Merge branch 'main' of https://github.com/actions/runner-container-hooks into fhammerl+nikola-jokic/kaniko

* Update releaseNotes.md

* Bump version to 0.2.0

CODEOWNERS

@@ -1 +1 @@
-* @actions/actions-runtime
+* @actions/actions-runtime @actions/runner-akvelon

CONTRIBUTING.md

@@ -13,7 +13,7 @@ You'll need a runner compatible with hooks, a repository with container workflow
 - You'll need a runner compatible with hooks, a repository with container workflows to which you can register the runner and the hooks from this repository.
 - See [the runner contributing.md](../../github/CONTRIBUTING.MD) for how to get started with runner development.
 - Build your hook using `npm run build`
-- Enable the hooks by setting `ACTIONS_RUNNER_CONTAINER_HOOK=./packages/{libraryname}/dist/index.js` file generated by [ncc](https://github.com/vercel/ncc)
+- Enable the hooks by setting `ACTIONS_RUNNER_CONTAINER_HOOKS=./packages/{libraryname}/dist/index.js` file generated by [ncc](https://github.com/vercel/ncc)
 - Configure your self hosted runner against the a repository you have admin access
 - Run a workflow with a container job, for example
 ```

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "hooks",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "hooks",
-      "version": "0.1.1",
+      "version": "0.1.3",
       "license": "MIT",
       "devDependencies": {
         "@types/jest": "^27.5.1",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "hooks",
-  "version": "0.1.1",
+  "version": "0.2.0",
   "description": "Three projects are included - k8s: a kubernetes hook implementation that spins up pods dynamically to run a job - docker: A hook implementation of the runner's docker implementation  - A hook lib, which contains shared typescript definitions and utilities that the other packages consume",
   "main": "",
   "directories": {

packages/docker/package-lock.json

@@ -9,7 +9,7 @@
       "version": "0.1.0",
       "license": "MIT",
       "dependencies": {
-        "@actions/core": "^1.6.0",
+        "@actions/core": "^1.9.1",
         "@actions/exec": "^1.1.1",
         "hooklib": "file:../hooklib",
         "uuid": "^8.3.2"
@@ -30,7 +30,7 @@
       "version": "0.1.0",
       "license": "MIT",
       "dependencies": {
-        "@actions/core": "^1.6.0"
+        "@actions/core": "^1.9.1"
       },
       "devDependencies": {
         "@types/node": "^17.0.23",
@@ -43,11 +43,12 @@
       }
     },
     "node_modules/@actions/core": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz",
-      "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==",
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
       "dependencies": {
-        "@actions/http-client": "^1.0.11"
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
       }
     },
     "node_modules/@actions/exec": {
@@ -59,11 +60,11 @@
       }
     },
     "node_modules/@actions/http-client": {
-      "version": "1.0.11",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
-      "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+      "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
       "dependencies": {
-        "tunnel": "0.0.6"
+        "tunnel": "^0.0.6"
       }
     },
     "node_modules/@actions/io": {
@@ -5279,11 +5280,12 @@
   },
   "dependencies": {
     "@actions/core": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz",
-      "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==",
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
       "requires": {
-        "@actions/http-client": "^1.0.11"
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
       }
     },
     "@actions/exec": {
@@ -5295,11 +5297,11 @@
       }
     },
     "@actions/http-client": {
-      "version": "1.0.11",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
-      "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+      "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
       "requires": {
-        "tunnel": "0.0.6"
+        "tunnel": "^0.0.6"
       }
     },
     "@actions/io": {
@@ -7376,7 +7378,7 @@
     "hooklib": {
       "version": "file:../hooklib",
       "requires": {
-        "@actions/core": "^1.6.0",
+        "@actions/core": "^1.9.1",
         "@types/node": "^17.0.23",
         "@typescript-eslint/parser": "^5.18.0",
         "@zeit/ncc": "^0.22.3",

packages/docker/package.json

@@ -10,7 +10,7 @@
   "author": "",
   "license": "MIT",
   "dependencies": {
-    "@actions/core": "^1.6.0",
+    "@actions/core": "^1.9.1",
     "@actions/exec": "^1.1.1",
     "hooklib": "file:../hooklib",
     "uuid": "^8.3.2"

packages/docker/src/dockerCommands/container.ts

@@ -427,6 +427,9 @@ export async function containerRun(
   dockerArgs.push(args.image)
   if (args.entryPointArgs) {
     for (const entryPointArg of args.entryPointArgs) {
+      if (!entryPointArg) {
+        continue
+      }
       dockerArgs.push(entryPointArg)
     }
   }

packages/docker/src/utils.ts

@@ -16,6 +16,7 @@ export async function runDockerCommand(
   args: string[],
   options?: RunDockerCommandOptions
 ): Promise<string> {
+  options = optionsWithDockerEnvs(options)
   const pipes = await exec.getExecOutput('docker', args, options)
   if (pipes.exitCode !== 0) {
     core.error(`Docker failed with exit code ${pipes.exitCode}`)
@@ -24,6 +25,45 @@ export async function runDockerCommand(
   return Promise.resolve(pipes.stdout)
 }
 
+export function optionsWithDockerEnvs(
+  options?: RunDockerCommandOptions
+): RunDockerCommandOptions | undefined {
+  // From https://docs.docker.com/engine/reference/commandline/cli/#environment-variables
+  const dockerCliEnvs = new Set([
+    'DOCKER_API_VERSION',
+    'DOCKER_CERT_PATH',
+    'DOCKER_CONFIG',
+    'DOCKER_CONTENT_TRUST_SERVER',
+    'DOCKER_CONTENT_TRUST',
+    'DOCKER_CONTEXT',
+    'DOCKER_DEFAULT_PLATFORM',
+    'DOCKER_HIDE_LEGACY_COMMANDS',
+    'DOCKER_HOST',
+    'DOCKER_STACK_ORCHESTRATOR',
+    'DOCKER_TLS_VERIFY',
+    'BUILDKIT_PROGRESS'
+  ])
+  const dockerEnvs = {}
+  for (const key in process.env) {
+    if (dockerCliEnvs.has(key)) {
+      dockerEnvs[key] = process.env[key]
+    }
+  }
+
+  const newOptions = {
+    workingDir: options?.workingDir,
+    input: options?.input,
+    env: options?.env || {}
+  }
+
+  // Set docker envs or overwrite provided ones
+  for (const [key, value] of Object.entries(dockerEnvs)) {
+    newOptions.env[key] = value as string
+  }
+
+  return newOptions
+}
+
 export function sanitize(val: string): string {
   if (!val || typeof val !== 'string') {
     return ''

packages/docker/tests/run-script-step-test.ts

@@ -52,7 +52,9 @@ describe('run script step', () => {
     definitions.runScriptStep.args.entryPoint = '/bin/bash'
     definitions.runScriptStep.args.entryPointArgs = [
       '-c',
-      `if [[ ! $(env | grep "^PATH=") = "PATH=${definitions.runScriptStep.args.prependPath}:"* ]]; then exit 1; fi`
+      `if [[ ! $(env | grep "^PATH=") = "PATH=${definitions.runScriptStep.args.prependPath.join(
+        ':'
+      )}:"* ]]; then exit 1; fi`
     ]
     await expect(
       runScriptStep(definitions.runScriptStep.args, prepareJobResponse.state)

packages/docker/tests/utils-test.ts

@@ -1,4 +1,4 @@
-import { sanitize } from '../src/utils'
+import { optionsWithDockerEnvs, sanitize } from '../src/utils'
 
 describe('Utilities', () => {
   it('should return sanitized image name', () => {
@@ -9,4 +9,41 @@ describe('Utilities', () => {
     const validStr = 'teststr8_one'
     expect(sanitize(validStr)).toBe(validStr)
   })
+
+  describe('with docker options', () => {
+    it('should augment options with docker environment variables', () => {
+      process.env.DOCKER_HOST = 'unix:///run/user/1001/docker.sock'
+      process.env.DOCKER_NOTEXIST = 'notexist'
+
+      const optionDefinitions: any = [
+        undefined,
+        {},
+        { env: {} },
+        { env: { DOCKER_HOST: 'unix://var/run/docker.sock' } }
+      ]
+      for (const opt of optionDefinitions) {
+        let options = optionsWithDockerEnvs(opt)
+        expect(options).toBeDefined()
+        expect(options?.env).toBeDefined()
+        expect(options?.env?.DOCKER_HOST).toBe(process.env.DOCKER_HOST)
+        expect(options?.env?.DOCKER_NOTEXIST).toBeUndefined()
+      }
+    })
+
+    it('should not overwrite other options', () => {
+      process.env.DOCKER_HOST = 'unix:///run/user/1001/docker.sock'
+      const opt = {
+        workingDir: 'test',
+        input: Buffer.from('test')
+      }
+
+      const options = optionsWithDockerEnvs(opt)
+      expect(options).toBeDefined()
+      expect(options?.workingDir).toBe(opt.workingDir)
+      expect(options?.input).toBe(opt.input)
+      expect(options?.env).toStrictEqual({
+        DOCKER_HOST: process.env.DOCKER_HOST
+      })
+    })
+  })
 })

packages/hooklib/package-lock.json

@@ -9,7 +9,7 @@
       "version": "0.1.0",
       "license": "MIT",
       "dependencies": {
-        "@actions/core": "^1.6.0"
+        "@actions/core": "^1.9.1"
       },
       "devDependencies": {
         "@types/node": "^17.0.23",
@@ -22,19 +22,20 @@
       }
     },
     "node_modules/@actions/core": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz",
-      "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==",
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
       "dependencies": {
-        "@actions/http-client": "^1.0.11"
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
       }
     },
     "node_modules/@actions/http-client": {
-      "version": "1.0.11",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
-      "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+      "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
       "dependencies": {
-        "tunnel": "0.0.6"
+        "tunnel": "^0.0.6"
       }
     },
     "node_modules/@eslint/eslintrc": {
@@ -2485,6 +2486,14 @@
         "punycode": "^2.1.0"
       }
     },
+    "node_modules/uuid": {
+      "version": "8.3.2",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
+      "bin": {
+        "uuid": "dist/bin/uuid"
+      }
+    },
     "node_modules/v8-compile-cache": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/v8-compile-cache/-/v8-compile-cache-2.3.0.tgz",
@@ -2546,19 +2555,20 @@
   },
   "dependencies": {
     "@actions/core": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz",
-      "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==",
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
       "requires": {
-        "@actions/http-client": "^1.0.11"
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
       }
     },
     "@actions/http-client": {
-      "version": "1.0.11",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
-      "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+      "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
       "requires": {
-        "tunnel": "0.0.6"
+        "tunnel": "^0.0.6"
       }
     },
     "@eslint/eslintrc": {
@@ -4300,6 +4310,11 @@
         "punycode": "^2.1.0"
       }
     },
+    "uuid": {
+      "version": "8.3.2",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="
+    },
     "v8-compile-cache": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/v8-compile-cache/-/v8-compile-cache-2.3.0.tgz",

packages/hooklib/package.json

@@ -23,6 +23,6 @@
     "typescript": "^4.6.3"
   },
   "dependencies": {
-    "@actions/core": "^1.6.0"
+    "@actions/core": "^1.9.1"
   }
 }

packages/k8s/package-lock.json

@@ -9,7 +9,7 @@
       "version": "0.1.0",
       "license": "MIT",
       "dependencies": {
-        "@actions/core": "^1.6.0",
+        "@actions/core": "^1.9.1",
         "@actions/exec": "^1.1.1",
         "@actions/io": "^1.1.2",
         "@kubernetes/client-node": "^0.16.3",
@@ -28,7 +28,7 @@
       "version": "0.1.0",
       "license": "MIT",
       "dependencies": {
-        "@actions/core": "^1.6.0"
+        "@actions/core": "^1.9.1"
       },
       "devDependencies": {
         "@types/node": "^17.0.23",
@@ -41,11 +41,20 @@
       }
     },
     "node_modules/@actions/core": {
-      "version": "1.8.2",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.8.2.tgz",
-      "integrity": "sha512-FXcBL7nyik8K5ODeCKlxi+vts7torOkoDAKfeh61EAkAy1HAvwn9uVzZBY0f15YcQTcZZ2/iSGBFHEuioZWfDA==",
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
       "dependencies": {
-        "@actions/http-client": "^2.0.1"
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
+      }
+    },
+    "node_modules/@actions/core/node_modules/uuid": {
+      "version": "8.3.2",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
+      "bin": {
+        "uuid": "dist/bin/uuid"
       }
     },
     "node_modules/@actions/exec": {
@@ -3428,9 +3437,9 @@
       }
     },
     "node_modules/jose": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/jose/-/jose-2.0.5.tgz",
-      "integrity": "sha512-BAiDNeDKTMgk4tvD0BbxJ8xHEHBZgpeRZ1zGPPsitSyMgjoMWiLGYAE7H7NpP5h0lPppQajQs871E8NHUrzVPA==",
+      "version": "2.0.6",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-2.0.6.tgz",
+      "integrity": "sha512-FVoPY7SflDodE4lknJmbAHSUjLCzE2H1F6MS0RYKMQ8SR+lNccpMf8R4eqkNYyyUjR5qZReOzZo5C5YiHOCjjg==",
       "dependencies": {
         "@panva/asn1.js": "^1.0.0"
       },
@@ -5145,11 +5154,19 @@
   },
   "dependencies": {
     "@actions/core": {
-      "version": "1.8.2",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.8.2.tgz",
-      "integrity": "sha512-FXcBL7nyik8K5ODeCKlxi+vts7torOkoDAKfeh61EAkAy1HAvwn9uVzZBY0f15YcQTcZZ2/iSGBFHEuioZWfDA==",
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
       "requires": {
-        "@actions/http-client": "^2.0.1"
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
+      },
+      "dependencies": {
+        "uuid": {
+          "version": "8.3.2",
+          "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+          "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="
+        }
       }
     },
     "@actions/exec": {
@@ -7074,7 +7091,7 @@
     "hooklib": {
       "version": "file:../hooklib",
       "requires": {
-        "@actions/core": "^1.6.0",
+        "@actions/core": "^1.9.1",
         "@types/node": "^17.0.23",
         "@typescript-eslint/parser": "^5.18.0",
         "@zeit/ncc": "^0.22.3",
@@ -7804,9 +7821,9 @@
       }
     },
     "jose": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/jose/-/jose-2.0.5.tgz",
-      "integrity": "sha512-BAiDNeDKTMgk4tvD0BbxJ8xHEHBZgpeRZ1zGPPsitSyMgjoMWiLGYAE7H7NpP5h0lPppQajQs871E8NHUrzVPA==",
+      "version": "2.0.6",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-2.0.6.tgz",
+      "integrity": "sha512-FVoPY7SflDodE4lknJmbAHSUjLCzE2H1F6MS0RYKMQ8SR+lNccpMf8R4eqkNYyyUjR5qZReOzZo5C5YiHOCjjg==",
       "requires": {
         "@panva/asn1.js": "^1.0.0"
       }

packages/k8s/package.json

@@ -13,7 +13,7 @@
   "author": "",
   "license": "MIT",
   "dependencies": {
-    "@actions/core": "^1.6.0",
+    "@actions/core": "^1.9.1",
     "@actions/exec": "^1.1.1",
     "@actions/io": "^1.1.2",
     "@kubernetes/client-node": "^0.16.3",

packages/k8s/src/hooks/constants.ts

@@ -39,14 +39,14 @@ export function getSecretName(): string {
   )}-secret-${uuidv4().substring(0, STEP_POD_NAME_SUFFIX_LENGTH)}`
 }
 
-const MAX_POD_NAME_LENGTH = 63
-const STEP_POD_NAME_SUFFIX_LENGTH = 8
+export const MAX_POD_NAME_LENGTH = 63
+export const STEP_POD_NAME_SUFFIX_LENGTH = 8
 export const JOB_CONTAINER_NAME = 'job'
 
 export class RunnerInstanceLabel {
-  runnerhook: string
+  private podName: string
   constructor() {
-    this.runnerhook = process.env.ACTIONS_RUNNER_POD_NAME as string
+    this.podName = getRunnerPodName()
   }
 
   get key(): string {
@@ -54,10 +54,10 @@ export class RunnerInstanceLabel {
   }
 
   get value(): string {
-    return this.runnerhook
+    return this.podName
   }
 
   toString(): string {
-    return `runner-pod=${this.runnerhook}`
+    return `runner-pod=${this.podName}`
   }
 }

packages/k8s/src/hooks/prepare-job.ts

@@ -46,10 +46,10 @@ export async function prepareJob(
   }
   let createdPod: k8s.V1Pod | undefined = undefined
   try {
-    createdPod = await createPod(container, services, args.registry)
+    createdPod = await createPod(container, services, args.container.registry)
   } catch (err) {
     await prunePods()
-    throw new Error(`failed to create job pod: ${JSON.stringify(err)}`)
+    throw new Error(`failed to create job pod: ${err}`)
   }
 
   if (!createdPod?.metadata?.name) {
@@ -158,7 +158,7 @@ function createPodSpec(
   name: string,
   jobContainer = false
 ): k8s.V1Container {
-  if (!container.entryPoint) {
+  if (!container.entryPoint && jobContainer) {
     container.entryPoint = DEFAULT_CONTAINER_ENTRY_POINT
     container.entryPointArgs = DEFAULT_CONTAINER_ENTRY_POINT_ARGS
   }

packages/k8s/src/hooks/run-container-step.ts

@@ -8,7 +8,8 @@ import {
   getPodLogs,
   getPodStatus,
   waitForJobToComplete,
-  waitForPodPhases
+  waitForPodPhases,
+  containerBuild
 } from '../k8s'
 import {
   containerVolumes,
@@ -23,7 +24,8 @@ export async function runContainerStep(
   stepContainer: RunContainerStepArgs
 ): Promise<number> {
   if (stepContainer.dockerfile) {
-    throw new Error('Building container actions is not currently supported')
+    const imageUrl = await containerBuild(stepContainer)
+    stepContainer.image = imageUrl
   }
 
   let secretName: string | undefined = undefined

packages/k8s/src/hooks/run-script-step.ts

@@ -28,7 +28,7 @@ export async function runScriptStep(
       JOB_CONTAINER_NAME
     )
   } catch (err) {
-    throw new Error(`failed to run script step: ${JSON.stringify(err)}`)
+    throw new Error(`failed to run script step: ${err}`)
   } finally {
     fs.rmSync(runnerPath)
   }

packages/k8s/src/index.ts

@@ -22,7 +22,7 @@ async function run(): Promise<void> {
       throw new Error(
         `The Service account needs the following permissions ${JSON.stringify(
           requiredPermissions
-        )} on the pod resource in the '${namespace}' namespace. Please contact your self hosted runner administrator.`
+        )} on the pod resource in the '${namespace()}' namespace. Please contact your self hosted runner administrator.`
       )
     }
     switch (command) {

packages/k8s/src/k8s/index.ts

@@ -1,5 +1,6 @@
+import * as core from '@actions/core'
 import * as k8s from '@kubernetes/client-node'
-import { ContainerInfo, Registry } from 'hooklib'
+import { RunContainerStepArgs, ContainerInfo, Registry } from 'hooklib'
 import * as stream from 'stream'
 import {
   getJobPodName,
@@ -9,15 +10,25 @@ import {
   getVolumeClaimName,
   RunnerInstanceLabel
 } from '../hooks/constants'
+import { kanikoPod } from './kaniko'
+import { v4 as uuidv4 } from 'uuid'
 import { PodPhase } from './utils'
+import {
+  namespace,
+  kc,
+  k8sApi,
+  k8sBatchV1Api,
+  k8sAuthorizationV1Api,
+  localRegistryNodePort,
+  localRegistryHost,
+  localRegistryPort,
+  remoteRegistryHost,
+  remoteRegistryHandle,
+  remoteRegistrySecretName,
+  isLocalRegistrySet
+} from './settings'
 
-const kc = new k8s.KubeConfig()
-
-kc.loadFromDefault()
-
-const k8sApi = kc.makeApiClient(k8s.CoreV1Api)
-const k8sBatchV1Api = kc.makeApiClient(k8s.BatchV1Api)
-const k8sAuthorizationV1Api = kc.makeApiClient(k8s.AuthorizationV1Api)
+export * from './settings'
 
 export const POD_VOLUME_NAME = 'work'
 
@@ -45,12 +56,6 @@ export const requiredPermissions = [
     verbs: ['get', 'list', 'create', 'delete'],
     resource: 'jobs',
     subresource: ''
-  },
-  {
-    group: '',
-    verbs: ['create', 'delete', 'get', 'list'],
-    resource: 'secrets',
-    subresource: ''
   }
 ]
 
@@ -109,13 +114,14 @@ export async function createPod(
 export async function createJob(
   container: k8s.V1Container
 ): Promise<k8s.V1Job> {
-  const job = new k8s.V1Job()
+  const runnerInstanceLabel = new RunnerInstanceLabel()
 
+  const job = new k8s.V1Job()
   job.apiVersion = 'batch/v1'
   job.kind = 'Job'
   job.metadata = new k8s.V1ObjectMeta()
   job.metadata.name = getStepPodName()
-  job.metadata.labels = { 'runner-pod': getRunnerPodName() }
+  job.metadata.labels = { [runnerInstanceLabel.key]: runnerInstanceLabel.value }
 
   job.spec = new k8s.V1JobSpec()
   job.spec.ttlSecondsAfterFinished = 300
@@ -127,7 +133,7 @@ export async function createJob(
   job.spec.template.spec.restartPolicy = 'Never'
   job.spec.template.spec.nodeName = await getCurrentNodeName()
 
-  const claimName = `${runnerName()}-work`
+  const claimName = getVolumeClaimName()
   job.spec.template.spec.volumes = [
     {
       name: 'work',
@@ -185,33 +191,30 @@ export async function execPodStep(
 ): Promise<void> {
   const exec = new k8s.Exec(kc)
   await new Promise(async function (resolve, reject) {
-    try {
-      await exec.exec(
-        namespace(),
-        podName,
-        containerName,
-        command,
-        process.stdout,
-        process.stderr,
-        stdin ?? null,
-        false /* tty */,
-        resp => {
-          // kube.exec returns an error if exit code is not 0, but we can't actually get the exit code
-          if (resp.status === 'Success') {
-            resolve(resp.code)
-          } else {
-            reject(
-              JSON.stringify({
-                message: resp?.message,
-                details: resp?.details
-              })
-            )
-          }
+    await exec.exec(
+      namespace(),
+      podName,
+      containerName,
+      command,
+      process.stdout,
+      process.stderr,
+      stdin ?? null,
+      false /* tty */,
+      resp => {
+        // kube.exec returns an error if exit code is not 0, but we can't actually get the exit code
+        if (resp.status === 'Success') {
+          resolve(resp.code)
+        } else {
+          core.debug(
+            JSON.stringify({
+              message: resp?.message,
+              details: resp?.details
+            })
+          )
+          reject(resp?.message)
         }
-      )
-    } catch (error) {
-      reject(JSON.stringify(error))
-    }
+      }
+    )
   })
 }
 
@@ -234,29 +237,34 @@ export async function createDockerSecret(
 ): Promise<k8s.V1Secret> {
   const authContent = {
     auths: {
-      [registry.serverUrl]: {
+      [registry.serverUrl || 'https://index.docker.io/v1/']: {
         username: registry.username,
         password: registry.password,
-        auth: Buffer.from(
-          `${registry.username}:${registry.password}`,
+        auth: Buffer.from(`${registry.username}:${registry.password}`).toString(
           'base64'
-        ).toString()
+        )
       }
     }
   }
+
+  const runnerInstanceLabel = new RunnerInstanceLabel()
+
   const secretName = getSecretName()
   const secret = new k8s.V1Secret()
   secret.immutable = true
   secret.apiVersion = 'v1'
   secret.metadata = new k8s.V1ObjectMeta()
   secret.metadata.name = secretName
-  secret.metadata.labels = { 'runner-pod': getRunnerPodName() }
+  secret.metadata.namespace = namespace()
+  secret.metadata.labels = {
+    [runnerInstanceLabel.key]: runnerInstanceLabel.value
+  }
+  secret.type = 'kubernetes.io/dockerconfigjson'
   secret.kind = 'Secret'
   secret.data = {
-    '.dockerconfigjson': Buffer.from(
-      JSON.stringify(authContent),
+    '.dockerconfigjson': Buffer.from(JSON.stringify(authContent)).toString(
       'base64'
-    ).toString()
+    )
   }
 
   const { body } = await k8sApi.createNamespacedSecret(namespace(), secret)
@@ -266,13 +274,18 @@ export async function createDockerSecret(
 export async function createSecretForEnvs(envs: {
   [key: string]: string
 }): Promise<string> {
+  const runnerInstanceLabel = new RunnerInstanceLabel()
+
   const secret = new k8s.V1Secret()
   const secretName = getSecretName()
   secret.immutable = true
   secret.apiVersion = 'v1'
   secret.metadata = new k8s.V1ObjectMeta()
   secret.metadata.name = secretName
-  secret.metadata.labels = { 'runner-pod': getRunnerPodName() }
+
+  secret.metadata.labels = {
+    [runnerInstanceLabel.key]: runnerInstanceLabel.value
+  }
   secret.kind = 'Secret'
   secret.data = {}
   for (const [key, value] of Object.entries(envs)) {
@@ -316,8 +329,20 @@ export async function waitForPodPhases(
   const backOffManager = new BackOffManager(maxTimeSeconds)
   let phase: PodPhase = PodPhase.UNKNOWN
   try {
-    while (true) {
-      phase = await getPodPhase(podName)
+    let retryCount = 0
+    while (retryCount < 3) {
+      try {
+        phase = await getPodPhase(podName)
+      } catch (err) {
+        const e = err as k8s.HttpError
+        if (e?.body?.reason === 'NotFound') {
+          retryCount++
+          await backOffManager.backOff()
+          continue
+        } else {
+          throw err
+        }
+      }
       if (awaitingPhases.has(phase)) {
         return
       }
@@ -329,6 +354,7 @@ export async function waitForPodPhases(
       }
       await backOffManager.backOff()
     }
+    throw new Error(`Failed to get pod phase after ${retryCount} attempts`)
   } catch (error) {
     throw new Error(`Pod ${podName} is unhealthy with phase status ${phase}`)
   }
@@ -372,7 +398,7 @@ export async function getPodLogs(
   })
 
   logStream.on('error', err => {
-    process.stderr.write(JSON.stringify(err))
+    process.stderr.write(err.message)
   })
 
   const r = await log.log(namespace(), podName, containerName, logStream, {
@@ -455,6 +481,42 @@ export async function isPodContainerAlpine(
   return isAlpine
 }
 
+export async function containerBuild(
+  args: RunContainerStepArgs
+): Promise<string> {
+  let kanikoRegistry = ''
+  let pullRegistry = ''
+  let secretName: string | undefined = undefined
+  if (isLocalRegistrySet()) {
+    const host = `${localRegistryHost()}.${namespace()}.svc.cluster.local`
+    const port = localRegistryPort()
+    const uri = `${generateBuildHandle()}/${generateBuildImage()}`
+    kanikoRegistry = `${host}:${port}/${uri}`
+    pullRegistry = `localhost:${localRegistryNodePort()}/${uri}`
+  } else {
+    const uri = `${remoteRegistryHandle()}/${generateBuildImage()}`
+    if (remoteRegistryHost()) {
+      kanikoRegistry = `${remoteRegistryHost()}/${uri}`
+    } else {
+      kanikoRegistry = uri
+    }
+    pullRegistry = kanikoRegistry
+    secretName = remoteRegistrySecretName()
+  }
+
+  const pod = kanikoPod(args.dockerfile, kanikoRegistry, secretName)
+  if (!pod.metadata?.name) {
+    throw new Error('kaniko pod name is not set')
+  }
+  await k8sApi.createNamespacedPod(namespace(), pod)
+  await waitForPodPhases(
+    pod.metadata.name,
+    new Set([PodPhase.SUCCEEDED]),
+    new Set([PodPhase.PENDING, PodPhase.UNKNOWN, PodPhase.RUNNING])
+  )
+  return pullRegistry
+}
+
 async function getCurrentNodeName(): Promise<string> {
   const resp = await k8sApi.readNamespacedPod(getRunnerPodName(), namespace())
 
@@ -464,29 +526,6 @@ async function getCurrentNodeName(): Promise<string> {
   }
   return nodeName
 }
-export function namespace(): string {
-  if (process.env['ACTIONS_RUNNER_KUBERNETES_NAMESPACE']) {
-    return process.env['ACTIONS_RUNNER_KUBERNETES_NAMESPACE']
-  }
-
-  const context = kc.getContexts().find(ctx => ctx.namespace)
-  if (!context?.namespace) {
-    throw new Error(
-      'Failed to determine namespace, falling back to `default`. Namespace should be set in context, or in env variable "ACTIONS_RUNNER_KUBERNETES_NAMESPACE"'
-    )
-  }
-  return context.namespace
-}
-
-function runnerName(): string {
-  const name = process.env.ACTIONS_RUNNER_POD_NAME
-  if (!name) {
-    throw new Error(
-      'Failed to determine runner name. "ACTIONS_RUNNER_POD_NAME" env variables should be set.'
-    )
-  }
-  return name
-}
 
 class BackOffManager {
   private backOffSeconds = 1
@@ -517,28 +556,46 @@ class BackOffManager {
 export function containerPorts(
   container: ContainerInfo
 ): k8s.V1ContainerPort[] {
-  // 8080:8080/tcp
-  const portFormat = /(\d{1,5})(:(\d{1,5}))?(\/(tcp|udp))?/
-
   const ports: k8s.V1ContainerPort[] = []
   for (const portDefinition of container.portMappings) {
-    const submatches = portFormat.exec(portDefinition)
-    if (!submatches) {
-      throw new Error(
-        `Port definition "${portDefinition}" is in incorrect format`
-      )
+    const portProtoSplit = portDefinition.split('/')
+    if (portProtoSplit.length > 2) {
+      throw new Error(`Unexpected port format: ${portDefinition}`)
     }
+
     const port = new k8s.V1ContainerPort()
-    port.hostPort = Number(submatches[1])
-    if (submatches[3]) {
-      port.containerPort = Number(submatches[3])
+    port.protocol =
+      portProtoSplit.length === 2 ? portProtoSplit[1].toUpperCase() : 'TCP'
+
+    const portSplit = portProtoSplit[0].split(':')
+    if (portSplit.length > 2) {
+      throw new Error('ports should have at most one ":" separator')
     }
-    if (submatches[5]) {
-      port.protocol = submatches[5].toUpperCase()
+
+    const parsePort = (p: string): number => {
+      const num = Number(p)
+      if (!Number.isInteger(num) || num < 1 || num > 65535) {
+        throw new Error(`invalid container port: ${p}`)
+      }
+      return num
+    }
+
+    if (portSplit.length === 1) {
+      port.containerPort = parsePort(portSplit[0])
     } else {
-      port.protocol = 'TCP'
+      port.hostPort = parsePort(portSplit[0])
+      port.containerPort = parsePort(portSplit[1])
     }
+
     ports.push(port)
   }
   return ports
 }
+
+function generateBuildImage(): string {
+  return `${uuidv4()}:${uuidv4()}`
+}
+
+function generateBuildHandle(): string {
+  return uuidv4()
+}

packages/k8s/src/k8s/kaniko.ts

@@ -0,0 +1,95 @@
+import * as k8s from '@kubernetes/client-node'
+import * as path from 'path'
+import {
+  getRunnerPodName,
+  getVolumeClaimName,
+  MAX_POD_NAME_LENGTH,
+  RunnerInstanceLabel
+} from '../hooks/constants'
+import { POD_VOLUME_NAME } from '.'
+
+export const KANIKO_MOUNT_PATH = '/mnt/kaniko'
+
+function getKanikoName(): string {
+  return `${getRunnerPodName().substring(
+    0,
+    MAX_POD_NAME_LENGTH - '-kaniko'.length
+  )}-kaniko`
+}
+
+export function kanikoPod(
+  dockerfile: string,
+  destination: string,
+  secretName?: string
+): k8s.V1Pod {
+  const pod = new k8s.V1Pod()
+  pod.apiVersion = 'v1'
+  pod.kind = 'Pod'
+  pod.metadata = new k8s.V1ObjectMeta()
+  pod.metadata.name = getKanikoName()
+  const instanceLabel = new RunnerInstanceLabel()
+  pod.metadata.labels = {
+    [instanceLabel.key]: instanceLabel.value
+  }
+
+  const spec = new k8s.V1PodSpec()
+  const c = new k8s.V1Container()
+  c.image = 'gcr.io/kaniko-project/executor:latest'
+  c.name = 'kaniko'
+  c.imagePullPolicy = 'Always'
+  const prefix = (process.env.RUNNER_WORKSPACE as string).split('_work')[0]
+  const subPath = path
+    .dirname(dockerfile)
+    .substring(prefix.length + '_work/'.length)
+
+  c.volumeMounts = [
+    {
+      name: POD_VOLUME_NAME,
+      mountPath: KANIKO_MOUNT_PATH,
+      subPath,
+      readOnly: true
+    }
+  ]
+  c.args = [
+    `--dockerfile=${path.basename(dockerfile)}`,
+    `--context=dir://${KANIKO_MOUNT_PATH}`,
+    `--destination=${destination}`
+  ]
+  spec.containers = [c]
+  spec.dnsPolicy = 'ClusterFirst'
+  spec.restartPolicy = 'Never'
+  pod.spec = spec
+  const claimName: string = getVolumeClaimName()
+  pod.spec.volumes = [
+    {
+      name: POD_VOLUME_NAME,
+      persistentVolumeClaim: { claimName }
+    }
+  ]
+  if (secretName) {
+    const volumeName = 'docker-registry'
+    pod.spec.volumes.push({
+      name: volumeName,
+      projected: {
+        sources: [
+          {
+            secret: {
+              name: secretName,
+              items: [
+                {
+                  key: '.dockerconfigjson',
+                  path: 'config.json'
+                }
+              ]
+            }
+          }
+        ]
+      }
+    })
+    c.volumeMounts.push({
+      name: volumeName,
+      mountPath: '/kaniko/.docker/'
+    })
+  }
+  return pod
+}

packages/k8s/src/k8s/settings.ts

@@ -0,0 +1,73 @@
+import * as k8s from '@kubernetes/client-node'
+export const kc = new k8s.KubeConfig()
+
+kc.loadFromDefault()
+
+export const k8sApi = kc.makeApiClient(k8s.CoreV1Api)
+export const k8sBatchV1Api = kc.makeApiClient(k8s.BatchV1Api)
+export const k8sAuthorizationV1Api = kc.makeApiClient(k8s.AuthorizationV1Api)
+
+export const POD_VOLUME_NAME = 'work'
+export function namespace(): string {
+  if (process.env['ACTIONS_RUNNER_KUBERNETES_NAMESPACE']) {
+    return process.env['ACTIONS_RUNNER_KUBERNETES_NAMESPACE']
+  }
+
+  const context = kc.getContexts().find(ctx => ctx.namespace)
+  if (!context?.namespace) {
+    throw new Error(
+      'Failed to determine namespace, falling back to `default`. Namespace should be set in context, or in env variable "ACTIONS_RUNNER_KUBERNETES_NAMESPACE"'
+    )
+  }
+  return context.namespace
+}
+
+export function isLocalRegistrySet(): boolean {
+  const name = 'ACTIONS_RUNNER_CONTAINER_HOOKS_LOCAL_REGISTRY_HOST'
+  return !!process.env[name]
+}
+
+export function localRegistryHost(): string {
+  const name = 'ACTIONS_RUNNER_CONTAINER_HOOKS_LOCAL_REGISTRY_HOST'
+  if (process.env[name]) {
+    return process.env[name]
+  }
+  throw new Error(`environment variable ${name} is not set`)
+}
+
+export function localRegistryPort(): number {
+  const name = 'ACTIONS_RUNNER_CONTAINER_HOOKS_LOCAL_REGISTRY_PORT'
+  if (process.env[name]) {
+    return parseInt(process.env[name])
+  }
+  throw new Error(`environment variable ${name} is not set`)
+}
+
+export function localRegistryNodePort(): number {
+  const name = 'ACTIONS_RUNNER_CONTAINER_HOOKS_LOCAL_REGISTRY_NODE_PORT'
+  if (process.env[name]) {
+    return parseInt(process.env[name])
+  }
+  throw new Error(`environment variable ${name} is not set`)
+}
+
+export function remoteRegistryHost(): string {
+  const name = 'ACTIONS_RUNNER_CONTAINER_HOOKS_REMOTE_REGISTRY_HOST'
+  return process.env[name] || ''
+}
+
+export function remoteRegistryHandle(): string {
+  const name = 'ACTIONS_RUNNER_CONTAINER_HOOKS_REMOTE_REGISTRY_HANDLE'
+  if (process.env[name]) {
+    return process.env[name]
+  }
+  throw new Error(`environment variable ${name} is not set`)
+}
+
+export function remoteRegistrySecretName(): string {
+  const name = 'ACTIONS_RUNNER_CONTAINER_HOOKS_REMOTE_REGISTRY_SECRET_NAME'
+  if (process.env[name]) {
+    return process.env[name]
+  }
+  throw new Error(`environment variable ${name} is not set`)
+}

packages/k8s/src/k8s/utils.ts

@@ -20,18 +20,20 @@ export function containerVolumes(
     }
   ]
 
+  const workspacePath = process.env.GITHUB_WORKSPACE as string
   if (containerAction) {
-    const workspace = process.env.GITHUB_WORKSPACE as string
+    const i = workspacePath.lastIndexOf('_work/')
+    const workspaceRelativePath = workspacePath.slice(i + '_work/'.length)
     mounts.push(
       {
         name: POD_VOLUME_NAME,
         mountPath: '/github/workspace',
-        subPath: workspace.substring(workspace.indexOf('work/') + 1)
+        subPath: workspaceRelativePath
       },
       {
         name: POD_VOLUME_NAME,
         mountPath: '/github/file_commands',
-        subPath: workspace.substring(workspace.indexOf('work/') + 1)
+        subPath: '_temp/_runner_file_commands'
       }
     )
     return mounts
@@ -63,7 +65,6 @@ export function containerVolumes(
     return mounts
   }
 
-  const workspacePath = process.env.GITHUB_WORKSPACE as string
   for (const userVolume of userMountVolumes) {
     let sourceVolumePath = ''
     if (path.isAbsolute(userVolume.sourceVolumePath)) {

packages/k8s/tests/cleanup-job-test.ts

@@ -1,4 +1,7 @@
+import * as k8s from '@kubernetes/client-node'
 import { cleanupJob, prepareJob } from '../src/hooks'
+import { RunnerInstanceLabel } from '../src/hooks/constants'
+import { namespace } from '../src/k8s'
 import { TestHelper } from './test-setup'
 
 let testHelper: TestHelper
@@ -13,10 +16,50 @@ describe('Cleanup Job', () => {
     )
     await prepareJob(prepareJobData.args, prepareJobOutputFilePath)
   })
-  it('should not throw', async () => {
-    await expect(cleanupJob()).resolves.not.toThrow()
-  })
+
   afterEach(async () => {
     await testHelper.cleanup()
   })
+
+  it('should not throw', async () => {
+    await expect(cleanupJob()).resolves.not.toThrow()
+  })
+
+  it('should have no runner linked pods running', async () => {
+    await cleanupJob()
+    const kc = new k8s.KubeConfig()
+
+    kc.loadFromDefault()
+    const k8sApi = kc.makeApiClient(k8s.CoreV1Api)
+
+    const podList = await k8sApi.listNamespacedPod(
+      namespace(),
+      undefined,
+      undefined,
+      undefined,
+      undefined,
+      new RunnerInstanceLabel().toString()
+    )
+
+    expect(podList.body.items.length).toBe(0)
+  })
+
+  it('should have no runner linked secrets', async () => {
+    await cleanupJob()
+    const kc = new k8s.KubeConfig()
+
+    kc.loadFromDefault()
+    const k8sApi = kc.makeApiClient(k8s.CoreV1Api)
+
+    const secretList = await k8sApi.listNamespacedSecret(
+      namespace(),
+      undefined,
+      undefined,
+      undefined,
+      undefined,
+      new RunnerInstanceLabel().toString()
+    )
+
+    expect(secretList.body.items.length).toBe(0)
+  })
 })

packages/k8s/tests/constants-test.ts

@@ -0,0 +1,182 @@
+import {
+  getJobPodName,
+  getRunnerPodName,
+  getSecretName,
+  getStepPodName,
+  getVolumeClaimName,
+  JOB_CONTAINER_NAME,
+  MAX_POD_NAME_LENGTH,
+  RunnerInstanceLabel,
+  STEP_POD_NAME_SUFFIX_LENGTH
+} from '../src/hooks/constants'
+
+describe('constants', () => {
+  describe('runner instance label', () => {
+    beforeEach(() => {
+      process.env.ACTIONS_RUNNER_POD_NAME = 'example'
+    })
+    it('should throw if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => new RunnerInstanceLabel()).toThrow()
+    })
+
+    it('should have key truthy', () => {
+      const runnerInstanceLabel = new RunnerInstanceLabel()
+      expect(typeof runnerInstanceLabel.key).toBe('string')
+      expect(runnerInstanceLabel.key).toBeTruthy()
+      expect(runnerInstanceLabel.key.length).toBeGreaterThan(0)
+    })
+
+    it('should have value as runner pod name', () => {
+      const name = process.env.ACTIONS_RUNNER_POD_NAME as string
+      const runnerInstanceLabel = new RunnerInstanceLabel()
+      expect(typeof runnerInstanceLabel.value).toBe('string')
+      expect(runnerInstanceLabel.value).toBe(name)
+    })
+
+    it('should have toString combination of key and value', () => {
+      const runnerInstanceLabel = new RunnerInstanceLabel()
+      expect(runnerInstanceLabel.toString()).toBe(
+        `${runnerInstanceLabel.key}=${runnerInstanceLabel.value}`
+      )
+    })
+  })
+
+  describe('getRunnerPodName', () => {
+    it('should throw if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => getRunnerPodName()).toThrow()
+
+      process.env.ACTIONS_RUNNER_POD_NAME = ''
+      expect(() => getRunnerPodName()).toThrow()
+    })
+
+    it('should return corrent ACTIONS_RUNNER_POD_NAME name', () => {
+      const name = 'example'
+      process.env.ACTIONS_RUNNER_POD_NAME = name
+      expect(getRunnerPodName()).toBe(name)
+    })
+  })
+
+  describe('getJobPodName', () => {
+    it('should throw on getJobPodName if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => getJobPodName()).toThrow()
+
+      process.env.ACTIONS_RUNNER_POD_NAME = ''
+      expect(() => getRunnerPodName()).toThrow()
+    })
+
+    it('should contain suffix -workflow', () => {
+      const tableTests = [
+        {
+          podName: 'test',
+          expect: 'test-workflow'
+        },
+        {
+          // podName.length == 63
+          podName:
+            'abcdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
+          expect:
+            'abcdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-workflow'
+        }
+      ]
+
+      for (const tt of tableTests) {
+        process.env.ACTIONS_RUNNER_POD_NAME = tt.podName
+        const actual = getJobPodName()
+        expect(actual).toBe(tt.expect)
+      }
+    })
+  })
+
+  describe('getVolumeClaimName', () => {
+    it('should throw if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_CLAIM_NAME
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => getVolumeClaimName()).toThrow()
+
+      process.env.ACTIONS_RUNNER_POD_NAME = ''
+      expect(() => getVolumeClaimName()).toThrow()
+    })
+
+    it('should return ACTIONS_RUNNER_CLAIM_NAME env if set', () => {
+      const claimName = 'testclaim'
+      process.env.ACTIONS_RUNNER_CLAIM_NAME = claimName
+      process.env.ACTIONS_RUNNER_POD_NAME = 'example'
+      expect(getVolumeClaimName()).toBe(claimName)
+    })
+
+    it('should contain suffix -work if ACTIONS_RUNNER_CLAIM_NAME is not set', () => {
+      delete process.env.ACTIONS_RUNNER_CLAIM_NAME
+      process.env.ACTIONS_RUNNER_POD_NAME = 'example'
+      expect(getVolumeClaimName()).toBe('example-work')
+    })
+  })
+
+  describe('getSecretName', () => {
+    it('should throw if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => getSecretName()).toThrow()
+
+      process.env.ACTIONS_RUNNER_POD_NAME = ''
+      expect(() => getSecretName()).toThrow()
+    })
+
+    it('should contain suffix -secret- and name trimmed', () => {
+      const podNames = [
+        'test',
+        'abcdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+      ]
+
+      for (const podName of podNames) {
+        process.env.ACTIONS_RUNNER_POD_NAME = podName
+        const actual = getSecretName()
+        const re = new RegExp(
+          `${podName.substring(
+            MAX_POD_NAME_LENGTH -
+              '-secret-'.length -
+              STEP_POD_NAME_SUFFIX_LENGTH
+          )}-secret-[a-z0-9]{8,}`
+        )
+        expect(actual).toMatch(re)
+      }
+    })
+  })
+
+  describe('getStepPodName', () => {
+    it('should throw if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => getStepPodName()).toThrow()
+
+      process.env.ACTIONS_RUNNER_POD_NAME = ''
+      expect(() => getStepPodName()).toThrow()
+    })
+
+    it('should contain suffix -step- and name trimmed', () => {
+      const podNames = [
+        'test',
+        'abcdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+      ]
+
+      for (const podName of podNames) {
+        process.env.ACTIONS_RUNNER_POD_NAME = podName
+        const actual = getStepPodName()
+        const re = new RegExp(
+          `${podName.substring(
+            MAX_POD_NAME_LENGTH - '-step-'.length - STEP_POD_NAME_SUFFIX_LENGTH
+          )}-step-[a-z0-9]{8,}`
+        )
+        expect(actual).toMatch(re)
+      }
+    })
+  })
+
+  describe('const values', () => {
+    it('should have constants set', () => {
+      expect(JOB_CONTAINER_NAME).toBeTruthy()
+      expect(MAX_POD_NAME_LENGTH).toBeGreaterThan(0)
+      expect(STEP_POD_NAME_SUFFIX_LENGTH).toBeGreaterThan(0)
+    })
+  })
+})

packages/k8s/tests/k8s-utils-test.ts

@@ -0,0 +1,224 @@
+import * as fs from 'fs'
+import { containerPorts, POD_VOLUME_NAME } from '../src/k8s'
+import { containerVolumes, writeEntryPointScript } from '../src/k8s/utils'
+import { TestHelper } from './test-setup'
+
+let testHelper: TestHelper
+
+describe('k8s utils', () => {
+  describe('write entrypoint', () => {
+    beforeEach(async () => {
+      testHelper = new TestHelper()
+      await testHelper.initialize()
+    })
+
+    afterEach(async () => {
+      await testHelper.cleanup()
+    })
+
+    it('should not throw', () => {
+      expect(() =>
+        writeEntryPointScript(
+          '/test',
+          'sh',
+          ['-e', 'script.sh'],
+          ['/prepend/path'],
+          {
+            SOME_ENV: 'SOME_VALUE'
+          }
+        )
+      ).not.toThrow()
+    })
+
+    it('should throw if RUNNER_TEMP is not set', () => {
+      delete process.env.RUNNER_TEMP
+      expect(() =>
+        writeEntryPointScript(
+          '/test',
+          'sh',
+          ['-e', 'script.sh'],
+          ['/prepend/path'],
+          {
+            SOME_ENV: 'SOME_VALUE'
+          }
+        )
+      ).toThrow()
+    })
+
+    it('should return object with containerPath and runnerPath', () => {
+      const { containerPath, runnerPath } = writeEntryPointScript(
+        '/test',
+        'sh',
+        ['-e', 'script.sh'],
+        ['/prepend/path'],
+        {
+          SOME_ENV: 'SOME_VALUE'
+        }
+      )
+      expect(containerPath).toMatch(/\/__w\/_temp\/.*\.sh/)
+      const re = new RegExp(`${process.env.RUNNER_TEMP}/.*\\.sh`)
+      expect(runnerPath).toMatch(re)
+    })
+
+    it('should write entrypoint path and the file should exist', () => {
+      const { runnerPath } = writeEntryPointScript(
+        '/test',
+        'sh',
+        ['-e', 'script.sh'],
+        ['/prepend/path'],
+        {
+          SOME_ENV: 'SOME_VALUE'
+        }
+      )
+      expect(fs.existsSync(runnerPath)).toBe(true)
+    })
+  })
+
+  describe('container volumes', () => {
+    beforeEach(async () => {
+      testHelper = new TestHelper()
+      await testHelper.initialize()
+    })
+
+    afterEach(async () => {
+      await testHelper.cleanup()
+    })
+
+    it('should throw if container action and GITHUB_WORKSPACE env is not set', () => {
+      delete process.env.GITHUB_WORKSPACE
+      expect(() => containerVolumes([], true, true)).toThrow()
+      expect(() => containerVolumes([], false, true)).toThrow()
+    })
+
+    it('should always have work mount', () => {
+      let volumes = containerVolumes([], true, true)
+      expect(volumes.find(e => e.mountPath === '/__w')).toBeTruthy()
+      volumes = containerVolumes([], true, false)
+      expect(volumes.find(e => e.mountPath === '/__w')).toBeTruthy()
+      volumes = containerVolumes([], false, true)
+      expect(volumes.find(e => e.mountPath === '/__w')).toBeTruthy()
+      volumes = containerVolumes([], false, false)
+      expect(volumes.find(e => e.mountPath === '/__w')).toBeTruthy()
+    })
+
+    it('should have container action volumes', () => {
+      let volumes = containerVolumes([], true, true)
+      let workspace = volumes.find(e => e.mountPath === '/github/workspace')
+      let fileCommands = volumes.find(
+        e => e.mountPath === '/github/file_commands'
+      )
+      expect(workspace).toBeTruthy()
+      expect(workspace?.subPath).toBe('repo/repo')
+      expect(fileCommands).toBeTruthy()
+      expect(fileCommands?.subPath).toBe('_temp/_runner_file_commands')
+
+      volumes = containerVolumes([], false, true)
+      workspace = volumes.find(e => e.mountPath === '/github/workspace')
+      fileCommands = volumes.find(e => e.mountPath === '/github/file_commands')
+      expect(workspace).toBeTruthy()
+      expect(workspace?.subPath).toBe('repo/repo')
+      expect(fileCommands).toBeTruthy()
+      expect(fileCommands?.subPath).toBe('_temp/_runner_file_commands')
+    })
+
+    it('should have externals, github home and github workflow mounts if job container', () => {
+      const volumes = containerVolumes()
+      expect(volumes.find(e => e.mountPath === '/__e')).toBeTruthy()
+      expect(volumes.find(e => e.mountPath === '/github/home')).toBeTruthy()
+      expect(volumes.find(e => e.mountPath === '/github/workflow')).toBeTruthy()
+    })
+
+    it('should throw if user volume source volume path is not in workspace', () => {
+      expect(() =>
+        containerVolumes(
+          [
+            {
+              sourceVolumePath: '/outside/of/workdir'
+            }
+          ],
+          true,
+          false
+        )
+      ).toThrow()
+    })
+
+    it(`all volumes should have name ${POD_VOLUME_NAME}`, () => {
+      let volumes = containerVolumes([], true, true)
+      expect(volumes.every(e => e.name === POD_VOLUME_NAME)).toBeTruthy()
+      volumes = containerVolumes([], true, false)
+      expect(volumes.every(e => e.name === POD_VOLUME_NAME)).toBeTruthy()
+      volumes = containerVolumes([], false, true)
+      expect(volumes.every(e => e.name === POD_VOLUME_NAME)).toBeTruthy()
+      volumes = containerVolumes([], false, false)
+      expect(volumes.every(e => e.name === POD_VOLUME_NAME)).toBeTruthy()
+    })
+
+    it('should parse container ports', () => {
+      const tt = [
+        {
+          spec: '8080:80',
+          want: {
+            containerPort: 80,
+            hostPort: 8080,
+            protocol: 'TCP'
+          }
+        },
+        {
+          spec: '8080:80/udp',
+          want: {
+            containerPort: 80,
+            hostPort: 8080,
+            protocol: 'UDP'
+          }
+        },
+        {
+          spec: '8080/udp',
+          want: {
+            containerPort: 8080,
+            hostPort: undefined,
+            protocol: 'UDP'
+          }
+        },
+        {
+          spec: '8080',
+          want: {
+            containerPort: 8080,
+            hostPort: undefined,
+            protocol: 'TCP'
+          }
+        }
+      ]
+
+      for (const tc of tt) {
+        const got = containerPorts({ portMappings: [tc.spec] })
+        for (const [key, value] of Object.entries(tc.want)) {
+          expect(got[0][key]).toBe(value)
+        }
+      }
+    })
+
+    it('should throw when ports are out of range (0, 65536)', () => {
+      expect(() => containerPorts({ portMappings: ['65536'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['0'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['65536/udp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['0/udp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['1:65536'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['65536:1'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['1:65536/tcp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['65536:1/tcp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['1:'] })).toThrow()
+      expect(() => containerPorts({ portMappings: [':1'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['1:/tcp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: [':1/tcp'] })).toThrow()
+    })
+
+    it('should throw on multi ":" splits', () => {
+      expect(() => containerPorts({ portMappings: ['1:1:1'] })).toThrow()
+    })
+
+    it('should throw on multi "/" splits', () => {
+      expect(() => containerPorts({ portMappings: ['1:1/tcp/udp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['1/tcp/udp'] })).toThrow()
+    })
+  })
+})

packages/k8s/tests/run-container-step-test.ts

@@ -3,11 +3,10 @@ import { TestHelper } from './test-setup'
 
 jest.useRealTimers()
 
-let testHelper: TestHelper
+describe('Run container step with image', () => {
+  let testHelper: TestHelper
+  let runContainerStepData: any
 
-let runContainerStepData: any
-
-describe('Run container step', () => {
   beforeEach(async () => {
     testHelper = new TestHelper()
     await testHelper.initialize()
@@ -39,3 +38,33 @@ describe('Run container step', () => {
     ).resolves.not.toThrow()
   })
 })
+
+describe('run container step with docker build', () => {
+  let testHelper: TestHelper
+  let runContainerStepData: any
+  beforeEach(async () => {
+    testHelper = new TestHelper()
+    await testHelper.initialize()
+    runContainerStepData = testHelper.getRunContainerStepDefinition()
+  })
+
+  afterEach(async () => {
+    await testHelper.cleanup()
+  })
+
+  it('should build container and execute docker action', async () => {
+    const { registryName, localRegistryPort, nodePort } =
+      await testHelper.createContainerRegistry()
+
+    process.env.ACTIONS_RUNNER_CONTAINER_HOOKS_LOCAL_REGISTRY_HOST =
+      registryName
+    process.env.ACTIONS_RUNNER_CONTAINER_HOOKS_LOCAL_REGISTRY_PORT =
+      localRegistryPort.toString()
+    process.env.ACTIONS_RUNNER_CONTAINER_HOOKS_LOCAL_REGISTRY_NODE_PORT =
+      nodePort.toString()
+    const actionPath = testHelper.initializeDockerAction()
+    const data = JSON.parse(JSON.stringify(runContainerStepData))
+    data.args.dockerfile = `${actionPath}/Dockerfile`
+    await expect(runContainerStep(data.args)).resolves.not.toThrow()
+  })
+})

packages/k8s/tests/run-script-step-test.ts

@@ -59,6 +59,7 @@ describe('Run script step', () => {
   it('should shold have env variables available', async () => {
     runScriptStepDefinition.args.entryPoint = 'bash'
 
+    runScriptStepDefinition.args.workingDirectory = '/' // set to '/' so that cd does not throw
     runScriptStepDefinition.args.entryPointArgs = [
       '-c',
       "'if [[ -z $NODE_ENV ]]; then exit 1; fi'"
@@ -94,7 +95,9 @@ describe('Run script step', () => {
     runScriptStepDefinition.args.entryPoint = '/bin/bash'
     runScriptStepDefinition.args.entryPointArgs = [
       '-c',
-      `'if [[ ! $(env | grep "^PATH=") = "PATH=${runScriptStepDefinition.args.prependPath}:"* ]]; then exit 1; fi'`
+      `'if [[ ! $(env | grep "^PATH=") = "PATH=${runScriptStepDefinition.args.prependPath.join(
+        ':'
+      )}:"* ]]; then exit 1; fi'`
     ]
 
     await expect(

packages/k8s/tests/test-setup.ts

@@ -2,7 +2,10 @@ import * as k8s from '@kubernetes/client-node'
 import * as fs from 'fs'
 import { HookData } from 'hooklib/lib'
 import * as path from 'path'
+import internal from 'stream'
 import { v4 as uuidv4 } from 'uuid'
+import { waitForPodPhases } from '../src/k8s'
+import { PodPhase } from '../src/k8s/utils'
 
 const kc = new k8s.KubeConfig()
 
@@ -10,6 +13,7 @@ kc.loadFromDefault()
 
 const k8sApi = kc.makeApiClient(k8s.CoreV1Api)
 const k8sStorageApi = kc.makeApiClient(k8s.StorageV1Api)
+const k8sAppsV1 = kc.makeApiClient(k8s.AppsV1Api)
 
 export class TestHelper {
   private tempDirPath: string
@@ -40,7 +44,7 @@ export class TestHelper {
       await this.createTestVolume()
       await this.createTestJobPod()
     } catch (e) {
-      console.log(JSON.stringify(e))
+      console.log(e)
     }
   }
 
@@ -74,10 +78,19 @@ export class TestHelper {
         0
       )
       .catch(e => {})
+    await k8sApi
+      .deleteNamespacedPod(
+        `${this.podName}-kaniko`,
+        'default',
+        undefined,
+        undefined,
+        0
+      )
+      .catch(e => {})
   }
-  public createFile(fileName?: string): string {
+  public createFile(fileName?: string, content = ''): string {
     const filePath = `${this.tempDirPath}/${fileName || uuidv4()}`
-    fs.writeFileSync(filePath, '')
+    fs.writeFileSync(filePath, content)
     return filePath
   }
 
@@ -193,4 +206,237 @@ export class TestHelper {
     runContainerStep.args.registry = null
     return runContainerStep
   }
+
+  public async createContainerRegistry(): Promise<{
+    registryName: string
+    localRegistryPort: number
+    nodePort: number
+  }> {
+    const registryName = 'docker-registry'
+    const localRegistryPort = 5000
+    const nodePort = 31500
+
+    const cm = registryConfigMap(registryName, localRegistryPort)
+    const secret = registrySecret(registryName)
+    const ss = registryStatefulSet(registryName, localRegistryPort)
+    const svc = registryService(registryName, localRegistryPort, nodePort)
+    const namespace =
+      process.env['ACTIONS_RUNNER_KUBERNETES_NAMESPACE'] || 'default'
+
+    await Promise.all([
+      k8sApi.createNamespacedConfigMap(namespace, cm),
+      k8sApi.createNamespacedSecret(namespace, secret)
+    ])
+    await k8sAppsV1.createNamespacedStatefulSet(namespace, ss)
+    await waitForPodPhases(
+      `${registryName}-0`,
+      new Set([PodPhase.RUNNING]),
+      new Set([PodPhase.PENDING])
+    )
+    await k8sApi.createNamespacedService(namespace, svc)
+    return {
+      registryName,
+      localRegistryPort,
+      nodePort
+    }
+  }
+
+  public initializeDockerAction(): string {
+    const actionPath = `${this.tempDirPath}/_work/_actions/example-handle/example-repo/example-branch/mock-directory`
+    fs.mkdirSync(actionPath, { recursive: true })
+    this.writeDockerfile(actionPath)
+    this.writeEntrypoint(actionPath)
+    return actionPath
+  }
+
+  private writeDockerfile(actionPath: string) {
+    const content = `FROM ubuntu:latest
+COPY entrypoint.sh /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]`
+    fs.writeFileSync(`${actionPath}/Dockerfile`, content)
+  }
+
+  private writeEntrypoint(actionPath) {
+    const content = `#!/bin/sh -l
+echo "Hello $1"
+time=$(date)
+echo "::set-output name=time::$time"`
+    const entryPointPath = `${actionPath}/entrypoint.sh`
+    fs.writeFileSync(entryPointPath, content)
+    fs.chmodSync(entryPointPath, 0o755)
+  }
+}
+
+function registryConfigMap(name: string, port: number): k8s.V1ConfigMap {
+  const REGISTRY_CONFIG_MAP_YAML = `
+storage:
+  filesystem:
+    rootdirectory: /var/lib/registry
+    maxthreads: 100
+health:
+  storagedriver:
+    enabled: true
+    interval: 10s
+    threshold: 3
+http:
+  addr: :${port}
+  headers:
+    X-Content-Type-Options:
+    - nosniff
+log:
+  fields:
+    service: registry
+storage:
+  cache:
+    blobdescriptor: inmemory
+version: 0.1
+`.trim()
+  const cm = new k8s.V1ConfigMap()
+  cm.apiVersion = 'v1'
+  cm.data = {
+    'config.yaml': REGISTRY_CONFIG_MAP_YAML
+  }
+  cm.kind = 'ConfigMap'
+  cm.metadata = new k8s.V1ObjectMeta()
+  cm.metadata.labels = { app: name }
+  cm.metadata.name = `${name}-config`
+
+  return cm
+}
+
+function registryStatefulSet(name: string, port: number): k8s.V1StatefulSet {
+  const ss = new k8s.V1StatefulSet()
+  ss.apiVersion = 'apps/v1'
+  ss.metadata = new k8s.V1ObjectMeta()
+  ss.metadata.name = name
+
+  const spec = new k8s.V1StatefulSetSpec()
+  spec.selector = new k8s.V1LabelSelector()
+  spec.selector.matchLabels = { app: 'docker-registry' }
+  spec.serviceName = 'registry'
+  spec.replicas = 1
+
+  const tmpl = new k8s.V1PodTemplateSpec()
+  tmpl.metadata = new k8s.V1ObjectMeta()
+  tmpl.metadata.labels = { app: name }
+  tmpl.spec = new k8s.V1PodSpec()
+  tmpl.spec.terminationGracePeriodSeconds = 5 // TODO: figure out for how long
+
+  const c = new k8s.V1Container()
+  c.command = ['/bin/registry', 'serve', '/etc/docker/registry/config.yaml']
+  c.env = [
+    {
+      name: 'REGISTRY_HTTP_SECRET',
+      valueFrom: {
+        secretKeyRef: {
+          key: 'haSharedSecret',
+          name: `${name}-secret`
+        }
+      }
+    },
+    {
+      name: 'REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY',
+      value: '/var/lib/registry'
+    }
+  ]
+  c.image = 'registry:2.6.2'
+  c.name = name
+  c.imagePullPolicy = 'IfNotPresent'
+  c.ports = [
+    {
+      containerPort: port,
+      protocol: 'TCP'
+    }
+  ]
+
+  c.volumeMounts = [
+    {
+      mountPath: '/etc/docker/registry',
+      name: 'docker-registry-config'
+    }
+  ]
+
+  c.livenessProbe = new k8s.V1Probe()
+  c.livenessProbe.failureThreshold = 3
+  c.livenessProbe.periodSeconds = 10
+  c.livenessProbe.successThreshold = 1
+  c.livenessProbe.timeoutSeconds = 1
+  c.livenessProbe.httpGet = new k8s.V1HTTPGetAction()
+  c.livenessProbe.httpGet.path = '/'
+  c.livenessProbe.httpGet.port = port
+  c.livenessProbe.httpGet.scheme = 'HTTP'
+
+  c.readinessProbe = new k8s.V1Probe()
+  c.readinessProbe.failureThreshold = 3
+  c.readinessProbe.periodSeconds = 10
+  c.readinessProbe.successThreshold = 1
+  c.readinessProbe.timeoutSeconds = 1
+  c.readinessProbe.httpGet = new k8s.V1HTTPGetAction()
+  c.readinessProbe.httpGet.path = '/'
+  c.readinessProbe.httpGet.port = port
+  c.readinessProbe.httpGet.scheme = 'HTTP'
+
+  tmpl.spec.containers = [c]
+  tmpl.spec.volumes = [
+    {
+      name: `${name}-config`,
+      configMap: {
+        name: `${name}-config`
+      }
+    }
+  ]
+
+  spec.template = tmpl
+  ss.spec = spec
+
+  return ss
+}
+function registryService(
+  name: string,
+  port: number,
+  nodePort: number
+): k8s.V1Service {
+  const svc = new k8s.V1Service()
+  svc.apiVersion = 'v1'
+  svc.kind = 'Service'
+  svc.metadata = new k8s.V1ObjectMeta()
+  svc.metadata.name = name
+  svc.metadata.labels = {
+    app: name
+  }
+  const spec = new k8s.V1ServiceSpec()
+  spec.externalTrafficPolicy = 'Cluster'
+  spec.ports = [
+    {
+      name: 'registry',
+      nodePort: nodePort,
+      port: port,
+      protocol: 'TCP',
+      targetPort: port
+    }
+  ]
+  spec.selector = {
+    app: name
+  }
+  spec.sessionAffinity = 'None'
+  spec.type = 'NodePort'
+  svc.spec = spec
+
+  return svc
+}
+
+function registrySecret(name: string): k8s.V1Secret {
+  const secret = new k8s.V1Secret()
+  secret.apiVersion = 'v1'
+  secret.data = { haSharedSecret: 'U29tZVZlcnlTdHJpbmdTZWNyZXQK' }
+  secret.kind = 'Secret'
+  secret.metadata = new k8s.V1ObjectMeta()
+  secret.metadata.labels = {
+    app: name,
+    chart: `${name}-1.4.3`
+  }
+  secret.metadata.name = `${name}-secret`
+  secret.type = 'Opaque'
+
+  return secret
 }

releaseNotes.md

@@ -1,7 +1,9 @@
 ## Features
-- Loosened the restriction on `ACTIONS_RUNNER_CLAIM_NAME` to be optional, not required for k8s hooks
+- Always use the Docker related ENVs from the host machine instead of ENVs from the runner job [#40]
+- Use user defined entrypoints for service containers (instead of `tail -f /dev/null`)
 
 ## Bugs
+- Fixed substring issue with /github/workspace and /github/file_commands [#35]
+- Fixed issue related to setting hostPort and containerPort when formatting is not recognized by k8s default [#38]
 
-
-## Misc 
+<!-- ## Misc