Release notes for 0.4.0 version (#104)

* [ADR] Hook extensions

* Add ADR number

* Add image field to specify that it is going to be ignored

* Update env name, explain that the file is going to be applied to both job and container step pods

* rewphrase job container to job pod

* update name for the job to $job

.gitattributes

@@ -0,0 +1 @@
+*.png filter=lfs diff=lfs merge=lfs -text

.github/workflows/release.yaml

@@ -12,6 +12,20 @@ jobs:
         name: Bootstrap the packages
       - run: npm run build-all
         name: Build packages
+      - name: Zip up releases
+        run: |
+          zip -r -j actions-runner-hooks-docker-${{ steps.releaseNotes.outputs.version }}.zip packages/docker/dist
+          zip -r -j actions-runner-hooks-k8s-${{ steps.releaseNotes.outputs.version }}.zip packages/k8s/dist
+      - name: Calculate SHA
+        id: sha
+        shell: bash
+        run: |
+          sha_docker=$(sha256sum actions-runner-hooks-docker-${{ steps.releaseNotes.outputs.version }}.zip | awk '{print $1}')
+          echo "Docker SHA: $sha_docker"
+          echo "docker-sha=$sha_docker" >> $GITHUB_OUTPUT
+          sha_k8s=$(sha256sum actions-runner-hooks-k8s-${{ steps.releaseNotes.outputs.version }}.zip | awk '{print $1}')
+          echo "K8s SHA: $sha_k8s"
+          echo "k8s-sha=$sha_k8s" >> $GITHUB_OUTPUT
       - uses: actions/github-script@v6
         id: releaseNotes
         with:
@@ -20,13 +34,11 @@ jobs:
             const fs = require('fs');
             const hookVersion = require('./package.json').version
             var releaseNotes = fs.readFileSync('${{ github.workspace }}/releaseNotes.md', 'utf8').replace(/<HOOK_VERSION>/g, hookVersion)
+            releaseNotes = releaseNotes.replace(/<DOCKER_SHA>/g, '${{ steps.sha.outputs.docker-sha }}')
+            releaseNotes = releaseNotes.replace(/<K8S_SHA>/g, '${{ steps.sha.outputs.k8s-sha }}')
             console.log(releaseNotes)
             core.setOutput('version', hookVersion);
             core.setOutput('note', releaseNotes);
-      - name: Zip up releases
-        run: |
-          zip -r -j actions-runner-hooks-docker-${{ steps.releaseNotes.outputs.version }}.zip packages/docker/dist
-          zip -r -j actions-runner-hooks-k8s-${{ steps.releaseNotes.outputs.version }}.zip packages/k8s/dist
       - uses: actions/create-release@v1
         id: createRelease
         name: Create ${{ steps.releaseNotes.outputs.version }} Hook Release

CODEOWNERS

@@ -1 +1 @@
-* @actions/actions-runtime
+* @actions/actions-runtime @actions/runner-akvelon

CONTRIBUTING.md

@@ -13,7 +13,7 @@ You'll need a runner compatible with hooks, a repository with container workflow
 - You'll need a runner compatible with hooks, a repository with container workflows to which you can register the runner and the hooks from this repository.
 - See [the runner contributing.md](../../github/CONTRIBUTING.MD) for how to get started with runner development.
 - Build your hook using `npm run build`
-- Enable the hooks by setting `ACTIONS_RUNNER_CONTAINER_HOOK=./packages/{libraryname}/dist/index.js` file generated by [ncc](https://github.com/vercel/ncc)
+- Enable the hooks by setting `ACTIONS_RUNNER_CONTAINER_HOOKS=./packages/{libraryname}/dist/index.js` file generated by [ncc](https://github.com/vercel/ncc)
 - Configure your self hosted runner against the a repository you have admin access
 - Run a workflow with a container job, for example
 ```

docs/adrs/0072-using-ephemeral-containers.md

@@ -0,0 +1,184 @@
+# ADR 0072: Using Ephemeral Containers
+
+**Date:** 27 March 2023
+
+**Status**: Rejected <!--Accepted|Rejected|Superceded|Deprecated-->
+
+## Context
+
+We are evaluating using Kubernetes [ephemeral containers](https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/) as a drop-in replacement for creating pods for [jobs that run in containers](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) and [service containers](https://docs.github.com/en/actions/using-containerized-services/about-service-containers).
+
+The main motivator behind using ephemeral containers is to eliminate the need for [Persistent Volumes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/). Persistent Volume implementations vary depending on the provider and we want to avoid building a dependency on it in order to provide our end-users a consistent experience.
+
+With ephemeral containers we could leverage [emptyDir volumes](https://kubernetes.io/docs/concepts/storage/volumes/#emptydir) which fits our use case better and its behaviour is consistent across providers.
+
+However, it's important to acknowledge that ephemeral containers were not designed to handle workloads but rather provide a mechanism to inspect running containers for debugging and troubleshooting purposes.
+
+## Evaluation
+
+The criteria that we are using to evaluate whether ephemeral containers are fit for purpose are:
+
+- Networking
+- Storage
+- Security
+- Resource limits
+- Logs
+- Customizability
+
+### Networking
+
+Ephemeral containers share the networking namespace of the pod they are attached to. This means that ephemeral containers can access the same network interfaces as the pod and can communicate with other containers in the same pod. However, ephemeral containers cannot have ports configured and as such the fields ports, livenessProbe, and readinessProbe are not available [^1][^2]
+
+In this scenario we have 3 containers in a pod:
+
+- `runner`: the main container that runs the GitHub Actions job
+- `debugger`: the first ephemeral container
+- `debugger2`: the second ephemeral container
+
+By sequentially opening ports on each of these containers and connecting to them we can demonstrate that the communication flow between the runner and the debuggers is feasible.
+
+<details>
+<summary>1. Runner -> Debugger communication</summary>
+
+![runner->debugger](./images/runner-debugger.png)
+</details>
+
+<details>
+<summary>2. Debugger -> Runner communication</summary>
+
+![debugger->runner](./images/debugger-runner.png)
+</details>
+
+<details>
+<summary>3. Debugger2 -> Debugger communication</summary>
+
+![debugger2->debugger](./images/debugger2-debugger.png)
+</details>
+
+### Storage
+
+An emptyDir volume can be successfully mounted (read/write) by the runner as well as the ephemeral containers. This means that ephemeral containers can share data with the runner and other ephemeral containers.
+
+<details>
+<summary>Configuration</summary>
+
+```yaml
+# Extracted from the values.yaml for the gha-runner-scale-set helm chart
+  spec:
+    containers:
+    - name: runner
+      image: ghcr.io/actions/actions-runner:latest
+      command: ["/home/runner/run.sh"]
+      volumeMounts:
+      - mountPath: /workspace
+        name: work-volume
+    volumes:
+      - name: work-volume
+        emptyDir:
+          sizeLimit: 1Gi
+```
+
+```bash
+# The API call to the Kubernetes API used to create the ephemeral containers
+
+POD_NAME="arc-runner-set-6sfwd-runner-k7qq6"
+NAMESPACE="arc-runners"
+
+curl -v "https://<IP>:<PORT>/api/v1/namespaces/$NAMESPACE/pods/$POD_NAME/ephemeralcontainers" \
+  -X PATCH \
+  -H 'Content-Type: application/strategic-merge-patch+json' \
+  --cacert <PATH_TO_CACERT> \
+  --cert <PATH_TO_CERT> \
+  --key <PATH_TO_CLIENT_KEY> \
+  -d '
+{
+    "spec":
+    {
+        "ephemeralContainers":
+        [
+            {
+                "name": "debugger",
+                "command": ["sh"],
+                "image": "ghcr.io/actions/actions-runner:latest",
+                "targetContainerName": "runner",
+                "stdin": true,
+                "tty": true,
+                "volumeMounts": [{
+                    "mountPath": "/workspace",
+                    "name": "work-volume",
+                    "readOnly": false
+                }]
+            },
+            {
+                "name": "debugger2",
+                "command": ["sh"],
+                "image": "ghcr.io/actions/actions-runner:latest",
+                "targetContainerName": "runner",
+                "stdin": true,
+                "tty": true,
+                "volumeMounts": [{
+                    "mountPath": "/workspace",
+                    "name": "work-volume",
+                    "readOnly": false
+                }]
+            }
+        ]
+    }
+}'
+```
+
+</details>
+
+<details>
+<summary>emptyDir volume mount</summary>
+
+![emptyDir volume mount](./images/emptyDir_volume.png)
+
+</details>
+
+### Security
+
+According to the [ephemeral containers API specification](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#ephemeralcontainer-v1-core) the configuration of the `securityContext` field is possible.
+
+Ephemeral containers share the same network namespace as the pod they are attached to. This means that ephemeral containers can access the same network interfaces as the pod and can communicate with other containers in the same pod.
+
+It is also possible for ephemeral containers to [share the process namespace](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) with the other containers in the pod. This is disabled by default.
+
+The above could have unpredictable security implications.
+
+### Resource limits
+
+Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod. [^1] This is a major drawback as it means that ephemeral containers cannot be configured to have resource limits.
+
+There are no guaranteed resources for ad-hoc troubleshooting. If troubleshooting causes a pod to exceed its resource limit it may be evicted. [^3]
+
+### Logs
+
+Since ephemeral containers can share volumes with the runner container, it's possible to write logs to the same volume and have them available to the runner container.
+
+### Customizability
+
+Ephemeral containers can run any image and tag provided, they can be customized to run any arbitrary job. However, it's important to note that the following are not feasible:
+
+- Lifecycle is not allowed for ephemeral containers
+    - Ephemeral containers will stop when their command exits, such as exiting a shell, and they will not be restarted. Unlike `kubectl exec`, processes in Ephemeral Containers will not receive an `EOF` if their connections are interrupted, so shells won't automatically exit on disconnect. There is no API support for killing or restarting an ephemeral container. The only way to exit the container is to send it an OS signal. [^4]
+- Probes are not allowed for ephemeral containers.
+- Ports are not allowed for ephemeral containers.
+
+## Decision
+
+While the evaluation shows that ephemeral containers can be used to run jobs in containers, it's important to acknowledge that ephemeral containers were not designed to handle workloads but rather provide a mechanism to inspect running containers for debugging and troubleshooting purposes.
+
+Given the limitations of ephemeral containers, we decided not to use them outside of their intended purpose.
+
+## Consequences
+
+Proposal rejected, no further action required. This document will be used as a reference for future discussions.
+
+[^1]: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#ephemeralcontainer-v1-core
+
+[^2]: https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/
+
+[^3]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/277-ephemeral-containers/README.md#notesconstraintscaveats
+
+[^4]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/277-ephemeral-containers/README.md#ephemeral-container-lifecycle

docs/adrs/0096-hook-extensions.md

@@ -0,0 +1,32 @@
+# ADR 0096: Hook extensions
+
+**Date:** 3 August 2023
+
+**Status**: Proposed <!--Accepted|Rejected|Superceded|Deprecated-->
+
+## Context
+
+The current implementation of container hooks does not allow users to customize the pods created by the hook. While the implementation is designed to be used as is or as a starting point, building and maintaining a custom hook implementation just to specify additional fields is not a good user experience.
+
+## Decision
+
+We have decided to add hook extensions to the container hook implementation. This will allow users to customize the pods created by the hook by specifying additional fields. The hook extensions will be implemented in a way that is backwards-compatible with the existing hook implementation.
+
+To allow customization, the runner executing the hook should have `ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE` environment variable pointing to a yaml file on the runner system. The extension specified in that file will be applied both for job pods, and container steps.
+
+If environment variable is set, but the file can't be read, the hook will fail, signaling incorrect configuration.
+
+If the environment variable does not exist, the hook will apply the default spec.
+
+In case the hook is able to read the extended spec, it will first create a default configuration, and then merged modified fields in the following way:
+
+1. The `.metadata` fields that will be appended if they are not reserved are `labels` and `annotations`.
+2. The pod spec fields except for `containers` and `volumes` are applied from the template, possibly overwriting the field.
+3. The volumes are applied in form of appending additional volumes to the default volumes.
+4. The containers are merged based on the name assigned to them:
+    1. If the name of the container *is not* "$job", the entire spec of the container will be added to the pod definition.
+    2. If the name of the container *is* "$job", the `name` and the `image` fields are going to be ignored and the spec will be applied so that `env`, `volumeMounts`, `ports` are appended to the default container spec created by the hook, while the rest of the fields are going to be applied to the newly created container spec.
+
+## Consequences
+
+The addition of hook extensions will provide a better user experience for users who need to customize the pods created by the container hook. However, it will require additional effort to provide the template to the runner pod, and configure it properly.

examples/extension.yaml

@@ -0,0 +1,30 @@
+metadata:
+  annotations:
+    annotated-by: "extension"
+  labels:
+    labeled-by: "extension"
+spec:
+  securityContext:
+    runAsUser: 1000
+    runAsGroup: 3000
+  restartPolicy: Never
+  containers:
+  - name: $job # overwirtes job container
+    env:
+    - name: ENV1
+      value: "value1"
+    imagePullPolicy: Always
+    image: "busybox:1.28" # Ignored
+    command:
+    - sh
+    args:
+    - -c
+    - sleep 50
+  - name: side-car
+    image: "ubuntu:latest" # required
+    command:
+    - sh
+    args:
+    - -c
+    - sleep 60
+    

examples/prepare-job.json

@@ -73,6 +73,8 @@
         "contextName": "redis",
         "image": "redis",
         "createOptions": "--cpus 1",
+        "entrypoint": null,
+        "entryPointArgs": [],
         "environmentVariables": {},
         "userMountVolumes": [
           {

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "hooks",
-  "version": "0.1.1",
+  "version": "0.4.0",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "hooks",
-      "version": "0.1.1",
+      "version": "0.4.0",
       "license": "MIT",
       "devDependencies": {
         "@types/jest": "^27.5.1",
@@ -1800,9 +1800,9 @@
       "dev": true
     },
     "node_modules/json5": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.1.tgz",
-      "integrity": "sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.2.tgz",
+      "integrity": "sha512-g1MWMLBiz8FKi1e4w0UyVL3w+iJceWAFBAaBnnGKOpNa5f8TLktkbre1+s6oICydWAm+HRUGTmI+//xv2hvXYA==",
       "dev": true,
       "dependencies": {
         "minimist": "^1.2.0"
@@ -2625,9 +2625,9 @@
       }
     },
     "node_modules/word-wrap": {
-      "version": "1.2.3",
-      "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz",
-      "integrity": "sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==",
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.4.tgz",
+      "integrity": "sha512-2V81OA4ugVo5pRo46hAoD2ivUJx8jXmWXfUkY4KFNw0hEptvN0QfH3K4nHiwzGeKl5rFKedV48QVoqYavy4YpA==",
       "dev": true,
       "engines": {
         "node": ">=0.10.0"
@@ -3926,9 +3926,9 @@
       "dev": true
     },
     "json5": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.1.tgz",
-      "integrity": "sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.2.tgz",
+      "integrity": "sha512-g1MWMLBiz8FKi1e4w0UyVL3w+iJceWAFBAaBnnGKOpNa5f8TLktkbre1+s6oICydWAm+HRUGTmI+//xv2hvXYA==",
       "dev": true,
       "requires": {
         "minimist": "^1.2.0"
@@ -4509,9 +4509,9 @@
       }
     },
     "word-wrap": {
-      "version": "1.2.3",
-      "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz",
-      "integrity": "sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==",
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.4.tgz",
+      "integrity": "sha512-2V81OA4ugVo5pRo46hAoD2ivUJx8jXmWXfUkY4KFNw0hEptvN0QfH3K4nHiwzGeKl5rFKedV48QVoqYavy4YpA==",
       "dev": true
     },
     "wrappy": {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "hooks",
-  "version": "0.1.1",
+  "version": "0.4.0",
   "description": "Three projects are included - k8s: a kubernetes hook implementation that spins up pods dynamically to run a job - docker: A hook implementation of the runner's docker implementation  - A hook lib, which contains shared typescript definitions and utilities that the other packages consume",
   "main": "",
   "directories": {

packages/docker/package-lock.json

@@ -9,7 +9,7 @@
       "version": "0.1.0",
       "license": "MIT",
       "dependencies": {
-        "@actions/core": "^1.6.0",
+        "@actions/core": "^1.9.1",
         "@actions/exec": "^1.1.1",
         "hooklib": "file:../hooklib",
         "uuid": "^8.3.2"
@@ -30,7 +30,7 @@
       "version": "0.1.0",
       "license": "MIT",
       "dependencies": {
-        "@actions/core": "^1.6.0"
+        "@actions/core": "^1.9.1"
       },
       "devDependencies": {
         "@types/node": "^17.0.23",
@@ -43,11 +43,12 @@
       }
     },
     "node_modules/@actions/core": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz",
-      "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==",
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
       "dependencies": {
-        "@actions/http-client": "^1.0.11"
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
       }
     },
     "node_modules/@actions/exec": {
@@ -59,11 +60,11 @@
       }
     },
     "node_modules/@actions/http-client": {
-      "version": "1.0.11",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
-      "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+      "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
       "dependencies": {
-        "tunnel": "0.0.6"
+        "tunnel": "^0.0.6"
       }
     },
     "node_modules/@actions/io": {
@@ -135,9 +136,9 @@
       }
     },
     "node_modules/@babel/core/node_modules/semver": {
-      "version": "6.3.0",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
-      "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+      "version": "6.3.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
       "dev": true,
       "bin": {
         "semver": "bin/semver.js"
@@ -185,9 +186,9 @@
       }
     },
     "node_modules/@babel/helper-compilation-targets/node_modules/semver": {
-      "version": "6.3.0",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
-      "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+      "version": "6.3.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
       "dev": true,
       "bin": {
         "semver": "bin/semver.js"
@@ -3018,9 +3019,9 @@
       }
     },
     "node_modules/istanbul-lib-instrument/node_modules/semver": {
-      "version": "6.3.0",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
-      "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+      "version": "6.3.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
       "dev": true,
       "bin": {
         "semver": "bin/semver.js"
@@ -3778,9 +3779,9 @@
       "peer": true
     },
     "node_modules/json5": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.1.tgz",
-      "integrity": "sha512-1hqLFMSrGHRHxav9q9gNjJ5EXznIxGVO09xQRrwplcS8qs28pZ8s8hupZAmqDwZUmVZ2Qb2jnyPOWcDH8m8dlA==",
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz",
+      "integrity": "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==",
       "dev": true,
       "bin": {
         "json5": "lib/cli.js"
@@ -3847,12 +3848,15 @@
       "peer": true
     },
     "node_modules/lru-cache": {
-      "version": "7.8.1",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-7.8.1.tgz",
-      "integrity": "sha512-E1v547OCgJvbvevfjgK9sNKIVXO96NnsTsFPBlg4ZxjhsJSODoH9lk8Bm0OxvHNm6Vm5Yqkl/1fErDxhYL8Skg==",
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz",
+      "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==",
       "dev": true,
+      "dependencies": {
+        "yallist": "^4.0.0"
+      },
       "engines": {
-        "node": ">=12"
+        "node": ">=10"
       }
     },
     "node_modules/make-dir": {
@@ -3871,9 +3875,9 @@
       }
     },
     "node_modules/make-dir/node_modules/semver": {
-      "version": "6.3.0",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
-      "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+      "version": "6.3.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
       "dev": true,
       "bin": {
         "semver": "bin/semver.js"
@@ -4306,6 +4310,12 @@
         "node": ">=6"
       }
     },
+    "node_modules/querystringify": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/querystringify/-/querystringify-2.2.0.tgz",
+      "integrity": "sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ==",
+      "dev": true
+    },
     "node_modules/queue-microtask": {
       "version": "1.2.3",
       "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
@@ -4354,6 +4364,12 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/requires-port": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/requires-port/-/requires-port-1.0.0.tgz",
+      "integrity": "sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==",
+      "dev": true
+    },
     "node_modules/resolve": {
       "version": "1.22.0",
       "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.0.tgz",
@@ -4484,18 +4500,18 @@
       }
     },
     "node_modules/semver": {
-      "version": "7.3.6",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.6.tgz",
-      "integrity": "sha512-HZWqcgwLsjaX1HBD31msI/rXktuIhS+lWvdE4kN9z+8IVT4Itc7vqU2WvYsyD6/sjYCt4dEKH/m1M3dwI9CC5w==",
+      "version": "7.5.4",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz",
+      "integrity": "sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==",
       "dev": true,
       "dependencies": {
-        "lru-cache": "^7.4.0"
+        "lru-cache": "^6.0.0"
       },
       "bin": {
         "semver": "bin/semver.js"
       },
       "engines": {
-        "node": "^10.0.0 || ^12.0.0 || ^14.0.0 || >=16.0.0"
+        "node": ">=10"
       }
     },
     "node_modules/shebang-command": {
@@ -4769,14 +4785,15 @@
       }
     },
     "node_modules/tough-cookie": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.0.0.tgz",
-      "integrity": "sha512-tHdtEpQCMrc1YLrMaqXXcj6AxhYi/xgit6mZu1+EDWUn+qhUf8wMQoFIy9NXuq23zAwtcB0t/MjACGR18pcRbg==",
+      "version": "4.1.3",
+      "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.1.3.tgz",
+      "integrity": "sha512-aX/y5pVRkfRnfmuX+OdbSdXvPe6ieKX/G2s7e98f4poJHnqH3281gDPm/metm6E/WRamfx7WC4HUqkWHfQHprw==",
       "dev": true,
       "dependencies": {
         "psl": "^1.1.33",
         "punycode": "^2.1.1",
-        "universalify": "^0.1.2"
+        "universalify": "^0.2.0",
+        "url-parse": "^1.5.3"
       },
       "engines": {
         "node": ">=6"
@@ -4902,9 +4919,9 @@
       }
     },
     "node_modules/tsconfig-paths/node_modules/json5": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.1.tgz",
-      "integrity": "sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.2.tgz",
+      "integrity": "sha512-g1MWMLBiz8FKi1e4w0UyVL3w+iJceWAFBAaBnnGKOpNa5f8TLktkbre1+s6oICydWAm+HRUGTmI+//xv2hvXYA==",
       "dev": true,
       "dependencies": {
         "minimist": "^1.2.0"
@@ -5009,9 +5026,9 @@
       }
     },
     "node_modules/universalify": {
-      "version": "0.1.2",
-      "resolved": "https://registry.npmjs.org/universalify/-/universalify-0.1.2.tgz",
-      "integrity": "sha512-rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg==",
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/universalify/-/universalify-0.2.0.tgz",
+      "integrity": "sha512-CJ1QgKmNg3CwvAv/kOFmtnEN05f0D/cn9QntgNOQlQF9dgvVTHj3t+8JPdjqawCHk7V/KA+fbUqzZ9XWhcqPUg==",
       "dev": true,
       "engines": {
         "node": ">= 4.0.0"
@@ -5027,6 +5044,16 @@
         "punycode": "^2.1.0"
       }
     },
+    "node_modules/url-parse": {
+      "version": "1.5.10",
+      "resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.5.10.tgz",
+      "integrity": "sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==",
+      "dev": true,
+      "dependencies": {
+        "querystringify": "^2.1.1",
+        "requires-port": "^1.0.0"
+      }
+    },
     "node_modules/uuid": {
       "version": "8.3.2",
       "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
@@ -5155,9 +5182,9 @@
       }
     },
     "node_modules/word-wrap": {
-      "version": "1.2.3",
-      "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz",
-      "integrity": "sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==",
+      "version": "1.2.5",
+      "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz",
+      "integrity": "sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==",
       "dev": true,
       "engines": {
         "node": ">=0.10.0"
@@ -5240,6 +5267,12 @@
         "node": ">=10"
       }
     },
+    "node_modules/yallist": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz",
+      "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==",
+      "dev": true
+    },
     "node_modules/yargs": {
       "version": "16.2.0",
       "resolved": "https://registry.npmjs.org/yargs/-/yargs-16.2.0.tgz",
@@ -5279,11 +5312,12 @@
   },
   "dependencies": {
     "@actions/core": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz",
-      "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==",
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
       "requires": {
-        "@actions/http-client": "^1.0.11"
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
       }
     },
     "@actions/exec": {
@@ -5295,11 +5329,11 @@
       }
     },
     "@actions/http-client": {
-      "version": "1.0.11",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
-      "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+      "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
       "requires": {
-        "tunnel": "0.0.6"
+        "tunnel": "^0.0.6"
       }
     },
     "@actions/io": {
@@ -5355,9 +5389,9 @@
       },
       "dependencies": {
         "semver": {
-          "version": "6.3.0",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
-          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+          "version": "6.3.1",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+          "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
           "dev": true
         }
       }
@@ -5394,9 +5428,9 @@
       },
       "dependencies": {
         "semver": {
-          "version": "6.3.0",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
-          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+          "version": "6.3.1",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+          "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
           "dev": true
         }
       }
@@ -7376,7 +7410,7 @@
     "hooklib": {
       "version": "file:../hooklib",
       "requires": {
-        "@actions/core": "^1.6.0",
+        "@actions/core": "^1.9.1",
         "@types/node": "^17.0.23",
         "@typescript-eslint/parser": "^5.18.0",
         "@zeit/ncc": "^0.22.3",
@@ -7578,9 +7612,9 @@
       },
       "dependencies": {
         "semver": {
-          "version": "6.3.0",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
-          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+          "version": "6.3.1",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+          "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
           "dev": true
         }
       }
@@ -8174,9 +8208,9 @@
       "peer": true
     },
     "json5": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.1.tgz",
-      "integrity": "sha512-1hqLFMSrGHRHxav9q9gNjJ5EXznIxGVO09xQRrwplcS8qs28pZ8s8hupZAmqDwZUmVZ2Qb2jnyPOWcDH8m8dlA==",
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz",
+      "integrity": "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==",
       "dev": true
     },
     "kleur": {
@@ -8228,10 +8262,13 @@
       "peer": true
     },
     "lru-cache": {
-      "version": "7.8.1",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-7.8.1.tgz",
-      "integrity": "sha512-E1v547OCgJvbvevfjgK9sNKIVXO96NnsTsFPBlg4ZxjhsJSODoH9lk8Bm0OxvHNm6Vm5Yqkl/1fErDxhYL8Skg==",
-      "dev": true
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz",
+      "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==",
+      "dev": true,
+      "requires": {
+        "yallist": "^4.0.0"
+      }
     },
     "make-dir": {
       "version": "3.1.0",
@@ -8243,9 +8280,9 @@
       },
       "dependencies": {
         "semver": {
-          "version": "6.3.0",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
-          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
+          "version": "6.3.1",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+          "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
           "dev": true
         }
       }
@@ -8579,6 +8616,12 @@
       "integrity": "sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==",
       "dev": true
     },
+    "querystringify": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/querystringify/-/querystringify-2.2.0.tgz",
+      "integrity": "sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ==",
+      "dev": true
+    },
     "queue-microtask": {
       "version": "1.2.3",
       "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
@@ -8604,6 +8647,12 @@
       "integrity": "sha1-jGStX9MNqxyXbiNE/+f3kqam30I=",
       "dev": true
     },
+    "requires-port": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/requires-port/-/requires-port-1.0.0.tgz",
+      "integrity": "sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==",
+      "dev": true
+    },
     "resolve": {
       "version": "1.22.0",
       "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.0.tgz",
@@ -8691,12 +8740,12 @@
       }
     },
     "semver": {
-      "version": "7.3.6",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.6.tgz",
-      "integrity": "sha512-HZWqcgwLsjaX1HBD31msI/rXktuIhS+lWvdE4kN9z+8IVT4Itc7vqU2WvYsyD6/sjYCt4dEKH/m1M3dwI9CC5w==",
+      "version": "7.5.4",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz",
+      "integrity": "sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==",
       "dev": true,
       "requires": {
-        "lru-cache": "^7.4.0"
+        "lru-cache": "^6.0.0"
       }
     },
     "shebang-command": {
@@ -8906,14 +8955,15 @@
       }
     },
     "tough-cookie": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.0.0.tgz",
-      "integrity": "sha512-tHdtEpQCMrc1YLrMaqXXcj6AxhYi/xgit6mZu1+EDWUn+qhUf8wMQoFIy9NXuq23zAwtcB0t/MjACGR18pcRbg==",
+      "version": "4.1.3",
+      "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.1.3.tgz",
+      "integrity": "sha512-aX/y5pVRkfRnfmuX+OdbSdXvPe6ieKX/G2s7e98f4poJHnqH3281gDPm/metm6E/WRamfx7WC4HUqkWHfQHprw==",
       "dev": true,
       "requires": {
         "psl": "^1.1.33",
         "punycode": "^2.1.1",
-        "universalify": "^0.1.2"
+        "universalify": "^0.2.0",
+        "url-parse": "^1.5.3"
       }
     },
     "tr46": {
@@ -8983,9 +9033,9 @@
       },
       "dependencies": {
         "json5": {
-          "version": "1.0.1",
-          "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.1.tgz",
-          "integrity": "sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow==",
+          "version": "1.0.2",
+          "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.2.tgz",
+          "integrity": "sha512-g1MWMLBiz8FKi1e4w0UyVL3w+iJceWAFBAaBnnGKOpNa5f8TLktkbre1+s6oICydWAm+HRUGTmI+//xv2hvXYA==",
           "dev": true,
           "requires": {
             "minimist": "^1.2.0"
@@ -9058,9 +9108,9 @@
       "dev": true
     },
     "universalify": {
-      "version": "0.1.2",
-      "resolved": "https://registry.npmjs.org/universalify/-/universalify-0.1.2.tgz",
-      "integrity": "sha512-rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg==",
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/universalify/-/universalify-0.2.0.tgz",
+      "integrity": "sha512-CJ1QgKmNg3CwvAv/kOFmtnEN05f0D/cn9QntgNOQlQF9dgvVTHj3t+8JPdjqawCHk7V/KA+fbUqzZ9XWhcqPUg==",
       "dev": true
     },
     "uri-js": {
@@ -9073,6 +9123,16 @@
         "punycode": "^2.1.0"
       }
     },
+    "url-parse": {
+      "version": "1.5.10",
+      "resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.5.10.tgz",
+      "integrity": "sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==",
+      "dev": true,
+      "requires": {
+        "querystringify": "^2.1.1",
+        "requires-port": "^1.0.0"
+      }
+    },
     "uuid": {
       "version": "8.3.2",
       "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
@@ -9179,9 +9239,9 @@
       }
     },
     "word-wrap": {
-      "version": "1.2.3",
-      "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz",
-      "integrity": "sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==",
+      "version": "1.2.5",
+      "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz",
+      "integrity": "sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==",
       "dev": true
     },
     "wrap-ansi": {
@@ -9238,6 +9298,12 @@
       "integrity": "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==",
       "dev": true
     },
+    "yallist": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz",
+      "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==",
+      "dev": true
+    },
     "yargs": {
       "version": "16.2.0",
       "resolved": "https://registry.npmjs.org/yargs/-/yargs-16.2.0.tgz",

packages/docker/package.json

@@ -10,7 +10,7 @@
   "author": "",
   "license": "MIT",
   "dependencies": {
-    "@actions/core": "^1.6.0",
+    "@actions/core": "^1.9.1",
     "@actions/exec": "^1.1.1",
     "hooklib": "file:../hooklib",
     "uuid": "^8.3.2"

packages/docker/src/dockerCommands/container.ts

@@ -91,11 +91,12 @@ export async function containerPull(
   image: string,
   configLocation: string
 ): Promise<void> {
-  const dockerArgs: string[] = ['pull']
+  const dockerArgs: string[] = []
   if (configLocation) {
     dockerArgs.push('--config')
     dockerArgs.push(configLocation)
   }
+  dockerArgs.push('pull')
   dockerArgs.push(image)
   for (let i = 0; i < 3; i++) {
     try {
@@ -427,6 +428,9 @@ export async function containerRun(
   dockerArgs.push(args.image)
   if (args.entryPointArgs) {
     for (const entryPointArg of args.entryPointArgs) {
+      if (!entryPointArg) {
+        continue
+      }
       dockerArgs.push(entryPointArg)
     }
   }

packages/docker/src/hooks/prepare-job.ts

@@ -40,7 +40,7 @@ export async function prepareJob(
   if (!container?.image) {
     core.info('No job container provided, skipping')
   } else {
-    setupContainer(container)
+    setupContainer(container, true)
 
     const configLocation = await registryLogin(container.registry)
     try {
@@ -174,9 +174,11 @@ function generateResponseFile(
   writeToResponseFile(responseFile, JSON.stringify(response))
 }
 
-function setupContainer(container): void {
-  container.entryPointArgs = [`-f`, `/dev/null`]
-  container.entryPoint = 'tail'
+function setupContainer(container, jobContainer = false): void {
+  if (!container.entryPoint && jobContainer) {
+    container.entryPointArgs = [`-f`, `/dev/null`]
+    container.entryPoint = 'tail'
+  }
 }
 
 function generateNetworkName(): string {

packages/docker/src/index.ts

@@ -16,15 +16,14 @@ import {
 import { checkEnvironment } from './utils'
 
 async function run(): Promise<void> {
-  const input = await getInputFromStdin()
-
-  const args = input['args']
-  const command = input['command']
-  const responseFile = input['responseFile']
-  const state = input['state']
-
   try {
     checkEnvironment()
+    const input = await getInputFromStdin()
+
+    const args = input['args']
+    const command = input['command']
+    const responseFile = input['responseFile']
+    const state = input['state']
     switch (command) {
       case Command.PrepareJob:
         await prepareJob(args as PrepareJobArgs, responseFile)

packages/docker/src/utils.ts

@@ -16,6 +16,7 @@ export async function runDockerCommand(
   args: string[],
   options?: RunDockerCommandOptions
 ): Promise<string> {
+  options = optionsWithDockerEnvs(options)
   const pipes = await exec.getExecOutput('docker', args, options)
   if (pipes.exitCode !== 0) {
     core.error(`Docker failed with exit code ${pipes.exitCode}`)
@@ -24,6 +25,45 @@ export async function runDockerCommand(
   return Promise.resolve(pipes.stdout)
 }
 
+export function optionsWithDockerEnvs(
+  options?: RunDockerCommandOptions
+): RunDockerCommandOptions | undefined {
+  // From https://docs.docker.com/engine/reference/commandline/cli/#environment-variables
+  const dockerCliEnvs = new Set([
+    'DOCKER_API_VERSION',
+    'DOCKER_CERT_PATH',
+    'DOCKER_CONFIG',
+    'DOCKER_CONTENT_TRUST_SERVER',
+    'DOCKER_CONTENT_TRUST',
+    'DOCKER_CONTEXT',
+    'DOCKER_DEFAULT_PLATFORM',
+    'DOCKER_HIDE_LEGACY_COMMANDS',
+    'DOCKER_HOST',
+    'DOCKER_STACK_ORCHESTRATOR',
+    'DOCKER_TLS_VERIFY',
+    'BUILDKIT_PROGRESS'
+  ])
+  const dockerEnvs = {}
+  for (const key in process.env) {
+    if (dockerCliEnvs.has(key)) {
+      dockerEnvs[key] = process.env[key]
+    }
+  }
+
+  const newOptions = {
+    workingDir: options?.workingDir,
+    input: options?.input,
+    env: options?.env || {}
+  }
+
+  // Set docker envs or overwrite provided ones
+  for (const [key, value] of Object.entries(dockerEnvs)) {
+    newOptions.env[key] = value as string
+  }
+
+  return newOptions
+}
+
 export function sanitize(val: string): string {
   if (!val || typeof val !== 'string') {
     return ''

packages/docker/tests/run-script-step-test.ts

@@ -52,7 +52,9 @@ describe('run script step', () => {
     definitions.runScriptStep.args.entryPoint = '/bin/bash'
     definitions.runScriptStep.args.entryPointArgs = [
       '-c',
-      `if [[ ! $(env | grep "^PATH=") = "PATH=${definitions.runScriptStep.args.prependPath}:"* ]]; then exit 1; fi`
+      `if [[ ! $(env | grep "^PATH=") = "PATH=${definitions.runScriptStep.args.prependPath.join(
+        ':'
+      )}:"* ]]; then exit 1; fi`
     ]
     await expect(
       runScriptStep(definitions.runScriptStep.args, prepareJobResponse.state)

packages/docker/tests/utils-test.ts

@@ -1,4 +1,4 @@
-import { sanitize } from '../src/utils'
+import { optionsWithDockerEnvs, sanitize } from '../src/utils'
 
 describe('Utilities', () => {
   it('should return sanitized image name', () => {
@@ -9,4 +9,41 @@ describe('Utilities', () => {
     const validStr = 'teststr8_one'
     expect(sanitize(validStr)).toBe(validStr)
   })
+
+  describe('with docker options', () => {
+    it('should augment options with docker environment variables', () => {
+      process.env.DOCKER_HOST = 'unix:///run/user/1001/docker.sock'
+      process.env.DOCKER_NOTEXIST = 'notexist'
+
+      const optionDefinitions: any = [
+        undefined,
+        {},
+        { env: {} },
+        { env: { DOCKER_HOST: 'unix://var/run/docker.sock' } }
+      ]
+      for (const opt of optionDefinitions) {
+        let options = optionsWithDockerEnvs(opt)
+        expect(options).toBeDefined()
+        expect(options?.env).toBeDefined()
+        expect(options?.env?.DOCKER_HOST).toBe(process.env.DOCKER_HOST)
+        expect(options?.env?.DOCKER_NOTEXIST).toBeUndefined()
+      }
+    })
+
+    it('should not overwrite other options', () => {
+      process.env.DOCKER_HOST = 'unix:///run/user/1001/docker.sock'
+      const opt = {
+        workingDir: 'test',
+        input: Buffer.from('test')
+      }
+
+      const options = optionsWithDockerEnvs(opt)
+      expect(options).toBeDefined()
+      expect(options?.workingDir).toBe(opt.workingDir)
+      expect(options?.input).toBe(opt.input)
+      expect(options?.env).toStrictEqual({
+        DOCKER_HOST: process.env.DOCKER_HOST
+      })
+    })
+  })
 })

packages/hooklib/package-lock.json

@@ -9,7 +9,7 @@
       "version": "0.1.0",
       "license": "MIT",
       "dependencies": {
-        "@actions/core": "^1.6.0"
+        "@actions/core": "^1.9.1"
       },
       "devDependencies": {
         "@types/node": "^17.0.23",
@@ -22,19 +22,20 @@
       }
     },
     "node_modules/@actions/core": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz",
-      "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==",
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
       "dependencies": {
-        "@actions/http-client": "^1.0.11"
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
       }
     },
     "node_modules/@actions/http-client": {
-      "version": "1.0.11",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
-      "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+      "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
       "dependencies": {
-        "tunnel": "0.0.6"
+        "tunnel": "^0.0.6"
       }
     },
     "node_modules/@eslint/eslintrc": {
@@ -1741,9 +1742,9 @@
       "dev": true
     },
     "node_modules/json5": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.1.tgz",
-      "integrity": "sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.2.tgz",
+      "integrity": "sha512-g1MWMLBiz8FKi1e4w0UyVL3w+iJceWAFBAaBnnGKOpNa5f8TLktkbre1+s6oICydWAm+HRUGTmI+//xv2hvXYA==",
       "dev": true,
       "dependencies": {
         "minimist": "^1.2.0"
@@ -2214,9 +2215,9 @@
       }
     },
     "node_modules/semver": {
-      "version": "7.3.7",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.7.tgz",
-      "integrity": "sha512-QlYTucUYOews+WeEujDoEGziz4K6c47V/Bd+LjSSYcA94p+DmINdf7ncaUinThfvZyu13lN9OY1XDxt8C0Tw0g==",
+      "version": "7.5.4",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz",
+      "integrity": "sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==",
       "dev": true,
       "dependencies": {
         "lru-cache": "^6.0.0"
@@ -2485,6 +2486,14 @@
         "punycode": "^2.1.0"
       }
     },
+    "node_modules/uuid": {
+      "version": "8.3.2",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
+      "bin": {
+        "uuid": "dist/bin/uuid"
+      }
+    },
     "node_modules/v8-compile-cache": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/v8-compile-cache/-/v8-compile-cache-2.3.0.tgz",
@@ -2523,9 +2532,9 @@
       }
     },
     "node_modules/word-wrap": {
-      "version": "1.2.3",
-      "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz",
-      "integrity": "sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==",
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.4.tgz",
+      "integrity": "sha512-2V81OA4ugVo5pRo46hAoD2ivUJx8jXmWXfUkY4KFNw0hEptvN0QfH3K4nHiwzGeKl5rFKedV48QVoqYavy4YpA==",
       "dev": true,
       "engines": {
         "node": ">=0.10.0"
@@ -2546,19 +2555,20 @@
   },
   "dependencies": {
     "@actions/core": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz",
-      "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==",
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
       "requires": {
-        "@actions/http-client": "^1.0.11"
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
       }
     },
     "@actions/http-client": {
-      "version": "1.0.11",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
-      "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+      "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
       "requires": {
-        "tunnel": "0.0.6"
+        "tunnel": "^0.0.6"
       }
     },
     "@eslint/eslintrc": {
@@ -3779,9 +3789,9 @@
       "dev": true
     },
     "json5": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.1.tgz",
-      "integrity": "sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.2.tgz",
+      "integrity": "sha512-g1MWMLBiz8FKi1e4w0UyVL3w+iJceWAFBAaBnnGKOpNa5f8TLktkbre1+s6oICydWAm+HRUGTmI+//xv2hvXYA==",
       "dev": true,
       "requires": {
         "minimist": "^1.2.0"
@@ -4109,9 +4119,9 @@
       }
     },
     "semver": {
-      "version": "7.3.7",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.7.tgz",
-      "integrity": "sha512-QlYTucUYOews+WeEujDoEGziz4K6c47V/Bd+LjSSYcA94p+DmINdf7ncaUinThfvZyu13lN9OY1XDxt8C0Tw0g==",
+      "version": "7.5.4",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz",
+      "integrity": "sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==",
       "dev": true,
       "requires": {
         "lru-cache": "^6.0.0"
@@ -4300,6 +4310,11 @@
         "punycode": "^2.1.0"
       }
     },
+    "uuid": {
+      "version": "8.3.2",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="
+    },
     "v8-compile-cache": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/v8-compile-cache/-/v8-compile-cache-2.3.0.tgz",
@@ -4329,9 +4344,9 @@
       }
     },
     "word-wrap": {
-      "version": "1.2.3",
-      "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz",
-      "integrity": "sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==",
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.4.tgz",
+      "integrity": "sha512-2V81OA4ugVo5pRo46hAoD2ivUJx8jXmWXfUkY4KFNw0hEptvN0QfH3K4nHiwzGeKl5rFKedV48QVoqYavy4YpA==",
       "dev": true
     },
     "wrappy": {

packages/hooklib/package.json

@@ -23,6 +23,6 @@
     "typescript": "^4.6.3"
   },
   "dependencies": {
-    "@actions/core": "^1.6.0"
+    "@actions/core": "^1.9.1"
   }
 }

packages/k8s/package.json

@@ -13,11 +13,12 @@
   "author": "",
   "license": "MIT",
   "dependencies": {
-    "@actions/core": "^1.6.0",
+    "@actions/core": "^1.9.1",
     "@actions/exec": "^1.1.1",
     "@actions/io": "^1.1.2",
-    "@kubernetes/client-node": "^0.16.3",
-    "hooklib": "file:../hooklib"
+    "@kubernetes/client-node": "^0.18.1",
+    "hooklib": "file:../hooklib",
+    "js-yaml": "^4.1.0"
   },
   "devDependencies": {
     "@types/jest": "^27.4.1",

packages/k8s/src/hooks/constants.ts

@@ -39,14 +39,15 @@ export function getSecretName(): string {
   )}-secret-${uuidv4().substring(0, STEP_POD_NAME_SUFFIX_LENGTH)}`
 }
 
-const MAX_POD_NAME_LENGTH = 63
-const STEP_POD_NAME_SUFFIX_LENGTH = 8
+export const MAX_POD_NAME_LENGTH = 63
+export const STEP_POD_NAME_SUFFIX_LENGTH = 8
 export const JOB_CONTAINER_NAME = 'job'
+export const JOB_CONTAINER_EXTENSION_NAME = '$job'
 
 export class RunnerInstanceLabel {
-  runnerhook: string
+  private podName: string
   constructor() {
-    this.runnerhook = process.env.ACTIONS_RUNNER_POD_NAME as string
+    this.podName = getRunnerPodName()
   }
 
   get key(): string {
@@ -54,10 +55,10 @@ export class RunnerInstanceLabel {
   }
 
   get value(): string {
-    return this.runnerhook
+    return this.podName
   }
 
   toString(): string {
-    return `runner-pod=${this.runnerhook}`
+    return `runner-pod=${this.podName}`
   }
 }

packages/k8s/src/hooks/prepare-job.ts

@@ -1,7 +1,12 @@
 import * as core from '@actions/core'
 import * as io from '@actions/io'
 import * as k8s from '@kubernetes/client-node'
-import { ContextPorts, prepareJobArgs, writeToResponseFile } from 'hooklib'
+import {
+  JobContainerInfo,
+  ContextPorts,
+  PrepareJobArgs,
+  writeToResponseFile
+} from 'hooklib'
 import path from 'path'
 import {
   containerPorts,
@@ -14,12 +19,15 @@ import {
   containerVolumes,
   DEFAULT_CONTAINER_ENTRY_POINT,
   DEFAULT_CONTAINER_ENTRY_POINT_ARGS,
+  generateContainerName,
+  mergeContainerWithOptions,
+  readExtensionFromFile,
   PodPhase
 } from '../k8s/utils'
-import { JOB_CONTAINER_NAME } from './constants'
+import { JOB_CONTAINER_EXTENSION_NAME, JOB_CONTAINER_NAME } from './constants'
 
 export async function prepareJob(
-  args: prepareJobArgs,
+  args: PrepareJobArgs,
   responseFile
 ): Promise<void> {
   if (!args.container) {
@@ -27,29 +35,49 @@ export async function prepareJob(
   }
 
   await prunePods()
+
+  const extension = readExtensionFromFile()
   await copyExternalsToRoot()
+
   let container: k8s.V1Container | undefined = undefined
   if (args.container?.image) {
     core.debug(`Using image '${args.container.image}' for job image`)
-    container = createPodSpec(args.container, JOB_CONTAINER_NAME, true)
+    container = createContainerSpec(
+      args.container,
+      JOB_CONTAINER_NAME,
+      true,
+      extension
+    )
   }
 
   let services: k8s.V1Container[] = []
   if (args.services?.length) {
     services = args.services.map(service => {
       core.debug(`Adding service '${service.image}' to pod definition`)
-      return createPodSpec(service, service.image.split(':')[0])
+      return createContainerSpec(
+        service,
+        generateContainerName(service.image),
+        false,
+        undefined
+      )
     })
   }
+
   if (!container && !services?.length) {
     throw new Error('No containers exist, skipping hook invocation')
   }
+
   let createdPod: k8s.V1Pod | undefined = undefined
   try {
-    createdPod = await createPod(container, services, args.registry)
+    createdPod = await createPod(
+      container,
+      services,
+      args.container.registry,
+      extension
+    )
   } catch (err) {
     await prunePods()
-    throw new Error(`failed to create job pod: ${JSON.stringify(err)}`)
+    throw new Error(`failed to create job pod: ${err}`)
   }
 
   if (!createdPod?.metadata?.name) {
@@ -124,13 +152,11 @@ function generateResponseFile(
   )
   if (serviceContainers?.length) {
     response.context['services'] = serviceContainers.map(c => {
-      if (!c.ports) {
-        return
-      }
-
       const ctxPorts: ContextPorts = {}
-      for (const port of c.ports) {
-        ctxPorts[port.containerPort] = port.hostPort
+      if (c.ports?.length) {
+        for (const port of c.ports) {
+          ctxPorts[port.containerPort] = port.hostPort
+        }
       }
 
       return {
@@ -153,12 +179,13 @@ async function copyExternalsToRoot(): Promise<void> {
   }
 }
 
-function createPodSpec(
-  container,
+export function createContainerSpec(
+  container: JobContainerInfo,
   name: string,
-  jobContainer = false
+  jobContainer = false,
+  extension?: k8s.V1PodTemplateSpec
 ): k8s.V1Container {
-  if (!container.entryPoint) {
+  if (!container.entryPoint && jobContainer) {
     container.entryPoint = DEFAULT_CONTAINER_ENTRY_POINT
     container.entryPointArgs = DEFAULT_CONTAINER_ENTRY_POINT_ARGS
   }
@@ -166,14 +193,20 @@ function createPodSpec(
   const podContainer = {
     name,
     image: container.image,
-    command: [container.entryPoint],
-    args: container.entryPointArgs,
     ports: containerPorts(container)
   } as k8s.V1Container
   if (container.workingDirectory) {
     podContainer.workingDir = container.workingDirectory
   }
 
+  if (container.entryPoint) {
+    podContainer.command = [container.entryPoint]
+  }
+
+  if (container.entryPointArgs?.length > 0) {
+    podContainer.args = container.entryPointArgs
+  }
+
   podContainer.env = []
   for (const [key, value] of Object.entries(
     container['environmentVariables']
@@ -188,5 +221,17 @@ function createPodSpec(
     jobContainer
   )
 
+  if (!extension) {
+    return podContainer
+  }
+
+  const from = extension.spec?.containers?.find(
+    c => c.name === JOB_CONTAINER_EXTENSION_NAME
+  )
+
+  if (from) {
+    mergeContainerWithOptions(podContainer, from)
+  }
+
   return podContainer
 }

packages/k8s/src/hooks/run-container-step.ts

@@ -12,12 +12,11 @@ import {
 } from '../k8s'
 import {
   containerVolumes,
-  DEFAULT_CONTAINER_ENTRY_POINT,
-  DEFAULT_CONTAINER_ENTRY_POINT_ARGS,
   PodPhase,
-  writeEntryPointScript
+  mergeContainerWithOptions,
+  readExtensionFromFile
 } from '../k8s/utils'
-import { JOB_CONTAINER_NAME } from './constants'
+import { JOB_CONTAINER_EXTENSION_NAME, JOB_CONTAINER_NAME } from './constants'
 
 export async function runContainerStep(
   stepContainer: RunContainerStepArgs
@@ -31,10 +30,12 @@ export async function runContainerStep(
     secretName = await createSecretForEnvs(stepContainer.environmentVariables)
   }
 
-  core.debug(`Created secret ${secretName} for container job envs`)
-  const container = createPodSpec(stepContainer, secretName)
+  const extension = readExtensionFromFile()
 
-  const job = await createJob(container)
+  core.debug(`Created secret ${secretName} for container job envs`)
+  const container = createContainerSpec(stepContainer, secretName, extension)
+
+  const job = await createJob(container, extension)
   if (!job.metadata?.name) {
     throw new Error(
       `Expected job ${JSON.stringify(
@@ -75,24 +76,21 @@ export async function runContainerStep(
   return Number(exitCode) || 1
 }
 
-function createPodSpec(
+function createContainerSpec(
   container: RunContainerStepArgs,
-  secretName?: string
+  secretName?: string,
+  extension?: k8s.V1PodTemplateSpec
 ): k8s.V1Container {
   const podContainer = new k8s.V1Container()
   podContainer.name = JOB_CONTAINER_NAME
   podContainer.image = container.image
-
-  const { entryPoint, entryPointArgs } = container
-  container.entryPoint = 'sh'
-
-  const { containerPath } = writeEntryPointScript(
-    container.workingDirectory,
-    entryPoint || DEFAULT_CONTAINER_ENTRY_POINT,
-    entryPoint ? entryPointArgs || [] : DEFAULT_CONTAINER_ENTRY_POINT_ARGS
-  )
-  container.entryPointArgs = ['-e', containerPath]
-  podContainer.command = [container.entryPoint, ...container.entryPointArgs]
+  podContainer.workingDir = container.workingDirectory
+  podContainer.command = container.entryPoint
+    ? [container.entryPoint]
+    : undefined
+  podContainer.args = container.entryPointArgs?.length
+    ? container.entryPointArgs
+    : undefined
 
   if (secretName) {
     podContainer.envFrom = [
@@ -106,5 +104,16 @@ function createPodSpec(
   }
   podContainer.volumeMounts = containerVolumes(undefined, false, true)
 
+  if (!extension) {
+    return podContainer
+  }
+
+  const from = extension.spec?.containers?.find(
+    c => c.name === JOB_CONTAINER_EXTENSION_NAME
+  )
+  if (from) {
+    mergeContainerWithOptions(podContainer, from)
+  }
+
   return podContainer
 }

packages/k8s/src/hooks/run-script-step.ts

@@ -28,7 +28,7 @@ export async function runScriptStep(
       JOB_CONTAINER_NAME
     )
   } catch (err) {
-    throw new Error(`failed to run script step: ${JSON.stringify(err)}`)
+    throw new Error(`failed to run script step: ${err}`)
   } finally {
     fs.rmSync(runnerPath)
   }

packages/k8s/src/index.ts

@@ -9,44 +9,42 @@ import {
 import { isAuthPermissionsOK, namespace, requiredPermissions } from './k8s'
 
 async function run(): Promise<void> {
-  const input = await getInputFromStdin()
-
-  const args = input['args']
-  const command = input['command']
-  const responseFile = input['responseFile']
-  const state = input['state']
-
-  let exitCode = 0
   try {
+    const input = await getInputFromStdin()
+
+    const args = input['args']
+    const command = input['command']
+    const responseFile = input['responseFile']
+    const state = input['state']
     if (!(await isAuthPermissionsOK())) {
       throw new Error(
         `The Service account needs the following permissions ${JSON.stringify(
           requiredPermissions
-        )} on the pod resource in the '${namespace}' namespace. Please contact your self hosted runner administrator.`
+        )} on the pod resource in the '${namespace()}' namespace. Please contact your self hosted runner administrator.`
       )
     }
+
+    let exitCode = 0
     switch (command) {
       case Command.PrepareJob:
         await prepareJob(args as prepareJobArgs, responseFile)
-        break
+        return process.exit(0)
       case Command.CleanupJob:
         await cleanupJob()
-        break
+        return process.exit(0)
       case Command.RunScriptStep:
         await runScriptStep(args, state, null)
-        break
+        return process.exit(0)
       case Command.RunContainerStep:
         exitCode = await runContainerStep(args)
-        break
-      case Command.runContainerStep:
+        return process.exit(exitCode)
       default:
         throw new Error(`Command not recognized: ${command}`)
     }
   } catch (error) {
     core.error(error as Error)
-    exitCode = 1
+    process.exit(1)
   }
-  process.exitCode = exitCode
 }
 
 void run()

packages/k8s/src/k8s/index.ts

@@ -1,3 +1,4 @@
+import * as core from '@actions/core'
 import * as k8s from '@kubernetes/client-node'
 import { ContainerInfo, Registry } from 'hooklib'
 import * as stream from 'stream'
@@ -9,7 +10,7 @@ import {
   getVolumeClaimName,
   RunnerInstanceLabel
 } from '../hooks/constants'
-import { PodPhase } from './utils'
+import { PodPhase, mergePodSpecWithOptions, mergeObjectMeta } from './utils'
 
 const kc = new k8s.KubeConfig()
 
@@ -57,7 +58,8 @@ export const requiredPermissions = [
 export async function createPod(
   jobContainer?: k8s.V1Container,
   services?: k8s.V1Container[],
-  registry?: Registry
+  registry?: Registry,
+  extension?: k8s.V1PodTemplateSpec
 ): Promise<k8s.V1Pod> {
   const containers: k8s.V1Container[] = []
   if (jobContainer) {
@@ -79,6 +81,7 @@ export async function createPod(
   appPod.metadata.labels = {
     [instanceLabel.key]: instanceLabel.value
   }
+  appPod.metadata.annotations = {}
 
   appPod.spec = new k8s.V1PodSpec()
   appPod.spec.containers = containers
@@ -102,20 +105,31 @@ export async function createPod(
     appPod.spec.imagePullSecrets = [secretReference]
   }
 
+  if (extension?.metadata) {
+    mergeObjectMeta(appPod, extension.metadata)
+  }
+
+  if (extension?.spec) {
+    mergePodSpecWithOptions(appPod.spec, extension.spec)
+  }
+
   const { body } = await k8sApi.createNamespacedPod(namespace(), appPod)
   return body
 }
 
 export async function createJob(
-  container: k8s.V1Container
+  container: k8s.V1Container,
+  extension?: k8s.V1PodTemplateSpec
 ): Promise<k8s.V1Job> {
-  const job = new k8s.V1Job()
+  const runnerInstanceLabel = new RunnerInstanceLabel()
 
+  const job = new k8s.V1Job()
   job.apiVersion = 'batch/v1'
   job.kind = 'Job'
   job.metadata = new k8s.V1ObjectMeta()
   job.metadata.name = getStepPodName()
-  job.metadata.labels = { 'runner-pod': getRunnerPodName() }
+  job.metadata.labels = { [runnerInstanceLabel.key]: runnerInstanceLabel.value }
+  job.metadata.annotations = {}
 
   job.spec = new k8s.V1JobSpec()
   job.spec.ttlSecondsAfterFinished = 300
@@ -123,11 +137,14 @@ export async function createJob(
   job.spec.template = new k8s.V1PodTemplateSpec()
 
   job.spec.template.spec = new k8s.V1PodSpec()
+  job.spec.template.metadata = new k8s.V1ObjectMeta()
+  job.spec.template.metadata.labels = {}
+  job.spec.template.metadata.annotations = {}
   job.spec.template.spec.containers = [container]
   job.spec.template.spec.restartPolicy = 'Never'
   job.spec.template.spec.nodeName = await getCurrentNodeName()
 
-  const claimName = `${runnerName()}-work`
+  const claimName = getVolumeClaimName()
   job.spec.template.spec.volumes = [
     {
       name: 'work',
@@ -135,6 +152,17 @@ export async function createJob(
     }
   ]
 
+  if (extension) {
+    if (extension.metadata) {
+      // apply metadata both to the job and the pod created by the job
+      mergeObjectMeta(job, extension.metadata)
+      mergeObjectMeta(job.spec.template, extension.metadata)
+    }
+    if (extension.spec) {
+      mergePodSpecWithOptions(job.spec.template.spec, extension.spec)
+    }
+  }
+
   const { body } = await k8sBatchV1Api.createNamespacedJob(namespace(), job)
   return body
 }
@@ -185,33 +213,30 @@ export async function execPodStep(
 ): Promise<void> {
   const exec = new k8s.Exec(kc)
   await new Promise(async function (resolve, reject) {
-    try {
-      await exec.exec(
-        namespace(),
-        podName,
-        containerName,
-        command,
-        process.stdout,
-        process.stderr,
-        stdin ?? null,
-        false /* tty */,
-        resp => {
-          // kube.exec returns an error if exit code is not 0, but we can't actually get the exit code
-          if (resp.status === 'Success') {
-            resolve(resp.code)
-          } else {
-            reject(
-              JSON.stringify({
-                message: resp?.message,
-                details: resp?.details
-              })
-            )
-          }
+    await exec.exec(
+      namespace(),
+      podName,
+      containerName,
+      command,
+      process.stdout,
+      process.stderr,
+      stdin ?? null,
+      false /* tty */,
+      resp => {
+        // kube.exec returns an error if exit code is not 0, but we can't actually get the exit code
+        if (resp.status === 'Success') {
+          resolve(resp.code)
+        } else {
+          core.debug(
+            JSON.stringify({
+              message: resp?.message,
+              details: resp?.details
+            })
+          )
+          reject(resp?.message)
         }
-      )
-    } catch (error) {
-      reject(JSON.stringify(error))
-    }
+      }
+    )
   })
 }
 
@@ -234,29 +259,34 @@ export async function createDockerSecret(
 ): Promise<k8s.V1Secret> {
   const authContent = {
     auths: {
-      [registry.serverUrl]: {
+      [registry.serverUrl || 'https://index.docker.io/v1/']: {
         username: registry.username,
         password: registry.password,
-        auth: Buffer.from(
-          `${registry.username}:${registry.password}`,
+        auth: Buffer.from(`${registry.username}:${registry.password}`).toString(
           'base64'
-        ).toString()
+        )
       }
     }
   }
+
+  const runnerInstanceLabel = new RunnerInstanceLabel()
+
   const secretName = getSecretName()
   const secret = new k8s.V1Secret()
   secret.immutable = true
   secret.apiVersion = 'v1'
   secret.metadata = new k8s.V1ObjectMeta()
   secret.metadata.name = secretName
-  secret.metadata.labels = { 'runner-pod': getRunnerPodName() }
+  secret.metadata.namespace = namespace()
+  secret.metadata.labels = {
+    [runnerInstanceLabel.key]: runnerInstanceLabel.value
+  }
+  secret.type = 'kubernetes.io/dockerconfigjson'
   secret.kind = 'Secret'
   secret.data = {
-    '.dockerconfigjson': Buffer.from(
-      JSON.stringify(authContent),
+    '.dockerconfigjson': Buffer.from(JSON.stringify(authContent)).toString(
       'base64'
-    ).toString()
+    )
   }
 
   const { body } = await k8sApi.createNamespacedSecret(namespace(), secret)
@@ -266,13 +296,18 @@ export async function createDockerSecret(
 export async function createSecretForEnvs(envs: {
   [key: string]: string
 }): Promise<string> {
+  const runnerInstanceLabel = new RunnerInstanceLabel()
+
   const secret = new k8s.V1Secret()
   const secretName = getSecretName()
   secret.immutable = true
   secret.apiVersion = 'v1'
   secret.metadata = new k8s.V1ObjectMeta()
   secret.metadata.name = secretName
-  secret.metadata.labels = { 'runner-pod': getRunnerPodName() }
+
+  secret.metadata.labels = {
+    [runnerInstanceLabel.key]: runnerInstanceLabel.value
+  }
   secret.kind = 'Secret'
   secret.data = {}
   for (const [key, value] of Object.entries(envs)) {
@@ -372,7 +407,7 @@ export async function getPodLogs(
   })
 
   logStream.on('error', err => {
-    process.stderr.write(JSON.stringify(err))
+    process.stderr.write(err.message)
   })
 
   const r = await log.log(namespace(), podName, containerName, logStream, {
@@ -464,6 +499,7 @@ async function getCurrentNodeName(): Promise<string> {
   }
   return nodeName
 }
+
 export function namespace(): string {
   if (process.env['ACTIONS_RUNNER_KUBERNETES_NAMESPACE']) {
     return process.env['ACTIONS_RUNNER_KUBERNETES_NAMESPACE']
@@ -478,16 +514,6 @@ export function namespace(): string {
   return context.namespace
 }
 
-function runnerName(): string {
-  const name = process.env.ACTIONS_RUNNER_POD_NAME
-  if (!name) {
-    throw new Error(
-      'Failed to determine runner name. "ACTIONS_RUNNER_POD_NAME" env variables should be set.'
-    )
-  }
-  return name
-}
-
 class BackOffManager {
   private backOffSeconds = 1
   totalTime = 0
@@ -517,28 +543,46 @@ class BackOffManager {
 export function containerPorts(
   container: ContainerInfo
 ): k8s.V1ContainerPort[] {
-  // 8080:8080/tcp
-  const portFormat = /(\d{1,5})(:(\d{1,5}))?(\/(tcp|udp))?/
-
   const ports: k8s.V1ContainerPort[] = []
+  if (!container.portMappings?.length) {
+    return ports
+  }
   for (const portDefinition of container.portMappings) {
-    const submatches = portFormat.exec(portDefinition)
-    if (!submatches) {
-      throw new Error(
-        `Port definition "${portDefinition}" is in incorrect format`
-      )
+    const portProtoSplit = portDefinition.split('/')
+    if (portProtoSplit.length > 2) {
+      throw new Error(`Unexpected port format: ${portDefinition}`)
     }
+
     const port = new k8s.V1ContainerPort()
-    port.hostPort = Number(submatches[1])
-    if (submatches[3]) {
-      port.containerPort = Number(submatches[3])
+    port.protocol =
+      portProtoSplit.length === 2 ? portProtoSplit[1].toUpperCase() : 'TCP'
+
+    const portSplit = portProtoSplit[0].split(':')
+    if (portSplit.length > 2) {
+      throw new Error('ports should have at most one ":" separator')
     }
-    if (submatches[5]) {
-      port.protocol = submatches[5].toUpperCase()
+
+    const parsePort = (p: string): number => {
+      const num = Number(p)
+      if (!Number.isInteger(num) || num < 1 || num > 65535) {
+        throw new Error(`invalid container port: ${p}`)
+      }
+      return num
+    }
+
+    if (portSplit.length === 1) {
+      port.containerPort = parsePort(portSplit[0])
     } else {
-      port.protocol = 'TCP'
+      port.hostPort = parsePort(portSplit[0])
+      port.containerPort = parsePort(portSplit[1])
     }
+
     ports.push(port)
   }
   return ports
 }
+
+export async function getPodByName(name): Promise<k8s.V1Pod> {
+  const { body } = await k8sApi.readNamespacedPod(name, namespace())
+  return body
+}

packages/k8s/src/k8s/utils.ts

@@ -1,5 +1,7 @@
 import * as k8s from '@kubernetes/client-node'
 import * as fs from 'fs'
+import * as yaml from 'js-yaml'
+import * as core from '@actions/core'
 import { Mount } from 'hooklib'
 import * as path from 'path'
 import { v1 as uuidv4 } from 'uuid'
@@ -8,6 +10,8 @@ import { POD_VOLUME_NAME } from './index'
 export const DEFAULT_CONTAINER_ENTRY_POINT_ARGS = [`-f`, `/dev/null`]
 export const DEFAULT_CONTAINER_ENTRY_POINT = 'tail'
 
+export const ENV_HOOK_TEMPLATE_PATH = 'ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE'
+
 export function containerVolumes(
   userMountVolumes: Mount[] = [],
   jobContainer = true,
@@ -20,18 +24,20 @@ export function containerVolumes(
     }
   ]
 
+  const workspacePath = process.env.GITHUB_WORKSPACE as string
   if (containerAction) {
-    const workspace = process.env.GITHUB_WORKSPACE as string
+    const i = workspacePath.lastIndexOf('_work/')
+    const workspaceRelativePath = workspacePath.slice(i + '_work/'.length)
     mounts.push(
       {
         name: POD_VOLUME_NAME,
         mountPath: '/github/workspace',
-        subPath: workspace.substring(workspace.indexOf('work/') + 1)
+        subPath: workspaceRelativePath
       },
       {
         name: POD_VOLUME_NAME,
         mountPath: '/github/file_commands',
-        subPath: workspace.substring(workspace.indexOf('work/') + 1)
+        subPath: '_temp/_runner_file_commands'
       }
     )
     return mounts
@@ -63,7 +69,6 @@ export function containerVolumes(
     return mounts
   }
 
-  const workspacePath = process.env.GITHUB_WORKSPACE as string
   for (const userVolume of userMountVolumes) {
     let sourceVolumePath = ''
     if (path.isAbsolute(userVolume.sourceVolumePath)) {
@@ -110,11 +115,22 @@ export function writeEntryPointScript(
   if (environmentVariables && Object.entries(environmentVariables).length) {
     const envBuffer: string[] = []
     for (const [key, value] of Object.entries(environmentVariables)) {
+      if (
+        key.includes(`=`) ||
+        key.includes(`'`) ||
+        key.includes(`"`) ||
+        key.includes(`$`)
+      ) {
+        throw new Error(
+          `environment key ${key} is invalid - the key must not contain =, $, ', or "`
+        )
+      }
       envBuffer.push(
         `"${key}=${value
           .replace(/\\/g, '\\\\')
           .replace(/"/g, '\\"')
-          .replace(/=/g, '\\=')}"`
+          .replace(/\$/g, '\\$')
+          .replace(/`/g, '\\`')}"`
       )
     }
     environmentPrefix = `env ${envBuffer.join(' ')} `
@@ -136,6 +152,111 @@ exec ${environmentPrefix} ${entryPoint} ${
   }
 }
 
+export function generateContainerName(image: string): string {
+  const nameWithTag = image.split('/').pop()
+  const name = nameWithTag?.split(':').at(0)
+
+  if (!name) {
+    throw new Error(`Image definition '${image}' is invalid`)
+  }
+
+  return name
+}
+
+// Overwrite or append based on container options
+//
+// Keep in mind, envs and volumes could be passed as fields in container definition
+// so default volume mounts and envs are appended first, and then create options are used
+// to append more values
+//
+// Rest of the fields are just applied
+// For example, container.createOptions.container.image is going to overwrite container.image field
+export function mergeContainerWithOptions(
+  base: k8s.V1Container,
+  from: k8s.V1Container
+): void {
+  for (const [key, value] of Object.entries(from)) {
+    if (key === 'name') {
+      core.warning("Skipping name override: name can't be overwritten")
+      continue
+    } else if (key === 'image') {
+      core.warning("Skipping image override: image can't be overwritten")
+      continue
+    } else if (key === 'env') {
+      const envs = value as k8s.V1EnvVar[]
+      base.env = mergeLists(base.env, envs)
+    } else if (key === 'volumeMounts' && value) {
+      const volumeMounts = value as k8s.V1VolumeMount[]
+      base.volumeMounts = mergeLists(base.volumeMounts, volumeMounts)
+    } else if (key === 'ports' && value) {
+      const ports = value as k8s.V1ContainerPort[]
+      base.ports = mergeLists(base.ports, ports)
+    } else {
+      base[key] = value
+    }
+  }
+}
+
+export function mergePodSpecWithOptions(
+  base: k8s.V1PodSpec,
+  from: k8s.V1PodSpec
+): void {
+  for (const [key, value] of Object.entries(from)) {
+    if (key === 'containers') {
+      base.containers.push(
+        ...from.containers.filter(e => !e.name?.startsWith('$'))
+      )
+    } else if (key === 'volumes' && value) {
+      const volumes = value as k8s.V1Volume[]
+      base.volumes = mergeLists(base.volumes, volumes)
+    } else {
+      base[key] = value
+    }
+  }
+}
+
+export function mergeObjectMeta(
+  base: { metadata?: k8s.V1ObjectMeta },
+  from: k8s.V1ObjectMeta
+): void {
+  if (!base.metadata?.labels || !base.metadata?.annotations) {
+    throw new Error(
+      "Can't merge metadata: base.metadata or base.annotations field is undefined"
+    )
+  }
+  if (from?.labels) {
+    for (const [key, value] of Object.entries(from.labels)) {
+      if (base.metadata?.labels?.[key]) {
+        core.warning(`Label ${key} is already defined and will be overwritten`)
+      }
+      base.metadata.labels[key] = value
+    }
+  }
+
+  if (from?.annotations) {
+    for (const [key, value] of Object.entries(from.annotations)) {
+      if (base.metadata?.annotations?.[key]) {
+        core.warning(
+          `Annotation ${key} is already defined and will be overwritten`
+        )
+      }
+      base.metadata.annotations[key] = value
+    }
+  }
+}
+
+export function readExtensionFromFile(): k8s.V1PodTemplateSpec | undefined {
+  const filePath = process.env[ENV_HOOK_TEMPLATE_PATH]
+  if (!filePath) {
+    return undefined
+  }
+  const doc = yaml.load(fs.readFileSync(filePath, 'utf8'))
+  if (!doc || typeof doc !== 'object') {
+    throw new Error(`Failed to parse ${filePath}`)
+  }
+  return doc as k8s.V1PodTemplateSpec
+}
+
 export enum PodPhase {
   PENDING = 'Pending',
   RUNNING = 'Running',
@@ -144,3 +265,12 @@ export enum PodPhase {
   UNKNOWN = 'Unknown',
   COMPLETED = 'Completed'
 }
+
+function mergeLists<T>(base?: T[], from?: T[]): T[] {
+  const b: T[] = base || []
+  if (!from?.length) {
+    return b
+  }
+  b.push(...from)
+  return b
+}

packages/k8s/tests/cleanup-job-test.ts

@@ -1,4 +1,7 @@
+import * as k8s from '@kubernetes/client-node'
 import { cleanupJob, prepareJob } from '../src/hooks'
+import { RunnerInstanceLabel } from '../src/hooks/constants'
+import { namespace } from '../src/k8s'
 import { TestHelper } from './test-setup'
 
 let testHelper: TestHelper
@@ -13,10 +16,50 @@ describe('Cleanup Job', () => {
     )
     await prepareJob(prepareJobData.args, prepareJobOutputFilePath)
   })
-  it('should not throw', async () => {
-    await expect(cleanupJob()).resolves.not.toThrow()
-  })
+
   afterEach(async () => {
     await testHelper.cleanup()
   })
+
+  it('should not throw', async () => {
+    await expect(cleanupJob()).resolves.not.toThrow()
+  })
+
+  it('should have no runner linked pods running', async () => {
+    await cleanupJob()
+    const kc = new k8s.KubeConfig()
+
+    kc.loadFromDefault()
+    const k8sApi = kc.makeApiClient(k8s.CoreV1Api)
+
+    const podList = await k8sApi.listNamespacedPod(
+      namespace(),
+      undefined,
+      undefined,
+      undefined,
+      undefined,
+      new RunnerInstanceLabel().toString()
+    )
+
+    expect(podList.body.items.length).toBe(0)
+  })
+
+  it('should have no runner linked secrets', async () => {
+    await cleanupJob()
+    const kc = new k8s.KubeConfig()
+
+    kc.loadFromDefault()
+    const k8sApi = kc.makeApiClient(k8s.CoreV1Api)
+
+    const secretList = await k8sApi.listNamespacedSecret(
+      namespace(),
+      undefined,
+      undefined,
+      undefined,
+      undefined,
+      new RunnerInstanceLabel().toString()
+    )
+
+    expect(secretList.body.items.length).toBe(0)
+  })
 })

packages/k8s/tests/constants-test.ts

@@ -0,0 +1,182 @@
+import {
+  getJobPodName,
+  getRunnerPodName,
+  getSecretName,
+  getStepPodName,
+  getVolumeClaimName,
+  JOB_CONTAINER_NAME,
+  MAX_POD_NAME_LENGTH,
+  RunnerInstanceLabel,
+  STEP_POD_NAME_SUFFIX_LENGTH
+} from '../src/hooks/constants'
+
+describe('constants', () => {
+  describe('runner instance label', () => {
+    beforeEach(() => {
+      process.env.ACTIONS_RUNNER_POD_NAME = 'example'
+    })
+    it('should throw if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => new RunnerInstanceLabel()).toThrow()
+    })
+
+    it('should have key truthy', () => {
+      const runnerInstanceLabel = new RunnerInstanceLabel()
+      expect(typeof runnerInstanceLabel.key).toBe('string')
+      expect(runnerInstanceLabel.key).toBeTruthy()
+      expect(runnerInstanceLabel.key.length).toBeGreaterThan(0)
+    })
+
+    it('should have value as runner pod name', () => {
+      const name = process.env.ACTIONS_RUNNER_POD_NAME as string
+      const runnerInstanceLabel = new RunnerInstanceLabel()
+      expect(typeof runnerInstanceLabel.value).toBe('string')
+      expect(runnerInstanceLabel.value).toBe(name)
+    })
+
+    it('should have toString combination of key and value', () => {
+      const runnerInstanceLabel = new RunnerInstanceLabel()
+      expect(runnerInstanceLabel.toString()).toBe(
+        `${runnerInstanceLabel.key}=${runnerInstanceLabel.value}`
+      )
+    })
+  })
+
+  describe('getRunnerPodName', () => {
+    it('should throw if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => getRunnerPodName()).toThrow()
+
+      process.env.ACTIONS_RUNNER_POD_NAME = ''
+      expect(() => getRunnerPodName()).toThrow()
+    })
+
+    it('should return corrent ACTIONS_RUNNER_POD_NAME name', () => {
+      const name = 'example'
+      process.env.ACTIONS_RUNNER_POD_NAME = name
+      expect(getRunnerPodName()).toBe(name)
+    })
+  })
+
+  describe('getJobPodName', () => {
+    it('should throw on getJobPodName if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => getJobPodName()).toThrow()
+
+      process.env.ACTIONS_RUNNER_POD_NAME = ''
+      expect(() => getRunnerPodName()).toThrow()
+    })
+
+    it('should contain suffix -workflow', () => {
+      const tableTests = [
+        {
+          podName: 'test',
+          expect: 'test-workflow'
+        },
+        {
+          // podName.length == 63
+          podName:
+            'abcdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
+          expect:
+            'abcdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-workflow'
+        }
+      ]
+
+      for (const tt of tableTests) {
+        process.env.ACTIONS_RUNNER_POD_NAME = tt.podName
+        const actual = getJobPodName()
+        expect(actual).toBe(tt.expect)
+      }
+    })
+  })
+
+  describe('getVolumeClaimName', () => {
+    it('should throw if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_CLAIM_NAME
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => getVolumeClaimName()).toThrow()
+
+      process.env.ACTIONS_RUNNER_POD_NAME = ''
+      expect(() => getVolumeClaimName()).toThrow()
+    })
+
+    it('should return ACTIONS_RUNNER_CLAIM_NAME env if set', () => {
+      const claimName = 'testclaim'
+      process.env.ACTIONS_RUNNER_CLAIM_NAME = claimName
+      process.env.ACTIONS_RUNNER_POD_NAME = 'example'
+      expect(getVolumeClaimName()).toBe(claimName)
+    })
+
+    it('should contain suffix -work if ACTIONS_RUNNER_CLAIM_NAME is not set', () => {
+      delete process.env.ACTIONS_RUNNER_CLAIM_NAME
+      process.env.ACTIONS_RUNNER_POD_NAME = 'example'
+      expect(getVolumeClaimName()).toBe('example-work')
+    })
+  })
+
+  describe('getSecretName', () => {
+    it('should throw if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => getSecretName()).toThrow()
+
+      process.env.ACTIONS_RUNNER_POD_NAME = ''
+      expect(() => getSecretName()).toThrow()
+    })
+
+    it('should contain suffix -secret- and name trimmed', () => {
+      const podNames = [
+        'test',
+        'abcdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+      ]
+
+      for (const podName of podNames) {
+        process.env.ACTIONS_RUNNER_POD_NAME = podName
+        const actual = getSecretName()
+        const re = new RegExp(
+          `${podName.substring(
+            MAX_POD_NAME_LENGTH -
+              '-secret-'.length -
+              STEP_POD_NAME_SUFFIX_LENGTH
+          )}-secret-[a-z0-9]{8,}`
+        )
+        expect(actual).toMatch(re)
+      }
+    })
+  })
+
+  describe('getStepPodName', () => {
+    it('should throw if ACTIONS_RUNNER_POD_NAME env is not set', () => {
+      delete process.env.ACTIONS_RUNNER_POD_NAME
+      expect(() => getStepPodName()).toThrow()
+
+      process.env.ACTIONS_RUNNER_POD_NAME = ''
+      expect(() => getStepPodName()).toThrow()
+    })
+
+    it('should contain suffix -step- and name trimmed', () => {
+      const podNames = [
+        'test',
+        'abcdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+      ]
+
+      for (const podName of podNames) {
+        process.env.ACTIONS_RUNNER_POD_NAME = podName
+        const actual = getStepPodName()
+        const re = new RegExp(
+          `${podName.substring(
+            MAX_POD_NAME_LENGTH - '-step-'.length - STEP_POD_NAME_SUFFIX_LENGTH
+          )}-step-[a-z0-9]{8,}`
+        )
+        expect(actual).toMatch(re)
+      }
+    })
+  })
+
+  describe('const values', () => {
+    it('should have constants set', () => {
+      expect(JOB_CONTAINER_NAME).toBeTruthy()
+      expect(MAX_POD_NAME_LENGTH).toBeGreaterThan(0)
+      expect(STEP_POD_NAME_SUFFIX_LENGTH).toBeGreaterThan(0)
+    })
+  })
+})

packages/k8s/tests/k8s-utils-test.ts

@@ -0,0 +1,515 @@
+import * as fs from 'fs'
+import { containerPorts, POD_VOLUME_NAME } from '../src/k8s'
+import {
+  containerVolumes,
+  generateContainerName,
+  writeEntryPointScript,
+  mergePodSpecWithOptions,
+  mergeContainerWithOptions,
+  readExtensionFromFile,
+  ENV_HOOK_TEMPLATE_PATH
+} from '../src/k8s/utils'
+import * as k8s from '@kubernetes/client-node'
+import { TestHelper } from './test-setup'
+
+let testHelper: TestHelper
+
+describe('k8s utils', () => {
+  describe('write entrypoint', () => {
+    beforeEach(async () => {
+      testHelper = new TestHelper()
+      await testHelper.initialize()
+    })
+
+    afterEach(async () => {
+      await testHelper.cleanup()
+    })
+
+    it('should not throw', () => {
+      expect(() =>
+        writeEntryPointScript(
+          '/test',
+          'sh',
+          ['-e', 'script.sh'],
+          ['/prepend/path'],
+          {
+            SOME_ENV: 'SOME_VALUE'
+          }
+        )
+      ).not.toThrow()
+    })
+
+    it('should throw if RUNNER_TEMP is not set', () => {
+      delete process.env.RUNNER_TEMP
+      expect(() =>
+        writeEntryPointScript(
+          '/test',
+          'sh',
+          ['-e', 'script.sh'],
+          ['/prepend/path'],
+          {
+            SOME_ENV: 'SOME_VALUE'
+          }
+        )
+      ).toThrow()
+    })
+
+    it('should throw if environment variable name contains double quote', () => {
+      expect(() =>
+        writeEntryPointScript(
+          '/test',
+          'sh',
+          ['-e', 'script.sh'],
+          ['/prepend/path'],
+          {
+            'SOME"_ENV': 'SOME_VALUE'
+          }
+        )
+      ).toThrow()
+    })
+
+    it('should throw if environment variable name contains =', () => {
+      expect(() =>
+        writeEntryPointScript(
+          '/test',
+          'sh',
+          ['-e', 'script.sh'],
+          ['/prepend/path'],
+          {
+            'SOME=ENV': 'SOME_VALUE'
+          }
+        )
+      ).toThrow()
+    })
+
+    it('should throw if environment variable name contains single quote', () => {
+      expect(() =>
+        writeEntryPointScript(
+          '/test',
+          'sh',
+          ['-e', 'script.sh'],
+          ['/prepend/path'],
+          {
+            "SOME'_ENV": 'SOME_VALUE'
+          }
+        )
+      ).toThrow()
+    })
+
+    it('should throw if environment variable name contains dollar', () => {
+      expect(() =>
+        writeEntryPointScript(
+          '/test',
+          'sh',
+          ['-e', 'script.sh'],
+          ['/prepend/path'],
+          {
+            SOME_$_ENV: 'SOME_VALUE'
+          }
+        )
+      ).toThrow()
+    })
+
+    it('should escape double quote, dollar and backslash in environment variable values', () => {
+      const { runnerPath } = writeEntryPointScript(
+        '/test',
+        'sh',
+        ['-e', 'script.sh'],
+        ['/prepend/path'],
+        {
+          DQUOTE: '"',
+          BACK_SLASH: '\\',
+          DOLLAR: '$'
+        }
+      )
+      expect(fs.existsSync(runnerPath)).toBe(true)
+      const script = fs.readFileSync(runnerPath, 'utf8')
+      expect(script).toContain('"DQUOTE=\\"')
+      expect(script).toContain('"BACK_SLASH=\\\\"')
+      expect(script).toContain('"DOLLAR=\\$"')
+    })
+
+    it('should return object with containerPath and runnerPath', () => {
+      const { containerPath, runnerPath } = writeEntryPointScript(
+        '/test',
+        'sh',
+        ['-e', 'script.sh'],
+        ['/prepend/path'],
+        {
+          SOME_ENV: 'SOME_VALUE'
+        }
+      )
+      expect(containerPath).toMatch(/\/__w\/_temp\/.*\.sh/)
+      const re = new RegExp(`${process.env.RUNNER_TEMP}/.*\\.sh`)
+      expect(runnerPath).toMatch(re)
+    })
+
+    it('should write entrypoint path and the file should exist', () => {
+      const { runnerPath } = writeEntryPointScript(
+        '/test',
+        'sh',
+        ['-e', 'script.sh'],
+        ['/prepend/path'],
+        {
+          SOME_ENV: 'SOME_VALUE'
+        }
+      )
+      expect(fs.existsSync(runnerPath)).toBe(true)
+    })
+  })
+
+  describe('container volumes', () => {
+    beforeEach(async () => {
+      testHelper = new TestHelper()
+      await testHelper.initialize()
+    })
+
+    afterEach(async () => {
+      await testHelper.cleanup()
+    })
+
+    it('should throw if container action and GITHUB_WORKSPACE env is not set', () => {
+      delete process.env.GITHUB_WORKSPACE
+      expect(() => containerVolumes([], true, true)).toThrow()
+      expect(() => containerVolumes([], false, true)).toThrow()
+    })
+
+    it('should always have work mount', () => {
+      let volumes = containerVolumes([], true, true)
+      expect(volumes.find(e => e.mountPath === '/__w')).toBeTruthy()
+      volumes = containerVolumes([], true, false)
+      expect(volumes.find(e => e.mountPath === '/__w')).toBeTruthy()
+      volumes = containerVolumes([], false, true)
+      expect(volumes.find(e => e.mountPath === '/__w')).toBeTruthy()
+      volumes = containerVolumes([], false, false)
+      expect(volumes.find(e => e.mountPath === '/__w')).toBeTruthy()
+    })
+
+    it('should have container action volumes', () => {
+      let volumes = containerVolumes([], true, true)
+      let workspace = volumes.find(e => e.mountPath === '/github/workspace')
+      let fileCommands = volumes.find(
+        e => e.mountPath === '/github/file_commands'
+      )
+      expect(workspace).toBeTruthy()
+      expect(workspace?.subPath).toBe('repo/repo')
+      expect(fileCommands).toBeTruthy()
+      expect(fileCommands?.subPath).toBe('_temp/_runner_file_commands')
+
+      volumes = containerVolumes([], false, true)
+      workspace = volumes.find(e => e.mountPath === '/github/workspace')
+      fileCommands = volumes.find(e => e.mountPath === '/github/file_commands')
+      expect(workspace).toBeTruthy()
+      expect(workspace?.subPath).toBe('repo/repo')
+      expect(fileCommands).toBeTruthy()
+      expect(fileCommands?.subPath).toBe('_temp/_runner_file_commands')
+    })
+
+    it('should have externals, github home and github workflow mounts if job container', () => {
+      const volumes = containerVolumes()
+      expect(volumes.find(e => e.mountPath === '/__e')).toBeTruthy()
+      expect(volumes.find(e => e.mountPath === '/github/home')).toBeTruthy()
+      expect(volumes.find(e => e.mountPath === '/github/workflow')).toBeTruthy()
+    })
+
+    it('should throw if user volume source volume path is not in workspace', () => {
+      expect(() =>
+        containerVolumes(
+          [
+            {
+              sourceVolumePath: '/outside/of/workdir'
+            }
+          ],
+          true,
+          false
+        )
+      ).toThrow()
+    })
+
+    it(`all volumes should have name ${POD_VOLUME_NAME}`, () => {
+      let volumes = containerVolumes([], true, true)
+      expect(volumes.every(e => e.name === POD_VOLUME_NAME)).toBeTruthy()
+      volumes = containerVolumes([], true, false)
+      expect(volumes.every(e => e.name === POD_VOLUME_NAME)).toBeTruthy()
+      volumes = containerVolumes([], false, true)
+      expect(volumes.every(e => e.name === POD_VOLUME_NAME)).toBeTruthy()
+      volumes = containerVolumes([], false, false)
+      expect(volumes.every(e => e.name === POD_VOLUME_NAME)).toBeTruthy()
+    })
+
+    it('should parse container ports', () => {
+      const tt = [
+        {
+          spec: '8080:80',
+          want: {
+            containerPort: 80,
+            hostPort: 8080,
+            protocol: 'TCP'
+          }
+        },
+        {
+          spec: '8080:80/udp',
+          want: {
+            containerPort: 80,
+            hostPort: 8080,
+            protocol: 'UDP'
+          }
+        },
+        {
+          spec: '8080/udp',
+          want: {
+            containerPort: 8080,
+            hostPort: undefined,
+            protocol: 'UDP'
+          }
+        },
+        {
+          spec: '8080',
+          want: {
+            containerPort: 8080,
+            hostPort: undefined,
+            protocol: 'TCP'
+          }
+        }
+      ]
+
+      for (const tc of tt) {
+        const got = containerPorts({ portMappings: [tc.spec] })
+        for (const [key, value] of Object.entries(tc.want)) {
+          expect(got[0][key]).toBe(value)
+        }
+      }
+    })
+
+    it('should throw when ports are out of range (0, 65536)', () => {
+      expect(() => containerPorts({ portMappings: ['65536'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['0'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['65536/udp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['0/udp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['1:65536'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['65536:1'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['1:65536/tcp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['65536:1/tcp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['1:'] })).toThrow()
+      expect(() => containerPorts({ portMappings: [':1'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['1:/tcp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: [':1/tcp'] })).toThrow()
+    })
+
+    it('should throw on multi ":" splits', () => {
+      expect(() => containerPorts({ portMappings: ['1:1:1'] })).toThrow()
+    })
+
+    it('should throw on multi "/" splits', () => {
+      expect(() => containerPorts({ portMappings: ['1:1/tcp/udp'] })).toThrow()
+      expect(() => containerPorts({ portMappings: ['1/tcp/udp'] })).toThrow()
+    })
+  })
+
+  describe('generate container name', () => {
+    it('should return the container name from image string', () => {
+      expect(
+        generateContainerName('public.ecr.aws/localstack/localstack')
+      ).toEqual('localstack')
+      expect(
+        generateContainerName(
+          'public.ecr.aws/url/with/multiple/slashes/postgres:latest'
+        )
+      ).toEqual('postgres')
+      expect(generateContainerName('postgres')).toEqual('postgres')
+      expect(generateContainerName('postgres:latest')).toEqual('postgres')
+      expect(generateContainerName('localstack/localstack')).toEqual(
+        'localstack'
+      )
+      expect(generateContainerName('localstack/localstack:latest')).toEqual(
+        'localstack'
+      )
+    })
+
+    it('should throw on invalid image string', () => {
+      expect(() =>
+        generateContainerName('localstack/localstack/:latest')
+      ).toThrow()
+      expect(() => generateContainerName(':latest')).toThrow()
+    })
+  })
+
+  describe('read extension', () => {
+    beforeEach(async () => {
+      testHelper = new TestHelper()
+      await testHelper.initialize()
+    })
+
+    afterEach(async () => {
+      await testHelper.cleanup()
+    })
+
+    it('should throw if env variable is set but file does not exist', () => {
+      process.env[ENV_HOOK_TEMPLATE_PATH] =
+        '/path/that/does/not/exist/data.yaml'
+      expect(() => readExtensionFromFile()).toThrow()
+    })
+
+    it('should return undefined if env variable is not set', () => {
+      delete process.env[ENV_HOOK_TEMPLATE_PATH]
+      expect(readExtensionFromFile()).toBeUndefined()
+    })
+
+    it('should throw if file is empty', () => {
+      let filePath = testHelper.createFile('data.yaml')
+      process.env[ENV_HOOK_TEMPLATE_PATH] = filePath
+      expect(() => readExtensionFromFile()).toThrow()
+    })
+
+    it('should throw if file is not valid yaml', () => {
+      let filePath = testHelper.createFile('data.yaml')
+      fs.writeFileSync(filePath, 'invalid yaml')
+      process.env[ENV_HOOK_TEMPLATE_PATH] = filePath
+      expect(() => readExtensionFromFile()).toThrow()
+    })
+
+    it('should return object if file is valid', () => {
+      let filePath = testHelper.createFile('data.yaml')
+      fs.writeFileSync(
+        filePath,
+        `
+metadata:
+  labels:
+    label-name: label-value
+  annotations:
+    annotation-name: annotation-value
+spec:
+  containers:
+    - name: test
+      image: node:14.16
+    - name: job
+      image: ubuntu:latest`
+      )
+
+      process.env[ENV_HOOK_TEMPLATE_PATH] = filePath
+      const extension = readExtensionFromFile()
+      expect(extension).toBeDefined()
+    })
+  })
+
+  it('should merge container spec', () => {
+    const base = {
+      image: 'node:14.16',
+      name: 'test',
+      env: [
+        {
+          name: 'TEST',
+          value: 'TEST'
+        }
+      ],
+      ports: [
+        {
+          containerPort: 8080,
+          hostPort: 8080,
+          protocol: 'TCP'
+        }
+      ]
+    } as k8s.V1Container
+
+    const from = {
+      ports: [
+        {
+          containerPort: 9090,
+          hostPort: 9090,
+          protocol: 'TCP'
+        }
+      ],
+      env: [
+        {
+          name: 'TEST_TWO',
+          value: 'TEST_TWO'
+        }
+      ],
+      image: 'ubuntu:latest',
+      name: 'overwrite'
+    } as k8s.V1Container
+
+    const expectContainer = {
+      name: base.name,
+      image: base.image,
+      ports: [
+        ...(base.ports as k8s.V1ContainerPort[]),
+        ...(from.ports as k8s.V1ContainerPort[])
+      ],
+      env: [...(base.env as k8s.V1EnvVar[]), ...(from.env as k8s.V1EnvVar[])]
+    }
+
+    const expectJobContainer = JSON.parse(JSON.stringify(expectContainer))
+    expectJobContainer.name = base.name
+    mergeContainerWithOptions(base, from)
+    expect(base).toStrictEqual(expectContainer)
+  })
+
+  it('should merge pod spec', () => {
+    const base = {
+      containers: [
+        {
+          image: 'node:14.16',
+          name: 'test',
+          env: [
+            {
+              name: 'TEST',
+              value: 'TEST'
+            }
+          ],
+          ports: [
+            {
+              containerPort: 8080,
+              hostPort: 8080,
+              protocol: 'TCP'
+            }
+          ]
+        }
+      ],
+      restartPolicy: 'Never'
+    } as k8s.V1PodSpec
+
+    const from = {
+      securityContext: {
+        runAsUser: 1000,
+        fsGroup: 2000
+      },
+      restartPolicy: 'Always',
+      volumes: [
+        {
+          name: 'work',
+          emptyDir: {}
+        }
+      ],
+      containers: [
+        {
+          image: 'ubuntu:latest',
+          name: 'side-car',
+          env: [
+            {
+              name: 'TEST',
+              value: 'TEST'
+            }
+          ],
+          ports: [
+            {
+              containerPort: 8080,
+              hostPort: 8080,
+              protocol: 'TCP'
+            }
+          ]
+        }
+      ]
+    } as k8s.V1PodSpec
+
+    const expected = JSON.parse(JSON.stringify(base))
+    expected.securityContext = from.securityContext
+    expected.restartPolicy = from.restartPolicy
+    expected.volumes = from.volumes
+    expected.containers.push(from.containers[0])
+
+    mergePodSpecWithOptions(base, from)
+
+    expect(base).toStrictEqual(expected)
+  })
+})

packages/k8s/tests/prepare-job-test.ts

@@ -1,8 +1,17 @@
 import * as fs from 'fs'
 import * as path from 'path'
 import { cleanupJob } from '../src/hooks'
-import { prepareJob } from '../src/hooks/prepare-job'
+import { createContainerSpec, prepareJob } from '../src/hooks/prepare-job'
 import { TestHelper } from './test-setup'
+import {
+  ENV_HOOK_TEMPLATE_PATH,
+  generateContainerName,
+  readExtensionFromFile
+} from '../src/k8s/utils'
+import { getPodByName } from '../src/k8s'
+import { V1Container } from '@kubernetes/client-node'
+import * as yaml from 'js-yaml'
+import { JOB_CONTAINER_NAME } from '../src/hooks/constants'
 
 jest.useRealTimers()
 
@@ -71,4 +80,67 @@ describe('Prepare job', () => {
       prepareJob(prepareJobData.args, prepareJobOutputFilePath)
     ).rejects.toThrow()
   })
+
+  it('should not set command + args for service container if not passed in args', async () => {
+    const services = prepareJobData.args.services.map(service => {
+      return createContainerSpec(service, generateContainerName(service.image))
+    }) as [V1Container]
+
+    expect(services[0].command).toBe(undefined)
+    expect(services[0].args).toBe(undefined)
+  })
+
+  it('should run pod with extensions applied', async () => {
+    process.env[ENV_HOOK_TEMPLATE_PATH] = path.join(
+      __dirname,
+      '../../../examples/extension.yaml'
+    )
+
+    await expect(
+      prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+    ).resolves.not.toThrow()
+
+    delete process.env[ENV_HOOK_TEMPLATE_PATH]
+
+    const content = JSON.parse(
+      fs.readFileSync(prepareJobOutputFilePath).toString()
+    )
+
+    const got = await getPodByName(content.state.jobPod)
+
+    expect(got.metadata?.annotations?.['annotated-by']).toBe('extension')
+    expect(got.metadata?.labels?.['labeled-by']).toBe('extension')
+    expect(got.spec?.securityContext?.runAsUser).toBe(1000)
+    expect(got.spec?.securityContext?.runAsGroup).toBe(3000)
+
+    // job container
+    expect(got.spec?.containers[0].name).toBe(JOB_CONTAINER_NAME)
+    expect(got.spec?.containers[0].image).toBe('node:14.16')
+    expect(got.spec?.containers[0].command).toEqual(['sh'])
+    expect(got.spec?.containers[0].args).toEqual(['-c', 'sleep 50'])
+
+    // service container
+    expect(got.spec?.containers[1].image).toBe('redis')
+    expect(got.spec?.containers[1].command).toBeFalsy()
+    expect(got.spec?.containers[1].args).toBeFalsy()
+    // side-car
+    expect(got.spec?.containers[2].name).toBe('side-car')
+    expect(got.spec?.containers[2].image).toBe('ubuntu:latest')
+    expect(got.spec?.containers[2].command).toEqual(['sh'])
+    expect(got.spec?.containers[2].args).toEqual(['-c', 'sleep 60'])
+  })
+
+  test.each([undefined, null, []])(
+    'should not throw exception when portMapping=%p',
+    async pm => {
+      prepareJobData.args.services.forEach(s => {
+        s.portMappings = pm
+      })
+      await prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+      const content = JSON.parse(
+        fs.readFileSync(prepareJobOutputFilePath).toString()
+      )
+      expect(() => content.context.services[0].image).not.toThrow()
+    }
+  )
 })

packages/k8s/tests/run-container-step-test.ts

@@ -1,5 +1,9 @@
 import { runContainerStep } from '../src/hooks'
 import { TestHelper } from './test-setup'
+import { ENV_HOOK_TEMPLATE_PATH } from '../src/k8s/utils'
+import * as fs from 'fs'
+import * as yaml from 'js-yaml'
+import { JOB_CONTAINER_EXTENSION_NAME } from '../src/hooks/constants'
 
 jest.useRealTimers()
 
@@ -23,16 +27,52 @@ describe('Run container step', () => {
     expect(exitCode).toBe(0)
   })
 
-  it('should fail if the working directory does not exist', async () => {
-    runContainerStepData.args.workingDirectory = '/foo/bar'
-    await expect(runContainerStep(runContainerStepData.args)).rejects.toThrow()
+  it('should run pod with extensions applied', async () => {
+    const extension = {
+      metadata: {
+        annotations: {
+          foo: 'bar'
+        },
+        labels: {
+          bar: 'baz'
+        }
+      },
+      spec: {
+        containers: [
+          {
+            name: JOB_CONTAINER_EXTENSION_NAME,
+            command: ['sh'],
+            args: ['-c', 'echo test']
+          },
+          {
+            name: 'side-container',
+            image: 'ubuntu:latest',
+            command: ['sh'],
+            args: ['-c', 'echo test']
+          }
+        ],
+        restartPolicy: 'Never',
+        securityContext: {
+          runAsUser: 1000,
+          runAsGroup: 3000
+        }
+      }
+    }
+
+    let filePath = testHelper.createFile()
+    fs.writeFileSync(filePath, yaml.dump(extension))
+    process.env[ENV_HOOK_TEMPLATE_PATH] = filePath
+    await expect(
+      runContainerStep(runContainerStepData.args)
+    ).resolves.not.toThrow()
+    delete process.env[ENV_HOOK_TEMPLATE_PATH]
   })
 
   it('should shold have env variables available', async () => {
     runContainerStepData.args.entryPoint = 'bash'
     runContainerStepData.args.entryPointArgs = [
       '-c',
-      "'if [[ -z $NODE_ENV ]]; then exit 1; fi'"
+      'if [[ -z $NODE_ENV ]]; then exit 1; fi'
     ]
     await expect(
       runContainerStep(runContainerStepData.args)

packages/k8s/tests/run-script-step-test.ts

@@ -89,12 +89,36 @@ describe('Run script step', () => {
     ).resolves.not.toThrow()
   })
 
+  it('Dollar symbols in environment variables should not be expanded', async () => {
+    runScriptStepDefinition.args.environmentVariables = {
+      VARIABLE1: '$VAR',
+      VARIABLE2: '${VAR}',
+      VARIABLE3: '$(VAR)'
+    }
+    runScriptStepDefinition.args.entryPointArgs = [
+      '-c',
+      '\'if [[ -z "$VARIABLE1" ]]; then exit 1; fi\'',
+      '\'if [[ -z "$VARIABLE2" ]]; then exit 2; fi\'',
+      '\'if [[ -z "$VARIABLE3" ]]; then exit 3; fi\''
+    ]
+
+    await expect(
+      runScriptStep(
+        runScriptStepDefinition.args,
+        prepareJobOutputData.state,
+        null
+      )
+    ).resolves.not.toThrow()
+  })
+
   it('Should have path variable changed in container with prepend path string array', async () => {
     runScriptStepDefinition.args.prependPath = ['/some/other/path']
     runScriptStepDefinition.args.entryPoint = '/bin/bash'
     runScriptStepDefinition.args.entryPointArgs = [
       '-c',
-      `'if [[ ! $(env | grep "^PATH=") = "PATH=${runScriptStepDefinition.args.prependPath}:"* ]]; then exit 1; fi'`
+      `'if [[ ! $(env | grep "^PATH=") = "PATH=${runScriptStepDefinition.args.prependPath.join(
+        ':'
+      )}:"* ]]; then exit 1; fi'`
     ]
 
     await expect(

packages/k8s/tests/test-setup.ts

@@ -40,7 +40,7 @@ export class TestHelper {
       await this.createTestVolume()
       await this.createTestJobPod()
     } catch (e) {
-      console.log(JSON.stringify(e))
+      console.log(e)
     }
   }
 

releaseNotes.md

@@ -1,7 +1,18 @@
-## Features
-- Loosened the restriction on `ACTIONS_RUNNER_CLAIM_NAME` to be optional, not required for k8s hooks
-
+<!-- ## Features -->
 ## Bugs
 
+- Fix argument order for 'docker pull' [#85]
+- Do not overwrite entrypoint if it has already been set or if it is Service container [#83]
+- Throw if an entrypoint is not specified for container step [#77]
+- Include sha256 checksums in releaseNotes [#98]
+- Escape backtick in writeEntryPointScript [#101]
+- Implement yaml extensions overwriting the default pod/container spec [#75]
 
-## Misc 
+<!-- ## Misc -->
+
+## SHA-256 Checksums
+
+The SHA-256 checksums for the packages included in this build are shown below:
+
+- actions-runner-hooks-docker-<HOOK_VERSION>.zip <DOCKER_SHA>
+- actions-runner-hooks-k8s-<HOOK_VERSION>.zip <K8S_SHA>