Update workflow around runner docker image. (#4133)

.github/workflows/build.yml

@@ -14,6 +14,9 @@ on:
     paths-ignore:
     - '**.md'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
@@ -80,3 +83,48 @@ jobs:
         name: runner-package-${{ matrix.runtime }}
         path: |
           _package
+
+  docker:
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, ubuntu-24.04-arm ]
+        include:
+          - os: ubuntu-latest
+            docker_platform: linux/amd64
+          - os: ubuntu-24.04-arm
+            docker_platform: linux/arm64
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v5
+
+    - name: Get latest runner version
+      id: latest_runner
+      uses: actions/github-script@v7
+      with:
+        github-token: ${{secrets.GITHUB_TOKEN}}
+        script: |
+          const release = await github.rest.repos.getLatestRelease({
+            owner: 'actions',
+            repo: 'runner',
+          });
+          const version = release.data.tag_name.replace(/^v/, '');
+          core.setOutput('version', version);
+
+    - name: Setup Docker buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build Docker image
+      uses: docker/build-push-action@v6
+      with:
+        context: ./images
+        load: true
+        platforms: ${{ matrix.docker_platform }}
+        tags: |
+          ${{ github.sha }}:latest
+        build-args: |
+          RUNNER_VERSION=${{ steps.latest_runner.outputs.version }}
+
+    - name: Test Docker image
+      run: |
+        docker run --rm ${{ github.sha }}:latest ./run.sh --version
+  

.github/workflows/docker-publish.yml

@@ -0,0 +1,75 @@
+name: Publish DockerImage from Release Branch
+
+on:
+  workflow_dispatch:
+    inputs:
+      releaseBranch:
+        description: 'Release Branch (releases/mXXX)'
+        required: true
+
+jobs:
+  publish-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository_owner }}/actions-runner
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.inputs.releaseBranch }}
+
+      - name: Compute image version
+        id: image
+        uses: actions/github-script@v8.0.0
+        with:
+          script: |
+            const fs = require('fs');
+            const runnerVersion = fs.readFileSync('${{ github.workspace }}/releaseVersion', 'utf8').replace(/\n$/g, '');
+            console.log(`Using runner version ${runnerVersion}`);
+            if (!/^\\d+\\.\\d+\\.\\d+$/.test(runnerVersion)) {
+              throw new Error(`Invalid runner version: ${runnerVersion}`);
+            }
+            core.setOutput('version', runnerVersion);
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v6
+        with:
+          context: ./images
+          platforms: |
+            linux/amd64
+            linux/arm64
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.image.outputs.version }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          build-args: |
+            RUNNER_VERSION=${{ steps.image.outputs.version }}
+          push: true
+          labels: |
+            org.opencontainers.image.source=${{github.server_url}}/${{github.repository}}
+            org.opencontainers.image.licenses=MIT
+          annotations: |
+            org.opencontainers.image.description=https://github.com/actions/runner/releases/tag/v${{ steps.image.outputs.version }}
+
+      - name: Generate attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          push-to-registry: true

.github/workflows/release.yml

@@ -334,8 +334,9 @@ jobs:
           push: true
           labels: |
             org.opencontainers.image.source=${{github.server_url}}/${{github.repository}}
-            org.opencontainers.image.description=https://github.com/actions/runner/releases/tag/v${{ steps.image.outputs.version }}
             org.opencontainers.image.licenses=MIT
+          annotations: |
+            org.opencontainers.image.description=https://github.com/actions/runner/releases/tag/v${{ steps.image.outputs.version }}
 
       - name: Generate attestation
         uses: actions/attest-build-provenance@v3