 +1 @@
+*.png filter=lfs diff=lfs merge=lfs -text

.github/workflows/build.yaml

@@ -6,11 +6,13 @@ on:
     paths-ignore:
     - '**.md'
   workflow_dispatch:
+
 jobs:
-  build:
+  format-and-lint:
+    name: Format & Lint Checks
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
       - run: npm install
         name: Install dependencies
       - run: npm run bootstrap
@@ -18,9 +20,43 @@ jobs:
       - run: npm run build-all
         name: Build packages
       - run: npm run format-check
+        name: Check formatting
       - name: Check linter
         run: |
           npm run lint
-          git diff --exit-code
+          git diff --exit-code -- . ':!packages/k8s/tests/test-kind.yaml'
-      - name: Run tests
+
-        run: npm run test
+  docker-tests:
+    name: Docker Hook Tests
+    runs-on: ubuntu-latest
+    needs: format-and-lint
+    steps:
+      - uses: actions/checkout@v5
+      - run: npm install
+        name: Install dependencies
+      - run: npm run bootstrap
+        name: Bootstrap the packages
+      - run: npm run build-all
+        name: Build packages
+      - name: Run Docker tests
+        run: npm run test --prefix packages/docker
+
+  k8s-tests:
+    name: Kubernetes Hook Tests
+    runs-on: ubuntu-latest
+    needs: format-and-lint
+    steps:
+      - uses: actions/checkout@v5
+      - run: sed -i "s|{{PATHTOREPO}}|$(pwd)|" packages/k8s/tests/test-kind.yaml
+        name: Setup kind cluster yaml config
+      - uses: helm/kind-action@v1.12.0
+        with:
+          config: packages/k8s/tests/test-kind.yaml
+      - run: npm install
+        name: Install dependencies
+      - run: npm run bootstrap
+        name: Bootstrap the packages
+      - run: npm run build-all
+        name: Build packages
+      - name: Run Kubernetes tests
+        run: npm run test --prefix packages/k8s

.github/workflows/codeql-analysis.yml

@@ -38,11 +38,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v5
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -69,4 +69,4 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/release.yaml

@@ -1,57 +1,70 @@
 name: CD - Release new version
+
 on:
   workflow_dispatch:
+
+permissions:
+  contents: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
-      - run: npm install
+
-        name: Install dependencies
+      - name: Install dependencies
-      - run: npm run bootstrap
+        run: npm install
-        name: Bootstrap the packages
+
-      - run: npm run build-all
+      - name: Bootstrap the packages
-        name: Build packages
+        run: npm run bootstrap
-      - uses: actions/github-script@v6
+
-        id: releaseNotes
+      - name: Build packages
+        run: npm run build-all
+
+      - uses: actions/github-script@v8
+        id: releaseVersion
         with:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          result-encoding: string
           script: |
             const fs = require('fs');
-            const hookVersion = require('./package.json').version
+            return require('./package.json').version
-            var releaseNotes = fs.readFileSync('${{ github.workspace }}/releaseNotes.md', 'utf8').replace(/<HOOK_VERSION>/g, hookVersion)
+
-            console.log(releaseNotes)
-            core.setOutput('version', hookVersion);
-            core.setOutput('note', releaseNotes);
       - name: Zip up releases
         run: |
-          zip -r -j actions-runner-hooks-docker-${{ steps.releaseNotes.outputs.version }}.zip packages/docker/dist
+          zip -r -j actions-runner-hooks-docker-${{ steps.releaseVersion.outputs.result }}.zip packages/docker/dist
-          zip -r -j actions-runner-hooks-k8s-${{ steps.releaseNotes.outputs.version }}.zip packages/k8s/dist
+          zip -r -j actions-runner-hooks-k8s-${{ steps.releaseVersion.outputs.result }}.zip packages/k8s/dist
-      - uses: actions/create-release@v1
+
-        id: createRelease
+      - name: Calculate SHA
-        name: Create ${{ steps.releaseNotes.outputs.version }} Hook Release
+        id: sha
-        env:
+        shell: bash
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          sha_docker=$(sha256sum actions-runner-hooks-docker-${{ steps.releaseVersion.outputs.result }}.zip | awk '{print $1}')
+          echo "Docker SHA: $sha_docker"
+          echo "docker-sha=$sha_docker" >> $GITHUB_OUTPUT
+          sha_k8s=$(sha256sum actions-runner-hooks-k8s-${{ steps.releaseVersion.outputs.result }}.zip | awk '{print $1}')
+          echo "K8s SHA: $sha_k8s"
+          echo "k8s-sha=$sha_k8s" >> $GITHUB_OUTPUT
+
+      - name: Create release notes
+        id: releaseNotes
+        uses: actions/github-script@v8
         with:
-          tag_name: "v${{ steps.releaseNotes.outputs.version }}"
+          script: |
-          release_name: "v${{ steps.releaseNotes.outputs.version }}"
+            const fs = require('fs');
-          body: |
+            var releaseNotes = fs.readFileSync('${{ github.workspace }}/releaseNotes.md', 'utf8').replace(/<HOOK_VERSION>/g, '${{ steps.releaseVersion.outputs.result }}')
-            ${{ steps.releaseNotes.outputs.note }}
+            releaseNotes = releaseNotes.replace(/<DOCKER_SHA>/g, '${{ steps.sha.outputs.docker-sha }}')
-      - name: Upload K8s hooks
+            releaseNotes = releaseNotes.replace(/<K8S_SHA>/g, '${{ steps.sha.outputs.k8s-sha }}')
-        uses: actions/upload-release-asset@v1
+            console.log(releaseNotes)
+            fs.writeFileSync('${{ github.workspace }}/finalReleaseNotes.md', releaseNotes);
+
+      - name: Create ${{ steps.releaseVersion.outputs.result }} Hook Release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
+        run: |
-          upload_url: ${{ steps.createRelease.outputs.upload_url }}
+          gh release create v${{ steps.releaseVersion.outputs.result }} \
-          asset_path: ${{ github.workspace }}/actions-runner-hooks-k8s-${{ steps.releaseNotes.outputs.version }}.zip
+            --title "v${{ steps.releaseVersion.outputs.result }}" \
-          asset_name: actions-runner-hooks-k8s-${{ steps.releaseNotes.outputs.version }}.zip
+            --repo ${{ github.repository }} \
-          asset_content_type: application/octet-stream
+            --notes-file ${{ github.workspace }}/finalReleaseNotes.md \
-      - name: Upload docker hooks
+            --latest \
-        uses: actions/upload-release-asset@v1
+            ${{ github.workspace }}/actions-runner-hooks-k8s-${{ steps.releaseVersion.outputs.result }}.zip \
-        env:
+            ${{ github.workspace }}/actions-runner-hooks-docker-${{ steps.releaseVersion.outputs.result }}.zip
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.createRelease.outputs.upload_url }}
-          asset_path: ${{ github.workspace }}/actions-runner-hooks-docker-${{ steps.releaseNotes.outputs.version }}.zip
-          asset_name: actions-runner-hooks-docker-${{ steps.releaseNotes.outputs.version }}.zip
-          asset_content_type: application/octet-stream

.gitignore

@@ -2,3 +2,4 @@ node_modules/
 lib/
 dist/
 **/tests/_temp/**
+packages/k8s/tests/test-kind.yaml

CODEOWNERS

@@ -1 +1 @@
-* @actions/actions-runtime
+* @actions/actions-compute @nikola-jokic

CONTRIBUTING.md

@@ -13,7 +13,7 @@ You'll need a runner compatible with hooks, a repository with container workflow
 - You'll need a runner compatible with hooks, a repository with container workflows to which you can register the runner and the hooks from this repository.
 - See [the runner contributing.md](../../github/CONTRIBUTING.MD) for how to get started with runner development.
 - Build your hook using `npm run build`
-- Enable the hooks by setting `ACTIONS_RUNNER_CONTAINER_HOOK=./packages/{libraryname}/dist/index.js` file generated by [ncc](https://github.com/vercel/ncc)
+- Enable the hooks by setting `ACTIONS_RUNNER_CONTAINER_HOOKS=./packages/{libraryname}/dist/index.js` file generated by [ncc](https://github.com/vercel/ncc)
 - Configure your self hosted runner against the a repository you have admin access
 - Run a workflow with a container job, for example
 ```

README.md

@@ -3,6 +3,24 @@ The Runner Container Hooks repo provides a set of packages that implement the co
 
 More information on how to implement your own hooks can be found in the [adr](https://github.com/actions/runner/pull/1891). The `examples` folder provides example inputs for each hook.
 
+### Note
+
+Thank you for your interest in this GitHub action, however, right now we are not taking contributions. 
+
+We continue to focus our resources on strategic areas that help our customers be successful while making developers' lives easier. While GitHub Actions remains a key part of this vision, we are allocating resources towards other areas of Actions and are not taking contributions to this repository at this time. The GitHub public roadmap is the best place to follow along for any updates on features we’re working on and what stage they’re in.
+
+We are taking the following steps to better direct requests related to GitHub Actions, including:
+
+1. We will be directing questions and support requests to our [Community Discussions area](https://github.com/orgs/community/discussions/categories/actions)
+
+2. High Priority bugs can be reported through Community Discussions or you can report these to our support team https://support.github.com/contact/bug-report.
+
+3. Security Issues should be handled as per our [security.md](security.md)
+
+We will still provide security updates for this project and fix major breaking changes during this time.
+
+You are welcome to still raise bugs in this repo.
+
 ## Background 
 
 Three projects are included in the `packages` folder
@@ -10,10 +28,6 @@ Three projects are included in the `packages` folder
 - docker: A hook implementation of the runner's docker implementation. More details can be found in the [readme](./packages/docker/README.md)
 - hooklib: a shared library which contains typescript definitions and utilities that the other projects consume
 
-### Requirements
-
-We welcome contributions.  See [how to contribute to get started](./CONTRIBUTING.md).
-
 ## License 
 
 This project is licensed under the terms of the MIT open source license. Please refer to [MIT](./LICENSE.md) for the full terms.

docs/adrs/0072-using-ephemeral-containers.md

@@ -0,0 +1,184 @@
+# ADR 0072: Using Ephemeral Containers
+
+**Date:** 27 March 2023
+
+**Status**: Rejected <!--Accepted|Rejected|Superceded|Deprecated-->
+
+## Context
+
+We are evaluating using Kubernetes [ephemeral containers](https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/) as a drop-in replacement for creating pods for [jobs that run in containers](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) and [service containers](https://docs.github.com/en/actions/using-containerized-services/about-service-containers).
+
+The main motivator behind using ephemeral containers is to eliminate the need for [Persistent Volumes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/). Persistent Volume implementations vary depending on the provider and we want to avoid building a dependency on it in order to provide our end-users a consistent experience.
+
+With ephemeral containers we could leverage [emptyDir volumes](https://kubernetes.io/docs/concepts/storage/volumes/#emptydir) which fits our use case better and its behaviour is consistent across providers.
+
+However, it's important to acknowledge that ephemeral containers were not designed to handle workloads but rather provide a mechanism to inspect running containers for debugging and troubleshooting purposes.
+
+## Evaluation
+
+The criteria that we are using to evaluate whether ephemeral containers are fit for purpose are:
+
+- Networking
+- Storage
+- Security
+- Resource limits
+- Logs
+- Customizability
+
+### Networking
+
+Ephemeral containers share the networking namespace of the pod they are attached to. This means that ephemeral containers can access the same network interfaces as the pod and can communicate with other containers in the same pod. However, ephemeral containers cannot have ports configured and as such the fields ports, livenessProbe, and readinessProbe are not available [^1][^2]
+
+In this scenario we have 3 containers in a pod:
+
+- `runner`: the main container that runs the GitHub Actions job
+- `debugger`: the first ephemeral container
+- `debugger2`: the second ephemeral container
+
+By sequentially opening ports on each of these containers and connecting to them we can demonstrate that the communication flow between the runner and the debuggers is feasible.
+
+<details>
+<summary>1. Runner -> Debugger communication</summary>
+
+![runner->debugger](./images/runner-debugger.png)
+</details>
+
+<details>
+<summary>2. Debugger -> Runner communication</summary>
+
+![debugger->runner](./images/debugger-runner.png)
+</details>
+
+<details>
+<summary>3. Debugger2 -> Debugger communication</summary>
+
+![debugger2->debugger](./images/debugger2-debugger.png)
+</details>
+
+### Storage
+
+An emptyDir volume can be successfully mounted (read/write) by the runner as well as the ephemeral containers. This means that ephemeral containers can share data with the runner and other ephemeral containers.
+
+<details>
+<summary>Configuration</summary>
+
+```yaml
+# Extracted from the values.yaml for the gha-runner-scale-set helm chart
+  spec:
+    containers:
+    - name: runner
+      image: ghcr.io/actions/actions-runner:latest
+      command: ["/home/runner/run.sh"]
+      volumeMounts:
+      - mountPath: /workspace
+        name: work-volume
+    volumes:
+      - name: work-volume
+        emptyDir:
+          sizeLimit: 1Gi
+```
+
+```bash
+# The API call to the Kubernetes API used to create the ephemeral containers
+
+POD_NAME="arc-runner-set-6sfwd-runner-k7qq6"
+NAMESPACE="arc-runners"
+
+curl -v "https://<IP>:<PORT>/api/v1/namespaces/$NAMESPACE/pods/$POD_NAME/ephemeralcontainers" \
+  -X PATCH \
+  -H 'Content-Type: application/strategic-merge-patch+json' \
+  --cacert <PATH_TO_CACERT> \
+  --cert <PATH_TO_CERT> \
+  --key <PATH_TO_CLIENT_KEY> \
+  -d '
+{
+    "spec":
+    {
+        "ephemeralContainers":
+        [
+            {
+                "name": "debugger",
+                "command": ["sh"],
+                "image": "ghcr.io/actions/actions-runner:latest",
+                "targetContainerName": "runner",
+                "stdin": true,
+                "tty": true,
+                "volumeMounts": [{
+                    "mountPath": "/workspace",
+                    "name": "work-volume",
+                    "readOnly": false
+                }]
+            },
+            {
+                "name": "debugger2",
+                "command": ["sh"],
+                "image": "ghcr.io/actions/actions-runner:latest",
+                "targetContainerName": "runner",
+                "stdin": true,
+                "tty": true,
+                "volumeMounts": [{
+                    "mountPath": "/workspace",
+                    "name": "work-volume",
+                    "readOnly": false
+                }]
+            }
+        ]
+    }
+}'
+```
+
+</details>
+
+<details>
+<summary>emptyDir volume mount</summary>
+
+![emptyDir volume mount](./images/emptyDir_volume.png)
+
+</details>
+
+### Security
+
+According to the [ephemeral containers API specification](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#ephemeralcontainer-v1-core) the configuration of the `securityContext` field is possible.
+
+Ephemeral containers share the same network namespace as the pod they are attached to. This means that ephemeral containers can access the same network interfaces as the pod and can communicate with other containers in the same pod.
+
+It is also possible for ephemeral containers to [share the process namespace](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) with the other containers in the pod. This is disabled by default.
+
+The above could have unpredictable security implications.
+
+### Resource limits
+
+Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod. [^1] This is a major drawback as it means that ephemeral containers cannot be configured to have resource limits.
+
+There are no guaranteed resources for ad-hoc troubleshooting. If troubleshooting causes a pod to exceed its resource limit it may be evicted. [^3]
+
+### Logs
+
+Since ephemeral containers can share volumes with the runner container, it's possible to write logs to the same volume and have them available to the runner container.
+
+### Customizability
+
+Ephemeral containers can run any image and tag provided, they can be customized to run any arbitrary job. However, it's important to note that the following are not feasible:
+
+- Lifecycle is not allowed for ephemeral containers
+    - Ephemeral containers will stop when their command exits, such as exiting a shell, and they will not be restarted. Unlike `kubectl exec`, processes in Ephemeral Containers will not receive an `EOF` if their connections are interrupted, so shells won't automatically exit on disconnect. There is no API support for killing or restarting an ephemeral container. The only way to exit the container is to send it an OS signal. [^4]
+- Probes are not allowed for ephemeral containers.
+- Ports are not allowed for ephemeral containers.
+
+## Decision
+
+While the evaluation shows that ephemeral containers can be used to run jobs in containers, it's important to acknowledge that ephemeral containers were not designed to handle workloads but rather provide a mechanism to inspect running containers for debugging and troubleshooting purposes.
+
+Given the limitations of ephemeral containers, we decided not to use them outside of their intended purpose.
+
+## Consequences
+
+Proposal rejected, no further action required. This document will be used as a reference for future discussions.
+
+[^1]: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#ephemeralcontainer-v1-core
+
+[^2]: https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/
+
+[^3]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/277-ephemeral-containers/README.md#notesconstraintscaveats
+
+[^4]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/277-ephemeral-containers/README.md#ephemeral-container-lifecycle

docs/adrs/0096-hook-extensions.md

@@ -0,0 +1,34 @@
+# ADR 0096: Hook extensions
+
+**Date:** 3 August 2023
+
+**Status**: Superceded [^1]
+
+## Context
+
+The current implementation of container hooks does not allow users to customize the pods created by the hook. While the implementation is designed to be used as is or as a starting point, building and maintaining a custom hook implementation just to specify additional fields is not a good user experience.
+
+## Decision
+
+We have decided to add hook extensions to the container hook implementation. This will allow users to customize the pods created by the hook by specifying additional fields. The hook extensions will be implemented in a way that is backwards-compatible with the existing hook implementation.
+
+To allow customization, the runner executing the hook should have `ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE` environment variable pointing to a yaml file on the runner system. The extension specified in that file will be applied both for job pods, and container steps.
+
+If environment variable is set, but the file can't be read, the hook will fail, signaling incorrect configuration.
+
+If the environment variable does not exist, the hook will apply the default spec.
+
+In case the hook is able to read the extended spec, it will first create a default configuration, and then merged modified fields in the following way:
+
+1. The `.metadata` fields that will be appended if they are not reserved are `labels` and `annotations`.
+2. The pod spec fields except for `containers` and `volumes` are applied from the template, possibly overwriting the field.
+3. The volumes are applied in form of appending additional volumes to the default volumes.
+4. The containers are merged based on the name assigned to them:
+    1. If the name of the container *is not* "$job", the entire spec of the container will be added to the pod definition.
+    2. If the name of the container *is* "$job", the `name` and the `image` fields are going to be ignored and the spec will be applied so that `env`, `volumeMounts`, `ports` are appended to the default container spec created by the hook, while the rest of the fields are going to be applied to the newly created container spec.
+
+## Consequences
+
+The addition of hook extensions will provide a better user experience for users who need to customize the pods created by the container hook. However, it will require additional effort to provide the template to the runner pod, and configure it properly.
+
+[^1]: Superseded by [ADR 0134](0134-hook-extensions.md)

docs/adrs/0134-hook-extensions.md

@@ -0,0 +1,41 @@
+# ADR 0134: Hook extensions
+
+**Date:** 20 February 2024
+
+**Status**: Accepted [^1]
+
+## Context
+
+The current implementation of container hooks does not allow users to customize the pods created by the hook. 
+While the implementation is designed to be used as is or as a starting point, building and maintaining a custom hook implementation just to specify additional fields is not a good user experience.
+
+## Decision
+
+We have decided to add hook extensions to the container hook implementation. 
+This will allow users to customize the pods created by the hook by specifying additional fields. 
+The hook extensions will be implemented in a way that is backwards-compatible with the existing hook implementation.
+
+To allow customization, the runner executing the hook should have `ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE` environment variable pointing to a yaml file on the runner system. 
+The extension specified in that file will be applied both for job pods, and container steps.
+
+If environment variable is set, but the file can't be read, the hook will fail, signaling incorrect configuration.
+
+If the environment variable does not exist, the hook will apply the default spec.
+
+In case the hook is able to read the extended spec, it will first create a default configuration, and then merged modified fields in the following way:
+
+1. The `.metadata` fields that will be appended if they are not reserved are `labels` and `annotations`.
+2. The pod spec fields except for `containers` and `volumes` are applied from the template, possibly overwriting the field.
+3. The volumes are applied in form of appending additional volumes to the default volumes.
+4. The containers are merged based on the name assigned to them:
+   1. If the name of the container *is* "$job", the `name` and the `image` fields are going to be ignored and the spec will be applied so that `env`, `volumeMounts`, `ports` are appended to the default container spec created by the hook, while the rest of the fields are going to be applied to the newly created container spec.
+   2. If the name of the container *starts with* "$", and matches the name of the [container service](https://docs.github.com/en/actions/using-containerized-services/about-service-containers), the `name` and the `image` fields are going to be ignored and the spec will be applied to that service container, so that `env`, `volumeMounts`, `ports` are appended to the default container spec for service created by the hook, while the rest of the fields are going to be applied to the created container spec. 
+      If there is no container service with such name defined in the workflow, such spec extension will be ignored.  
+   3. If the name of the container *does not start with* "$", the entire spec of the container will be added to the pod definition.
+
+## Consequences
+
+The addition of hook extensions will provide a better user experience for users who need to customize the pods created by the container hook. 
+However, it will require additional effort to provide the template to the runner pod, and configure it properly.
+
+[^1]: Supersedes [ADR 0096](0096-hook-extensions.md)

eslint.config.js

@@ -0,0 +1,122 @@
+const eslint = require('@eslint/js');
+const tseslint = require('@typescript-eslint/eslint-plugin');
+const tsparser = require('@typescript-eslint/parser');
+const globals = require('globals');
+const pluginJest = require('eslint-plugin-jest');
+
+module.exports = [
+  eslint.configs.recommended,
+  {
+    files: ['**/*.ts'],
+    languageOptions: {
+      parser: tsparser,
+      parserOptions: {
+        ecmaVersion: 2018,
+        sourceType: 'module',
+        project: ['./tsconfig.json', './packages/*/tsconfig.json']
+      },
+      globals: {
+        ...globals.node,
+        ...globals.es6
+      }
+    },
+    plugins: {
+      '@typescript-eslint': tseslint,
+    },
+    rules: {
+      // Disabled rules from original config
+      'eslint-comments/no-use': 'off',
+      'import/no-namespace': 'off',
+      'no-constant-condition': 'off',
+      'no-unused-vars': 'off',
+      'i18n-text/no-en': 'off',
+      'camelcase': 'off',
+      'semi': 'off',
+      'no-shadow': 'off',
+
+      // TypeScript ESLint rules
+      '@typescript-eslint/no-unused-vars': 'error',
+      '@typescript-eslint/explicit-member-accessibility': ['error', { accessibility: 'no-public' }],
+      '@typescript-eslint/no-require-imports': 'error',
+      '@typescript-eslint/array-type': 'error',
+      '@typescript-eslint/await-thenable': 'error',
+      '@typescript-eslint/explicit-function-return-type': ['error', { allowExpressions: true }],
+      '@typescript-eslint/no-array-constructor': 'error',
+      '@typescript-eslint/no-empty-interface': 'error',
+      '@typescript-eslint/no-explicit-any': 'off', // Fixed: removed duplicate and kept only this one
+      '@typescript-eslint/no-extraneous-class': 'error',
+      '@typescript-eslint/no-floating-promises': 'error',
+      '@typescript-eslint/no-for-in-array': 'error',
+      '@typescript-eslint/no-inferrable-types': 'error',
+      '@typescript-eslint/no-misused-new': 'error',
+      '@typescript-eslint/no-namespace': 'error',
+      '@typescript-eslint/no-non-null-assertion': 'warn',
+      '@typescript-eslint/no-unnecessary-qualifier': 'error',
+      '@typescript-eslint/no-unnecessary-type-assertion': 'error',
+      '@typescript-eslint/no-useless-constructor': 'error',
+      '@typescript-eslint/no-var-requires': 'error',
+      '@typescript-eslint/prefer-for-of': 'warn',
+      '@typescript-eslint/prefer-function-type': 'warn',
+      '@typescript-eslint/prefer-includes': 'error',
+      '@typescript-eslint/prefer-string-starts-ends-with': 'error',
+      '@typescript-eslint/promise-function-async': 'error',
+      '@typescript-eslint/require-array-sort-compare': 'error',
+      '@typescript-eslint/restrict-plus-operands': 'error',
+      '@typescript-eslint/unbound-method': 'error',
+      '@typescript-eslint/no-shadow': ['error']
+    }
+  },
+  {
+    // Test files configuration - Fixed file pattern to match .ts files
+    files: ['**/*test*.ts', '**/*spec*.ts', '**/tests/**/*.ts'],
+    languageOptions: {
+      parser: tsparser,
+      parserOptions: {
+        ecmaVersion: 2018,
+        sourceType: 'module',
+        project: ['./tsconfig.json', './packages/*/tsconfig.json']
+      },
+      globals: {
+        ...globals.node,
+        ...globals.es6,
+        // Fixed Jest globals
+        describe: 'readonly',
+        it: 'readonly',
+        test: 'readonly',
+        expect: 'readonly',
+        beforeEach: 'readonly',
+        afterEach: 'readonly',
+        beforeAll: 'readonly',
+        afterAll: 'readonly',
+        jest: 'readonly'
+      }
+    },
+    plugins: {
+      '@typescript-eslint': tseslint,
+      jest: pluginJest
+    },
+    rules: {
+      // Disable no-undef for test files since Jest globals are handled above
+      'no-undef': 'off',
+      // Relax some rules for test files
+      '@typescript-eslint/no-explicit-any': 'off',
+      '@typescript-eslint/no-non-null-assertion': 'off',
+      '@typescript-eslint/explicit-function-return-type': 'off'
+    }
+  },
+  {
+    files: ['**/jest.config.js', '**/jest.setup.js'],
+    languageOptions: {
+      globals: {
+        ...globals.node,
+        jest: 'readonly',
+        module: 'writable'
+      }
+    },
+    rules: {
+      '@typescript-eslint/no-require-imports': 'off',
+      '@typescript-eslint/no-var-requires': 'off',
+      'import/no-commonjs': 'off'
+    }
+  }
+];

examples/example-script.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "Hello World"

examples/extension.yaml

@@ -0,0 +1,38 @@
+metadata:
+  annotations:
+    annotated-by: "extension"
+  labels:
+    labeled-by: "extension"
+spec:
+  restartPolicy: Never
+  containers:
+  - name: $job # overwrites job container
+    env:
+    - name: ENV1
+      value: "value1"
+    imagePullPolicy: Always
+    image: "busybox:1.28" # Ignored
+    command:
+    - sh
+    args:
+    - -c
+    - sleep 50
+  - name: $redis # overwrites redis service
+    env:
+      - name: ENV2
+        value: "value2"
+    image: "busybox:1.28" # Ignored
+    resources:
+      requests:
+        memory: "1Mi"
+        cpu: "1"
+      limits:
+        memory: "1Gi"
+        cpu: "2"
+  - name: side-car
+    image: "ubuntu:latest" # required
+    command:
+      - sh
+    args:
+      - -c
+      - sleep 60

examples/prepare-job.json

@@ -4,8 +4,8 @@
   "state": {},
   "args": {
     "container": {
-      "image": "node:14.16",
+      "image": "node:22",
-      "workingDirectory": "/__w/thboop-test2/thboop-test2",
+      "workingDirectory": "/__w/repo/repo",
       "createOptions": "--cpus 1",
       "environmentVariables": {
         "NODE_ENV": "development"
@@ -24,37 +24,37 @@
           "readOnly": false
         },
         {
-          "sourceVolumePath": "//Users/thomas/git/runner/_layout/_work",
+          "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work",
           "targetVolumePath": "/__w",
           "readOnly": false
         },
         {
-          "sourceVolumePath": "//Users/thomas/git/runner/_layout/externals",
+          "sourceVolumePath": "/Users/thomas/git/runner/_layout/externals",
           "targetVolumePath": "/__e",
           "readOnly": true
         },
         {
-          "sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_temp",
+          "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_temp",
           "targetVolumePath": "/__w/_temp",
           "readOnly": false
         },
         {
-          "sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_actions",
+          "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_actions",
           "targetVolumePath": "/__w/_actions",
           "readOnly": false
         },
         {
-          "sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_tool",
+          "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_tool",
           "targetVolumePath": "/__w/_tool",
           "readOnly": false
         },
         {
-          "sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_temp/_github_home",
+          "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_temp/_github_home",
           "targetVolumePath": "/github/home",
           "readOnly": false
         },
         {
-          "sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_temp/_github_workflow",
+          "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_temp/_github_workflow",
           "targetVolumePath": "/github/workflow",
           "readOnly": false
         }
@@ -73,6 +73,8 @@
         "contextName": "redis",
         "image": "redis",
         "createOptions": "--cpus 1",
+        "entrypoint": null,
+        "entryPointArgs": [],
         "environmentVariables": {},
         "userMountVolumes": [
           {

examples/run-container-step.json

@@ -9,14 +9,14 @@
     }
   },
   "args": {
-    "image": "node:14.16",
+    "image": "node:22",
     "dockerfile": null,
     "entryPointArgs": [
-      "-c",
+      "-e",
-      "echo \"hello world2\""
+      "example-script.sh"
     ],
     "entryPoint": "bash",
-    "workingDirectory": "/__w/thboop-test2/thboop-test2",
+    "workingDirectory": "/__w/repo/repo",
     "createOptions": "--cpus 1",
     "environmentVariables": {
       "NODE_ENV": "development"
@@ -34,27 +34,27 @@
     ],
     "systemMountVolumes": [
       {
-        "sourceVolumePath": "//Users/thomas/git/runner/_layout/_work",
+        "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work",
         "targetVolumePath": "/__w",
         "readOnly": false
       },
       {
-        "sourceVolumePath": "//Users/thomas/git/runner/_layout/externals",
+        "sourceVolumePath": "/Users/thomas/git/runner/_layout/externals",
         "targetVolumePath": "/__e",
         "readOnly": true
       },
       {
-        "sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_temp",
+        "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_temp",
         "targetVolumePath": "/__w/_temp",
         "readOnly": false
       },
       {
-        "sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_actions",
+        "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_actions",
         "targetVolumePath": "/__w/_actions",
         "readOnly": false
       },
       {
-        "sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_tool",
+        "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_tool",
         "targetVolumePath": "/__w/_tool",
         "readOnly": false
       },
@@ -64,7 +64,7 @@
         "readOnly": false
       },
       {
-        "sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_temp/_github_workflow",
+        "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_temp/_github_workflow",
         "targetVolumePath": "/github/workflow",
         "readOnly": false
       }

examples/run-script-step.json

@@ -10,8 +10,8 @@
     },
     "args": {
         "entryPointArgs": [
-            "-c",
+            "-e",
-            "echo \"hello world\""
+            "example-script.sh"
         ],
         "entryPoint": "bash",
         "environmentVariables": {
@@ -21,6 +21,6 @@
             "/foo/bar",
             "bar/foo"
         ],
-        "workingDirectory": "/__w/thboop-test2/thboop-test2"
+        "workingDirectory": "/__w/repo/repo"
     }
 }

package.json

@@ -1,13 +1,13 @@
 {
   "name": "hooks",
-  "version": "0.1.0",
+  "version": "0.8.0",
   "description": "Three projects are included - k8s: a kubernetes hook implementation that spins up pods dynamically to run a job - docker: A hook implementation of the runner's docker implementation  - A hook lib, which contains shared typescript definitions and utilities that the other packages consume",
   "main": "",
   "directories": {
     "doc": "docs"
   },
   "scripts": {
-    "test": "npm run test --prefix packages/docker",
+    "test": "npm run test --prefix packages/docker && npm run test --prefix packages/k8s",
     "bootstrap": "npm install --prefix packages/hooklib && npm install --prefix packages/k8s && npm install --prefix packages/docker",
     "format": "prettier --write '**/*.ts'",
     "format-check": "prettier --check '**/*.ts'",
@@ -25,12 +25,18 @@
   },
   "homepage": "https://github.com/actions/runner-container-hooks#readme",
   "devDependencies": {
-    "@types/jest": "^27.5.1",
+    "@eslint/js": "^9.31.0",
-    "@types/node": "^17.0.23",
+    "@types/jest": "^30.0.0",
-    "@typescript-eslint/parser": "^5.18.0",
+    "@types/node": "^24.0.14",
-    "eslint": "^8.12.0",
+    "@typescript-eslint/eslint-plugin": "^8.37.0",
-    "eslint-plugin-github": "^4.3.6",
+    "@typescript-eslint/parser": "^8.37.0",
-    "prettier": "^2.6.2",
+    "eslint": "^9.31.0",
-    "typescript": "^4.6.3"
+    "eslint-plugin-github": "^6.0.0",
+    "globals": "^15.12.0",
+    "prettier": "^3.6.2",
+    "typescript": "^5.8.3"
+  },
+  "dependencies": {
+    "eslint-plugin-jest": "^29.0.1"
   }
 }

packages/docker/jest.config.js

@@ -1,13 +1,26 @@
-// eslint-disable-next-line import/no-commonjs
 module.exports = {
   clearMocks: true,
+  preset: 'ts-jest',
   moduleFileExtensions: ['js', 'ts'],
   testEnvironment: 'node',
   testMatch: ['**/*-test.ts'],
   testRunner: 'jest-circus/runner',
+  verbose: true,
   transform: {
-    '^.+\\.ts$': 'ts-jest'
+    '^.+\\.ts$': [
-  },
+      'ts-jest',
-  setupFilesAfterEnv: ['./jest.setup.js'],
+      {
-  verbose: true
+        tsconfig: 'tsconfig.test.json'
+      }
+    ],
+    // Transform ESM modules to CommonJS
+    '^.+\\.(js|mjs)$': ['babel-jest', {
+      presets: [['@babel/preset-env', { targets: { node: 'current' } }]]
+    }]
+  },
+  transformIgnorePatterns: [
+    // Transform these ESM packages
+    'node_modules/(?!(shlex|@kubernetes/client-node|openid-client|oauth4webapi|jose|uuid)/)'
+  ],
+  setupFilesAfterEnv: ['./jest.setup.js']
 }

packages/docker/jest.setup.js

@@ -1 +1 @@
-jest.setTimeout(90000)
+jest.setTimeout(500000)

packages/docker/package.json

@@ -5,25 +5,31 @@
   "main": "lib/index.js",
   "scripts": {
     "test": "jest --runInBand",
-    "build": "npx tsc && npx ncc build"
+    "build": "npx tsc && npx ncc build",
+    "format": "prettier --write '**/*.ts'",
+    "format-check": "prettier --check '**/*.ts'",
+    "lint": "eslint src/**/*.ts"
   },
   "author": "",
   "license": "MIT",
   "dependencies": {
-    "@actions/core": "^1.6.0",
+    "@actions/core": "^1.11.1",
     "@actions/exec": "^1.1.1",
     "hooklib": "file:../hooklib",
-    "uuid": "^8.3.2"
+    "shlex": "^3.0.0",
+    "uuid": "^11.1.0"
   },
   "devDependencies": {
-    "@types/jest": "^27.4.1",
+    "@babel/core": "^7.25.2",
-    "@types/node": "^17.0.23",
+    "@babel/preset-env": "^7.25.4",
-    "@typescript-eslint/parser": "^5.18.0",
+    "@types/jest": "^30.0.0",
-    "@vercel/ncc": "^0.33.4",
+    "@types/node": "^24.0.14",
-    "jest": "^27.5.1",
+    "@typescript-eslint/parser": "^8.37.0",
-    "ts-jest": "^27.1.4",
+    "@vercel/ncc": "^0.38.3",
-    "ts-node": "^10.7.0",
+    "jest": "^30.0.4",
-    "tsconfig-paths": "^3.14.1",
+    "ts-jest": "^29.4.0",
-    "typescript": "^4.6.3"
+    "ts-node": "^10.9.2",
+    "tsconfig-paths": "^4.2.0",
+    "typescript": "^5.8.3"
   }
 }

packages/docker/src/dockerCommands/container.ts

@@ -2,12 +2,11 @@ import * as core from '@actions/core'
 import * as fs from 'fs'
 import {
   ContainerInfo,
-  JobContainerInfo,
+  Registry,
   RunContainerStepArgs,
-  ServiceContainerInfo,
+  ServiceContainerInfo
-  StepContainerInfo
 } from 'hooklib/lib'
-import path from 'path'
+import * as path from 'path'
 import { env } from 'process'
 import { v4 as uuidv4 } from 'uuid'
 import { runDockerCommand, RunDockerCommandOptions } from '../utils'
@@ -43,23 +42,26 @@ export async function createContainer(
   }
 
   if (args.environmentVariables) {
-    for (const [key, value] of Object.entries(args.environmentVariables)) {
+    for (const [key] of Object.entries(args.environmentVariables)) {
-      dockerArgs.push('-e')
+      dockerArgs.push('-e', key)
-      if (!value) {
-        dockerArgs.push(`"${key}"`)
-      } else {
-        dockerArgs.push(`"${key}=${value}"`)
     }
   }
+
+  dockerArgs.push('-e', 'GITHUB_ACTIONS=true')
+  // Use same behavior as the runner https://github.com/actions/runner/blob/27d9c886ab9a45e0013cb462529ac85d581f8c41/src/Runner.Worker/Container/DockerCommandManager.cs#L150
+  if (!('CI' in (args.environmentVariables ?? {}))) {
+    dockerArgs.push('-e', 'CI=true')
   }
 
   const mountVolumes = [
     ...(args.userMountVolumes || []),
-    ...((args as JobContainerInfo | StepContainerInfo).systemMountVolumes || [])
+    ...(args.systemMountVolumes || [])
   ]
   for (const mountVolume of mountVolumes) {
     dockerArgs.push(
-      `-v=${mountVolume.sourceVolumePath}:${mountVolume.targetVolumePath}`
+      `-v=${mountVolume.sourceVolumePath}:${mountVolume.targetVolumePath}${
+        mountVolume.readOnly ? ':ro' : ''
+      }`
     )
   }
   if (args.entryPoint) {
@@ -74,7 +76,9 @@ export async function createContainer(
     }
   }
 
-  const id = (await runDockerCommand(dockerArgs)).trim()
+  const id = (
+    await runDockerCommand(dockerArgs, { env: args.environmentVariables })
+  ).trim()
   if (!id) {
     throw new Error('Could not read id from docker command')
   }
@@ -94,11 +98,12 @@ export async function containerPull(
   image: string,
   configLocation: string
 ): Promise<void> {
-  const dockerArgs: string[] = ['pull']
+  const dockerArgs: string[] = []
   if (configLocation) {
     dockerArgs.push('--config')
     dockerArgs.push(configLocation)
   }
+  dockerArgs.push('pull')
   dockerArgs.push(image)
   for (let i = 0; i < 3; i++) {
     try {
@@ -146,17 +151,41 @@ export async function containerBuild(
   args: RunContainerStepArgs,
   tag: string
 ): Promise<void> {
-  const context = path.dirname(`${env.GITHUB_WORKSPACE}/${args.dockerfile}`)
+  if (!args.dockerfile) {
+    throw new Error("Container build expects 'args.dockerfile' to be set")
+  }
+
   const dockerArgs: string[] = ['build']
   dockerArgs.push('-t', tag)
-  dockerArgs.push('-f', `${env.GITHUB_WORKSPACE}/${args.dockerfile}`)
+  dockerArgs.push('-f', args.dockerfile)
-  dockerArgs.push(context)
+  dockerArgs.push(getBuildContext(args.dockerfile))
-  // TODO: figure out build working directory
+
   await runDockerCommand(dockerArgs, {
-    workingDir: args['buildWorkingDirectory']
+    workingDir: getWorkingDir(args.dockerfile)
   })
 }
 
+function getBuildContext(dockerfilePath: string): string {
+  return path.dirname(dockerfilePath)
+}
+
+function getWorkingDir(dockerfilePath: string): string {
+  const workspace = env.GITHUB_WORKSPACE as string
+  let workingDir = workspace
+  if (!dockerfilePath?.includes(workspace)) {
+    // This is container action
+    const pathSplit = dockerfilePath.split('/')
+    const actionIndex = pathSplit?.findIndex(d => d === '_actions')
+    if (actionIndex) {
+      const actionSubdirectoryDepth = 3 // handle + repo + [branch | tag]
+      pathSplit.splice(actionIndex + actionSubdirectoryDepth + 1)
+      workingDir = pathSplit.join('/')
+    }
+  }
+
+  return workingDir
+}
+
 export async function containerLogs(id: string): Promise<void> {
   const dockerArgs: string[] = ['logs']
   dockerArgs.push('--details')
@@ -171,6 +200,18 @@ export async function containerNetworkRemove(network: string): Promise<void> {
   await runDockerCommand(dockerArgs)
 }
 
+export async function containerNetworkPrune(): Promise<void> {
+  const dockerArgs = [
+    'network',
+    'prune',
+    '--force',
+    '--filter',
+    `label=${getRunnerLabel()}`
+  ]
+
+  await runDockerCommand(dockerArgs)
+}
+
 export async function containerPrune(): Promise<void> {
   const dockerPSArgs: string[] = [
     'ps',
@@ -238,22 +279,36 @@ export async function healthCheck({
 export async function containerPorts(id: string): Promise<string[]> {
   const dockerArgs = ['port', id]
   const portMappings = (await runDockerCommand(dockerArgs)).trim()
-  return portMappings.split('\n')
+  return portMappings.split('\n').filter(p => !!p)
 }
 
-export async function registryLogin(args): Promise<string> {
+export async function getContainerEnvValue(
-  if (!args.registry) {
+  id: string,
+  name: string
+): Promise<string> {
+  const dockerArgs = [
+    'inspect',
+    `--format='{{range $index, $value := .Config.Env}}{{if eq (index (split $value "=") 0) "${name}"}}{{index (split $value "=") 1}}{{end}}{{end}}'`,
+    id
+  ]
+  const value = (await runDockerCommand(dockerArgs)).trim()
+  const lines = value.split('\n')
+  return lines.length ? lines[0].replace(/^'/, '').replace(/'$/, '') : ''
+}
+
+export async function registryLogin(registry?: Registry): Promise<string> {
+  if (!registry) {
     return ''
   }
   const credentials = {
-    username: args.registry.username,
+    username: registry.username,
-    password: args.registry.password
+    password: registry.password
   }
 
   const configLocation = `${env.RUNNER_TEMP}/.docker_${uuidv4()}`
   fs.mkdirSync(configLocation)
   try {
-    await dockerLogin(configLocation, args.registry.serverUrl, credentials)
+    await dockerLogin(configLocation, registry.serverUrl, credentials)
   } catch (error) {
     fs.rmdirSync(configLocation, { recursive: true })
     throw error
@@ -271,7 +326,7 @@ export async function registryLogout(configLocation: string): Promise<void> {
 async function dockerLogin(
   configLocation: string,
   registry: string,
-  credentials: { username: string; password: string }
+  credentials: { username?: string; password?: string }
 ): Promise<void> {
   const credentialsArgs =
     credentials.username && credentials.password
@@ -307,30 +362,36 @@ export async function containerExecStep(
 ): Promise<void> {
   const dockerArgs: string[] = ['exec', '-i']
   dockerArgs.push(`--workdir=${args.workingDirectory}`)
-  for (const [key, value] of Object.entries(args['environmentVariables'])) {
+  for (const [key] of Object.entries(args['environmentVariables'])) {
     dockerArgs.push('-e')
-    if (!value) {
+    dockerArgs.push(key)
-      dockerArgs.push(`"${key}"`)
-    } else {
-      dockerArgs.push(`"${key}=${value}"`)
-    }
   }
 
-  // Todo figure out prepend path and update it here
+  if (args.prependPath?.length) {
-  // (we need to pass path in as -e Path={fullpath}) where {fullpath is the prepend path added to the current containers path}
+    // TODO: remove compatibility with typeof prependPath === 'string' as we bump to next major version, the hooks will lose PrependPath compat with runners 2.293.0 and older
+    const prependPath =
+      typeof args.prependPath === 'string'
+        ? args.prependPath
+        : args.prependPath.join(':')
+
+    dockerArgs.push(
+      '-e',
+      `PATH=${prependPath}:${await getContainerEnvValue(containerId, 'PATH')}`
+    )
+  }
 
   dockerArgs.push(containerId)
   dockerArgs.push(args.entryPoint)
   for (const entryPointArg of args.entryPointArgs) {
     dockerArgs.push(entryPointArg)
   }
-  await runDockerCommand(dockerArgs)
+  await runDockerCommand(dockerArgs, { env: args.environmentVariables })
 }
 
 export async function containerRun(
   args: RunContainerStepArgs,
   name: string,
-  network: string
+  network?: string
 ): Promise<void> {
   if (!args.image) {
     throw new Error('expected image to be set')
@@ -340,20 +401,25 @@ export async function containerRun(
   dockerArgs.push('--name', name)
   dockerArgs.push(`--workdir=${args.workingDirectory}`)
   dockerArgs.push(`--label=${getRunnerLabel()}`)
+  if (network) {
     dockerArgs.push(`--network=${network}`)
+  }
 
   if (args.createOptions) {
     dockerArgs.push(...args.createOptions.split(' '))
   }
   if (args.environmentVariables) {
-    for (const [key, value] of Object.entries(args.environmentVariables)) {
+    for (const [key] of Object.entries(args.environmentVariables)) {
-      // Pass in this way to avoid printing secrets
+      dockerArgs.push('-e', key)
-      env[key] = value ?? undefined
-      dockerArgs.push('-e')
-      dockerArgs.push(key)
     }
   }
 
+  dockerArgs.push('-e', 'GITHUB_ACTIONS=true')
+  // Use same behavior as the runner https://github.com/actions/runner/blob/27d9c886ab9a45e0013cb462529ac85d581f8c41/src/Runner.Worker/Container/DockerCommandManager.cs#L150
+  if (!('CI' in (args.environmentVariables ?? {}))) {
+    dockerArgs.push('-e', 'CI=true')
+  }
+
   const mountVolumes = [
     ...(args.userMountVolumes || []),
     ...(args.systemMountVolumes || [])
@@ -374,11 +440,14 @@ export async function containerRun(
   dockerArgs.push(args.image)
   if (args.entryPointArgs) {
     for (const entryPointArg of args.entryPointArgs) {
+      if (!entryPointArg) {
+        continue
+      }
       dockerArgs.push(entryPointArg)
     }
   }
 
-  await runDockerCommand(dockerArgs)
+  await runDockerCommand(dockerArgs, { env: args.environmentVariables })
 }
 
 export async function isContainerAlpine(containerId: string): Promise<boolean> {
@@ -387,7 +456,7 @@ export async function isContainerAlpine(containerId: string): Promise<boolean> {
     containerId,
     'sh',
     '-c',
-    "[ $(cat /etc/*release* | grep -i -e '^ID=*alpine*' -c) != 0 ] || exit 1"
+    `'[ $(cat /etc/*release* | grep -i -e "^ID=*alpine*" -c) != 0 ] || exit 1'`
   ]
   try {
     await runDockerCommand(dockerArgs)

packages/docker/src/hooks/cleanup-job.ts

@@ -1,21 +1,9 @@
 import {
-  containerRemove,
+  containerNetworkPrune,
-  containerNetworkRemove
+  containerPrune
 } from '../dockerCommands/container'
 
-// eslint-disable-next-line @typescript-eslint/no-unused-vars
+export async function cleanupJob(): Promise<void> {
-export async function cleanupJob(args, state, responseFile): Promise<void> {
+  await containerPrune()
-  const containerIds: string[] = []
+  await containerNetworkPrune()
-  if (state?.container) {
-    containerIds.push(state.container)
-  }
-  if (state?.services) {
-    containerIds.push(state.services)
-  }
-  if (containerIds.length > 0) {
-    await containerRemove(containerIds)
-  }
-  if (state.network) {
-    await containerNetworkRemove(state.network)
-  }
 }

packages/docker/src/hooks/prepare-job.ts

@@ -31,16 +31,20 @@ export async function prepareJob(
     core.info('No containers exist, skipping hook invocation')
     exit(0)
   }
-  const networkName = generateNetworkName()
+
+  let networkName = process.env.ACTIONS_RUNNER_NETWORK_DRIVER
+  if (!networkName) {
+    networkName = generateNetworkName()
     // Create network
     await networkCreate(networkName)
+  }
 
   // Create Job Container
   let containerMetadata: ContainerMetadata | undefined = undefined
   if (!container?.image) {
     core.info('No job container provided, skipping')
   } else {
-    setupContainer(container)
+    setupContainer(container, true)
 
     const configLocation = await registryLogin(container.registry)
     try {
@@ -48,6 +52,7 @@ export async function prepareJob(
     } finally {
       await registryLogout(configLocation)
     }
+
     containerMetadata = await createContainer(
       container,
       generateContainerName(container.image),
@@ -78,6 +83,7 @@ export async function prepareJob(
         generateContainerName(service.image),
         networkName
       )
+
       servicesMetadata.push(response)
       await containerStart(response.id)
     }
@@ -94,7 +100,10 @@ export async function prepareJob(
     )
   }
 
-  const isAlpine = await isContainerAlpine(containerMetadata!.id)
+  let isAlpine = false
+  if (containerMetadata?.id) {
+    isAlpine = await isContainerAlpine(containerMetadata.id)
+  }
 
   if (containerMetadata?.id) {
     containerMetadata.ports = await containerPorts(containerMetadata.id)
@@ -105,7 +114,10 @@ export async function prepareJob(
     }
   }
 
-  const healthChecks: Promise<void>[] = [healthCheck(containerMetadata!)]
+  const healthChecks: Promise<void>[] = []
+  if (containerMetadata) {
+    healthChecks.push(healthCheck(containerMetadata))
+  }
   for (const service of servicesMetadata) {
     healthChecks.push(healthCheck(service))
   }
@@ -133,7 +145,6 @@ function generateResponseFile(
   servicesMetadata?: ContainerMetadata[],
   isAlpine = false
 ): void {
-  // todo figure out if we are alpine
   const response = {
     state: { network: networkName },
     context: {},
@@ -167,10 +178,12 @@ function generateResponseFile(
   writeToResponseFile(responseFile, JSON.stringify(response))
 }
 
-function setupContainer(container): void {
+function setupContainer(container, jobContainer = false): void {
+  if (!container.entryPoint && jobContainer) {
     container.entryPointArgs = [`-f`, `/dev/null`]
     container.entryPoint = 'tail'
   }
+}
 
 function generateNetworkName(): string {
   return `github_network_${uuidv4()}`
@@ -186,15 +199,15 @@ function transformDockerPortsToContextPorts(
   meta: ContainerMetadata
 ): ContextPorts {
   // ex: '80/tcp -> 0.0.0.0:80'
-  const re = /^(\d+)\/(\w+)? -> (.*):(\d+)$/
+  const re = /^(\d+)(\/\w+)? -> (.*):(\d+)$/
   const contextPorts: ContextPorts = {}
 
-  if (meta.ports) {
+  if (meta.ports?.length) {
     for (const port of meta.ports) {
       const matches = port.match(re)
       if (!matches) {
         throw new Error(
-          'Container ports could not match the regex: "^(\\d+)\\/(\\w+)? -> (.*):(\\d+)$"'
+          'Container ports could not match the regex: "^(\\d+)(\\/\\w+)? -> (.*):(\\d+)$"'
         )
       }
       contextPorts[matches[1]] = matches[matches.length - 1]

packages/docker/src/hooks/run-container-step.ts

@@ -1,13 +1,12 @@
+import { RunContainerStepArgs } from 'hooklib/lib'
+import { v4 as uuidv4 } from 'uuid'
 import {
   containerBuild,
-  registryLogin,
-  registryLogout,
   containerPull,
-  containerRun
+  containerRun,
+  registryLogin,
+  registryLogout
 } from '../dockerCommands'
-import { v4 as uuidv4 } from 'uuid'
-import * as core from '@actions/core'
-import { RunContainerStepArgs } from 'hooklib/lib'
 import { getRunnerLabel } from '../dockerCommands/constants'
 
 export async function runContainerStep(
@@ -15,23 +14,23 @@ export async function runContainerStep(
   state
 ): Promise<void> {
   const tag = generateBuildTag() // for docker build
-  if (!args.image) {
+  if (args.image) {
-    core.error('expected an image')
+    const configLocation = await registryLogin(args.registry)
-  } else {
-    if (args.dockerfile) {
-      await containerBuild(args, tag)
-      args.image = tag
-    } else {
-      const configLocation = await registryLogin(args)
     try {
       await containerPull(args.image, configLocation)
     } finally {
       await registryLogout(configLocation)
     }
-    }
+  } else if (args.dockerfile) {
+    await containerBuild(args, tag)
+    args.image = tag
+  } else {
+    throw new Error(
+      'run container step should have image or dockerfile fields specified'
+    )
   }
   // container will get pruned at the end of the job based on the label, no need to cleanup here
-  await containerRun(args, tag.split(':')[1], state.network)
+  await containerRun(args, tag.split(':')[1], state?.network)
 }
 
 function generateBuildTag(): string {

packages/docker/src/index.ts

@@ -13,22 +13,23 @@ import {
   runContainerStep,
   runScriptStep
 } from './hooks'
+import { checkEnvironment } from './utils'
 
 async function run(): Promise<void> {
+  try {
+    checkEnvironment()
     const input = await getInputFromStdin()
 
     const args = input['args']
     const command = input['command']
     const responseFile = input['responseFile']
     const state = input['state']
-
-  try {
     switch (command) {
       case Command.PrepareJob:
         await prepareJob(args as PrepareJobArgs, responseFile)
         return exit(0)
       case Command.CleanupJob:
-        await cleanupJob(null, state, null)
+        await cleanupJob()
         return exit(0)
       case Command.RunScriptStep:
         await runScriptStep(args as RunScriptStepArgs, state)

packages/docker/src/utils.ts

@@ -1,19 +1,23 @@
 /* eslint-disable @typescript-eslint/no-var-requires */
 /* eslint-disable @typescript-eslint/no-require-imports */
-/* eslint-disable import/no-commonjs */
 import * as core from '@actions/core'
+import { env } from 'process'
 // Import this way otherwise typescript has errors
 const exec = require('@actions/exec')
+const shlex = require('shlex')
 
 export interface RunDockerCommandOptions {
   workingDir?: string
   input?: Buffer
+  env?: { [key: string]: string }
 }
 
 export async function runDockerCommand(
   args: string[],
   options?: RunDockerCommandOptions
 ): Promise<string> {
+  options = optionsWithDockerEnvs(options)
+  args = fixArgs(args)
   const pipes = await exec.getExecOutput('docker', args, options)
   if (pipes.exitCode !== 0) {
     core.error(`Docker failed with exit code ${pipes.exitCode}`)
@@ -22,6 +26,45 @@ export async function runDockerCommand(
   return Promise.resolve(pipes.stdout)
 }
 
+export function optionsWithDockerEnvs(
+  options?: RunDockerCommandOptions
+): RunDockerCommandOptions | undefined {
+  // From https://docs.docker.com/engine/reference/commandline/cli/#environment-variables
+  const dockerCliEnvs = new Set([
+    'DOCKER_API_VERSION',
+    'DOCKER_CERT_PATH',
+    'DOCKER_CONFIG',
+    'DOCKER_CONTENT_TRUST_SERVER',
+    'DOCKER_CONTENT_TRUST',
+    'DOCKER_CONTEXT',
+    'DOCKER_DEFAULT_PLATFORM',
+    'DOCKER_HIDE_LEGACY_COMMANDS',
+    'DOCKER_HOST',
+    'DOCKER_STACK_ORCHESTRATOR',
+    'DOCKER_TLS_VERIFY',
+    'BUILDKIT_PROGRESS'
+  ])
+  const dockerEnvs = {}
+  for (const key in process.env) {
+    if (dockerCliEnvs.has(key)) {
+      dockerEnvs[key] = process.env[key]
+    }
+  }
+
+  const newOptions = {
+    workingDir: options?.workingDir,
+    input: options?.input,
+    env: options?.env || {}
+  }
+
+  // Set docker envs or overwrite provided ones
+  for (const [key, value] of Object.entries(dockerEnvs)) {
+    newOptions.env[key] = value as string
+  }
+
+  return newOptions
+}
+
 export function sanitize(val: string): string {
   if (!val || typeof val !== 'string') {
     return ''
@@ -42,6 +85,16 @@ export function sanitize(val: string): string {
   return newNameBuilder.join('')
 }
 
+export function fixArgs(args: string[]): string[] {
+  return shlex.split(args.join(' '))
+}
+
+export function checkEnvironment(): void {
+  if (!env.GITHUB_WORKSPACE) {
+    throw new Error('GITHUB_WORKSPACE is not set')
+  }
+}
+
 // isAlpha accepts single character and checks if
 // that character is [a-zA-Z]
 function isAlpha(val: string): boolean {

packages/docker/tests/cleanup-job-test.ts

@@ -1,62 +1,33 @@
-import { prepareJob, cleanupJob } from '../src/hooks'
+import { PrepareJobArgs } from 'hooklib/lib'
-import { v4 as uuidv4 } from 'uuid'
+import { cleanupJob, prepareJob } from '../src/hooks'
-import * as fs from 'fs'
-import * as path from 'path'
 import TestSetup from './test-setup'
 
-const prepareJobInputPath = path.resolve(
-  `${__dirname}/../../../examples/prepare-job.json`
-)
-
-const tmpOutputDir = `${__dirname}/${uuidv4()}`
-
-let prepareJobOutputPath: string
-let prepareJobData: any
-
 let testSetup: TestSetup
 
 jest.useRealTimers()
 
 describe('cleanup job', () => {
-  beforeAll(() => {
-    fs.mkdirSync(tmpOutputDir, { recursive: true })
-  })
-
-  afterAll(() => {
-    fs.rmSync(tmpOutputDir, { recursive: true })
-  })
-
   beforeEach(async () => {
-    const prepareJobRawData = fs.readFileSync(prepareJobInputPath, 'utf8')
-    prepareJobData = JSON.parse(prepareJobRawData.toString())
-
-    prepareJobOutputPath = `${tmpOutputDir}/prepare-job-output-${uuidv4()}.json`
-    fs.writeFileSync(prepareJobOutputPath, '')
-
     testSetup = new TestSetup()
     testSetup.initialize()
 
-    prepareJobData.args.container.userMountVolumes = testSetup.userMountVolumes
+    const prepareJobDefinition = testSetup.getPrepareJobDefinition()
-    prepareJobData.args.container.systemMountVolumes =
-      testSetup.systemMountVolumes
-    prepareJobData.args.container.workingDirectory = testSetup.workingDirectory
 
-    await prepareJob(prepareJobData.args, prepareJobOutputPath)
+    const prepareJobOutput = testSetup.createOutputFile(
+      'prepare-job-output.json'
+    )
+
+    await prepareJob(
+      prepareJobDefinition.args as PrepareJobArgs,
+      prepareJobOutput
+    )
   })
 
   afterEach(() => {
-    fs.rmSync(prepareJobOutputPath, { force: true })
     testSetup.teardown()
   })
 
   it('should cleanup successfully', async () => {
-    const prepareJobOutputContent = fs.readFileSync(
+    await expect(cleanupJob()).resolves.not.toThrow()
-      prepareJobOutputPath,
-      'utf-8'
-    )
-    const parsedPrepareJobOutput = JSON.parse(prepareJobOutputContent)
-    await expect(
-      cleanupJob(prepareJobData.args, parsedPrepareJobOutput.state, null)
-    ).resolves.not.toThrow()
   })
 })

packages/docker/tests/container-build-test.ts

@@ -0,0 +1,27 @@
+import { containerBuild } from '../src/dockerCommands'
+import TestSetup from './test-setup'
+
+let testSetup
+let runContainerStepDefinition
+
+describe('container build', () => {
+  beforeEach(() => {
+    testSetup = new TestSetup()
+    testSetup.initialize()
+
+    runContainerStepDefinition = testSetup.getRunContainerStepDefinition()
+  })
+
+  afterEach(() => {
+    testSetup.teardown()
+  })
+
+  it('should build container', async () => {
+    runContainerStepDefinition.image = ''
+    const actionPath = testSetup.initializeDockerAction()
+    runContainerStepDefinition.dockerfile = `${actionPath}/Dockerfile`
+    await expect(
+      containerBuild(runContainerStepDefinition, 'example-test-tag')
+    ).resolves.not.toThrow()
+  })
+})

packages/docker/tests/container-pull-test.ts

@@ -4,7 +4,7 @@ jest.useRealTimers()
 
 describe('container pull', () => {
   it('should fail', async () => {
-    const arg = { image: 'doesNotExist' }
+    const arg = { image: 'does-not-exist' }
     await expect(containerPull(arg.image, '')).rejects.toThrow()
   })
   it('should succeed', async () => {

packages/docker/tests/e2e-test.ts

@@ -1,102 +1,72 @@
-import {
-  prepareJob,
-  cleanupJob,
-  runScriptStep,
-  runContainerStep
-} from '../src/hooks'
 import * as fs from 'fs'
-import * as path from 'path'
+import {
-import { v4 as uuidv4 } from 'uuid'
+  cleanupJob,
+  prepareJob,
+  runContainerStep,
+  runScriptStep
+} from '../src/hooks'
 import TestSetup from './test-setup'
 
-const prepareJobJson = fs.readFileSync(
+let definitions
-  path.resolve(__dirname + '/../../../examples/prepare-job.json'),
-  'utf8'
-)
-
-const containerStepJson = fs.readFileSync(
-  path.resolve(__dirname + '/../../../examples/run-container-step.json'),
-  'utf8'
-)
-
-const tmpOutputDir = `${__dirname}/_temp/${uuidv4()}`
-
-let prepareJobData: any
-let scriptStepJson: any
-let scriptStepData: any
-let containerStepData: any
-
-let prepareJobOutputFilePath: string
 
 let testSetup: TestSetup
 
 describe('e2e', () => {
-  beforeAll(() => {
-    fs.mkdirSync(tmpOutputDir, { recursive: true })
-  })
-
-  afterAll(() => {
-    fs.rmSync(tmpOutputDir, { recursive: true })
-  })
-
   beforeEach(() => {
-    // init dirs
     testSetup = new TestSetup()
     testSetup.initialize()
 
-    prepareJobData = JSON.parse(prepareJobJson)
+    definitions = {
-    prepareJobData.args.container.userMountVolumes = testSetup.userMountVolumes
+      prepareJob: testSetup.getPrepareJobDefinition(),
-    prepareJobData.args.container.systemMountVolumes =
+      runScriptStep: testSetup.getRunScriptStepDefinition(),
-      testSetup.systemMountVolumes
+      runContainerStep: testSetup.getRunContainerStepDefinition()
-    prepareJobData.args.container.workingDirectory = testSetup.workingDirectory
+    }
-
-    scriptStepJson = fs.readFileSync(
-      path.resolve(__dirname + '/../../../examples/run-script-step.json'),
-      'utf8'
-    )
-    scriptStepData = JSON.parse(scriptStepJson)
-    scriptStepData.args.workingDirectory = testSetup.workingDirectory
-
-    containerStepData = JSON.parse(containerStepJson)
-    containerStepData.args.workingDirectory = testSetup.workingDirectory
-    containerStepData.args.userMountVolumes = testSetup.userMountVolumes
-    containerStepData.args.systemMountVolumes = testSetup.systemMountVolumes
-
-    prepareJobOutputFilePath = `${tmpOutputDir}/prepare-job-output-${uuidv4()}.json`
-    fs.writeFileSync(prepareJobOutputFilePath, '')
   })
 
   afterEach(() => {
-    fs.rmSync(prepareJobOutputFilePath, { force: true })
     testSetup.teardown()
   })
 
   it('should prepare job, then run script step, then run container step then cleanup', async () => {
+    const prepareJobOutput = testSetup.createOutputFile(
+      'prepare-job-output.json'
+    )
+
     await expect(
-      prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+      prepareJob(definitions.prepareJob.args, prepareJobOutput)
     ).resolves.not.toThrow()
-    let rawState = fs.readFileSync(prepareJobOutputFilePath, 'utf-8')
+
+    let rawState = fs.readFileSync(prepareJobOutput, 'utf-8')
     let resp = JSON.parse(rawState)
+
     await expect(
-      runScriptStep(scriptStepData.args, resp.state)
+      runScriptStep(definitions.runScriptStep.args, resp.state)
     ).resolves.not.toThrow()
+
     await expect(
-      runContainerStep(containerStepData.args, resp.state)
+      runContainerStep(definitions.runContainerStep.args, resp.state)
     ).resolves.not.toThrow()
-    await expect(cleanupJob(resp, resp.state, null)).resolves.not.toThrow()
+
+    await expect(cleanupJob()).resolves.not.toThrow()
   })
 
   it('should prepare job, then run script step, then run container step with Dockerfile then cleanup', async () => {
+    const prepareJobOutput = testSetup.createOutputFile(
+      'prepare-job-output.json'
+    )
+
     await expect(
-      prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+      prepareJob(definitions.prepareJob.args, prepareJobOutput)
-    ).resolves.not.toThrow()
-    let rawState = fs.readFileSync(prepareJobOutputFilePath, 'utf-8')
-    let resp = JSON.parse(rawState)
-    await expect(
-      runScriptStep(scriptStepData.args, resp.state)
     ).resolves.not.toThrow()
 
-    const dockerfilePath = `${tmpOutputDir}/Dockerfile`
+    let rawState = fs.readFileSync(prepareJobOutput, 'utf-8')
+    let resp = JSON.parse(rawState)
+
+    await expect(
+      runScriptStep(definitions.runScriptStep.args, resp.state)
+    ).resolves.not.toThrow()
+
+    const dockerfilePath = `${testSetup.workingDirectory}/Dockerfile`
     fs.writeFileSync(
       dockerfilePath,
       `FROM ubuntu:latest
@@ -104,14 +74,17 @@ ENV TEST=test
 ENTRYPOINT [ "tail", "-f", "/dev/null" ]
     `
     )
-    const containerStepDataCopy = JSON.parse(JSON.stringify(containerStepData))
+
-    process.env.GITHUB_WORKSPACE = tmpOutputDir
+    const containerStepDataCopy = JSON.parse(
+      JSON.stringify(definitions.runContainerStep)
+    )
+
     containerStepDataCopy.args.dockerfile = 'Dockerfile'
-    containerStepDataCopy.args.context = '.'
+
-    console.log(containerStepDataCopy.args)
     await expect(
       runContainerStep(containerStepDataCopy.args, resp.state)
     ).resolves.not.toThrow()
-    await expect(cleanupJob(resp, resp.state, null)).resolves.not.toThrow()
+
+    await expect(cleanupJob()).resolves.not.toThrow()
   })
 })

packages/docker/tests/prepare-job-test.ts

@@ -1,40 +1,18 @@
 import * as fs from 'fs'
-import { v4 as uuidv4 } from 'uuid'
 import { prepareJob } from '../src/hooks'
 import TestSetup from './test-setup'
 
 jest.useRealTimers()
 
-let prepareJobOutputPath: string
+let prepareJobDefinition
-let prepareJobData: any
-const tmpOutputDir = `${__dirname}/_temp/${uuidv4()}`
-const prepareJobInputPath = `${__dirname}/../../../examples/prepare-job.json`
 
 let testSetup: TestSetup
 
 describe('prepare job', () => {
-  beforeAll(() => {
+  beforeEach(() => {
-    fs.mkdirSync(tmpOutputDir, { recursive: true })
-  })
-
-  afterAll(() => {
-    fs.rmSync(tmpOutputDir, { recursive: true })
-  })
-
-  beforeEach(async () => {
     testSetup = new TestSetup()
     testSetup.initialize()
-
+    prepareJobDefinition = testSetup.getPrepareJobDefinition()
-    let prepareJobRawData = fs.readFileSync(prepareJobInputPath, 'utf8')
-    prepareJobData = JSON.parse(prepareJobRawData.toString())
-
-    prepareJobData.args.container.userMountVolumes = testSetup.userMountVolumes
-    prepareJobData.args.container.systemMountVolumes =
-      testSetup.systemMountVolumes
-    prepareJobData.args.container.workingDirectory = testSetup.workingDirectory
-
-    prepareJobOutputPath = `${tmpOutputDir}/prepare-job-output-${uuidv4()}.json`
-    fs.writeFileSync(prepareJobOutputPath, '')
   })
 
   afterEach(() => {
@@ -42,38 +20,68 @@ describe('prepare job', () => {
   })
 
   it('should not throw', async () => {
+    const prepareJobOutput = testSetup.createOutputFile(
+      'prepare-job-output.json'
+    )
     await expect(
-      prepareJob(prepareJobData.args, prepareJobOutputPath)
+      prepareJob(prepareJobDefinition.args, prepareJobOutput)
     ).resolves.not.toThrow()
 
-    expect(() => fs.readFileSync(prepareJobOutputPath, 'utf-8')).not.toThrow()
+    expect(() => fs.readFileSync(prepareJobOutput, 'utf-8')).not.toThrow()
   })
 
   it('should have JSON output written to a file', async () => {
-    await prepareJob(prepareJobData.args, prepareJobOutputPath)
+    const prepareJobOutput = testSetup.createOutputFile(
-    const prepareJobOutputContent = fs.readFileSync(
+      'prepare-job-output.json'
-      prepareJobOutputPath,
-      'utf-8'
     )
+    await prepareJob(prepareJobDefinition.args, prepareJobOutput)
+    const prepareJobOutputContent = fs.readFileSync(prepareJobOutput, 'utf-8')
     expect(() => JSON.parse(prepareJobOutputContent)).not.toThrow()
   })
 
   it('should have context written to a file', async () => {
-    await prepareJob(prepareJobData.args, prepareJobOutputPath)
+    const prepareJobOutput = testSetup.createOutputFile(
-    const prepareJobOutputContent = fs.readFileSync(
+      'prepare-job-output.json'
-      prepareJobOutputPath,
+    )
-      'utf-8'
+    await prepareJob(prepareJobDefinition.args, prepareJobOutput)
+    const parsedPrepareJobOutput = JSON.parse(
+      fs.readFileSync(prepareJobOutput, 'utf-8')
     )
-    const parsedPrepareJobOutput = JSON.parse(prepareJobOutputContent)
     expect(parsedPrepareJobOutput.context).toBeDefined()
   })
 
-  it('should have container ids written to file', async () => {
+  it('should have isAlpine field set correctly', async () => {
-    await prepareJob(prepareJobData.args, prepareJobOutputPath)
+    let prepareJobOutput = testSetup.createOutputFile(
-    const prepareJobOutputContent = fs.readFileSync(
+      'prepare-job-output-alpine.json'
-      prepareJobOutputPath,
-      'utf-8'
     )
+    const prepareJobArgsClone = JSON.parse(
+      JSON.stringify(prepareJobDefinition.args)
+    )
+    prepareJobArgsClone.container.image = 'alpine:latest'
+    await prepareJob(prepareJobArgsClone, prepareJobOutput)
+
+    let parsedPrepareJobOutput = JSON.parse(
+      fs.readFileSync(prepareJobOutput, 'utf-8')
+    )
+    expect(parsedPrepareJobOutput.isAlpine).toBe(true)
+
+    prepareJobOutput = testSetup.createOutputFile(
+      'prepare-job-output-ubuntu.json'
+    )
+    prepareJobArgsClone.container.image = 'ubuntu:latest'
+    await prepareJob(prepareJobArgsClone, prepareJobOutput)
+    parsedPrepareJobOutput = JSON.parse(
+      fs.readFileSync(prepareJobOutput, 'utf-8')
+    )
+    expect(parsedPrepareJobOutput.isAlpine).toBe(false)
+  })
+
+  it('should have container ids written to file', async () => {
+    const prepareJobOutput = testSetup.createOutputFile(
+      'prepare-job-output.json'
+    )
+    await prepareJob(prepareJobDefinition.args, prepareJobOutput)
+    const prepareJobOutputContent = fs.readFileSync(prepareJobOutput, 'utf-8')
     const parsedPrepareJobOutput = JSON.parse(prepareJobOutputContent)
 
     expect(parsedPrepareJobOutput.context.container.id).toBeDefined()
@@ -82,11 +90,11 @@ describe('prepare job', () => {
   })
 
   it('should have ports for context written in form [containerPort]:[hostPort]', async () => {
-    await prepareJob(prepareJobData.args, prepareJobOutputPath)
+    const prepareJobOutput = testSetup.createOutputFile(
-    const prepareJobOutputContent = fs.readFileSync(
+      'prepare-job-output.json'
-      prepareJobOutputPath,
-      'utf-8'
     )
+    await prepareJob(prepareJobDefinition.args, prepareJobOutput)
+    const prepareJobOutputContent = fs.readFileSync(prepareJobOutput, 'utf-8')
     const parsedPrepareJobOutput = JSON.parse(prepareJobOutputContent)
 
     const mainContainerPorts = parsedPrepareJobOutput.context.container.ports
@@ -100,4 +108,14 @@ describe('prepare job', () => {
     expect(redisServicePorts['80']).toBe('8080')
     expect(redisServicePorts['8080']).toBe('8088')
   })
+
+  it('should run prepare job without job container without exception', async () => {
+    prepareJobDefinition.args.container = null
+    const prepareJobOutput = testSetup.createOutputFile(
+      'prepare-job-output.json'
+    )
+    await expect(
+      prepareJob(prepareJobDefinition.args, prepareJobOutput)
+    ).resolves.not.toThrow()
+  })
 })

packages/docker/tests/run-script-step-test.ts

@@ -0,0 +1,96 @@
+import * as fs from 'fs'
+import { PrepareJobResponse } from 'hooklib/lib'
+import { prepareJob, runScriptStep } from '../src/hooks'
+import TestSetup from './test-setup'
+
+jest.useRealTimers()
+
+let testSetup: TestSetup
+
+let definitions
+
+let prepareJobResponse: PrepareJobResponse
+
+describe('run script step', () => {
+  beforeEach(async () => {
+    testSetup = new TestSetup()
+    testSetup.initialize()
+
+    definitions = {
+      prepareJob: testSetup.getPrepareJobDefinition(),
+      runScriptStep: testSetup.getRunScriptStepDefinition()
+    }
+
+    const prepareJobOutput = testSetup.createOutputFile(
+      'prepare-job-output.json'
+    )
+    await prepareJob(definitions.prepareJob.args, prepareJobOutput)
+
+    prepareJobResponse = JSON.parse(fs.readFileSync(prepareJobOutput, 'utf-8'))
+  })
+
+  it('Should run script step without exceptions', async () => {
+    await expect(
+      runScriptStep(definitions.runScriptStep.args, prepareJobResponse.state)
+    ).resolves.not.toThrow()
+  })
+
+  it('Should have path variable changed in container with prepend path string', async () => {
+    definitions.runScriptStep.args.prependPath = '/some/path'
+    definitions.runScriptStep.args.entryPoint = '/bin/bash'
+    definitions.runScriptStep.args.entryPointArgs = [
+      '-c',
+      `'if [[ ! $(env | grep "^PATH=") = "PATH=${definitions.runScriptStep.args.prependPath}:"* ]]; then exit 1; fi'`
+    ]
+    await expect(
+      runScriptStep(definitions.runScriptStep.args, prepareJobResponse.state)
+    ).resolves.not.toThrow()
+  })
+
+  it("Should fix expansion and print correctly in container's stdout", async () => {
+    const spy = jest.spyOn(process.stdout, 'write').mockImplementation()
+
+    definitions.runScriptStep.args.entryPoint = 'echo'
+    definitions.runScriptStep.args.entryPointArgs = ['"Mona', 'the', `Octocat"`]
+    await expect(
+      runScriptStep(definitions.runScriptStep.args, prepareJobResponse.state)
+    ).resolves.not.toThrow()
+    expect(spy).toHaveBeenCalledWith(
+      expect.stringContaining('Mona the Octocat')
+    )
+
+    spy.mockRestore()
+  })
+
+  it('Should have path variable changed in container with prepend path string array', async () => {
+    definitions.runScriptStep.args.prependPath = ['/some/other/path']
+    definitions.runScriptStep.args.entryPoint = '/bin/bash'
+    definitions.runScriptStep.args.entryPointArgs = [
+      '-c',
+      `'if [[ ! $(env | grep "^PATH=") = "PATH=${definitions.runScriptStep.args.prependPath.join(
+        ':'
+      )}:"* ]]; then exit 1; fi'`
+    ]
+    await expect(
+      runScriptStep(definitions.runScriptStep.args, prepareJobResponse.state)
+    ).resolves.not.toThrow()
+  })
+
+  it('Should confirm that CI and GITHUB_ACTIONS are set', async () => {
+    definitions.runScriptStep.args.entryPoint = '/bin/bash'
+    definitions.runScriptStep.args.entryPointArgs = [
+      '-c',
+      `'if [[ ! $(env | grep "^CI=") = "CI=true" ]]; then exit 1; fi'`
+    ]
+    await expect(
+      runScriptStep(definitions.runScriptStep.args, prepareJobResponse.state)
+    ).resolves.not.toThrow()
+    definitions.runScriptStep.args.entryPointArgs = [
+      '-c',
+      `'if [[ ! $(env | grep "^GITHUB_ACTIONS=") = "GITHUB_ACTIONS=true" ]]; then exit 1; fi'`
+    ]
+    await expect(
+      runScriptStep(definitions.runScriptStep.args, prepareJobResponse.state)
+    ).resolves.not.toThrow()
+  })
+})

packages/docker/tests/test-setup.ts

@@ -1,11 +1,15 @@
 import * as fs from 'fs'
-import { v4 as uuidv4 } from 'uuid'
-import { env } from 'process'
 import { Mount } from 'hooklib'
+import { HookData } from 'hooklib/lib'
+import * as path from 'path'
+import { env } from 'process'
+import { v4 as uuidv4 } from 'uuid'
 
 export default class TestSetup {
   private testdir: string
   private runnerMockDir: string
+  readonly runnerOutputDir: string
+
   private runnerMockSubdirs = {
     work: '_work',
     externals: 'externals',
@@ -16,17 +20,18 @@ export default class TestSetup {
     githubWorkflow: '_work/_temp/_github_workflow'
   }
 
-  private readonly projectName = 'example'
+  private readonly projectName = 'repo'
 
   constructor() {
     this.testdir = `${__dirname}/_temp/${uuidv4()}`
     this.runnerMockDir = `${this.testdir}/runner/_layout`
+    this.runnerOutputDir = `${this.testdir}/outputs`
   }
 
   private get allTestDirectories() {
-    const resp = [this.testdir, this.runnerMockDir]
+    const resp = [this.testdir, this.runnerMockDir, this.runnerOutputDir]
 
-    for (const [key, value] of Object.entries(this.runnerMockSubdirs)) {
+    for (const [, value] of Object.entries(this.runnerMockSubdirs)) {
       resp.push(`${this.runnerMockDir}/${value}`)
     }
 
@@ -37,31 +42,27 @@ export default class TestSetup {
     return resp
   }
 
-  public initialize(): void {
+  initialize(): void {
+    env['GITHUB_WORKSPACE'] = this.workingDirectory
+    env['RUNNER_NAME'] = 'test'
+    env['RUNNER_TEMP'] =
+      `${this.runnerMockDir}/${this.runnerMockSubdirs.workTemp}`
+
     for (const dir of this.allTestDirectories) {
       fs.mkdirSync(dir, { recursive: true })
     }
-    env['RUNNER_NAME'] = 'test'
+
-    env[
+    fs.copyFileSync(
-      'RUNNER_TEMP'
+      path.resolve(`${__dirname}/../../../examples/example-script.sh`),
-    ] = `${this.runnerMockDir}/${this.runnerMockSubdirs.workTemp}`
+      `${env.RUNNER_TEMP}/example-script.sh`
+    )
   }
 
-  public teardown(): void {
+  teardown(): void {
     fs.rmdirSync(this.testdir, { recursive: true })
   }
 
-  public get userMountVolumes(): Mount[] {
+  private get systemMountVolumes(): Mount[] {
-    return [
-      {
-        sourceVolumePath: 'my_docker_volume',
-        targetVolumePath: '/volume_mount',
-        readOnly: false
-      }
-    ]
-  }
-
-  public get systemMountVolumes(): Mount[] {
     return [
       {
         sourceVolumePath: '/var/run/docker.sock',
@@ -106,7 +107,89 @@ export default class TestSetup {
     ]
   }
 
-  public get workingDirectory(): string {
+  createOutputFile(name: string): string {
+    let filePath = path.join(this.runnerOutputDir, name || `${uuidv4()}.json`)
+    fs.writeFileSync(filePath, '')
+    return filePath
+  }
+
+  get workingDirectory(): string {
+    return `${this.runnerMockDir}/_work/${this.projectName}/${this.projectName}`
+  }
+
+  get containerWorkingDirectory(): string {
     return `/__w/${this.projectName}/${this.projectName}`
   }
+
+  initializeDockerAction(): string {
+    const actionPath = `${this.testdir}/_actions/example-handle/example-repo/example-branch/mock-directory`
+    fs.mkdirSync(actionPath, { recursive: true })
+    this.writeDockerfile(actionPath)
+    this.writeEntrypoint(actionPath)
+    return actionPath
+  }
+
+  private writeDockerfile(actionPath: string) {
+    const content = `FROM alpine:3.10
+COPY entrypoint.sh /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]`
+    fs.writeFileSync(`${actionPath}/Dockerfile`, content)
+  }
+
+  private writeEntrypoint(actionPath) {
+    const content = `#!/bin/sh -l
+echo "Hello $1"
+time=$(date)
+echo "::set-output name=time::$time"`
+    const entryPointPath = `${actionPath}/entrypoint.sh`
+    fs.writeFileSync(entryPointPath, content)
+    fs.chmodSync(entryPointPath, 0o755)
+  }
+
+  getPrepareJobDefinition(): HookData {
+    const prepareJob = JSON.parse(
+      fs.readFileSync(
+        path.resolve(__dirname + '/../../../examples/prepare-job.json'),
+        'utf8'
+      )
+    )
+
+    prepareJob.args.container.systemMountVolumes = this.systemMountVolumes
+    prepareJob.args.container.workingDirectory = this.workingDirectory
+    prepareJob.args.container.userMountVolumes = undefined
+    prepareJob.args.container.registry = null
+    prepareJob.args.services.forEach(s => {
+      s.registry = null
+    })
+
+    return prepareJob
+  }
+
+  getRunScriptStepDefinition(): HookData {
+    const runScriptStep = JSON.parse(
+      fs.readFileSync(
+        path.resolve(__dirname + '/../../../examples/run-script-step.json'),
+        'utf8'
+      )
+    )
+
+    runScriptStep.args.entryPointArgs[1] = `/__w/_temp/example-script.sh`
+    return runScriptStep
+  }
+
+  getRunContainerStepDefinition(): HookData {
+    const runContainerStep = JSON.parse(
+      fs.readFileSync(
+        path.resolve(__dirname + '/../../../examples/run-container-step.json'),
+        'utf8'
+      )
+    )
+
+    runContainerStep.args.entryPointArgs[1] = `/__w/_temp/example-script.sh`
+    runContainerStep.args.systemMountVolumes = this.systemMountVolumes
+    runContainerStep.args.workingDirectory = this.workingDirectory
+    runContainerStep.args.userMountVolumes = undefined
+    runContainerStep.args.registry = null
+    return runContainerStep
+  }
 }

packages/docker/tests/utils-test.ts

@@ -1,4 +1,4 @@
-import { sanitize } from '../src/utils'
+import { optionsWithDockerEnvs, sanitize, fixArgs } from '../src/utils'
 
 describe('Utilities', () => {
   it('should return sanitized image name', () => {
@@ -9,4 +9,72 @@ describe('Utilities', () => {
     const validStr = 'teststr8_one'
     expect(sanitize(validStr)).toBe(validStr)
   })
+
+  test.each([
+    [['"Hello', 'World"'], ['Hello World']],
+    [
+      [
+        'sh',
+        '-c',
+        `'[ $(cat /etc/*release* | grep -i -e "^ID=*alpine*" -c) != 0 ] || exit 1'`
+      ],
+      [
+        'sh',
+        '-c',
+        `[ $(cat /etc/*release* | grep -i -e "^ID=*alpine*" -c) != 0 ] || exit 1`
+      ]
+    ],
+    [
+      [
+        'sh',
+        '-c',
+        `'[ $(cat /etc/*release* | grep -i -e '\\''^ID=*alpine*'\\'' -c) != 0 ] || exit 1'`
+      ],
+      [
+        'sh',
+        '-c',
+        `[ $(cat /etc/*release* | grep -i -e '^ID=*alpine*' -c) != 0 ] || exit 1`
+      ]
+    ]
+  ])('should fix split arguments(%p, %p)', (args, expected) => {
+    const got = fixArgs(args)
+    expect(got).toStrictEqual(expected)
+  })
+
+  describe('with docker options', () => {
+    it('should augment options with docker environment variables', () => {
+      process.env.DOCKER_HOST = 'unix:///run/user/1001/docker.sock'
+      process.env.DOCKER_NOTEXIST = 'notexist'
+
+      const optionDefinitions: any = [
+        undefined,
+        {},
+        { env: {} },
+        { env: { DOCKER_HOST: 'unix://var/run/docker.sock' } }
+      ]
+      for (const opt of optionDefinitions) {
+        let options = optionsWithDockerEnvs(opt)
+        expect(options).toBeDefined()
+        expect(options?.env).toBeDefined()
+        expect(options?.env?.DOCKER_HOST).toBe(process.env.DOCKER_HOST)
+        expect(options?.env?.DOCKER_NOTEXIST).toBeUndefined()
+      }
+    })
+
+    it('should not overwrite other options', () => {
+      process.env.DOCKER_HOST = 'unix:///run/user/1001/docker.sock'
+      const opt = {
+        workingDir: 'test',
+        input: Buffer.from('test')
+      }
+
+      const options = optionsWithDockerEnvs(opt)
+      expect(options).toBeDefined()
+      expect(options?.workingDir).toBe(opt.workingDir)
+      expect(options?.input).toBe(opt.input)
+      expect(options?.env).toStrictEqual({
+        DOCKER_HOST: process.env.DOCKER_HOST
+      })
+    })
+  })
 })

packages/docker/tsconfig.test.json

@@ -0,0 +1,6 @@
+{
+  "compilerOptions": {
+    "allowJs": true
+  },
+  "extends": "./tsconfig.json"
+}

packages/hooklib/package.json

@@ -3,7 +3,7 @@
   "version": "0.1.0",
   "description": "",
   "main": "lib/index.js",
-  "types": "index.d.ts",
+  "types": "lib/index.d.ts",
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1",
     "build": "tsc",
@@ -14,15 +14,14 @@
   "author": "",
   "license": "MIT",
   "devDependencies": {
-    "@types/node": "^17.0.23",
+    "@types/node": "^24.0.14",
-    "@typescript-eslint/parser": "^5.18.0",
     "@zeit/ncc": "^0.22.3",
-    "eslint": "^8.12.0",
+    "eslint": "^9.31.0",
-    "eslint-plugin-github": "^4.3.6",
+    "eslint-plugin-github": "^6.0.0",
-    "prettier": "^2.6.2",
+    "prettier": "^3.6.2",
-    "typescript": "^4.6.3"
+    "typescript": "^5.8.3"
   },
   "dependencies": {
-    "@actions/core": "^1.6.0"
+    "@actions/core": "^1.11.1"
   }
 }

packages/hooklib/src/interfaces.ts

@@ -34,6 +34,7 @@ export interface ContainerInfo {
   createOptions?: string
   environmentVariables?: { [key: string]: string }
   userMountVolumes?: Mount[]
+  systemMountVolumes?: Mount[]
   registry?: Registry
   portMappings?: string[]
 }
@@ -73,14 +74,6 @@ export enum Protocol {
   UDP = 'udp'
 }
 
-export enum PodPhase {
-  PENDING = 'Pending',
-  RUNNING = 'Running',
-  SUCCEEDED = 'Succeded',
-  FAILED = 'Failed',
-  UNKNOWN = 'Unknown'
-}
-
 export interface PrepareJobResponse {
   state?: object
   context?: ContainerContext

packages/hooklib/src/utils.ts

@@ -1,4 +1,3 @@
-import * as core from '@actions/core'
 import * as events from 'events'
 import * as fs from 'fs'
 import * as os from 'os'
@@ -13,7 +12,6 @@ export async function getInputFromStdin(): Promise<HookData> {
   })
 
   rl.on('line', line => {
-    core.debug(`Line from STDIN: ${line}`)
     input = line
   })
   await events.default.once(rl, 'close')

packages/k8s/README.md

@@ -6,7 +6,38 @@ This implementation provides a way to dynamically spin up jobs to run container
 ## Pre-requisites 
 Some things are expected to be set when using these hooks
 - The runner itself should be running in a pod, with a service account with the following permissions
-    - The `ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER=true` should be set to true
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: default
+  name: runner-role
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "create", "delete"]
+- apiGroups: [""]
+  resources: ["pods/exec"]
+  verbs: ["get", "create"]
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get", "list", "watch",]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "create", "delete"]
+```
 - The `ACTIONS_RUNNER_POD_NAME` env should be set to the name of the pod
+- The `ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER` env should be set to true to prevent the runner from running any jobs outside of a container
 - The runner pod should map a persistent volume claim into the `_work` directory
-    - The `ACTIONS_RUNNER_CLAIM_NAME` should be set to the persistent volume claim that contains the runner's working directory
+    - The `ACTIONS_RUNNER_CLAIM_NAME` env should be set to the persistent volume claim that contains the runner's working directory, otherwise it defaults to `${ACTIONS_RUNNER_POD_NAME}-work`
+- Some actions runner env's are expected to be set. These are set automatically by the runner.
+    - `RUNNER_WORKSPACE` is expected to be set to the workspace of the runner
+    - `GITHUB_WORKSPACE` is expected to be set to the workspace of the job
+
+
+## Limitations
+- A [job containers](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) will be required for all jobs
+- Building container actions from a dockerfile is not supported at this time
+- Container actions will not have access to the services network or job container network
+- Docker [create options](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontaineroptions) are not supported
+- Container actions will have to specify the entrypoint, since the default entrypoint will be overridden to run the commands from the workflow.

packages/k8s/jest.config.js

@@ -1,13 +1,26 @@
-// eslint-disable-next-line import/no-commonjs
 module.exports = {
   clearMocks: true,
+  preset: 'ts-jest',
   moduleFileExtensions: ['js', 'ts'],
   testEnvironment: 'node',
   testMatch: ['**/*-test.ts'],
   testRunner: 'jest-circus/runner',
+  verbose: true,
   transform: {
-    '^.+\\.ts$': 'ts-jest'
+    '^.+\\.ts$': [
-  },
+      'ts-jest',
-  setupFilesAfterEnv: ['./jest.setup.js'],
+      {
-  verbose: true
+        tsconfig: 'tsconfig.test.json'
+      }
+    ],
+    // Transform ESM modules to CommonJS
+    '^.+\\.(js|mjs)$': ['babel-jest', {
+      presets: [['@babel/preset-env', { targets: { node: 'current' } }]]
+    }]
+  },
+  transformIgnorePatterns: [
+    // Transform these ESM packages
+    'node_modules/(?!(shlex|@kubernetes/client-node|openid-client|oauth4webapi|jose|uuid)/)'
+  ],
+  setupFilesAfterEnv: ['./jest.setup.js']
 }

packages/k8s/jest.setup.js

@@ -1 +1,2 @@
-jest.setTimeout(90000)
+// eslint-disable-next-line filenames/match-regex, no-undef
+jest.setTimeout(500000)

packages/k8s/package.json

@@ -13,18 +13,25 @@
   "author": "",
   "license": "MIT",
   "dependencies": {
-    "@actions/core": "^1.6.0",
+    "@actions/core": "^1.11.1",
     "@actions/exec": "^1.1.1",
-    "@actions/io": "^1.1.2",
+    "@actions/io": "^1.1.3",
-    "@kubernetes/client-node": "^0.16.3",
+    "@kubernetes/client-node": "^1.3.0",
-    "hooklib": "file:../hooklib"
+    "hooklib": "file:../hooklib",
+    "js-yaml": "^4.1.0",
+    "shlex": "^3.0.0",
+    "tar-fs": "^3.1.0",
+    "uuid": "^11.1.0"
   },
   "devDependencies": {
-    "@types/jest": "^27.4.1",
+    "@babel/core": "^7.28.3",
-    "@types/node": "^17.0.23",
+    "@babel/preset-env": "^7.28.3",
-    "@vercel/ncc": "^0.33.4",
+    "@types/jest": "^30.0.0",
-    "jest": "^27.5.1",
+    "@types/node": "^24.3.0",
-    "ts-jest": "^27.1.4",
+    "@vercel/ncc": "^0.38.3",
-    "typescript": "^4.6.3"
+    "babel-jest": "^30.1.1",
+    "jest": "^30.1.1",
+    "ts-jest": "^29.4.1",
+    "typescript": "^5.9.2"
   }
 }

packages/k8s/src/hooks/cleanup-job.ts

@@ -1,5 +1,5 @@
-import { podPrune } from '../k8s'
+import { prunePods, pruneSecrets } from '../k8s'
 
 export async function cleanupJob(): Promise<void> {
-  await podPrune()
+  await Promise.all([prunePods(), pruneSecrets()])
 }

packages/k8s/src/hooks/constants.ts

@@ -20,28 +20,35 @@ export function getJobPodName(): string {
 export function getStepPodName(): string {
   return `${getRunnerPodName().substring(
     0,
-    MAX_POD_NAME_LENGTH - ('-step'.length + STEP_POD_NAME_SUFFIX_LENGTH)
+    MAX_POD_NAME_LENGTH - ('-step-'.length + STEP_POD_NAME_SUFFIX_LENGTH)
   )}-step-${uuidv4().substring(0, STEP_POD_NAME_SUFFIX_LENGTH)}`
 }
 
 export function getVolumeClaimName(): string {
   const name = process.env.ACTIONS_RUNNER_CLAIM_NAME
   if (!name) {
-    throw new Error(
+    return `${getRunnerPodName()}-work`
-      "'ACTIONS_RUNNER_CLAIM_NAME' is required, please contact your self hosted runner administrator"
-    )
   }
   return name
 }
 
-const MAX_POD_NAME_LENGTH = 63
+export function getSecretName(): string {
-const STEP_POD_NAME_SUFFIX_LENGTH = 8
+  return `${getRunnerPodName().substring(
+    0,
+    MAX_POD_NAME_LENGTH - ('-secret-'.length + STEP_POD_NAME_SUFFIX_LENGTH)
+  )}-secret-${uuidv4().substring(0, STEP_POD_NAME_SUFFIX_LENGTH)}`
+}
+
+export const MAX_POD_NAME_LENGTH = 63
+export const STEP_POD_NAME_SUFFIX_LENGTH = 8
+export const CONTAINER_EXTENSION_PREFIX = '$'
 export const JOB_CONTAINER_NAME = 'job'
+export const JOB_CONTAINER_EXTENSION_NAME = '$job'
 
 export class RunnerInstanceLabel {
-  runnerhook: string
+  private podName: string
   constructor() {
-    this.runnerhook = process.env.ACTIONS_RUNNER_POD_NAME as string
+    this.podName = getRunnerPodName()
   }
 
   get key(): string {
@@ -49,10 +56,10 @@ export class RunnerInstanceLabel {
   }
 
   get value(): string {
-    return this.runnerhook
+    return this.podName
   }
 
   toString(): string {
-    return `runner-pod=${this.runnerhook}`
+    return `runner-pod=${this.podName}`
   }
 }

packages/k8s/src/hooks/prepare-job.ts

@@ -1,83 +1,143 @@
 import * as core from '@actions/core'
-import * as io from '@actions/io'
 import * as k8s from '@kubernetes/client-node'
 import {
+  JobContainerInfo,
   ContextPorts,
-  PodPhase,
+  PrepareJobArgs,
-  prepareJobArgs,
+  writeToResponseFile,
-  writeToResponseFile
+  ServiceContainerInfo
 } from 'hooklib'
-import path from 'path'
 import {
   containerPorts,
-  createPod,
+  createJobPod,
-  isAuthPermissionsOK,
   isPodContainerAlpine,
-  namespace,
+  prunePods,
-  podPrune,
+  waitForPodPhases,
-  requiredPermissions,
+  getPrepareJobTimeoutSeconds,
-  waitForPodPhases
+  execCpToPod,
+  execPodStep
 } from '../k8s'
 import {
-  containerVolumes,
+  CONTAINER_VOLUMES,
   DEFAULT_CONTAINER_ENTRY_POINT,
-  DEFAULT_CONTAINER_ENTRY_POINT_ARGS
+  DEFAULT_CONTAINER_ENTRY_POINT_ARGS,
+  generateContainerName,
+  mergeContainerWithOptions,
+  readExtensionFromFile,
+  PodPhase,
+  fixArgs,
+  prepareJobScript
 } from '../k8s/utils'
-import { JOB_CONTAINER_NAME } from './constants'
+import {
+  CONTAINER_EXTENSION_PREFIX,
+  getJobPodName,
+  JOB_CONTAINER_NAME
+} from './constants'
+import { dirname } from 'path'
 
 export async function prepareJob(
-  args: prepareJobArgs,
+  args: PrepareJobArgs,
   responseFile
 ): Promise<void> {
-  await podPrune()
+  if (!args.container) {
-  if (!(await isAuthPermissionsOK())) {
+    throw new Error('Job Container is required.')
-    throw new Error(
-      `The Service account needs the following permissions ${JSON.stringify(
-        requiredPermissions
-      )} on the pod resource in the '${namespace}' namespace. Please contact your self hosted runner administrator.`
-    )
   }
-  await copyExternalsToRoot()
+
+  await prunePods()
+
+  const extension = readExtensionFromFile()
+
   let container: k8s.V1Container | undefined = undefined
   if (args.container?.image) {
-    core.info(`Using image '${args.container.image}' for job image`)
+    container = createContainerSpec(
-    container = createPodSpec(args.container, JOB_CONTAINER_NAME, true)
+      args.container,
+      JOB_CONTAINER_NAME,
+      true,
+      extension
+    )
   }
 
   let services: k8s.V1Container[] = []
   if (args.services?.length) {
     services = args.services.map(service => {
-      core.info(`Adding service '${service.image}' to pod definition`)
+      return createContainerSpec(
-      return createPodSpec(service, service.image.split(':')[0])
+        service,
+        generateContainerName(service.image),
+        false,
+        extension
+      )
     })
   }
+
   if (!container && !services?.length) {
     throw new Error('No containers exist, skipping hook invocation')
   }
+
   let createdPod: k8s.V1Pod | undefined = undefined
   try {
-    createdPod = await createPod(container, services, args.registry)
+    createdPod = await createJobPod(
+      getJobPodName(),
+      container,
+      services,
+      args.container.registry,
+      extension
+    )
   } catch (err) {
-    await podPrune()
+    await prunePods()
-    throw new Error(`failed to create job pod: ${err}`)
+    core.debug(`createPod failed: ${JSON.stringify(err)}`)
+    const message = (err as any)?.response?.body?.message || err
+    throw new Error(`failed to create job pod: ${message}`)
   }
 
   if (!createdPod?.metadata?.name) {
     throw new Error('created pod should have metadata.name')
   }
+  core.debug(
+    `Job pod created, waiting for it to come online ${createdPod?.metadata?.name}`
+  )
+
+  const runnerWorkspace = dirname(process.env.RUNNER_WORKSPACE as string)
+
+  let prepareScript: { containerPath: string; runnerPath: string } | undefined
+  if (args.container?.userMountVolumes?.length) {
+    prepareScript = prepareJobScript(args.container.userMountVolumes || [])
+  }
 
   try {
     await waitForPodPhases(
       createdPod.metadata.name,
       new Set([PodPhase.RUNNING]),
-      new Set([PodPhase.PENDING])
+      new Set([PodPhase.PENDING]),
+      getPrepareJobTimeoutSeconds()
     )
   } catch (err) {
-    await podPrune()
+    await prunePods()
-    throw new Error(`Pod failed to come online with error: ${err}`)
+    throw new Error(`pod failed to come online with error: ${err}`)
   }
 
-  core.info('Pod is ready for traffic')
+  await execCpToPod(createdPod.metadata.name, runnerWorkspace, '/__w')
+
+  if (prepareScript) {
+    await execPodStep(
+      ['sh', '-e', prepareScript.containerPath],
+      createdPod.metadata.name,
+      JOB_CONTAINER_NAME
+    )
+
+    const promises: Promise<void>[] = []
+    for (const vol of args?.container?.userMountVolumes || []) {
+      promises.push(
+        execCpToPod(
+          createdPod.metadata.name,
+          vol.sourceVolumePath,
+          vol.targetVolumePath
+        )
+      )
+    }
+    await Promise.all(promises)
+  }
+
+  core.debug('Job pod is ready for traffic')
 
   let isAlpine = false
   try {
@@ -86,19 +146,29 @@ export async function prepareJob(
       JOB_CONTAINER_NAME
     )
   } catch (err) {
-    throw new Error(`Failed to determine if the pod is alpine: ${err}`)
+    core.debug(
+      `Failed to determine if the pod is alpine: ${JSON.stringify(err)}`
+    )
+    const message = (err as any)?.response?.body?.message || err
+    throw new Error(`failed to determine if the pod is alpine: ${message}`)
   }
-
+  core.debug(`Setting isAlpine to ${isAlpine}`)
-  generateResponseFile(responseFile, createdPod, isAlpine)
+  generateResponseFile(responseFile, args, createdPod, isAlpine)
 }
 
 function generateResponseFile(
   responseFile: string,
+  args: PrepareJobArgs,
   appPod: k8s.V1Pod,
-  isAlpine
+  isAlpine: boolean
 ): void {
+  if (!appPod.metadata?.name) {
+    throw new Error('app pod must have metadata.name specified')
+  }
   const response = {
-    state: {},
+    state: {
+      jobPod: appPod.metadata.name
+    },
     context: {},
     isAlpine
   }
@@ -121,18 +191,20 @@ function generateResponseFile(
     }
   }
 
-  const serviceContainers = appPod.spec?.containers.filter(
+  if (args.services?.length) {
-    c => c.name !== JOB_CONTAINER_NAME
+    const serviceContainerNames =
-  )
+      args.services?.map(s => generateContainerName(s.image)) || []
-  if (serviceContainers?.length) {
-    response.context['services'] = serviceContainers.map(c => {
-      if (!c.ports) {
-        return
-      }
 
+    response.context['services'] = appPod?.spec?.containers
+      ?.filter(c => serviceContainerNames.includes(c.name))
+      .map(c => {
         const ctxPorts: ContextPorts = {}
+        if (c.ports?.length) {
           for (const port of c.ports) {
-        ctxPorts[port.containerPort] = port.hostPort
+            if (port.containerPort && port.hostPort) {
+              ctxPorts[port.containerPort.toString()] = port.hostPort.toString()
+            }
+          }
         }
 
         return {
@@ -141,57 +213,72 @@ function generateResponseFile(
         }
       })
   }
+
   writeToResponseFile(responseFile, JSON.stringify(response))
 }
 
-async function copyExternalsToRoot(): Promise<void> {
+export function createContainerSpec(
-  const workspace = process.env['RUNNER_WORKSPACE']
+  container: JobContainerInfo | ServiceContainerInfo,
-  if (workspace) {
+  name: string,
-    await io.cp(
+  jobContainer = false,
-      path.join(workspace, '../../externals'),
+  extension?: k8s.V1PodTemplateSpec
-      path.join(workspace, '../externals'),
+): k8s.V1Container {
-      { force: true, recursive: true, copySourceDirectory: false }
+  if (!container.entryPoint && jobContainer) {
-    )
+    container.entryPoint = DEFAULT_CONTAINER_ENTRY_POINT
-  }
+    container.entryPointArgs = DEFAULT_CONTAINER_ENTRY_POINT_ARGS
   }
 
-function createPodSpec(
-  container,
-  name: string,
-  jobContainer = false
-): k8s.V1Container {
-  core.info(JSON.stringify(container))
-  if (!container.entryPointArgs) {
-    container.entryPointArgs = DEFAULT_CONTAINER_ENTRY_POINT_ARGS
-  }
-  container.entryPointArgs = DEFAULT_CONTAINER_ENTRY_POINT_ARGS
-  if (!container.entryPoint) {
-    container.entryPoint = DEFAULT_CONTAINER_ENTRY_POINT
-  }
   const podContainer = {
     name,
     image: container.image,
-    command: [container.entryPoint],
-    args: container.entryPointArgs,
     ports: containerPorts(container)
   } as k8s.V1Container
-  if (container.workingDirectory) {
+  if (container['workingDirectory']) {
-    podContainer.workingDir = container.workingDirectory
+    podContainer.workingDir = container['workingDirectory']
+  }
+
+  if (container.entryPoint) {
+    podContainer.command = [container.entryPoint]
+  }
+
+  if (container.entryPointArgs && container.entryPointArgs.length > 0) {
+    podContainer.args = fixArgs(container.entryPointArgs)
   }
 
   podContainer.env = []
   for (const [key, value] of Object.entries(
-    container['environmentVariables']
+    container['environmentVariables'] || {}
   )) {
     if (value && key !== 'HOME') {
-      podContainer.env.push({ name: key, value: value as string })
+      podContainer.env.push({ name: key, value })
     }
   }
 
-  podContainer.volumeMounts = containerVolumes(
+  podContainer.env.push({
-    container.userMountVolumes,
+    name: 'GITHUB_ACTIONS',
-    jobContainer
+    value: 'true'
+  })
+
+  if (!('CI' in (container['environmentVariables'] || {}))) {
+    podContainer.env.push({
+      name: 'CI',
+      value: 'true'
+    })
+  }
+
+  podContainer.volumeMounts = CONTAINER_VOLUMES
+
+  if (!extension) {
+    return podContainer
+  }
+
+  const from = extension.spec?.containers?.find(
+    c => c.name === CONTAINER_EXTENSION_PREFIX + name
   )
 
+  if (from) {
+    mergeContainerWithOptions(podContainer, from)
+  }
+
   return podContainer
 }

packages/k8s/src/hooks/run-container-step.ts

@@ -1,69 +1,153 @@
-import * as k8s from '@kubernetes/client-node'
 import * as core from '@actions/core'
-import { PodPhase } from 'hooklib'
+import * as fs from 'fs'
+import * as k8s from '@kubernetes/client-node'
+import { RunContainerStepArgs } from 'hooklib'
+import { dirname } from 'path'
 import {
-  createJob,
+  createContainerStepPod,
-  getContainerJobPodName,
+  deletePod,
-  getPodLogs,
+  execCpFromPod,
-  getPodStatus,
+  execCpToPod,
-  waitForJobToComplete,
+  execPodStep,
+  getPrepareJobTimeoutSeconds,
   waitForPodPhases
 } from '../k8s'
-import { JOB_CONTAINER_NAME } from './constants'
+import {
-import { containerVolumes } from '../k8s/utils'
+  CONTAINER_VOLUMES,
+  mergeContainerWithOptions,
+  PodPhase,
+  readExtensionFromFile,
+  DEFAULT_CONTAINER_ENTRY_POINT_ARGS,
+  writeContainerStepScript
+} from '../k8s/utils'
+import {
+  getJobPodName,
+  getStepPodName,
+  JOB_CONTAINER_EXTENSION_NAME,
+  JOB_CONTAINER_NAME
+} from './constants'
 
-export async function runContainerStep(stepContainer): Promise<number> {
+export async function runContainerStep(
+  stepContainer: RunContainerStepArgs
+): Promise<number> {
   if (stepContainer.dockerfile) {
     throw new Error('Building container actions is not currently supported')
   }
-  const container = createPodSpec(stepContainer)
+
-  const job = await createJob(container)
+  if (!stepContainer.entryPoint) {
-  if (!job.metadata?.name) {
+    throw new Error(
+      'failed to start the container since the entrypoint is overwritten'
+    )
+  }
+
+  const envs = stepContainer.environmentVariables || {}
+  envs['GITHUB_ACTIONS'] = 'true'
+  if (!('CI' in envs)) {
+    envs.CI = 'true'
+  }
+
+  const extension = readExtensionFromFile()
+
+  const container = createContainerSpec(stepContainer, extension)
+
+  let pod: k8s.V1Pod
+  try {
+    pod = await createContainerStepPod(getStepPodName(), container, extension)
+  } catch (err) {
+    core.debug(`createJob failed: ${JSON.stringify(err)}`)
+    const message = (err as any)?.response?.body?.message || err
+    throw new Error(`failed to run script step: ${message}`)
+  }
+
+  if (!pod.metadata?.name) {
     throw new Error(
       `Expected job ${JSON.stringify(
-        job
+        pod
       )} to have correctly set the metadata.name`
     )
   }
+  const podName = pod.metadata.name
 
-  const podName = await getContainerJobPodName(job.metadata.name)
+  try {
     await waitForPodPhases(
       podName,
-    new Set([PodPhase.COMPLETED, PodPhase.RUNNING]),
+      new Set([PodPhase.RUNNING]),
-    new Set([PodPhase.PENDING])
+      new Set([PodPhase.PENDING, PodPhase.UNKNOWN]),
+      getPrepareJobTimeoutSeconds()
     )
-  await getPodLogs(podName, JOB_CONTAINER_NAME)
+
-  await waitForJobToComplete(job.metadata.name)
+    const runnerWorkspace = dirname(process.env.RUNNER_WORKSPACE as string)
-  // pod has failed so pull the status code from the container
+    const githubWorkspace = process.env.GITHUB_WORKSPACE as string
-  const status = await getPodStatus(podName)
+    const parts = githubWorkspace.split('/').slice(-2)
-  if (!status?.containerStatuses?.length) {
+    if (parts.length !== 2) {
-    core.warning(`Can't determine container status`)
+      throw new Error(`Invalid github workspace directory: ${githubWorkspace}`)
-    return 0
+    }
+    const relativeWorkspace = parts.join('/')
+
+    core.debug(
+      `Copying files from pod ${getJobPodName()} to ${runnerWorkspace}/${relativeWorkspace}`
+    )
+    await execCpFromPod(getJobPodName(), `/__w`, `${runnerWorkspace}`)
+
+    const { containerPath, runnerPath } = writeContainerStepScript(
+      `${runnerWorkspace}/__w/_temp`,
+      githubWorkspace,
+      stepContainer.entryPoint,
+      stepContainer.entryPointArgs,
+      envs
+    )
+
+    await execCpToPod(podName, `${runnerWorkspace}/__w`, '/__w')
+
+    fs.rmSync(`${runnerWorkspace}/__w`, { recursive: true, force: true })
+
+    try {
+      core.debug(`Executing container step script in pod ${podName}`)
+      return await execPodStep(
+        ['/__e/sh', '-e', containerPath],
+        pod.metadata.name,
+        JOB_CONTAINER_NAME
+      )
+    } catch (err) {
+      core.debug(`execPodStep failed: ${JSON.stringify(err)}`)
+      const message = (err as any)?.response?.body?.message || err
+      throw new Error(`failed to run script step: ${message}`)
+    } finally {
+      fs.rmSync(runnerPath, { force: true })
+    }
+  } catch (error) {
+    core.error(`Failed to run container step: ${error}`)
+    throw error
+  } finally {
+    await deletePod(podName).catch(err => {
+      core.error(`Failed to delete step pod ${podName}: ${err}`)
+    })
+  }
 }
 
-  const exitCode =
+function createContainerSpec(
-    status.containerStatuses[status.containerStatuses.length - 1].state
+  container: RunContainerStepArgs,
-      ?.terminated?.exitCode
+  extension?: k8s.V1PodTemplateSpec
-  return Number(exitCode) || 0
+): k8s.V1Container {
-}
-
-function createPodSpec(container): k8s.V1Container {
   const podContainer = new k8s.V1Container()
   podContainer.name = JOB_CONTAINER_NAME
   podContainer.image = container.image
-  if (container.entryPoint) {
+  podContainer.workingDir = '/__w'
-    podContainer.command = [container.entryPoint, ...container.entryPointArgs]
+  podContainer.command = ['/__e/tail']
+  podContainer.args = DEFAULT_CONTAINER_ENTRY_POINT_ARGS
+
+  podContainer.volumeMounts = CONTAINER_VOLUMES
+
+  if (!extension) {
+    return podContainer
   }
 
-  podContainer.env = []
+  const from = extension.spec?.containers?.find(
-  for (const [key, value] of Object.entries(
+    c => c.name === JOB_CONTAINER_EXTENSION_NAME
-    container['environmentVariables']
+  )
-  )) {
+  if (from) {
-    if (value && key !== 'HOME') {
+    mergeContainerWithOptions(podContainer, from)
-      podContainer.env.push({ name: key, value: value as string })
   }
-  }
-  podContainer.volumeMounts = containerVolumes()
 
   return podContainer
 }

packages/k8s/src/hooks/run-script-step.ts

@@ -1,38 +1,58 @@
 /* eslint-disable @typescript-eslint/no-unused-vars */
+import * as fs from 'fs'
+import * as core from '@actions/core'
 import { RunScriptStepArgs } from 'hooklib'
-import { execPodStep } from '../k8s'
+import { execCpFromPod, execCpToPod, execPodStep } from '../k8s'
+import { writeRunScript, sleep, listDirAllCommand } from '../k8s/utils'
 import { JOB_CONTAINER_NAME } from './constants'
+import { dirname } from 'path'
 
 export async function runScriptStep(
   args: RunScriptStepArgs,
-  state,
+  state
-  responseFile
 ): Promise<void> {
-  const cb = new CommandsBuilder(
+  // Write the entrypoint first. This will be later coppied to the workflow pod
-    args.entryPoint,
+  const { entryPoint, entryPointArgs, environmentVariables } = args
-    args.entryPointArgs,
+  const { containerPath, runnerPath } = writeRunScript(
-    args.environmentVariables
+    args.workingDirectory,
+    entryPoint,
+    entryPointArgs,
+    args.prependPath,
+    environmentVariables
   )
-  await execPodStep(cb.command, state.jobPod, JOB_CONTAINER_NAME)
+
+  const workdir = dirname(process.env.RUNNER_WORKSPACE as string)
+  const containerTemp = '/__w/_temp'
+  const runnerTemp = `${workdir}/_temp`
+  await execCpToPod(state.jobPod, runnerTemp, containerTemp)
+
+  // Execute the entrypoint script
+  args.entryPoint = 'sh'
+  args.entryPointArgs = ['-e', containerPath]
+  try {
+    await execPodStep(
+      [args.entryPoint, ...args.entryPointArgs],
+      state.jobPod,
+      JOB_CONTAINER_NAME
+    )
+  } catch (err) {
+    core.debug(`execPodStep failed: ${JSON.stringify(err)}`)
+    const message = (err as any)?.response?.body?.message || err
+    throw new Error(`failed to run script step: ${message}`)
+  } finally {
+    try {
+      fs.rmSync(runnerPath, { force: true })
+    } catch (removeErr) {
+      core.debug(`Failed to remove file ${runnerPath}: ${removeErr}`)
+    }
   }
 
-class CommandsBuilder {
+  try {
-  constructor(
+    core.debug(
-    private entryPoint: string,
+      `Copying from job pod '${state.jobPod}' ${containerTemp} to ${runnerTemp}`
-    private entryPointArgs: string[],
+    )
-    private environmentVariables: { [key: string]: string }
+    await execCpFromPod(state.jobPod, containerTemp, workdir)
-  ) {}
+  } catch (error) {
-
+    core.warning('Failed to copy _temp from pod')
-  get command(): string[] {
-    const envCommands: string[] = []
-    if (
-      this.environmentVariables &&
-      Object.entries(this.environmentVariables).length
-    ) {
-      for (const [key, value] of Object.entries(this.environmentVariables)) {
-        envCommands.push(`${key}=${value}`)
-      }
-    }
-    return ['env', ...envCommands, this.entryPoint, ...this.entryPointArgs]
   }
 }

packages/k8s/src/index.ts

@@ -1,44 +1,56 @@
-import { Command, getInputFromStdin, prepareJobArgs } from 'hooklib'
+import * as core from '@actions/core'
+import {
+  Command,
+  getInputFromStdin,
+  PrepareJobArgs,
+  RunContainerStepArgs,
+  RunScriptStepArgs
+} from 'hooklib'
 import {
   cleanupJob,
   prepareJob,
   runContainerStep,
   runScriptStep
 } from './hooks'
+import { isAuthPermissionsOK, namespace, requiredPermissions } from './k8s'
 
 async function run(): Promise<void> {
+  try {
     const input = await getInputFromStdin()
 
     const args = input['args']
     const command = input['command']
     const responseFile = input['responseFile']
     const state = input['state']
+    if (!(await isAuthPermissionsOK())) {
+      throw new Error(
+        `The Service account needs the following permissions ${JSON.stringify(
+          requiredPermissions
+        )} on the pod resource in the '${namespace()}' namespace. Please contact your self hosted runner administrator.`
+      )
+    }
 
     let exitCode = 0
-  try {
     switch (command) {
       case Command.PrepareJob:
-        await prepareJob(args as prepareJobArgs, responseFile)
+        await prepareJob(args as PrepareJobArgs, responseFile)
-        break
+        return process.exit(0)
       case Command.CleanupJob:
         await cleanupJob()
-        break
+        return process.exit(0)
       case Command.RunScriptStep:
-        await runScriptStep(args, state, null)
+        await runScriptStep(args as RunScriptStepArgs, state)
-        break
+        return process.exit(0)
       case Command.RunContainerStep:
-        exitCode = await runContainerStep(args)
+        exitCode = await runContainerStep(args as RunContainerStepArgs)
-        break
+        return process.exit(exitCode)
-      case Command.runContainerStep:
       default:
         throw new Error(`Command not recognized: ${command}`)
     }
   } catch (error) {
-    // eslint-disable-next-line no-console
+    core.error(error as Error)
-    console.log(error)
+    process.exit(1)
-    exitCode = 1
   }
-  process.exitCode = exitCode
 }
 
 void run()

packages/k8s/src/k8s/index.ts

@@ -1,13 +1,27 @@
+import * as core from '@actions/core'
+import * as path from 'path'
+import { spawn } from 'child_process'
 import * as k8s from '@kubernetes/client-node'
-import { ContainerInfo, PodPhase, Registry } from 'hooklib'
+import tar from 'tar-fs'
 import * as stream from 'stream'
-import { v4 as uuidv4 } from 'uuid'
+import { WritableStreamBuffer } from 'stream-buffers'
+import { createHash } from 'crypto'
+import type { ContainerInfo, Registry } from 'hooklib'
 import {
-  getJobPodName,
+  getSecretName,
-  getRunnerPodName,
+  JOB_CONTAINER_NAME,
-  getVolumeClaimName,
   RunnerInstanceLabel
 } from '../hooks/constants'
+import {
+  PodPhase,
+  mergePodSpecWithOptions,
+  mergeObjectMeta,
+  fixArgs,
+  listDirAllCommand,
+  sleep,
+  EXTERNALS_VOLUME_NAME,
+  GITHUB_VOLUME_NAME
+} from './utils'
 
 const kc = new k8s.KubeConfig()
 
@@ -17,7 +31,7 @@ const k8sApi = kc.makeApiClient(k8s.CoreV1Api)
 const k8sBatchV1Api = kc.makeApiClient(k8s.BatchV1Api)
 const k8sAuthorizationV1Api = kc.makeApiClient(k8s.AuthorizationV1Api)
 
-export const POD_VOLUME_NAME = 'work'
+const DEFAULT_WAIT_FOR_POD_TIME_SECONDS = 10 * 60 // 10 min
 
 export const requiredPermissions = [
   {
@@ -39,24 +53,19 @@ export const requiredPermissions = [
     subresource: 'log'
   },
   {
-    group: 'batch',
+    group: '',
-    verbs: ['get', 'list', 'create', 'delete'],
+    verbs: ['create', 'delete', 'get', 'list'],
-    resource: 'jobs',
+    resource: 'secrets',
     subresource: ''
   }
 ]
 
-const secretPermission = {
+export async function createJobPod(
-  group: '',
+  name: string,
-  verbs: ['get', 'list', 'create', 'delete'],
-  resource: 'secrets',
-  subresource: ''
-}
-
-export async function createPod(
   jobContainer?: k8s.V1Container,
   services?: k8s.V1Container[],
-  registry?: Registry
+  registry?: Registry,
+  extension?: k8s.V1PodTemplateSpec
 ): Promise<k8s.V1Pod> {
   const containers: k8s.V1Container[] = []
   if (jobContainer) {
@@ -72,27 +81,50 @@ export async function createPod(
   appPod.kind = 'Pod'
 
   appPod.metadata = new k8s.V1ObjectMeta()
-  appPod.metadata.name = getJobPodName()
+  appPod.metadata.name = name
 
   const instanceLabel = new RunnerInstanceLabel()
   appPod.metadata.labels = {
     [instanceLabel.key]: instanceLabel.value
   }
+  appPod.metadata.annotations = {}
 
   appPod.spec = new k8s.V1PodSpec()
   appPod.spec.containers = containers
+  appPod.spec.initContainers = [
+    {
+      name: 'fs-init',
+      image:
+        process.env.ACTIONS_RUNNER_IMAGE ||
+        'ghcr.io/actions/actions-runner:latest',
+      command: ['sh', '-c', 'sudo mv /home/runner/externals/* /mnt/externals'],
+      securityContext: {
+        runAsGroup: 1001,
+        runAsUser: 1001
+      },
+      volumeMounts: [
+        {
+          name: EXTERNALS_VOLUME_NAME,
+          mountPath: '/mnt/externals'
+        }
+      ]
+    }
+  ]
+
   appPod.spec.restartPolicy = 'Never'
-  appPod.spec.nodeName = await getCurrentNodeName()
+
-  const claimName = getVolumeClaimName()
   appPod.spec.volumes = [
     {
-      name: 'work',
+      name: EXTERNALS_VOLUME_NAME,
-      persistentVolumeClaim: { claimName }
+      emptyDir: {}
+    },
+    {
+      name: GITHUB_VOLUME_NAME,
+      emptyDir: {}
     }
   ]
 
   if (registry) {
-    if (await isSecretsAuthOK()) {
     const secret = await createDockerSecret(registry)
     if (!secret?.metadata?.name) {
       throw new Error(`created secret does not have secret.metadata.name`)
@@ -100,80 +132,104 @@ export async function createPod(
     const secretReference = new k8s.V1LocalObjectReference()
     secretReference.name = secret.metadata.name
     appPod.spec.imagePullSecrets = [secretReference]
-    } else {
-      throw new Error(
-        `Pulls from private registry is not allowed. Please contact your self hosted runner administrator. Service account needs permissions for ${secretPermission.verbs} in resource ${secretPermission.resource}`
-      )
-    }
   }
 
-  const { body } = await k8sApi.createNamespacedPod(namespace(), appPod)
+  if (extension?.metadata) {
-  return body
+    mergeObjectMeta(appPod, extension.metadata)
   }
 
-export async function createJob(
+  if (extension?.spec) {
-  container: k8s.V1Container
+    mergePodSpecWithOptions(appPod.spec, extension.spec)
-): Promise<k8s.V1Job> {
+  }
-  const job = new k8s.V1Job()
 
-  job.apiVersion = 'batch/v1'
+  return await k8sApi.createNamespacedPod({
-  job.kind = 'Job'
+    namespace: namespace(),
-  job.metadata = new k8s.V1ObjectMeta()
+    body: appPod
-  job.metadata.name = getJobPodName()
+  })
-  job.metadata.labels = { 'runner-pod': getRunnerPodName() }
+}
 
-  job.spec = new k8s.V1JobSpec()
+export async function createContainerStepPod(
-  job.spec.ttlSecondsAfterFinished = 300
+  name: string,
-  job.spec.backoffLimit = 0
+  container: k8s.V1Container,
-  job.spec.template = new k8s.V1PodTemplateSpec()
+  extension?: k8s.V1PodTemplateSpec
+): Promise<k8s.V1Pod> {
+  const appPod = new k8s.V1Pod()
 
-  job.spec.template.spec = new k8s.V1PodSpec()
+  appPod.apiVersion = 'v1'
-  job.spec.template.spec.containers = [container]
+  appPod.kind = 'Pod'
-  job.spec.template.spec.restartPolicy = 'Never'
-  job.spec.template.spec.nodeName = await getCurrentNodeName()
 
-  const claimName = `${runnerName()}-work`
+  appPod.metadata = new k8s.V1ObjectMeta()
-  job.spec.template.spec.volumes = [
+  appPod.metadata.name = name
+
+  const instanceLabel = new RunnerInstanceLabel()
+  appPod.metadata.labels = {
+    [instanceLabel.key]: instanceLabel.value
+  }
+  appPod.metadata.annotations = {}
+
+  appPod.spec = new k8s.V1PodSpec()
+  appPod.spec.containers = [container]
+  appPod.spec.initContainers = [
     {
-      name: 'work',
+      name: 'fs-init',
-      persistentVolumeClaim: { claimName }
+      image:
+        process.env.ACTIONS_RUNNER_IMAGE ||
+        'ghcr.io/actions/actions-runner:latest',
+      command: [
+        'bash',
+        '-c',
+        `sudo cp $(which sh) /mnt/externals/sh \
+        && sudo cp $(which tail) /mnt/externals/tail \
+        && sudo cp $(which env) /mnt/externals/env \
+        && sudo chmod -R 777 /mnt/externals`
+      ],
+      securityContext: {
+        runAsGroup: 1001,
+        runAsUser: 1001,
+        privileged: true
+      },
+      volumeMounts: [
+        {
+          name: EXTERNALS_VOLUME_NAME,
+          mountPath: '/mnt/externals'
+        }
+      ]
     }
   ]
 
-  const { body } = await k8sBatchV1Api.createNamespacedJob(namespace(), job)
+  appPod.spec.restartPolicy = 'Never'
-  return body
+
+  appPod.spec.volumes = [
+    {
+      name: EXTERNALS_VOLUME_NAME,
+      emptyDir: {}
+    },
+    {
+      name: GITHUB_VOLUME_NAME,
+      emptyDir: {}
+    }
+  ]
+
+  if (extension?.metadata) {
+    mergeObjectMeta(appPod, extension.metadata)
   }
 
-export async function getContainerJobPodName(jobName: string): Promise<string> {
+  if (extension?.spec) {
-  const selector = `job-name=${jobName}`
+    mergePodSpecWithOptions(appPod.spec, extension.spec)
-  const backOffManager = new BackOffManager(60)
-  while (true) {
-    const podList = await k8sApi.listNamespacedPod(
-      namespace(),
-      undefined,
-      undefined,
-      undefined,
-      undefined,
-      selector,
-      1
-    )
-
-    if (!podList.body.items?.length) {
-      await backOffManager.backOff()
-      continue
   }
 
-    if (!podList.body.items[0].metadata?.name) {
+  return await k8sApi.createNamespacedPod({
-      throw new Error(
+    namespace: namespace(),
-        `Failed to determine the name of the pod for job ${jobName}`
+    body: appPod
-      )
+  })
-    }
-    return podList.body.items[0].metadata.name
-  }
 }
 
-export async function deletePod(podName: string): Promise<void> {
+export async function deletePod(name: string): Promise<void> {
-  await k8sApi.deleteNamespacedPod(podName, namespace())
+  await k8sApi.deleteNamespacedPod({
+    name,
+    namespace: namespace(),
+    gracePeriodSeconds: 0
+  })
 }
 
 export async function execPodStep(
@@ -181,15 +237,13 @@ export async function execPodStep(
   podName: string,
   containerName: string,
   stdin?: stream.Readable
-): Promise<void> {
+): Promise<number> {
-  // TODO, we need to add the path from `prependPath` to the PATH variable. How can we do that? Maybe another exec before running this one?
-  // Maybe something like, get the current path, if these entries aren't in it, add them, then set the current path to that?
-
-  // TODO: how do we set working directory? There doesn't seem to be an easy way to do it. Should we cd then execute our bash script?
   const exec = new k8s.Exec(kc)
-  return new Promise(async function (resolve, reject) {
+
-    try {
+  command = fixArgs(command)
-      await exec.exec(
+  return await new Promise(function (resolve, reject) {
+    exec
+      .exec(
         namespace(),
         podName,
         containerName,
@@ -199,20 +253,279 @@ export async function execPodStep(
         stdin ?? null,
         false /* tty */,
         resp => {
-          // kube.exec returns an error if exit code is not 0, but we can't actually get the exit code
+          core.debug(`execPodStep response: ${JSON.stringify(resp)}`)
+          if (resp.status === 'Success') {
+            resolve(resp.code || 0)
+          } else {
+            core.debug(
+              JSON.stringify({
+                message: resp?.message,
+                details: resp?.details
+              })
+            )
+            reject(new Error(resp?.message || 'execPodStep failed'))
+          }
+        }
+      )
+      .catch(e => reject(e))
+  })
+}
+
+export async function execCalculateOutputHash(
+  podName: string,
+  containerName: string,
+  command: string[]
+): Promise<string> {
+  const exec = new k8s.Exec(kc)
+
+  // Create a writable stream that updates a SHA-256 hash with stdout data
+  const hash = createHash('sha256')
+  const hashWriter = new stream.Writable({
+    write(chunk, _enc, cb) {
+      try {
+        hash.update(chunk.toString('utf8') as Buffer)
+        cb()
+      } catch (e) {
+        cb(e as Error)
+      }
+    }
+  })
+
+  await new Promise<void>((resolve, reject) => {
+    exec
+      .exec(
+        namespace(),
+        podName,
+        containerName,
+        command,
+        hashWriter, // capture stdout for hashing
+        process.stderr,
+        null,
+        false /* tty */,
+        resp => {
+          core.debug(`internalExecOutput response: ${JSON.stringify(resp)}`)
           if (resp.status === 'Success') {
             resolve()
           } else {
-            reject(
+            core.debug(
-              JSON.stringify({ message: resp?.message, details: resp?.details })
+              JSON.stringify({
+                message: resp?.message,
+                details: resp?.details
+              })
             )
+            reject(new Error(resp?.message || 'internalExecOutput failed'))
           }
         }
       )
-    } catch (error) {
+      .catch(e => reject(e))
-      reject(error)
+  })
+
+  // finalize hash and return digest
+  hashWriter.end()
+
+  return hash.digest('hex')
+}
+
+export async function localCalculateOutputHash(
+  commands: string[]
+): Promise<string> {
+  return await new Promise<string>((resolve, reject) => {
+    const hash = createHash('sha256')
+    const child = spawn(commands[0], commands.slice(1), {
+      stdio: ['ignore', 'pipe', 'ignore']
+    })
+
+    child.stdout.on('data', chunk => {
+      hash.update(chunk)
+    })
+    child.on('error', reject)
+    child.on('close', (code: number) => {
+      if (code === 0) {
+        resolve(hash.digest('hex'))
+      } else {
+        reject(new Error(`child process exited with code ${code}`))
       }
     })
+  })
+}
+
+export async function execCpToPod(
+  podName: string,
+  runnerPath: string,
+  containerPath: string
+): Promise<void> {
+  core.debug(`Copying ${runnerPath} to pod ${podName} at ${containerPath}`)
+
+  let attempt = 0
+  while (true) {
+    try {
+      const exec = new k8s.Exec(kc)
+      const command = ['tar', 'xf', '-', '-C', containerPath]
+      const readStream = tar.pack(runnerPath)
+      const errStream = new WritableStreamBuffer()
+      await new Promise((resolve, reject) => {
+        exec
+          .exec(
+            namespace(),
+            podName,
+            JOB_CONTAINER_NAME,
+            command,
+            null,
+            errStream,
+            readStream,
+            false,
+            async status => {
+              if (errStream.size()) {
+                reject(
+                  new Error(
+                    `Error from cpFromPod - details: \n ${errStream.getContentsAsString()}`
+                  )
+                )
+              }
+              resolve(status)
+            }
+          )
+          .catch(e => reject(e))
+      })
+      break
+    } catch (error) {
+      core.debug(`cpToPod: Attempt ${attempt + 1} failed: ${error}`)
+      attempt++
+      if (attempt >= 30) {
+        throw new Error(
+          `cpToPod failed after ${attempt} attempts: ${JSON.stringify(error)}`
+        )
+      }
+      await sleep(1000)
+    }
+  }
+
+  const want = await localCalculateOutputHash([
+    'sh',
+    '-c',
+    listDirAllCommand(runnerPath)
+  ])
+
+  let attempts = 15
+  const delay = 1000
+  for (let i = 0; i < attempts; i++) {
+    try {
+      const got = await execCalculateOutputHash(podName, JOB_CONTAINER_NAME, [
+        'sh',
+        '-c',
+        listDirAllCommand(containerPath)
+      ])
+
+      if (got !== want) {
+        core.debug(
+          `The hash of the directory does not match the expected value; want='${want}' got='${got}'`
+        )
+        await sleep(delay)
+        continue
+      }
+
+      break
+    } catch (error) {
+      core.debug(`Attempt ${i + 1} failed: ${error}`)
+      await sleep(delay)
+    }
+  }
+}
+
+export async function execCpFromPod(
+  podName: string,
+  containerPath: string,
+  parentRunnerPath: string
+): Promise<void> {
+  const targetRunnerPath = `${parentRunnerPath}/${path.basename(containerPath)}`
+  core.debug(
+    `Copying from pod ${podName} ${containerPath} to ${targetRunnerPath}`
+  )
+  const want = await execCalculateOutputHash(podName, JOB_CONTAINER_NAME, [
+    'sh',
+    '-c',
+    listDirAllCommand(containerPath)
+  ])
+
+  let attempt = 0
+  while (true) {
+    try {
+      // make temporary directory
+      const exec = new k8s.Exec(kc)
+      const containerPaths = containerPath.split('/')
+      const dirname = containerPaths.pop() as string
+      const command = [
+        'tar',
+        'cf',
+        '-',
+        '-C',
+        containerPaths.join('/') || '/',
+        dirname
+      ]
+      const writerStream = tar.extract(parentRunnerPath)
+      const errStream = new WritableStreamBuffer()
+
+      await new Promise((resolve, reject) => {
+        exec
+          .exec(
+            namespace(),
+            podName,
+            JOB_CONTAINER_NAME,
+            command,
+            writerStream,
+            errStream,
+            null,
+            false,
+            async status => {
+              if (errStream.size()) {
+                reject(
+                  new Error(
+                    `Error from cpFromPod - details: \n ${errStream.getContentsAsString()}`
+                  )
+                )
+              }
+              resolve(status)
+            }
+          )
+          .catch(e => reject(e))
+      })
+      break
+    } catch (error) {
+      core.debug(`Attempt ${attempt + 1} failed: ${error}`)
+      attempt++
+      if (attempt >= 30) {
+        throw new Error(
+          `execCpFromPod failed after ${attempt} attempts: ${JSON.stringify(error)}`
+        )
+      }
+      await sleep(1000)
+    }
+  }
+
+  let attempts = 15
+  const delay = 1000
+  for (let i = 0; i < attempts; i++) {
+    try {
+      const got = await localCalculateOutputHash([
+        'sh',
+        '-c',
+        listDirAllCommand(targetRunnerPath)
+      ])
+
+      if (got !== want) {
+        core.debug(
+          `The hash of the directory does not match the expected value; want='${want}' got='${got}'`
+        )
+        await sleep(delay)
+        continue
+      }
+
+      break
+    } catch (error) {
+      core.debug(`Attempt ${i + 1} failed: ${error}`)
+      await sleep(delay)
+    }
+  }
 }
 
 export async function waitForJobToComplete(jobName: string): Promise<void> {
@@ -223,7 +536,7 @@ export async function waitForJobToComplete(jobName: string): Promise<void> {
         return
       }
     } catch (error) {
-      throw new Error(`job ${jobName} has failed`)
+      throw new Error(`job ${jobName} has failed: ${JSON.stringify(error)}`)
     }
     await backOffManager.backOff()
   }
@@ -234,46 +547,105 @@ export async function createDockerSecret(
 ): Promise<k8s.V1Secret> {
   const authContent = {
     auths: {
-      [registry.serverUrl]: {
+      [registry.serverUrl || 'https://index.docker.io/v1/']: {
         username: registry.username,
         password: registry.password,
-        auth: Buffer.from(
+        auth: Buffer.from(`${registry.username}:${registry.password}`).toString(
-          `${registry.username}:${registry.password}`,
           'base64'
-        ).toString()
+        )
       }
     }
   }
-  const secretName = generateSecretName()
+
+  const runnerInstanceLabel = new RunnerInstanceLabel()
+
+  const secretName = getSecretName()
   const secret = new k8s.V1Secret()
   secret.immutable = true
   secret.apiVersion = 'v1'
   secret.metadata = new k8s.V1ObjectMeta()
   secret.metadata.name = secretName
+  secret.metadata.namespace = namespace()
+  secret.metadata.labels = {
+    [runnerInstanceLabel.key]: runnerInstanceLabel.value
+  }
+  secret.type = 'kubernetes.io/dockerconfigjson'
   secret.kind = 'Secret'
   secret.data = {
-    '.dockerconfigjson': Buffer.from(
+    '.dockerconfigjson': Buffer.from(JSON.stringify(authContent)).toString(
-      JSON.stringify(authContent),
       'base64'
-    ).toString()
+    )
   }
 
-  const { body } = await k8sApi.createNamespacedSecret(namespace(), secret)
+  return await k8sApi.createNamespacedSecret({
-  return body
+    namespace: namespace(),
+    body: secret
+  })
+}
+
+export async function createSecretForEnvs(envs: {
+  [key: string]: string
+}): Promise<string> {
+  const runnerInstanceLabel = new RunnerInstanceLabel()
+
+  const secret = new k8s.V1Secret()
+  const secretName = getSecretName()
+  secret.immutable = true
+  secret.apiVersion = 'v1'
+  secret.metadata = new k8s.V1ObjectMeta()
+  secret.metadata.name = secretName
+
+  secret.metadata.labels = {
+    [runnerInstanceLabel.key]: runnerInstanceLabel.value
+  }
+  secret.kind = 'Secret'
+  secret.data = {}
+  for (const [key, value] of Object.entries(envs)) {
+    secret.data[key] = Buffer.from(value).toString('base64')
+  }
+
+  await k8sApi.createNamespacedSecret({
+    namespace: namespace(),
+    body: secret
+  })
+  return secretName
+}
+
+export async function deleteSecret(name: string): Promise<void> {
+  await k8sApi.deleteNamespacedSecret({
+    name,
+    namespace: namespace()
+  })
+}
+
+export async function pruneSecrets(): Promise<void> {
+  const secretList = await k8sApi.listNamespacedSecret({
+    namespace: namespace(),
+    labelSelector: new RunnerInstanceLabel().toString()
+  })
+  if (!secretList.items.length) {
+    return
+  }
+
+  await Promise.all(
+    secretList.items.map(
+      async secret =>
+        secret.metadata?.name && (await deleteSecret(secret.metadata.name))
+    )
+  )
 }
 
 export async function waitForPodPhases(
   podName: string,
   awaitingPhases: Set<PodPhase>,
   backOffPhases: Set<PodPhase>,
-  maxTimeSeconds = 45 * 60 // 45 min
+  maxTimeSeconds = DEFAULT_WAIT_FOR_POD_TIME_SECONDS
 ): Promise<void> {
   const backOffManager = new BackOffManager(maxTimeSeconds)
   let phase: PodPhase = PodPhase.UNKNOWN
   try {
     while (true) {
       phase = await getPodPhase(podName)
-
       if (awaitingPhases.has(phase)) {
         return
       }
@@ -286,11 +658,32 @@ export async function waitForPodPhases(
       await backOffManager.backOff()
     }
   } catch (error) {
-    throw new Error(`Pod ${podName} is unhealthy with phase status ${phase}`)
+    throw new Error(
+      `Pod ${podName} is unhealthy with phase status ${phase}: ${JSON.stringify(error)}`
+    )
   }
 }
 
-async function getPodPhase(podName: string): Promise<PodPhase> {
+export function getPrepareJobTimeoutSeconds(): number {
+  const envTimeoutSeconds =
+    process.env['ACTIONS_RUNNER_PREPARE_JOB_TIMEOUT_SECONDS']
+
+  if (!envTimeoutSeconds) {
+    return DEFAULT_WAIT_FOR_POD_TIME_SECONDS
+  }
+
+  const timeoutSeconds = parseInt(envTimeoutSeconds, 10)
+  if (!timeoutSeconds || timeoutSeconds <= 0) {
+    core.warning(
+      `Prepare job timeout is invalid ("${timeoutSeconds}"): use an int > 0`
+    )
+    return DEFAULT_WAIT_FOR_POD_TIME_SECONDS
+  }
+
+  return timeoutSeconds
+}
+
+async function getPodPhase(name: string): Promise<PodPhase> {
   const podPhaseLookup = new Set<string>([
     PodPhase.PENDING,
     PodPhase.RUNNING,
@@ -298,20 +691,24 @@ async function getPodPhase(podName: string): Promise<PodPhase> {
     PodPhase.FAILED,
     PodPhase.UNKNOWN
   ])
-  const { body } = await k8sApi.readNamespacedPod(podName, namespace())
+  const pod = await k8sApi.readNamespacedPod({
-  const pod = body
+    name,
+    namespace: namespace()
+  })
 
   if (!pod.status?.phase || !podPhaseLookup.has(pod.status.phase)) {
     return PodPhase.UNKNOWN
   }
-  return pod.status?.phase
+  return pod.status?.phase as PodPhase
 }
 
-async function isJobSucceeded(jobName: string): Promise<boolean> {
+async function isJobSucceeded(name: string): Promise<boolean> {
-  const { body } = await k8sBatchV1Api.readNamespacedJob(jobName, namespace())
+  const job = await k8sBatchV1Api.readNamespacedJob({
-  const job = body
+    name,
+    namespace: namespace()
+  })
   if (job.status?.failed) {
-    throw new Error(`job ${jobName} has failed`)
+    throw new Error(`job ${name} has failed`)
   }
   return !!job.status?.succeeded
 }
@@ -328,34 +725,29 @@ export async function getPodLogs(
   })
 
   logStream.on('error', err => {
-    process.stderr.write(JSON.stringify(err))
+    process.stderr.write(err.message)
   })
 
-  const r = await log.log(namespace(), podName, containerName, logStream, {
+  await log.log(namespace(), podName, containerName, logStream, {
     follow: true,
-    tailLines: 50,
     pretty: false,
     timestamps: false
   })
-  await new Promise(resolve => r.on('close', () => resolve(null)))
+  await new Promise(resolve => logStream.on('end', () => resolve(null)))
 }
 
-export async function podPrune(): Promise<void> {
+export async function prunePods(): Promise<void> {
-  const podList = await k8sApi.listNamespacedPod(
+  const podList = await k8sApi.listNamespacedPod({
-    namespace(),
+    namespace: namespace(),
-    undefined,
+    labelSelector: new RunnerInstanceLabel().toString()
-    undefined,
+  })
-    undefined,
+  if (!podList.items.length) {
-    undefined,
-    new RunnerInstanceLabel().toString()
-  )
-  if (!podList.body.items.length) {
     return
   }
 
   await Promise.all(
-    podList.body.items.map(
+    podList.items.map(
-      pod => pod.metadata?.name && deletePod(pod.metadata.name)
+      async pod => pod.metadata?.name && (await deletePod(pod.metadata.name))
     )
   )
 }
@@ -363,16 +755,16 @@ export async function podPrune(): Promise<void> {
 export async function getPodStatus(
   name: string
 ): Promise<k8s.V1PodStatus | undefined> {
-  const { body } = await k8sApi.readNamespacedPod(name, namespace())
+  const pod = await k8sApi.readNamespacedPod({
-  return body.status
+    name,
+    namespace: namespace()
+  })
+  return pod.status
 }
 
 export async function isAuthPermissionsOK(): Promise<boolean> {
   const sar = new k8s.V1SelfSubjectAccessReview()
-  const asyncs: Promise<{
+  const asyncs: Promise<k8s.V1SelfSubjectAccessReview>[] = []
-    response: unknown
-    body: k8s.V1SelfSubjectAccessReview
-  }>[] = []
   for (const resource of requiredPermissions) {
     for (const verb of resource.verbs) {
       sar.spec = new k8s.V1SelfSubjectAccessReviewSpec()
@@ -382,31 +774,13 @@ export async function isAuthPermissionsOK(): Promise<boolean> {
       sar.spec.resourceAttributes.group = resource.group
       sar.spec.resourceAttributes.resource = resource.resource
       sar.spec.resourceAttributes.subresource = resource.subresource
-      asyncs.push(k8sAuthorizationV1Api.createSelfSubjectAccessReview(sar))
+      asyncs.push(
+        k8sAuthorizationV1Api.createSelfSubjectAccessReview({ body: sar })
+      )
     }
   }
   const responses = await Promise.all(asyncs)
-  return responses.every(resp => resp.body.status?.allowed)
+  return responses.every(resp => resp.status?.allowed)
-}
-
-export async function isSecretsAuthOK(): Promise<boolean> {
-  const sar = new k8s.V1SelfSubjectAccessReview()
-  const asyncs: Promise<{
-    response: unknown
-    body: k8s.V1SelfSubjectAccessReview
-  }>[] = []
-  for (const verb of secretPermission.verbs) {
-    sar.spec = new k8s.V1SelfSubjectAccessReviewSpec()
-    sar.spec.resourceAttributes = new k8s.V1ResourceAttributes()
-    sar.spec.resourceAttributes.verb = verb
-    sar.spec.resourceAttributes.namespace = namespace()
-    sar.spec.resourceAttributes.group = secretPermission.group
-    sar.spec.resourceAttributes.resource = secretPermission.resource
-    sar.spec.resourceAttributes.subresource = secretPermission.subresource
-    asyncs.push(k8sAuthorizationV1Api.createSelfSubjectAccessReview(sar))
-  }
-  const responses = await Promise.all(asyncs)
-  return responses.every(resp => resp.body.status?.allowed)
 }
 
 export async function isPodContainerAlpine(
@@ -419,27 +793,18 @@ export async function isPodContainerAlpine(
       [
         'sh',
         '-c',
-        "[ $(cat /etc/*release* | grep -i -e '^ID=*alpine*' -c) != 0 ] || exit 1"
+        `'[ $(cat /etc/*release* | grep -i -e "^ID=*alpine*" -c) != 0 ] || exit 1'`
       ],
       podName,
       containerName
     )
-  } catch (err) {
+  } catch {
     isAlpine = false
   }
 
   return isAlpine
 }
 
-async function getCurrentNodeName(): Promise<string> {
-  const resp = await k8sApi.readNamespacedPod(getRunnerPodName(), namespace())
-
-  const nodeName = resp.body.spec?.nodeName
-  if (!nodeName) {
-    throw new Error('Failed to determine node name')
-  }
-  return nodeName
-}
 export function namespace(): string {
   if (process.env['ACTIONS_RUNNER_KUBERNETES_NAMESPACE']) {
     return process.env['ACTIONS_RUNNER_KUBERNETES_NAMESPACE']
@@ -454,20 +819,6 @@ export function namespace(): string {
   return context.namespace
 }
 
-function generateSecretName(): string {
-  return `github-secret-${uuidv4()}`
-}
-
-function runnerName(): string {
-  const name = process.env.ACTIONS_RUNNER_POD_NAME
-  if (!name) {
-    throw new Error(
-      'Failed to determine runner name. "ACTIONS_RUNNER_POD_NAME" env variables should be set.'
-    )
-  }
-  return name
-}
-
 class BackOffManager {
   private backOffSeconds = 1
   totalTime = 0
@@ -497,28 +848,48 @@ class BackOffManager {
 export function containerPorts(
   container: ContainerInfo
 ): k8s.V1ContainerPort[] {
-  // 8080:8080/tcp
-  const portFormat = /(\d{1,5})(:(\d{1,5}))?(\/(tcp|udp))?/
-
   const ports: k8s.V1ContainerPort[] = []
+  if (!container.portMappings?.length) {
+    return ports
+  }
   for (const portDefinition of container.portMappings) {
-    const submatches = portFormat.exec(portDefinition)
+    const portProtoSplit = portDefinition.split('/')
-    if (!submatches) {
+    if (portProtoSplit.length > 2) {
-      throw new Error(
+      throw new Error(`Unexpected port format: ${portDefinition}`)
-        `Port definition "${portDefinition}" is in incorrect format`
-      )
     }
+
     const port = new k8s.V1ContainerPort()
-    port.hostPort = Number(submatches[1])
+    port.protocol =
-    if (submatches[3]) {
+      portProtoSplit.length === 2 ? portProtoSplit[1].toUpperCase() : 'TCP'
-      port.containerPort = Number(submatches[3])
+
+    const portSplit = portProtoSplit[0].split(':')
+    if (portSplit.length > 2) {
+      throw new Error('ports should have at most one ":" separator')
     }
-    if (submatches[5]) {
+
-      port.protocol = submatches[5].toUpperCase()
+    const parsePort = (p: string): number => {
+      const num = Number(p)
+      if (!Number.isInteger(num) || num < 1 || num > 65535) {
+        throw new Error(`invalid container port: ${p}`)
+      }
+      return num
+    }
+
+    if (portSplit.length === 1) {
+      port.containerPort = parsePort(portSplit[0])
     } else {
-      port.protocol = 'TCP'
+      port.hostPort = parsePort(portSplit[0])
+      port.containerPort = parsePort(portSplit[1])
     }
+
     ports.push(port)
   }
   return ports
 }
+
+export async function getPodByName(name): Promise<k8s.V1Pod> {
+  return await k8sApi.readNamespacedPod({
+    name,
+    namespace: namespace()
+  })
+}

packages/k8s/src/k8s/utils.ts

@@ -1,65 +1,295 @@
 import * as k8s from '@kubernetes/client-node'
+import * as fs from 'fs'
+import * as yaml from 'js-yaml'
+import * as core from '@actions/core'
+import { v1 as uuidv4 } from 'uuid'
+import { CONTAINER_EXTENSION_PREFIX } from '../hooks/constants'
+import * as shlex from 'shlex'
 import { Mount } from 'hooklib'
-import * as path from 'path'
-import { POD_VOLUME_NAME } from './index'
 
 export const DEFAULT_CONTAINER_ENTRY_POINT_ARGS = [`-f`, `/dev/null`]
 export const DEFAULT_CONTAINER_ENTRY_POINT = 'tail'
 
-export function containerVolumes(
+export const ENV_HOOK_TEMPLATE_PATH = 'ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE'
-  userMountVolumes: Mount[] = [],
+export const ENV_USE_KUBE_SCHEDULER = 'ACTIONS_RUNNER_USE_KUBE_SCHEDULER'
-  jobContainer = true
+
-): k8s.V1VolumeMount[] {
+export const EXTERNALS_VOLUME_NAME = 'externals'
-  const mounts: k8s.V1VolumeMount[] = [
+export const GITHUB_VOLUME_NAME = 'github'
+
+export const CONTAINER_VOLUMES: k8s.V1VolumeMount[] = [
   {
-      name: POD_VOLUME_NAME,
+    name: EXTERNALS_VOLUME_NAME,
-      mountPath: '/__w'
+    mountPath: '/__e'
+  },
+  {
+    name: GITHUB_VOLUME_NAME,
+    mountPath: '/github'
   }
 ]
 
-  if (!jobContainer) {
+export function prepareJobScript(userVolumeMounts: Mount[]): {
-    return mounts
+  containerPath: string
+  runnerPath: string
+} {
+  let mountDirs = userVolumeMounts.map(m => m.targetVolumePath).join(' ')
+
+  const content = `#!/bin/sh -l
+set -e
+cp -R /__w/_temp/_github_home /github/home
+cp -R /__w/_temp/_github_workflow /github/workflow
+mkdir -p ${mountDirs}
+`
+
+  const filename = `${uuidv4()}.sh`
+  const entryPointPath = `${process.env.RUNNER_TEMP}/${filename}`
+  fs.writeFileSync(entryPointPath, content)
+  return {
+    containerPath: `/__w/_temp/${filename}`,
+    runnerPath: entryPointPath
+  }
 }
 
-  mounts.push(
+export function writeRunScript(
-    {
+  workingDirectory: string,
-      name: POD_VOLUME_NAME,
+  entryPoint: string,
-      mountPath: '/__e',
+  entryPointArgs?: string[],
-      subPath: 'externals'
+  prependPath?: string[],
-    },
+  environmentVariables?: { [key: string]: string }
-    {
+): { containerPath: string; runnerPath: string } {
-      name: POD_VOLUME_NAME,
+  let exportPath = ''
-      mountPath: '/github/home',
+  if (prependPath?.length) {
-      subPath: '_temp/_github_home'
+    // TODO: remove compatibility with typeof prependPath === 'string' as we bump to next major version, the hooks will lose PrependPath compat with runners 2.293.0 and older
-    },
+    const prepend =
-    {
+      typeof prependPath === 'string' ? prependPath : prependPath.join(':')
-      name: POD_VOLUME_NAME,
+    exportPath = `export PATH=${prepend}:$PATH`
-      mountPath: '/github/workflow',
-      subPath: '_temp/_github_workflow'
   }
+
+  let environmentPrefix = scriptEnv(environmentVariables)
+
+  const content = `#!/bin/sh -l
+set -e
+rm "$0" # remove script after running
+${exportPath}
+cd ${workingDirectory} && \
+exec ${environmentPrefix} ${entryPoint} ${
+    entryPointArgs?.length ? entryPointArgs.join(' ') : ''
+  }
+`
+  const filename = `${uuidv4()}.sh`
+  const entryPointPath = `${process.env.RUNNER_TEMP}/${filename}`
+  fs.writeFileSync(entryPointPath, content)
+  return {
+    containerPath: `/__w/_temp/${filename}`,
+    runnerPath: entryPointPath
+  }
+}
+
+export function writeContainerStepScript(
+  dst: string,
+  workingDirectory: string,
+  entryPoint: string,
+  entryPointArgs?: string[],
+  environmentVariables?: { [key: string]: string }
+): { containerPath: string; runnerPath: string } {
+  let environmentPrefix = scriptEnv(environmentVariables)
+
+  const parts = workingDirectory.split('/').slice(-2)
+  if (parts.length !== 2) {
+    throw new Error(`Invalid working directory: ${workingDirectory}`)
+  }
+
+  const content = `#!/bin/sh -l
+rm "$0" # remove script after running
+mv /__w/_temp/_github_home /github/home && \
+mv /__w/_temp/_github_workflow /github/workflow && \
+mv /__w/_temp/_runner_file_commands /github/file_commands && \
+mv /__w/${parts.join('/')}/ /github/workspace && \
+cd /github/workspace && \
+exec ${environmentPrefix} ${entryPoint} ${
+    entryPointArgs?.length ? entryPointArgs.join(' ') : ''
+  }
+`
+  const filename = `${uuidv4()}.sh`
+  const entryPointPath = `${dst}/${filename}`
+  core.debug(`Writing container step script to ${entryPointPath}`)
+  fs.writeFileSync(entryPointPath, content)
+  return {
+    containerPath: `/__w/_temp/${filename}`,
+    runnerPath: entryPointPath
+  }
+}
+
+function scriptEnv(envs?: { [key: string]: string }): string {
+  if (!envs || !Object.entries(envs).length) {
+    return ''
+  }
+  const envBuffer: string[] = []
+  for (const [key, value] of Object.entries(envs)) {
+    if (
+      key.includes(`=`) ||
+      key.includes(`'`) ||
+      key.includes(`"`) ||
+      key.includes(`$`)
+    ) {
+      throw new Error(
+        `environment key ${key} is invalid - the key must not contain =, $, ', or "`
       )
-
-  if (!userMountVolumes?.length) {
-    return mounts
     }
-
+    envBuffer.push(
-  for (const userVolume of userMountVolumes) {
+      `"${key}=${value
-    const sourceVolumePath = `${
+        .replace(/\\/g, '\\\\')
-      path.isAbsolute(userVolume.sourceVolumePath)
+        .replace(/"/g, '\\"')
-        ? userVolume.sourceVolumePath
+        .replace(/\$/g, '\\$')
-        : path.join(
+        .replace(/`/g, '\\`')}"`
-            process.env.GITHUB_WORKSPACE as string,
-            userVolume.sourceVolumePath
     )
-    }`
-
-    mounts.push({
-      name: POD_VOLUME_NAME,
-      mountPath: userVolume.targetVolumePath,
-      subPath: sourceVolumePath,
-      readOnly: userVolume.readOnly
-    })
   }
 
-  return mounts
+  if (!envBuffer?.length) {
+    return ''
+  }
+
+  return `env ${envBuffer.join(' ')} `
+}
+
+export function generateContainerName(image: string): string {
+  const nameWithTag = image.split('/').pop()
+  const name = nameWithTag?.split(':')[0]
+
+  if (!name) {
+    throw new Error(`Image definition '${image}' is invalid`)
+  }
+
+  return name
+}
+
+// Overwrite or append based on container options
+//
+// Keep in mind, envs and volumes could be passed as fields in container definition
+// so default volume mounts and envs are appended first, and then create options are used
+// to append more values
+//
+// Rest of the fields are just applied
+// For example, container.createOptions.container.image is going to overwrite container.image field
+export function mergeContainerWithOptions(
+  base: k8s.V1Container,
+  from: k8s.V1Container
+): void {
+  for (const [key, value] of Object.entries(from)) {
+    if (key === 'name') {
+      if (value !== CONTAINER_EXTENSION_PREFIX + base.name) {
+        core.warning("Skipping name override: name can't be overwritten")
+      }
+      continue
+    } else if (key === 'image') {
+      core.warning("Skipping image override: image can't be overwritten")
+      continue
+    } else if (key === 'env') {
+      const envs = value as k8s.V1EnvVar[]
+      base.env = mergeLists(base.env, envs)
+    } else if (key === 'volumeMounts' && value) {
+      const volumeMounts = value as k8s.V1VolumeMount[]
+      base.volumeMounts = mergeLists(base.volumeMounts, volumeMounts)
+    } else if (key === 'ports' && value) {
+      const ports = value as k8s.V1ContainerPort[]
+      base.ports = mergeLists(base.ports, ports)
+    } else {
+      base[key] = value
+    }
+  }
+}
+
+export function mergePodSpecWithOptions(
+  base: k8s.V1PodSpec,
+  from: k8s.V1PodSpec
+): void {
+  for (const [key, value] of Object.entries(from)) {
+    if (key === 'containers') {
+      base.containers.push(
+        ...from.containers.filter(
+          e => !e.name?.startsWith(CONTAINER_EXTENSION_PREFIX)
+        )
+      )
+    } else if (key === 'volumes' && value) {
+      const volumes = value as k8s.V1Volume[]
+      base.volumes = mergeLists(base.volumes, volumes)
+    } else {
+      base[key] = value
+    }
+  }
+}
+
+export function mergeObjectMeta(
+  base: { metadata?: k8s.V1ObjectMeta },
+  from: k8s.V1ObjectMeta
+): void {
+  if (!base.metadata?.labels || !base.metadata?.annotations) {
+    throw new Error(
+      "Can't merge metadata: base.metadata or base.annotations field is undefined"
+    )
+  }
+  if (from?.labels) {
+    for (const [key, value] of Object.entries(from.labels)) {
+      if (base.metadata?.labels?.[key]) {
+        core.warning(`Label ${key} is already defined and will be overwritten`)
+      }
+      base.metadata.labels[key] = value
+    }
+  }
+
+  if (from?.annotations) {
+    for (const [key, value] of Object.entries(from.annotations)) {
+      if (base.metadata?.annotations?.[key]) {
+        core.warning(
+          `Annotation ${key} is already defined and will be overwritten`
+        )
+      }
+      base.metadata.annotations[key] = value
+    }
+  }
+}
+
+export function readExtensionFromFile(): k8s.V1PodTemplateSpec | undefined {
+  const filePath = process.env[ENV_HOOK_TEMPLATE_PATH]
+  if (!filePath) {
+    return undefined
+  }
+  const doc = yaml.load(fs.readFileSync(filePath, 'utf8'))
+  if (!doc || typeof doc !== 'object') {
+    throw new Error(`Failed to parse ${filePath}`)
+  }
+  return doc as k8s.V1PodTemplateSpec
+}
+
+export function useKubeScheduler(): boolean {
+  return process.env[ENV_USE_KUBE_SCHEDULER] === 'true'
+}
+
+export enum PodPhase {
+  PENDING = 'Pending',
+  RUNNING = 'Running',
+  SUCCEEDED = 'Succeeded',
+  FAILED = 'Failed',
+  UNKNOWN = 'Unknown',
+  COMPLETED = 'Completed'
+}
+
+function mergeLists<T>(base?: T[], from?: T[]): T[] {
+  const b: T[] = base || []
+  if (!from?.length) {
+    return b
+  }
+  b.push(...from)
+  return b
+}
+
+export function fixArgs(args: string[]): string[] {
+  return shlex.split(args.join(' '))
+}
+
+export async function sleep(ms: number): Promise<void> {
+  return new Promise(resolve => setTimeout(resolve, ms))
+}
+
+export function listDirAllCommand(dir: string): string {
+  return `cd ${shlex.quote(dir)} && find . -not -path '*/_runner_hook_responses*' -exec stat -c '%b %n' {} \\;`
 }

packages/k8s/tests/cleanup-job-test.ts

@@ -1,31 +1,61 @@
-import * as path from 'path'
+import * as k8s from '@kubernetes/client-node'
-import * as fs from 'fs'
+import { cleanupJob, prepareJob } from '../src/hooks'
-import { prepareJob, cleanupJob } from '../src/hooks'
+import { RunnerInstanceLabel } from '../src/hooks/constants'
-import { TestTempOutput } from './test-setup'
+import { namespace } from '../src/k8s'
+import { TestHelper } from './test-setup'
+import { PrepareJobArgs } from 'hooklib'
 
-let testTempOutput: TestTempOutput
+let testHelper: TestHelper
-
-const prepareJobJsonPath = path.resolve(
-  `${__dirname}/../../../examples/prepare-job.json`
-)
-
-let prepareJobOutputFilePath: string
 
 describe('Cleanup Job', () => {
   beforeEach(async () => {
-    const prepareJobJson = fs.readFileSync(prepareJobJsonPath)
+    testHelper = new TestHelper()
-    let prepareJobData = JSON.parse(prepareJobJson.toString())
+    await testHelper.initialize()
-
+    let prepareJobData = testHelper.getPrepareJobDefinition()
-    testTempOutput = new TestTempOutput()
+    const prepareJobOutputFilePath = testHelper.createFile(
-    testTempOutput.initialize()
-    prepareJobOutputFilePath = testTempOutput.createFile(
       'prepare-job-output.json'
     )
-    await prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+    await prepareJob(
+      prepareJobData.args as PrepareJobArgs,
+      prepareJobOutputFilePath
+    )
   })
+
+  afterEach(async () => {
+    await testHelper.cleanup()
+  })
+
   it('should not throw', async () => {
-    const outputJson = fs.readFileSync(prepareJobOutputFilePath)
-    const outputData = JSON.parse(outputJson.toString())
     await expect(cleanupJob()).resolves.not.toThrow()
   })
+
+  it('should have no runner linked pods running', async () => {
+    await cleanupJob()
+    const kc = new k8s.KubeConfig()
+
+    kc.loadFromDefault()
+    const k8sApi = kc.makeApiClient(k8s.CoreV1Api)
+
+    const podList = await k8sApi.listNamespacedPod({
+      namespace: namespace(),
+      labelSelector: new RunnerInstanceLabel().toString()
+    })
+
+    expect(podList.items.length).toBe(0)
+  })
+
+  it('should have no runner linked secrets', async () => {
+    await cleanupJob()
+    const kc = new k8s.KubeConfig()
+
+    kc.loadFromDefault()
+    const k8sApi = kc.makeApiClient(k8s.CoreV1Api)
+
+    const secretList = await k8sApi.listNamespacedSecret({
+      namespace: namespace(),
+      labelSelector: new RunnerInstanceLabel().toString()
+    })
+
+    expect(secretList.items.length).toBe(0)
+  })
 })

packages/k8s/tests/constants-test.ts

@@ -0,0 +1,182 @@
+import {
+  getJobPodName,
+  getRunnerPodName,
+  getSecretName,
+  getStepPodName,
+  getVolumeClaimName,
+  JOB_CONTAINER_NAME,
+  MAX_POD_NAME_LENGTH,
+  RunnerInstanceLabel,
+  STEP_POD_NAME_SUFFIX_LENGTH
+} from '../src/hooks/constants'
+
+describe('constants', () => {
+  describe('runner instance label', () => {
+    beforeEach(() => {
+      process.env.ACTIONS_RUNNER_POD_NAME = 'example'
+    })
+    it('should throw if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => new RunnerInstanceLabel()).toThrow()
+    })
+
+    it('should have key truthy', () => {
+      const runnerInstanceLabel = new RunnerInstanceLabel()
+      expect(typeof runnerInstanceLabel.key).toBe('string')
+      expect(runnerInstanceLabel.key).toBeTruthy()
+      expect(runnerInstanceLabel.key.length).toBeGreaterThan(0)
+    })
+
+    it('should have value as runner pod name', () => {
+      const name = process.env.ACTIONS_RUNNER_POD_NAME as string
+      const runnerInstanceLabel = new RunnerInstanceLabel()
+      expect(typeof runnerInstanceLabel.value).toBe('string')
+      expect(runnerInstanceLabel.value).toBe(name)
+    })
+
+    it('should have toString combination of key and value', () => {
+      const runnerInstanceLabel = new RunnerInstanceLabel()
+      expect(runnerInstanceLabel.toString()).toBe(
+        `${runnerInstanceLabel.key}=${runnerInstanceLabel.value}`
+      )
+    })
+  })
+
+  describe('getRunnerPodName', () => {
+    it('should throw if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => getRunnerPodName()).toThrow()
+
+      process.env.ACTIONS_RUNNER_POD_NAME = ''
+      expect(() => getRunnerPodName()).toThrow()
+    })
+
+    it('should return corrent ACTIONS_RUNNER_POD_NAME name', () => {
+      const name = 'example'
+      process.env.ACTIONS_RUNNER_POD_NAME = name
+      expect(getRunnerPodName()).toBe(name)
+    })
+  })
+
+  describe('getJobPodName', () => {
+    it('should throw on getJobPodName if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => getJobPodName()).toThrow()
+
+      process.env.ACTIONS_RUNNER_POD_NAME = ''
+      expect(() => getRunnerPodName()).toThrow()
+    })
+
+    it('should contain suffix -workflow', () => {
+      const tableTests = [
+        {
+          podName: 'test',
+          expect: 'test-workflow'
+        },
+        {
+          // podName.length == 63
+          podName:
+            'abcdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
+          expect:
+            'abcdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-workflow'
+        }
+      ]
+
+      for (const tt of tableTests) {
+        process.env.ACTIONS_RUNNER_POD_NAME = tt.podName
+        const actual = getJobPodName()
+        expect(actual).toBe(tt.expect)
+      }
+    })
+  })
+
+  describe('getVolumeClaimName', () => {
+    it('should throw if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_CLAIM_NAME
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => getVolumeClaimName()).toThrow()
+
+      process.env.ACTIONS_RUNNER_POD_NAME = ''
+      expect(() => getVolumeClaimName()).toThrow()
+    })
+
+    it('should return ACTIONS_RUNNER_CLAIM_NAME env if set', () => {
+      const claimName = 'testclaim'
+      process.env.ACTIONS_RUNNER_CLAIM_NAME = claimName
+      process.env.ACTIONS_RUNNER_POD_NAME = 'example'
+      expect(getVolumeClaimName()).toBe(claimName)
+    })
+
+    it('should contain suffix -work if ACTIONS_RUNNER_CLAIM_NAME is not set', () => {
+      delete process.env.ACTIONS_RUNNER_CLAIM_NAME
+      process.env.ACTIONS_RUNNER_POD_NAME = 'example'
+      expect(getVolumeClaimName()).toBe('example-work')
+    })
+  })
+
+  describe('getSecretName', () => {
+    it('should throw if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => getSecretName()).toThrow()
+
+      process.env.ACTIONS_RUNNER_POD_NAME = ''
+      expect(() => getSecretName()).toThrow()
+    })
+
+    it('should contain suffix -secret- and name trimmed', () => {
+      const podNames = [
+        'test',
+        'abcdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+      ]
+
+      for (const podName of podNames) {
+        process.env.ACTIONS_RUNNER_POD_NAME = podName
+        const actual = getSecretName()
+        const re = new RegExp(
+          `${podName.substring(
+            MAX_POD_NAME_LENGTH -
+              '-secret-'.length -
+              STEP_POD_NAME_SUFFIX_LENGTH
+          )}-secret-[a-z0-9]{8,}`
+        )
+        expect(actual).toMatch(re)
+      }
+    })
+  })
+
+  describe('getStepPodName', () => {
+    it('should throw if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => getStepPodName()).toThrow()
+
+      process.env.ACTIONS_RUNNER_POD_NAME = ''
+      expect(() => getStepPodName()).toThrow()
+    })
+
+    it('should contain suffix -step- and name trimmed', () => {
+      const podNames = [
+        'test',
+        'abcdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+      ]
+
+      for (const podName of podNames) {
+        process.env.ACTIONS_RUNNER_POD_NAME = podName
+        const actual = getStepPodName()
+        const re = new RegExp(
+          `${podName.substring(
+            MAX_POD_NAME_LENGTH - '-step-'.length - STEP_POD_NAME_SUFFIX_LENGTH
+          )}-step-[a-z0-9]{8,}`
+        )
+        expect(actual).toMatch(re)
+      }
+    })
+  })
+
+  describe('const values', () => {
+    it('should have constants set', () => {
+      expect(JOB_CONTAINER_NAME).toBeTruthy()
+      expect(MAX_POD_NAME_LENGTH).toBeGreaterThan(0)
+      expect(STEP_POD_NAME_SUFFIX_LENGTH).toBeGreaterThan(0)
+    })
+  })
+})

packages/k8s/tests/e2e-test.ts

@@ -1,64 +1,52 @@
 import * as fs from 'fs'
-import * as path from 'path'
 import {
   cleanupJob,
   prepareJob,
   runContainerStep,
   runScriptStep
 } from '../src/hooks'
-import { TestTempOutput } from './test-setup'
+import { TestHelper } from './test-setup'
+import { RunContainerStepArgs, RunScriptStepArgs } from 'hooklib'
 
 jest.useRealTimers()
 
-let testTempOutput: TestTempOutput
+let testHelper: TestHelper
-
-const prepareJobJsonPath = path.resolve(
-  `${__dirname}/../../../../examples/prepare-job.json`
-)
-const runScriptStepJsonPath = path.resolve(
-  `${__dirname}/../../../../examples/run-script-step.json`
-)
-let runContainerStepJsonPath = path.resolve(
-  `${__dirname}/../../../../examples/run-container-step.json`
-)
 
 let prepareJobData: any
 
 let prepareJobOutputFilePath: string
 describe('e2e', () => {
-  beforeEach(() => {
+  beforeEach(async () => {
-    const prepareJobJson = fs.readFileSync(prepareJobJsonPath)
+    testHelper = new TestHelper()
-    prepareJobData = JSON.parse(prepareJobJson.toString())
+    await testHelper.initialize()
 
-    testTempOutput = new TestTempOutput()
+    prepareJobData = testHelper.getPrepareJobDefinition()
-    testTempOutput.initialize()
+    prepareJobOutputFilePath = testHelper.createFile('prepare-job-output.json')
-    prepareJobOutputFilePath = testTempOutput.createFile(
-      'prepare-job-output.json'
-    )
   })
   afterEach(async () => {
-    testTempOutput.cleanup()
+    await testHelper.cleanup()
   })
   it('should prepare job, run script step, run container step then cleanup without errors', async () => {
     await expect(
       prepareJob(prepareJobData.args, prepareJobOutputFilePath)
     ).resolves.not.toThrow()
 
-    const scriptStepContent = fs.readFileSync(runScriptStepJsonPath)
+    const scriptStepData = testHelper.getRunScriptStepDefinition()
-    const scriptStepData = JSON.parse(scriptStepContent.toString())
 
     const prepareJobOutputJson = fs.readFileSync(prepareJobOutputFilePath)
     const prepareJobOutputData = JSON.parse(prepareJobOutputJson.toString())
 
     await expect(
-      runScriptStep(scriptStepData.args, prepareJobOutputData.state, null)
+      runScriptStep(
+        scriptStepData.args as RunScriptStepArgs,
+        prepareJobOutputData.state
+      )
     ).resolves.not.toThrow()
 
-    const runContainerStepContent = fs.readFileSync(runContainerStepJsonPath)
+    const runContainerStepData = testHelper.getRunContainerStepDefinition()
-    const runContainerStepData = JSON.parse(runContainerStepContent.toString())
 
     await expect(
-      runContainerStep(runContainerStepData.args)
+      runContainerStep(runContainerStepData.args as RunContainerStepArgs)
     ).resolves.not.toThrow()
 
     await expect(cleanupJob()).resolves.not.toThrow()

packages/k8s/tests/k8s-utils-test.ts

@@ -0,0 +1,409 @@
+import * as fs from 'fs'
+import { containerPorts } from '../src/k8s'
+import {
+  generateContainerName,
+  writeRunScript,
+  mergePodSpecWithOptions,
+  mergeContainerWithOptions,
+  readExtensionFromFile,
+  ENV_HOOK_TEMPLATE_PATH
+} from '../src/k8s/utils'
+import * as k8s from '@kubernetes/client-node'
+import { TestHelper } from './test-setup'
+
+let testHelper: TestHelper
+
+describe('k8s utils', () => {
+  describe('write entrypoint', () => {
+    beforeEach(async () => {
+      testHelper = new TestHelper()
+      await testHelper.initialize()
+    })
+
+    afterEach(async () => {
+      await testHelper.cleanup()
+    })
+
+    it('should not throw', () => {
+      expect(() =>
+        writeRunScript('/test', 'sh', ['-e', 'script.sh'], ['/prepend/path'], {
+          SOME_ENV: 'SOME_VALUE'
+        })
+      ).not.toThrow()
+    })
+
+    it('should throw if RUNNER_TEMP is not set', () => {
+      delete process.env.RUNNER_TEMP
+      expect(() =>
+        writeRunScript('/test', 'sh', ['-e', 'script.sh'], ['/prepend/path'], {
+          SOME_ENV: 'SOME_VALUE'
+        })
+      ).toThrow()
+    })
+
+    it('should throw if environment variable name contains double quote', () => {
+      expect(() =>
+        writeRunScript('/test', 'sh', ['-e', 'script.sh'], ['/prepend/path'], {
+          'SOME"_ENV': 'SOME_VALUE'
+        })
+      ).toThrow()
+    })
+
+    it('should throw if environment variable name contains =', () => {
+      expect(() =>
+        writeRunScript('/test', 'sh', ['-e', 'script.sh'], ['/prepend/path'], {
+          'SOME=ENV': 'SOME_VALUE'
+        })
+      ).toThrow()
+    })
+
+    it('should throw if environment variable name contains single quote', () => {
+      expect(() =>
+        writeRunScript('/test', 'sh', ['-e', 'script.sh'], ['/prepend/path'], {
+          "SOME'_ENV": 'SOME_VALUE'
+        })
+      ).toThrow()
+    })
+
+    it('should throw if environment variable name contains dollar', () => {
+      expect(() =>
+        writeRunScript('/test', 'sh', ['-e', 'script.sh'], ['/prepend/path'], {
+          SOME_$_ENV: 'SOME_VALUE'
+        })
+      ).toThrow()
+    })
+
+    it('should escape double quote, dollar and backslash in environment variable values', () => {
+      const { runnerPath } = writeRunScript(
+        '/test',
+        'sh',
+        ['-e', 'script.sh'],
+        ['/prepend/path'],
+        {
+          DQUOTE: '"',
+          BACK_SLASH: '\\',
+          DOLLAR: '$'
+        }
+      )
+      expect(fs.existsSync(runnerPath)).toBe(true)
+      const script = fs.readFileSync(runnerPath, 'utf8')
+      expect(script).toContain('"DQUOTE=\\"')
+      expect(script).toContain('"BACK_SLASH=\\\\"')
+      expect(script).toContain('"DOLLAR=\\$"')
+    })
+
+    it('should return object with containerPath and runnerPath', () => {
+      const { containerPath, runnerPath } = writeRunScript(
+        '/test',
+        'sh',
+        ['-e', 'script.sh'],
+        ['/prepend/path'],
+        {
+          SOME_ENV: 'SOME_VALUE'
+        }
+      )
+      expect(containerPath).toMatch(/\/__w\/_temp\/.*\.sh/)
+      const re = new RegExp(`${process.env.RUNNER_TEMP}/.*\\.sh`)
+      expect(runnerPath).toMatch(re)
+    })
+
+    it('should write entrypoint path and the file should exist', () => {
+      const { runnerPath } = writeRunScript(
+        '/test',
+        'sh',
+        ['-e', 'script.sh'],
+        ['/prepend/path'],
+        {
+          SOME_ENV: 'SOME_VALUE'
+        }
+      )
+      expect(fs.existsSync(runnerPath)).toBe(true)
+    })
+  })
+
+  describe('container volumes', () => {
+    beforeEach(async () => {
+      testHelper = new TestHelper()
+      await testHelper.initialize()
+    })
+
+    afterEach(async () => {
+      await testHelper.cleanup()
+    })
+
+    it('should parse container ports', () => {
+      const tt = [
+        {
+          spec: '8080:80',
+          want: {
+            containerPort: 80,
+            hostPort: 8080,
+            protocol: 'TCP'
+          }
+        },
+        {
+          spec: '8080:80/udp',
+          want: {
+            containerPort: 80,
+            hostPort: 8080,
+            protocol: 'UDP'
+          }
+        },
+        {
+          spec: '8080/udp',
+          want: {
+            containerPort: 8080,
+            hostPort: undefined,
+            protocol: 'UDP'
+          }
+        },
+        {
+          spec: '8080',
+          want: {
+            containerPort: 8080,
+            hostPort: undefined,
+            protocol: 'TCP'
+          }
+        }
+      ]
+
+      for (const tc of tt) {
+        const got = containerPorts({ portMappings: [tc.spec] })
+        for (const [key, value] of Object.entries(tc.want)) {
+          expect(got[0][key]).toBe(value)
+        }
+      }
+    })
+
+    it('should throw when ports are out of range (0, 65536)', () => {
+      expect(() => containerPorts({ portMappings: ['65536'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['0'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['65536/udp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['0/udp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['1:65536'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['65536:1'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['1:65536/tcp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['65536:1/tcp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['1:'] })).toThrow()
+      expect(() => containerPorts({ portMappings: [':1'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['1:/tcp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: [':1/tcp'] })).toThrow()
+    })
+
+    it('should throw on multi ":" splits', () => {
+      expect(() => containerPorts({ portMappings: ['1:1:1'] })).toThrow()
+    })
+
+    it('should throw on multi "/" splits', () => {
+      expect(() => containerPorts({ portMappings: ['1:1/tcp/udp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['1/tcp/udp'] })).toThrow()
+    })
+  })
+
+  describe('generate container name', () => {
+    it('should return the container name from image string', () => {
+      expect(
+        generateContainerName('public.ecr.aws/localstack/localstack')
+      ).toEqual('localstack')
+      expect(
+        generateContainerName(
+          'public.ecr.aws/url/with/multiple/slashes/postgres:latest'
+        )
+      ).toEqual('postgres')
+      expect(generateContainerName('postgres')).toEqual('postgres')
+      expect(generateContainerName('postgres:latest')).toEqual('postgres')
+      expect(generateContainerName('localstack/localstack')).toEqual(
+        'localstack'
+      )
+      expect(generateContainerName('localstack/localstack:latest')).toEqual(
+        'localstack'
+      )
+    })
+
+    it('should throw on invalid image string', () => {
+      expect(() =>
+        generateContainerName('localstack/localstack/:latest')
+      ).toThrow()
+      expect(() => generateContainerName(':latest')).toThrow()
+    })
+  })
+
+  describe('read extension', () => {
+    beforeEach(async () => {
+      testHelper = new TestHelper()
+      await testHelper.initialize()
+    })
+
+    afterEach(async () => {
+      await testHelper.cleanup()
+    })
+
+    it('should throw if env variable is set but file does not exist', () => {
+      process.env[ENV_HOOK_TEMPLATE_PATH] =
+        '/path/that/does/not/exist/data.yaml'
+      expect(() => readExtensionFromFile()).toThrow()
+    })
+
+    it('should return undefined if env variable is not set', () => {
+      delete process.env[ENV_HOOK_TEMPLATE_PATH]
+      expect(readExtensionFromFile()).toBeUndefined()
+    })
+
+    it('should throw if file is empty', () => {
+      let filePath = testHelper.createFile('data.yaml')
+      process.env[ENV_HOOK_TEMPLATE_PATH] = filePath
+      expect(() => readExtensionFromFile()).toThrow()
+    })
+
+    it('should throw if file is not valid yaml', () => {
+      let filePath = testHelper.createFile('data.yaml')
+      fs.writeFileSync(filePath, 'invalid yaml')
+      process.env[ENV_HOOK_TEMPLATE_PATH] = filePath
+      expect(() => readExtensionFromFile()).toThrow()
+    })
+
+    it('should return object if file is valid', () => {
+      let filePath = testHelper.createFile('data.yaml')
+      fs.writeFileSync(
+        filePath,
+        `
+metadata:
+  labels:
+    label-name: label-value
+  annotations:
+    annotation-name: annotation-value
+spec:
+  containers:
+    - name: test
+      image: node:22
+    - name: job
+      image: ubuntu:latest`
+      )
+
+      process.env[ENV_HOOK_TEMPLATE_PATH] = filePath
+      const extension = readExtensionFromFile()
+      expect(extension).toBeDefined()
+    })
+  })
+
+  it('should merge container spec', () => {
+    const base = {
+      image: 'node:22',
+      name: 'test',
+      env: [
+        {
+          name: 'TEST',
+          value: 'TEST'
+        }
+      ],
+      ports: [
+        {
+          containerPort: 8080,
+          hostPort: 8080,
+          protocol: 'TCP'
+        }
+      ]
+    } as k8s.V1Container
+
+    const from = {
+      ports: [
+        {
+          containerPort: 9090,
+          hostPort: 9090,
+          protocol: 'TCP'
+        }
+      ],
+      env: [
+        {
+          name: 'TEST_TWO',
+          value: 'TEST_TWO'
+        }
+      ],
+      image: 'ubuntu:latest',
+      name: 'overwrite'
+    } as k8s.V1Container
+
+    const expectContainer = {
+      name: base.name,
+      image: base.image,
+      ports: [
+        ...(base.ports as k8s.V1ContainerPort[]),
+        ...(from.ports as k8s.V1ContainerPort[])
+      ],
+      env: [...(base.env as k8s.V1EnvVar[]), ...(from.env as k8s.V1EnvVar[])]
+    }
+
+    const expectJobContainer = JSON.parse(JSON.stringify(expectContainer))
+    expectJobContainer.name = base.name
+    mergeContainerWithOptions(base, from)
+    expect(base).toStrictEqual(expectContainer)
+  })
+
+  it('should merge pod spec', () => {
+    const base = {
+      containers: [
+        {
+          image: 'node:22',
+          name: 'test',
+          env: [
+            {
+              name: 'TEST',
+              value: 'TEST'
+            }
+          ],
+          ports: [
+            {
+              containerPort: 8080,
+              hostPort: 8080,
+              protocol: 'TCP'
+            }
+          ]
+        }
+      ],
+      restartPolicy: 'Never'
+    } as k8s.V1PodSpec
+
+    const from = {
+      securityContext: {
+        runAsUser: 1000,
+        fsGroup: 2000
+      },
+      restartPolicy: 'Always',
+      volumes: [
+        {
+          name: 'work',
+          emptyDir: {}
+        }
+      ],
+      containers: [
+        {
+          image: 'ubuntu:latest',
+          name: 'side-car',
+          env: [
+            {
+              name: 'TEST',
+              value: 'TEST'
+            }
+          ],
+          ports: [
+            {
+              containerPort: 8080,
+              hostPort: 8080,
+              protocol: 'TCP'
+            }
+          ]
+        }
+      ]
+    } as k8s.V1PodSpec
+
+    const expected = JSON.parse(JSON.stringify(base))
+    expected.securityContext = from.securityContext
+    expected.restartPolicy = from.restartPolicy
+    expected.volumes = from.volumes
+    expected.containers.push(from.containers[0])
+
+    mergePodSpecWithOptions(base, from)
+
+    expect(base).toStrictEqual(expected)
+  })
+})

packages/k8s/tests/prepare-job-test.ts

@@ -1,36 +1,31 @@
 import * as fs from 'fs'
 import * as path from 'path'
 import { cleanupJob } from '../src/hooks'
-import { prepareJob } from '../src/hooks/prepare-job'
+import { createContainerSpec, prepareJob } from '../src/hooks/prepare-job'
-import { TestTempOutput } from './test-setup'
+import { TestHelper } from './test-setup'
+import { ENV_HOOK_TEMPLATE_PATH, generateContainerName } from '../src/k8s/utils'
+import { execPodStep, getPodByName } from '../src/k8s'
+import { V1Container } from '@kubernetes/client-node'
+import { JOB_CONTAINER_NAME } from '../src/hooks/constants'
 
 jest.useRealTimers()
 
-let testTempOutput: TestTempOutput
+let testHelper: TestHelper
 
-const prepareJobJsonPath = path.resolve(
-  `${__dirname}/../../../examples/prepare-job.json`
-)
 let prepareJobData: any
 
 let prepareJobOutputFilePath: string
 
 describe('Prepare job', () => {
-  beforeEach(() => {
+  beforeEach(async () => {
-    const prepareJobJson = fs.readFileSync(prepareJobJsonPath)
+    testHelper = new TestHelper()
-    prepareJobData = JSON.parse(prepareJobJson.toString())
+    await testHelper.initialize()
-
+    prepareJobData = testHelper.getPrepareJobDefinition()
-    testTempOutput = new TestTempOutput()
+    prepareJobOutputFilePath = testHelper.createFile('prepare-job-output.json')
-    testTempOutput.initialize()
-    prepareJobOutputFilePath = testTempOutput.createFile(
-      'prepare-job-output.json'
-    )
   })
   afterEach(async () => {
-    const outputJson = fs.readFileSync(prepareJobOutputFilePath)
-    const outputData = JSON.parse(outputJson.toString())
     await cleanupJob()
-    testTempOutput.cleanup()
+    await testHelper.cleanup()
   })
 
   it('should not throw exception', async () => {
@@ -44,4 +39,196 @@ describe('Prepare job', () => {
     const content = fs.readFileSync(prepareJobOutputFilePath)
     expect(() => JSON.parse(content.toString())).not.toThrow()
   })
+
+  it('should prepare job with absolute path for userVolumeMount', async () => {
+    const userVolumeMount = path.join(
+      process.env.GITHUB_WORKSPACE as string,
+      'myvolume'
+    )
+    fs.mkdirSync(userVolumeMount)
+    fs.writeFileSync(path.join(userVolumeMount, 'file.txt'), 'hello')
+    prepareJobData.args.container.userMountVolumes = [
+      {
+        sourceVolumePath: userVolumeMount,
+        targetVolumePath: '/__w/myvolume',
+        readOnly: false
+      }
+    ]
+    await expect(
+      prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+    ).resolves.not.toThrow()
+
+    const content = JSON.parse(
+      fs.readFileSync(prepareJobOutputFilePath).toString()
+    )
+
+    await execPodStep(
+      [
+        'sh',
+        '-c',
+        '\'[ "$(cat /__w/myvolume/file.txt)" = "hello" ] || exit 5\''
+      ],
+      content!.state!.jobPod,
+      JOB_CONTAINER_NAME
+    ).then(output => {
+      expect(output).toBe(0)
+    })
+  })
+
+  it('should prepare job with envs CI and GITHUB_ACTIONS', async () => {
+    await prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+
+    const content = JSON.parse(
+      fs.readFileSync(prepareJobOutputFilePath).toString()
+    )
+
+    const got = await getPodByName(content.state.jobPod)
+    expect(got.spec?.containers[0].env).toEqual(
+      expect.arrayContaining([
+        { name: 'CI', value: 'true' },
+        { name: 'GITHUB_ACTIONS', value: 'true' }
+      ])
+    )
+    expect(got.spec?.containers[1].env).toEqual(
+      expect.arrayContaining([
+        { name: 'CI', value: 'true' },
+        { name: 'GITHUB_ACTIONS', value: 'true' }
+      ])
+    )
+  })
+
+  it('should not override CI env var if already set', async () => {
+    prepareJobData.args.container.environmentVariables = {
+      CI: 'false'
+    }
+
+    await prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+
+    const content = JSON.parse(
+      fs.readFileSync(prepareJobOutputFilePath).toString()
+    )
+
+    const got = await getPodByName(content.state.jobPod)
+    expect(got.spec?.containers[0].env).toEqual(
+      expect.arrayContaining([
+        { name: 'CI', value: 'false' },
+        { name: 'GITHUB_ACTIONS', value: 'true' }
+      ])
+    )
+    expect(got.spec?.containers[1].env).toEqual(
+      expect.arrayContaining([
+        { name: 'CI', value: 'true' },
+        { name: 'GITHUB_ACTIONS', value: 'true' }
+      ])
+    )
+  })
+
+  it('should not run prepare job without the job container', async () => {
+    prepareJobData.args.container = undefined
+    await expect(
+      prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+    ).rejects.toThrow()
+  })
+
+  it('should not set command + args for service container if not passed in args', async () => {
+    const services = prepareJobData.args.services.map(service => {
+      return createContainerSpec(service, generateContainerName(service.image))
+    }) as [V1Container]
+
+    expect(services[0].command).toBe(undefined)
+    expect(services[0].args).toBe(undefined)
+  })
+
+  it('should determine alpine correctly', async () => {
+    prepareJobData.args.container.image = 'alpine:latest'
+    await prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+    const content = JSON.parse(
+      fs.readFileSync(prepareJobOutputFilePath).toString()
+    )
+    expect(content.isAlpine).toBe(true)
+  })
+
+  it('should run pod with extensions applied', async () => {
+    process.env[ENV_HOOK_TEMPLATE_PATH] = path.join(
+      __dirname,
+      '../../../examples/extension.yaml'
+    )
+
+    await expect(
+      prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+    ).resolves.not.toThrow()
+
+    delete process.env[ENV_HOOK_TEMPLATE_PATH]
+
+    const content = JSON.parse(
+      fs.readFileSync(prepareJobOutputFilePath).toString()
+    )
+
+    const got = await getPodByName(content.state.jobPod)
+
+    expect(got.metadata?.annotations?.['annotated-by']).toBe('extension')
+    expect(got.metadata?.labels?.['labeled-by']).toBe('extension')
+    expect(got.spec?.restartPolicy).toBe('Never')
+
+    // job container
+    expect(got.spec?.containers[0].name).toBe(JOB_CONTAINER_NAME)
+    expect(got.spec?.containers[0].image).toBe('node:22')
+    expect(got.spec?.containers[0].command).toEqual(['sh'])
+    expect(got.spec?.containers[0].args).toEqual(['-c', 'sleep 50'])
+
+    // service container
+    expect(got.spec?.containers[1].image).toBe('redis')
+    expect(got.spec?.containers[1].command).toBeFalsy()
+    expect(got.spec?.containers[1].args).toBeFalsy()
+    expect(got.spec?.containers[1].env).toEqual(
+      expect.arrayContaining([
+        { name: 'CI', value: 'true' },
+        { name: 'GITHUB_ACTIONS', value: 'true' },
+        { name: 'ENV2', value: 'value2' }
+      ])
+    )
+    expect(got.spec?.containers[1].resources).toEqual({
+      requests: { memory: '1Mi', cpu: '1' },
+      limits: { memory: '1Gi', cpu: '2' }
+    })
+    // side-car
+    expect(got.spec?.containers[2].name).toBe('side-car')
+    expect(got.spec?.containers[2].image).toBe('ubuntu:latest')
+    expect(got.spec?.containers[2].command).toEqual(['sh'])
+    expect(got.spec?.containers[2].args).toEqual(['-c', 'sleep 60'])
+  })
+
+  it('should put only job and services in output context file', async () => {
+    process.env[ENV_HOOK_TEMPLATE_PATH] = path.join(
+      __dirname,
+      '../../../examples/extension.yaml'
+    )
+
+    await expect(
+      prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+    ).resolves.not.toThrow()
+
+    const content = JSON.parse(
+      fs.readFileSync(prepareJobOutputFilePath).toString()
+    )
+
+    expect(content.state.jobPod).toBeTruthy()
+    expect(content.context.container).toBeTruthy()
+    expect(content.context.services).toBeTruthy()
+    expect(content.context.services.length).toBe(1)
+  })
+
+  test.each([undefined, null, []])(
+    'should not throw exception when portMapping=%p',
+    async pm => {
+      prepareJobData.args.services.forEach(s => {
+        s.portMappings = pm
+      })
+      await prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+      const content = JSON.parse(
+        fs.readFileSync(prepareJobOutputFilePath).toString()
+      )
+      expect(() => content.context.services[0].image).not.toThrow()
+    }
+  )
 })

packages/k8s/tests/run-container-step-test.ts

@@ -1,25 +1,86 @@
-import { TestTempOutput } from './test-setup'
+import { prepareJob, runContainerStep } from '../src/hooks'
-import * as path from 'path'
+import { TestHelper } from './test-setup'
-import { runContainerStep } from '../src/hooks'
+import { ENV_HOOK_TEMPLATE_PATH } from '../src/k8s/utils'
 import * as fs from 'fs'
+import * as yaml from 'js-yaml'
+import { JOB_CONTAINER_EXTENSION_NAME } from '../src/hooks/constants'
 
 jest.useRealTimers()
 
-let testTempOutput: TestTempOutput
+let testHelper: TestHelper
-
-let runContainerStepJsonPath = path.resolve(
-  `${__dirname}/../../../examples/run-container-step.json`
-)
 
 let runContainerStepData: any
+let prepareJobData: any
+let prepareJobOutputFilePath: string
 
 describe('Run container step', () => {
-  beforeAll(() => {
+  beforeEach(async () => {
-    const content = fs.readFileSync(runContainerStepJsonPath)
+    testHelper = new TestHelper()
-    runContainerStepData = JSON.parse(content.toString())
+    await testHelper.initialize()
-    process.env.RUNNER_NAME = 'testjob'
+    prepareJobData = testHelper.getPrepareJobDefinition()
+    prepareJobOutputFilePath = testHelper.createFile('prepare-job-output.json')
+    await prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+    runContainerStepData = testHelper.getRunContainerStepDefinition()
   })
-  it('should not throw', async () => {
+
+  afterEach(async () => {
+    await testHelper.cleanup()
+  })
+
+  it('should run pod with extensions applied', async () => {
+    const extension = {
+      metadata: {
+        annotations: {
+          foo: 'bar'
+        },
+        labels: {
+          bar: 'baz'
+        }
+      },
+      spec: {
+        containers: [
+          {
+            name: JOB_CONTAINER_EXTENSION_NAME,
+            command: ['sh'],
+            args: ['-c', 'sleep 10000']
+          },
+          {
+            name: 'side-container',
+            image: 'ubuntu:latest',
+            command: ['sh'],
+            args: ['-c', 'echo test']
+          }
+        ],
+        restartPolicy: 'Never'
+      }
+    }
+
+    let filePath = testHelper.createFile()
+    fs.writeFileSync(filePath, yaml.dump(extension))
+    process.env[ENV_HOOK_TEMPLATE_PATH] = filePath
+    await expect(
+      runContainerStep(runContainerStepData.args)
+    ).resolves.not.toThrow()
+    delete process.env[ENV_HOOK_TEMPLATE_PATH]
+  })
+
+  it('should shold have env variables available', async () => {
+    runContainerStepData.args.entryPoint = 'bash'
+    runContainerStepData.args.entryPointArgs = [
+      '-c',
+      "'if [[ -z $NODE_ENV ]]; then exit 1; fi'"
+    ]
+    await expect(
+      runContainerStep(runContainerStepData.args)
+    ).resolves.not.toThrow()
+  })
+
+  it('should run container step with envs CI and GITHUB_ACTIONS', async () => {
+    runContainerStepData.args.entryPoint = 'bash'
+    runContainerStepData.args.entryPointArgs = [
+      '-c',
+      "'if [[ -z $GITHUB_ACTIONS  ]] || [[ -z $CI ]]; then exit 1; fi'"
+    ]
     await expect(
       runContainerStep(runContainerStepData.args)
     ).resolves.not.toThrow()

packages/k8s/tests/run-script-step-test.ts

@@ -1,39 +1,42 @@
-import { prepareJob, cleanupJob, runScriptStep } from '../src/hooks'
-import { TestTempOutput } from './test-setup'
-import * as path from 'path'
 import * as fs from 'fs'
+import { cleanupJob, prepareJob, runScriptStep } from '../src/hooks'
+import { TestHelper } from './test-setup'
+import { PrepareJobArgs, RunScriptStepArgs } from 'hooklib'
 
 jest.useRealTimers()
 
-let testTempOutput: TestTempOutput
+let testHelper: TestHelper
 
-const prepareJobJsonPath = path.resolve(
-  `${__dirname}/../../../examples/prepare-job.json`
-)
-let prepareJobData: any
-
-let prepareJobOutputFilePath: string
 let prepareJobOutputData: any
 
+let runScriptStepDefinition: {
+  args: RunScriptStepArgs
+}
+
 describe('Run script step', () => {
   beforeEach(async () => {
-    const prepareJobJson = fs.readFileSync(prepareJobJsonPath)
+    testHelper = new TestHelper()
-    prepareJobData = JSON.parse(prepareJobJson.toString())
+    await testHelper.initialize()
-    console.log(prepareJobData)
+    const prepareJobOutputFilePath = testHelper.createFile(
-
-    testTempOutput = new TestTempOutput()
-    testTempOutput.initialize()
-    prepareJobOutputFilePath = testTempOutput.createFile(
       'prepare-job-output.json'
     )
-    await prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+
+    const prepareJobData = testHelper.getPrepareJobDefinition()
+    runScriptStepDefinition = testHelper.getRunScriptStepDefinition() as {
+      args: RunScriptStepArgs
+    }
+
+    await prepareJob(
+      prepareJobData.args as PrepareJobArgs,
+      prepareJobOutputFilePath
+    )
     const outputContent = fs.readFileSync(prepareJobOutputFilePath)
     prepareJobOutputData = JSON.parse(outputContent.toString())
   })
 
   afterEach(async () => {
     await cleanupJob()
-    testTempOutput.cleanup()
+    await testHelper.cleanup()
   })
 
   // NOTE: To use this test, do kubectl apply -f podspec.yaml (from podspec examples)
@@ -41,21 +44,73 @@ describe('Run script step', () => {
   // npm run test run-script-step
 
   it('should not throw an exception', async () => {
-    const args = {
-      entryPointArgs: ['echo "test"'],
-      entryPoint: '/bin/bash',
-      environmentVariables: {
-        NODE_ENV: 'development'
-      },
-      prependPath: ['/foo/bar', 'bar/foo'],
-      workingDirectory: '/__w/thboop-test2/thboop-test2'
-    }
-    const state = {
-      jobPod: prepareJobOutputData.state.jobPod
-    }
-    const responseFile = null
     await expect(
-      runScriptStep(args, state, responseFile)
+      runScriptStep(runScriptStepDefinition.args, prepareJobOutputData.state)
+    ).resolves.not.toThrow()
+  })
+
+  it('should fail if the working directory does not exist', async () => {
+    runScriptStepDefinition.args.workingDirectory = '/foo/bar'
+    await expect(
+      runScriptStep(runScriptStepDefinition.args, prepareJobOutputData.state)
+    ).rejects.toThrow()
+  })
+
+  it('should shold have env variables available', async () => {
+    runScriptStepDefinition.args.entryPoint = 'bash'
+
+    runScriptStepDefinition.args.entryPointArgs = [
+      '-c',
+      "'if [[ -z $NODE_ENV ]]; then exit 1; fi'"
+    ]
+    await expect(
+      runScriptStep(runScriptStepDefinition.args, prepareJobOutputData.state)
+    ).resolves.not.toThrow()
+  })
+
+  it('Should have path variable changed in container with prepend path string', async () => {
+    runScriptStepDefinition.args.prependPath = ['/some/path']
+    runScriptStepDefinition.args.entryPoint = '/bin/bash'
+    runScriptStepDefinition.args.entryPointArgs = [
+      '-c',
+      `'if [[ ! $(env | grep "^PATH=") = "PATH=${runScriptStepDefinition.args.prependPath}:"* ]]; then exit 1; fi'`
+    ]
+
+    await expect(
+      runScriptStep(runScriptStepDefinition.args, prepareJobOutputData.state)
+    ).resolves.not.toThrow()
+  })
+
+  it('Dollar symbols in environment variables should not be expanded', async () => {
+    runScriptStepDefinition.args.environmentVariables = {
+      VARIABLE1: '$VAR',
+      VARIABLE2: '${VAR}',
+      VARIABLE3: '$(VAR)'
+    }
+    runScriptStepDefinition.args.entryPointArgs = [
+      '-c',
+      '\'if [[ -z "$VARIABLE1" ]]; then exit 1; fi\'',
+      '\'if [[ -z "$VARIABLE2" ]]; then exit 2; fi\'',
+      '\'if [[ -z "$VARIABLE3" ]]; then exit 3; fi\''
+    ]
+
+    await expect(
+      runScriptStep(runScriptStepDefinition.args, prepareJobOutputData.state)
+    ).resolves.not.toThrow()
+  })
+
+  it('Should have path variable changed in container with prepend path string array', async () => {
+    runScriptStepDefinition.args.prependPath = ['/some/other/path']
+    runScriptStepDefinition.args.entryPoint = '/bin/bash'
+    runScriptStepDefinition.args.entryPointArgs = [
+      '-c',
+      `'if [[ ! $(env | grep "^PATH=") = "PATH=${runScriptStepDefinition.args.prependPath.join(
+        ':'
+      )}:"* ]]; then exit 1; fi'`
+    ]
+
+    await expect(
+      runScriptStep(runScriptStepDefinition.args, prepareJobOutputData.state)
     ).resolves.not.toThrow()
   })
 })

packages/k8s/tests/test-kind.yaml

@@ -0,0 +1,18 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+  # add a mount from /path/to/my/files on the host to /files on the node
+  extraMounts:
+  - hostPath: {{PATHTOREPO}}
+    containerPath: {{PATHTOREPO}}
+    # optional: if set, the mount is read-only.
+    # default false
+    readOnly: false
+    # optional: if set, the mount needs SELinux relabeling.
+    # default false
+    selinuxRelabel: false
+    # optional: set propagation mode (None, HostToContainer or Bidirectional)
+    # see https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
+    # default None
+    propagation: None

packages/k8s/tests/test-setup.ts

@@ -1,28 +1,165 @@
+import * as k8s from '@kubernetes/client-node'
 import * as fs from 'fs'
+import { HookData } from 'hooklib/lib'
+import * as path from 'path'
 import { v4 as uuidv4 } from 'uuid'
 
-export class TestTempOutput {
+const kc = new k8s.KubeConfig()
+
+kc.loadFromDefault()
+
+const k8sApi = kc.makeApiClient(k8s.CoreV1Api)
+
+export class TestHelper {
   private tempDirPath: string
+  private podName: string
+  private runnerWorkdir: string
+  private runnerTemp: string
+
   constructor() {
-    this.tempDirPath = `${__dirname}/_temp/${uuidv4()}`
+    this.tempDirPath = `${__dirname}/_temp/runner`
+    this.runnerWorkdir = `${this.tempDirPath}/_work`
+    this.runnerTemp = `${this.tempDirPath}/_work/_temp`
+    this.podName = uuidv4().replace(/-/g, '')
   }
 
-  public initialize(): void {
+  async initialize(): Promise<void> {
-    fs.mkdirSync(this.tempDirPath, { recursive: true })
+    process.env['ACTIONS_RUNNER_POD_NAME'] = `${this.podName}`
+    process.env['RUNNER_WORKSPACE'] = `${this.runnerWorkdir}/repo`
+    process.env['RUNNER_TEMP'] = `${this.runnerTemp}`
+    process.env['GITHUB_WORKSPACE'] = `${this.runnerWorkdir}/repo/repo`
+    process.env['ACTIONS_RUNNER_KUBERNETES_NAMESPACE'] = 'default'
+
+    fs.mkdirSync(`${this.runnerWorkdir}/repo/repo`, { recursive: true })
+    fs.mkdirSync(`${this.tempDirPath}/externals`, { recursive: true })
+    fs.mkdirSync(this.runnerTemp, { recursive: true })
+    fs.mkdirSync(`${this.runnerTemp}/_github_workflow`, { recursive: true })
+    fs.mkdirSync(`${this.runnerTemp}/_github_home`, { recursive: true })
+    fs.mkdirSync(`${this.runnerTemp}/_runner_file_commands`, {
+      recursive: true
+    })
+
+    fs.copyFileSync(
+      path.resolve(`${__dirname}/../../../examples/example-script.sh`),
+      `${this.runnerTemp}/example-script.sh`
+    )
+
+    await this.cleanupK8sResources()
+    try {
+      await this.createTestJobPod()
+    } catch (e) {
+      console.log(e)
+    }
   }
 
-  public cleanup(): void {
+  async cleanup(): Promise<void> {
+    try {
+      await this.cleanupK8sResources()
       fs.rmSync(this.tempDirPath, { recursive: true })
+    } catch {
+      // Ignore errors during cleanup
+    }
   }
 
-  public createFile(fileName?: string): string {
+  async cleanupK8sResources(): Promise<void> {
+    await k8sApi
+      .deleteNamespacedPod({
+        name: this.podName,
+        namespace: 'default',
+        gracePeriodSeconds: 0
+      })
+      .catch((e: k8s.ApiException<any>) => {
+        if (e.code !== 404) {
+          console.error(JSON.stringify(e))
+        }
+      })
+    await k8sApi
+      .deleteNamespacedPod({
+        name: `${this.podName}-workflow`,
+        namespace: 'default',
+        gracePeriodSeconds: 0
+      })
+      .catch((e: k8s.ApiException<any>) => {
+        if (e.code !== 404) {
+          console.error(JSON.stringify(e))
+        }
+      })
+  }
+  createFile(fileName?: string): string {
     const filePath = `${this.tempDirPath}/${fileName || uuidv4()}`
     fs.writeFileSync(filePath, '')
     return filePath
   }
 
-  public removeFile(fileName: string): void {
+  removeFile(fileName: string): void {
     const filePath = `${this.tempDirPath}/${fileName}`
     fs.rmSync(filePath)
   }
+
+  async createTestJobPod(): Promise<void> {
+    const container = {
+      name: 'runner',
+      image: 'ghcr.io/actions/actions-runner:latest',
+      imagePullPolicy: 'IfNotPresent'
+    } as k8s.V1Container
+
+    const pod: k8s.V1Pod = {
+      metadata: {
+        name: this.podName
+      },
+      spec: {
+        restartPolicy: 'Never',
+        containers: [container],
+        securityContext: {
+          runAsUser: 1001,
+          runAsGroup: 1001,
+          fsGroup: 1001
+        }
+      }
+    } as k8s.V1Pod
+    await k8sApi.createNamespacedPod({ namespace: 'default', body: pod })
+  }
+
+  getPrepareJobDefinition(): HookData {
+    const prepareJob = JSON.parse(
+      fs.readFileSync(
+        path.resolve(__dirname + '/../../../examples/prepare-job.json'),
+        'utf8'
+      )
+    )
+
+    prepareJob.args.container.userMountVolumes = undefined
+    prepareJob.args.container.registry = null
+    prepareJob.args.services.forEach(s => {
+      s.registry = null
+    })
+
+    return prepareJob
+  }
+
+  getRunScriptStepDefinition(): HookData {
+    const runScriptStep = JSON.parse(
+      fs.readFileSync(
+        path.resolve(__dirname + '/../../../examples/run-script-step.json'),
+        'utf8'
+      )
+    )
+
+    runScriptStep.args.entryPointArgs[1] = `/__w/_temp/example-script.sh`
+    return runScriptStep
+  }
+
+  getRunContainerStepDefinition(): HookData {
+    const runContainerStep = JSON.parse(
+      fs.readFileSync(
+        path.resolve(__dirname + '/../../../examples/run-container-step.json'),
+        'utf8'
+      )
+    )
+
+    runContainerStep.args.entryPointArgs[1] = `/__w/_temp/example-script.sh`
+    runContainerStep.args.userMountVolumes = undefined
+    runContainerStep.args.registry = null
+    return runContainerStep
+  }
 }

packages/k8s/tsconfig.json

@@ -5,7 +5,8 @@
       "outDir": "./lib",
       "rootDir": "./src"
     },
+    "esModuleInterop": true, /* Emit additional JavaScript to ease support for importing CommonJS modules. This enables 'allowSyntheticDefaultImports' for type compatibility. */
     "include": [
-      "./src"
+      "src/**/*",
     ]
 }

packages/k8s/tsconfig.test.json

@@ -0,0 +1,6 @@
+{
+  "compilerOptions": {
+    "allowJs": true
+  },
+  "extends": "./tsconfig.json"
+}

releaseNotes.md

@@ -1,7 +1,19 @@
 ## Features
-- Initial Release
+
+- k8s: remove dependency on the runner's volume [#244]
 
 ## Bugs
 
+- docker: fix readOnly volumes in createContainer [#236]
 
 ## Misc
+
+- bump all dependencies [#234] [#240] [#239] [#238]
+- bump actions [#254]
+
+## SHA-256 Checksums
+
+The SHA-256 checksums for the packages included in this build are shown below:
+
+- actions-runner-hooks-docker-<HOOK_VERSION>.zip <DOCKER_SHA>
+- actions-runner-hooks-k8s-<HOOK_VERSION>.zip <K8S_SHA>