Update releaseVersion to 2.282.0

This optional flag will configure the runner to only take one job, and let the service un-configure the runner after that job finishes.

docs/automate.md

@@ -26,6 +26,23 @@ Run as a one-liner. NOTE: replace with yourorg/yourrepo (repo level) or just you
 curl -s https://raw.githubusercontent.com/actions/runner/main/scripts/create-latest-svc.sh | bash -s yourorg/yourrepo
 ```
 
+You can call the script with additional arguments:
+```bash
+#   Usage:
+#       export RUNNER_CFG_PAT=<yourPAT>
+#       ./create-latest-svc -s scope -g [ghe_domain] -n [name] -u [user] -l [labels]
+#       -s          required  scope: repo (:owner/:repo) or org (:organization)
+#       -g          optional  ghe_hostname: the fully qualified domain name of your GitHub Enterprise Server deployment
+#       -n          optional  name of the runner, defaults to hostname
+#       -u          optional  user svc will run as, defaults to current
+#       -l          optional  list of labels (split by comma) applied on the runner"
+```
+
+Use `--` to pass any number of optional named parameters:
+
+```
+curl -s https://raw.githubusercontent.com/actions/runner/main/scripts/create-latest-svc.sh | bash -s -- -s myorg/myrepo -n myname -l label1,label2
+```
 ### Why can't I use a container?
 
 The runner is installed as a service using `systemd` and `systemctl`. Docker does not support `systemd` for service configuration on a container.

docs/checks/network.md

@@ -2,17 +2,19 @@
 
 ### Common things that can cause the runner to not working properly
 
-- Bug in the runner or the dotnet framework that causes actions runner can't make Http request in a certain network environment.
+- A bug in the runner or the dotnet framework that causes the actions runner to be unable to make Http requests in a certain network environment.
 
-- Proxy/Firewall block certain HTTP method, like it block all POST and PUT calls which the runner will use to upload logs.
+- A Proxy or Firewall may block certain HTTP method, such as blocking all POST and PUT calls which the runner will use to upload logs.
 
-- Proxy/Firewall only allows requests with certain user-agent to pass through and the actions runner user-agent is not in the allow list.
+- A Proxy or Firewall may only allows requests with certain user-agent to pass through and the actions runner user-agent is not in the allow list.
 
-- Proxy try to decrypt and exam HTTPS traffic for security purpose but cause the actions-runner to fail to finish SSL handshake due to the lack of trusting proxy's CA.
+- A Proxy try to decrypt and exam HTTPS traffic for security purpose but cause the actions-runner to fail to finish SSL handshake due to the lack of trusting proxy's CA.
 
-- Proxy try to modify the HTTPS request (like add or change some http headers) and causes the request become incompatible with the Actions Service (ASP.NetCore), Ex: [Nginx](https://github.com/dotnet/aspnetcore/issues/17081)
+- The SSL handshake may fail if the client and server do not support the same TLS version, or the same cipher suites.
 
-- Firewall rules that block action runner from accessing certain hosts, ex: `*.github.com`, `*.actions.githubusercontent.com`, etc.
+- A Proxy may try to modify the HTTPS request (like add or change some http headers) and causes the request become incompatible with the Actions Service (ASP.NetCore), Ex: [Nginx](https://github.com/dotnet/aspnetcore/issues/17081)
+
+- Firewall rules that block action runner from accessing certain hosts, ex: `*.github.com`, `*.actions.githubusercontent.com`, etc
 
 
 ### Identify and solve these problems
@@ -30,3 +32,30 @@ Use a 3rd party tool to make the same requests as the runner did would be a good
 If the 3rd party tool is also experiencing the same error as the runner does, then you might want to contact your network administrator for help.
 
 Otherwise, contact GitHub customer support or log an issue at https://github.com/actions/runner
+
+### Troubleshooting: Why can't I configure a runner?
+
+If you are having trouble connecting, try these steps:
+
+1. Validate you can reach our endpoints from your web browser. If not, double check your local network connection
+    - For hosted Github:
+      - https://api.github.com/
+      - https://vstoken.actions.githubusercontent.com/_apis/health
+      - https://pipelines.actions.githubusercontent.com/_apis/health
+    - For GHES/GHAE
+      - https://myGHES.com/_services/vstoken/_apis/health
+      - https://myGHES.com/_services/pipelines/_apis/health
+      - https://myGHES.com/api/v3
+2. Validate you can reach those endpoints in powershell core
+    - The runner runs on .net core, lets validate the local settings for that stack
+    - Open up `pwsh`
+    - Run the command using the urls above `Invoke-WebRequest {url}`
+3. If not, get a packet trace using a tool like wireshark and start looking at the TLS handshake. 
+    - If you see a Client Hello followed by a Server RST:
+      - You may need to configure your TLS settings to use the correct version
+        - You should support TLS version 1.2 or later
+      - You may need to configure your TLS settings to have up to date cipher suites, this may be solved by system updates and patches.
+      - Your firewall, proxy or network configuration may be blocking the connection
+      - You will want to reach out to whoever is in charge of your network with these pcap files to further troubleshoot
+    - If you see a failure later in the handshake:
+      - Try the fix in the [SSLCert Fix](./sslcert.md)

releaseNote.md

@@ -1,17 +1,20 @@
 ## Features
 
-- Adds support for composite actions if the server supports it (#1222)
-- Adds `generateIdTokenUri` to env variables for actions (#1234)
+- Support the `--ephemeral` flag (#660)
+  - This optional flag will configure the runner to only take one job, and let the service un-configure the runner after that job finishes.
+  - Expect to see more info in the Github API documentation soon. We'll link to those docs directly as they become generally available!
 
 ## Bugs
 
-- Prefer higher `libicu` versions in `installDependencies.sh` (#1228)
-
+- Fix a bug in `script/delete` wherein a repo with multiple runners would be unable to find the correct runner (#1268) (#1269)
+- Mitigate a race condition when requesting an OIDC `Id_token` (#1320)
+- Make client retries more resilient in JobServer (#1316)
 
 ## Misc
 
-- Send step telemetry to server on JobCompletion (#1229)
-- Print out the resolved SHA for each downloaded action (#1233)
+- Increase readability of colored console output (#1295) (#1319)
+- Add more network troubleshooting to the docs (#1325)
+- Bump [path-parse](https://github.com/jbgutierrez/path-parse) from 1.0.6 to 1.0.7 (#1256)
 
 ## Windows x64
 We recommend configuring the runner in a root folder of the Windows drive (e.g. "C:\actions-runner"). This will help avoid issues related to service identity folder permissions and long file path restrictions on Windows.

releaseVersion

@@ -1 +1 @@
-<Update to ./src/runnerversion when creating release>
+2.282.0

scripts/create-latest-svc.sh

@@ -2,36 +2,68 @@
 
 set -e
 
-#
-# Downloads latest releases (not pre-release) runner
-# Configures as a service
-#
-# Examples:
-# RUNNER_CFG_PAT=<yourPAT> ./create-latest-svc.sh myuser/myrepo my.ghe.deployment.net
-# RUNNER_CFG_PAT=<yourPAT> ./create-latest-svc.sh myorg my.ghe.deployment.net
-#
-# Usage:
-#     export RUNNER_CFG_PAT=<yourPAT>
-#     ./create-latest-svc scope [ghe_domain] [name] [user] [labels]
-#
-#      scope       required  repo (:owner/:repo) or org (:organization)
-#      ghe_domain  optional  the fully qualified domain name of your GitHub Enterprise Server deployment
-#      name        optional  defaults to hostname
-#      user        optional  user svc will run as. defaults to current
-#      labels      optional  list of labels (split by comma) applied on the runner
-#
 # Notes:
 # PATS over envvars are more secure
+# Downloads latest runner release (not pre-release)
+# Configures it as a service more secure
 # Should be used on VMs and not containers
 # Works on OSX and Linux
 # Assumes x64 arch
-#
+# See EXAMPLES below
 
-runner_scope=${1}
-ghe_hostname=${2}
-runner_name=${3:-$(hostname)}
-svc_user=${4:-$USER}
-labels=${5}
+flags_found=false
+
+while getopts 's:g:n:u:l:' opt; do
+    flags_found=true
+
+    case $opt in
+    s)
+        runner_scope=$OPTARG
+        ;;
+    g)
+        ghe_hostname=$OPTARG
+        ;;
+    n)
+        runner_name=$OPTARG
+        ;;
+    u)
+        svc_user=$OPTARG
+        ;;
+    l)
+        labels=$OPTARG
+        ;;
+    *)
+        echo "
+Runner Service Installer
+Examples:
+RUNNER_CFG_PAT=<yourPAT> ./create-latest-svc.sh myuser/myrepo my.ghe.deployment.net
+RUNNER_CFG_PAT=<yourPAT> ./create-latest-svc.sh -s myorg -u user_name -l label1,label2
+Usage:
+    export RUNNER_CFG_PAT=<yourPAT>
+    ./create-latest-svc scope [ghe_domain] [name] [user] [labels]
+    -s          required  scope: repo (:owner/:repo) or org (:organization)
+    -g          optional  ghe_hostname: the fully qualified domain name of your GitHub Enterprise Server deployment
+    -n          optional  name of the runner, defaults to hostname
+    -u          optional  user svc will run as, defaults to current
+    -l          optional  list of labels (split by comma) applied on the runner"
+        exit 0
+        ;;
+    esac
+done
+
+shift "$((OPTIND - 1))"
+
+if ! "$flags_found"; then
+    runner_scope=${1}
+    ghe_hostname=${2}
+    runner_name=${3:-$(hostname)}
+    svc_user=${4:-$USER}
+    labels=${5}
+fi
+
+# apply defaults
+runner_name=${runner_name:-$(hostname)}
+svc_user=${svc_user:-$USER}
 
 echo "Configuring runner @ ${runner_scope}"
 sudo echo
@@ -142,7 +174,7 @@ echo
 echo "Configuring as a service ..."
 prefix=""
 if [ "${runner_plat}" == "linux" ]; then
-prefix="sudo "
+    prefix="sudo "
 fi
 
 ${prefix}./svc.sh install ${svc_user}

scripts/delete.sh

@@ -51,7 +51,7 @@ fi
 # Ensure offline
 #--------------------------------------
 runner_status=$(curl -s -X GET ${base_api_url}/${runner_scope}/actions/runners?per_page=100  -H "accept: application/vnd.github.everest-preview+json" -H "authorization: token ${RUNNER_CFG_PAT}" \
-        | jq -M -j ".runners | .[] | [select(.name == \"${runner_name}\")] | .[0].status")
+        | jq -M -j ".runners | .[] | select(.name == \"${runner_name}\") | .status")
 
 if [ -z "${runner_status}" ]; then 
     fatal "Could not find runner with name ${runner_name}"
@@ -67,7 +67,7 @@ fi
 # Get id of runner to remove
 #--------------------------------------
 runner_id=$(curl -s -X GET ${base_api_url}/${runner_scope}/actions/runners?per_page=100  -H "accept: application/vnd.github.everest-preview+json" -H "authorization: token ${RUNNER_CFG_PAT}" \
-        | jq -M -j ".runners | .[] | [select(.name == \"${runner_name}\")] | .[0].id")
+        | jq -M -j ".runners | .[] | select(.name == \"${runner_name}\") | .id")
 
 if [ -z "${runner_id}" ]; then 
     fatal "Could not find runner with name ${runner_name}"

src/Misc/expressionFunc/hashFiles/package-lock.json

@@ -1947,9 +1947,9 @@
       "dev": true
     },
     "path-parse": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz",
-      "integrity": "sha512-GSmOT2EbHrINBf9SR7CDELwlJ8AENk3Qn7OikK4nFYAu3Ote2+JYNVvkpAEQm3/TLNEJFD/xZJjzyxg3KBWOzw==",
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz",
+      "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==",
       "dev": true
     },
     "path-type": {

src/Misc/layoutbin/update.sh.template

@@ -118,6 +118,43 @@ then
     exit 1
 fi
 
+# fix upgrade issue with macOS
+currentplatform=$(uname | awk '{print tolower($0)}')
+if [[ "$currentplatform" == 'darwin' ]]; then
+    # need a short-term fix for https://github.com/actions/runner/issues/743
+    # we will recreate all the ./externals/node12/bin/node of the past 5 versions
+    # v2.280.3 v2.280.2 v2.280.1 v2.279.0 v2.278.0
+    if [[ ! -e "$rootfolder/externals.2.280.3/node12/bin/node" ]]
+    then
+        mkdir -p "$rootfolder/externals.2.280.3/node12/bin"
+        cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.280.3/node12/bin/node"
+    fi
+
+    if [[ ! -e "$rootfolder/externals.2.280.2/node12/bin/node" ]]
+    then
+        mkdir -p "$rootfolder/externals.2.280.2/node12/bin"
+        cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.280.2/node12/bin/node"
+    fi
+
+    if [[ ! -e "$rootfolder/externals.2.280.1/node12/bin/node" ]]
+    then
+        mkdir -p "$rootfolder/externals.2.280.1/node12/bin"
+        cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.280.1/node12/bin/node"
+    fi
+
+    if [[ ! -e "$rootfolder/externals.2.279.0/node12/bin/node" ]]
+    then
+        mkdir -p "$rootfolder/externals.2.279.0/node12/bin"
+        cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.279.0/node12/bin/node"
+    fi
+
+    if [[ ! -e "$rootfolder/externals.2.278.0/node12/bin/node" ]]
+    then
+        mkdir -p "$rootfolder/externals.2.278.0/node12/bin"
+        cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.278.0/node12/bin/node"
+    fi
+fi
+
 date "+[%F %T-%4N] Update succeed" >> "$logfile"
 
 # rename the update log file with %logfile%.succeed/.failed/succeedneedrestart

src/Runner.Common/ConfigurationStore.cs

@@ -33,6 +33,9 @@ namespace GitHub.Runner.Common
         [DataMember(EmitDefaultValue = false)]
         public string PoolName { get; set; }
 
+        [DataMember(EmitDefaultValue = false)]
+        public bool Ephemeral { get; set; }
+
         [DataMember(EmitDefaultValue = false)]
         public string ServerUrl { get; set; }
 

src/Runner.Common/Constants.cs

@@ -125,9 +125,10 @@ namespace GitHub.Runner.Common
                 {
                     public static readonly string Check = "check";
                     public static readonly string Commit = "commit";
+                    public static readonly string Ephemeral = "ephemeral";
                     public static readonly string Help = "help";
                     public static readonly string Replace = "replace";
-                    public static readonly string Once = "once";
+                    public static readonly string Once = "once"; // TODO: Remove in 10/2021
                     public static readonly string RunAsService = "runasservice";
                     public static readonly string Unattended = "unattended";
                     public static readonly string Version = "version";

src/Runner.Common/HostContext.cs

@@ -90,6 +90,8 @@ namespace GitHub.Runner.Common
             this.SecretMasker.AddValueEncoder(ValueEncoders.UriDataEscape);
             this.SecretMasker.AddValueEncoder(ValueEncoders.XmlDataEscape);
             this.SecretMasker.AddValueEncoder(ValueEncoders.TrimDoubleQuotes);
+            this.SecretMasker.AddValueEncoder(ValueEncoders.PowerShellPreAmpersandEscape);
+            this.SecretMasker.AddValueEncoder(ValueEncoders.PowerShellPostAmpersandEscape);
 
             // Create the trace manager.
             if (string.IsNullOrEmpty(logFile))

src/Runner.Common/JobServer.cs

@@ -2,16 +2,19 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Net.Http;
 using System.Threading;
 using System.Threading.Tasks;
+using GitHub.Runner.Sdk;
 using GitHub.Services.WebApi;
+using GitHub.Services.Common;
 
 namespace GitHub.Runner.Common
 {
     [ServiceLocator(Default = typeof(JobServer))]
     public interface IJobServer : IRunnerService
     {
-        Task ConnectAsync(VssConnection jobConnection);
+        Task ConnectAsync(Uri jobServerUrl, VssCredentials jobServerCredential, DelegatingHandler[] delegatingHandler = null);
 
         // logging and console
         Task<TaskLog> AppendLogContentAsync(Guid scopeIdentifier, string hubName, Guid planId, int logId, Stream uploadStream, CancellationToken cancellationToken);
@@ -32,20 +35,21 @@ namespace GitHub.Runner.Common
         private VssConnection _connection;
         private TaskHttpClient _taskClient;
 
-        public async Task ConnectAsync(VssConnection jobConnection)
+        public async Task ConnectAsync(Uri jobServerUrl, VssCredentials jobServerCredential, DelegatingHandler[] delegatingHandler = null)
         {
-            _connection = jobConnection;
+            Trace.Info($"Establishing connection for JobServer");
             int attemptCount = 5;
-            while (!_connection.HasAuthenticated && attemptCount-- > 0)
+
+            while (attemptCount-- > 0)
             {
                 try
                 {
-                    await _connection.ConnectAsync();
+                    await RefreshConnectionAsync(jobServerUrl, jobServerCredential, delegatingHandler);
                     break;
                 }
                 catch (Exception ex) when (attemptCount > 0)
                 {
-                    Trace.Info($"Catch exception during connect. {attemptCount} attemp left.");
+                    Trace.Info($"Catch exception during connect. {attemptCount} attempts left.");
                     Trace.Error(ex);
                 }
 
@@ -53,6 +57,15 @@ namespace GitHub.Runner.Common
             }
 
             _taskClient = _connection.GetClient<TaskHttpClient>();
+        }
+
+        private async Task RefreshConnectionAsync(Uri jobServerUrl, VssCredentials jobServerCredential, DelegatingHandler[] delegatingHandler)
+        {
+            Trace.Info($"Refresh JobServer VssConnection to get on a different AFD node.");
+            _hasConnection = false;
+            _connection?.Dispose();
+            _connection = VssUtil.CreateConnection(jobServerUrl, jobServerCredential, delegatingHandler);
+            await _connection.ConnectAsync();
             _hasConnection = true;
         }
 

src/Runner.Common/JobServerQueue.cs

@@ -15,6 +15,7 @@ namespace GitHub.Runner.Common
     [ServiceLocator(Default = typeof(JobServerQueue))]
     public interface IJobServerQueue : IRunnerService, IThrottlingReporter
     {
+        TaskCompletionSource<int> JobRecordUpdated { get; }
         event EventHandler<ThrottlingEventArgs> JobServerQueueThrottling;
         Task ShutdownAsync();
         void Start(Pipelines.AgentJobRequestMessage jobRequest);
@@ -62,8 +63,11 @@ namespace GitHub.Runner.Common
         private IJobServer _jobServer;
         private Task[] _allDequeueTasks;
         private readonly TaskCompletionSource<int> _jobCompletionSource = new TaskCompletionSource<int>();
+        private readonly TaskCompletionSource<int> _jobRecordUpdated = new TaskCompletionSource<int>();
         private bool _queueInProcess = false;
 
+        public TaskCompletionSource<int> JobRecordUpdated => _jobRecordUpdated;
+
         public event EventHandler<ThrottlingEventArgs> JobServerQueueThrottling;
 
         // Web console dequeue will start with process queue every 250ms for the first 60*4 times (~60 seconds).
@@ -455,6 +459,14 @@ namespace GitHub.Runner.Common
                             {
                                 Trace.Verbose("Cleanup buffered timeline record for timeline: {0}.", update.TimelineId);
                             }
+
+                            if (!_jobRecordUpdated.Task.IsCompleted &&
+                                update.PendingRecords.Any(x => x.Id == _jobTimelineRecordId && x.State != null))
+                            {
+                                // We have changed the state of the job
+                                Trace.Info("Job timeline record has been updated for the first time.");
+                                _jobRecordUpdated.TrySetResult(0);
+                            }
                         }
                         catch (Exception ex)
                         {

src/Runner.Common/Terminal.cs

@@ -164,9 +164,8 @@ namespace GitHub.Runner.Common
             if (!Silent)
             {
                 Console.WriteLine();
-                Console.ForegroundColor = ConsoleColor.White;
-                Console.WriteLine($"# {message}");
                 Console.ResetColor();
+                Console.WriteLine($"# {message}");
                 Console.WriteLine();
             }
         }
@@ -177,9 +176,8 @@ namespace GitHub.Runner.Common
             {
                 Console.ForegroundColor = ConsoleColor.Green;
                 Console.Write("√ ");
-                Console.ForegroundColor = ConsoleColor.White;
-                Console.WriteLine(message);
                 Console.ResetColor();
+                Console.WriteLine(message);
             }
         }
 

src/Runner.Listener/CommandSettings.cs

@@ -29,10 +29,10 @@ namespace GitHub.Runner.Listener
         {
             Constants.Runner.CommandLine.Flags.Check,
             Constants.Runner.CommandLine.Flags.Commit,
+            Constants.Runner.CommandLine.Flags.Ephemeral,
             Constants.Runner.CommandLine.Flags.Help,
             Constants.Runner.CommandLine.Flags.Replace,
             Constants.Runner.CommandLine.Flags.RunAsService,
-            Constants.Runner.CommandLine.Flags.Once,
             Constants.Runner.CommandLine.Flags.Unattended,
             Constants.Runner.CommandLine.Flags.Version
         };
@@ -66,7 +66,9 @@ namespace GitHub.Runner.Listener
         public bool Help => TestFlag(Constants.Runner.CommandLine.Flags.Help);
         public bool Unattended => TestFlag(Constants.Runner.CommandLine.Flags.Unattended);
         public bool Version => TestFlag(Constants.Runner.CommandLine.Flags.Version);
+        public bool Ephemeral => TestFlag(Constants.Runner.CommandLine.Flags.Ephemeral);
 
+        // TODO: Remove in 10/2021
         public bool RunOnce => TestFlag(Constants.Runner.CommandLine.Flags.Once);
 
         // Constructor.

src/Runner.Listener/Configuration/ConfigurationManager.cs

@@ -65,18 +65,18 @@ namespace GitHub.Runner.Listener.Configuration
         public async Task ConfigureAsync(CommandSettings command)
         {
             _term.WriteLine();
-            _term.WriteLine("--------------------------------------------------------------------------------", ConsoleColor.White);
-            _term.WriteLine("|        ____ _ _   _   _       _          _        _   _                      |", ConsoleColor.White);
-            _term.WriteLine("|       / ___(_) |_| | | |_   _| |__      / \\   ___| |_(_) ___  _ __  ___      |", ConsoleColor.White);
-            _term.WriteLine("|      | |  _| | __| |_| | | | | '_ \\    / _ \\ / __| __| |/ _ \\| '_ \\/ __|     |", ConsoleColor.White);
-            _term.WriteLine("|      | |_| | | |_|  _  | |_| | |_) |  / ___ \\ (__| |_| | (_) | | | \\__ \\     |", ConsoleColor.White);
-            _term.WriteLine("|       \\____|_|\\__|_| |_|\\__,_|_.__/  /_/   \\_\\___|\\__|_|\\___/|_| |_|___/     |", ConsoleColor.White);
-            _term.WriteLine("|                                                                              |", ConsoleColor.White);
-            _term.Write("|                       ", ConsoleColor.White);
+            _term.WriteLine("--------------------------------------------------------------------------------");
+            _term.WriteLine("|        ____ _ _   _   _       _          _        _   _                      |");
+            _term.WriteLine("|       / ___(_) |_| | | |_   _| |__      / \\   ___| |_(_) ___  _ __  ___      |");
+            _term.WriteLine("|      | |  _| | __| |_| | | | | '_ \\    / _ \\ / __| __| |/ _ \\| '_ \\/ __|     |");
+            _term.WriteLine("|      | |_| | | |_|  _  | |_| | |_) |  / ___ \\ (__| |_| | (_) | | | \\__ \\     |");
+            _term.WriteLine("|       \\____|_|\\__|_| |_|\\__,_|_.__/  /_/   \\_\\___|\\__|_|\\___/|_| |_|___/     |");
+            _term.WriteLine("|                                                                              |");
+            _term.Write("|                       ");
             _term.Write("Self-hosted runner registration", ConsoleColor.Cyan);
-            _term.WriteLine("                        |", ConsoleColor.White);
-            _term.WriteLine("|                                                                              |", ConsoleColor.White);
-            _term.WriteLine("--------------------------------------------------------------------------------", ConsoleColor.White);
+            _term.WriteLine("                        |");
+            _term.WriteLine("|                                                                              |");
+            _term.WriteLine("--------------------------------------------------------------------------------");
 
             Trace.Info(nameof(ConfigureAsync));
             if (IsConfigured())
@@ -117,6 +117,7 @@ namespace GitHub.Runner.Listener.Configuration
                 try
                 {
                     // Determine the service deployment type based on connection data. (Hosted/OnPremises)
+                    // Hosted usually means github.com or localhost, while OnPremises means GHES or GHAE
                     runnerSettings.IsHostedServer = runnerSettings.GitHubUrl == null || UrlUtil.IsHostedServer(new UriBuilder(runnerSettings.GitHubUrl));
 
                     // Warn if the Actions server url and GHES server url has different Host
@@ -194,6 +195,7 @@ namespace GitHub.Runner.Listener.Configuration
             TaskAgent agent;
             while (true)
             {
+                runnerSettings.Ephemeral = command.Ephemeral;
                 runnerSettings.AgentName = command.GetRunnerName();
 
                 _term.WriteLine();
@@ -210,7 +212,7 @@ namespace GitHub.Runner.Listener.Configuration
                     if (command.GetReplace())
                     {
                         // Update existing agent with new PublicKey, agent version.
-                        agent = UpdateExistingAgent(agent, publicKey, userLabels);
+                        agent = UpdateExistingAgent(agent, publicKey, userLabels, runnerSettings.Ephemeral);
 
                         try
                         {
@@ -233,7 +235,7 @@ namespace GitHub.Runner.Listener.Configuration
                 else
                 {
                     // Create a new agent.
-                    agent = CreateNewAgent(runnerSettings.AgentName, publicKey, userLabels);
+                    agent = CreateNewAgent(runnerSettings.AgentName, publicKey, userLabels, runnerSettings.Ephemeral);
 
                     try
                     {
@@ -346,12 +348,9 @@ namespace GitHub.Runner.Listener.Configuration
 
                     _term.WriteLine();
                     _term.WriteSuccessMessage("Runner service removed");
-#elif OS_LINUX
-                    // unconfig system D service first
-                    throw new Exception("Unconfigure service first");
-#elif OS_OSX
-                    // unconfig osx service first
-                    throw new Exception("Unconfigure service first");
+#else
+                    // unconfig systemd or osx service first
+                    throw new Exception("Uninstall service first");
 #endif
                 }
 
@@ -458,7 +457,7 @@ namespace GitHub.Runner.Listener.Configuration
         }
 
 
-        private TaskAgent UpdateExistingAgent(TaskAgent agent, RSAParameters publicKey, ISet<string> userLabels)
+        private TaskAgent UpdateExistingAgent(TaskAgent agent, RSAParameters publicKey, ISet<string> userLabels, bool ephemeral)
         {
             ArgUtil.NotNull(agent, nameof(agent));
             agent.Authorization = new TaskAgentAuthorization
@@ -469,6 +468,8 @@ namespace GitHub.Runner.Listener.Configuration
             // update should replace the existing labels
             agent.Version = BuildConstants.RunnerPackage.Version;
             agent.OSDescription = RuntimeInformation.OSDescription;
+            agent.Ephemeral = ephemeral;
+            agent.MaxParallelism = 1;
 
             agent.Labels.Clear();
 
@@ -484,7 +485,7 @@ namespace GitHub.Runner.Listener.Configuration
             return agent;
         }
 
-        private TaskAgent CreateNewAgent(string agentName, RSAParameters publicKey, ISet<string> userLabels)
+        private TaskAgent CreateNewAgent(string agentName, RSAParameters publicKey, ISet<string> userLabels, bool ephemeral)
         {
             TaskAgent agent = new TaskAgent(agentName)
             {
@@ -495,6 +496,7 @@ namespace GitHub.Runner.Listener.Configuration
                 MaxParallelism = 1,
                 Version = BuildConstants.RunnerPackage.Version,
                 OSDescription = RuntimeInformation.OSDescription,
+                Ephemeral = ephemeral,
             };
 
             agent.Labels.Add(new AgentLabel("self-hosted", LabelType.System));

src/Runner.Listener/Configuration/PromptManager.cs

@@ -85,7 +85,7 @@ namespace GitHub.Runner.Listener.Configuration
             while (true)
             {
                 // Write the message prompt.
-                _terminal.Write($"{description} ", ConsoleColor.White);
+                _terminal.Write($"{description} ");
 
                 if(!string.IsNullOrEmpty(defaultValue))
                 {

src/Runner.Listener/JobDispatcher.cs

@@ -510,9 +510,8 @@ namespace GitHub.Runner.Listener
 
                                     var jobServer = HostContext.GetService<IJobServer>();
                                     VssCredentials jobServerCredential = VssUtil.GetVssCredential(systemConnection);
-                                    VssConnection jobConnection = VssUtil.CreateConnection(systemConnection.Url, jobServerCredential);
-                                    await jobServer.ConnectAsync(jobConnection);
 
+                                    await jobServer.ConnectAsync(systemConnection.Url, jobServerCredential);
                                     await LogWorkerProcessUnhandledException(jobServer, message, detailInfo);
 
                                     // Go ahead to finish the job with result 'Failed' if the STDERR from worker is System.IO.IOException, since it typically means we are running out of disk space.
@@ -791,9 +790,8 @@ namespace GitHub.Runner.Listener
 
                 var jobServer = HostContext.GetService<IJobServer>();
                 VssCredentials jobServerCredential = VssUtil.GetVssCredential(systemConnection);
-                VssConnection jobConnection = VssUtil.CreateConnection(systemConnection.Url, jobServerCredential);
 
-                await jobServer.ConnectAsync(jobConnection);
+                await jobServer.ConnectAsync(systemConnection.Url, jobServerCredential);
 
                 var timeline = await jobServer.GetTimelineAsync(message.Plan.ScopeIdentifier, message.Plan.PlanType, message.Plan.PlanId, message.Timeline.Id, CancellationToken.None);
 

src/Runner.Listener/Runner.cs

@@ -234,7 +234,7 @@ namespace GitHub.Runner.Listener
                     HostContext.StartupType = startType;
 
                     // Run the runner interactively or as service
-                    return await RunAsync(settings, command.RunOnce);
+                    return await RunAsync(settings, command.RunOnce || settings.Ephemeral);  // TODO: Remove RunOnce later.
                 }
                 else
                 {
@@ -466,8 +466,16 @@ namespace GitHub.Runner.Listener
                         await jobDispatcher.ShutdownAsync();
                     }
 
-                    //TODO: make sure we don't mask more important exception
-                    await _listener.DeleteSessionAsync();
+                    try
+                    {
+                        await _listener.DeleteSessionAsync();
+                    }
+                    catch (Exception ex) when (runOnce)
+                    {
+                        // ignore exception during delete session for ephemeral runner since the runner might already be deleted from the server side
+                        // and the delete session call will ends up with 401.
+                        Trace.Info($"Ignore any exception during DeleteSession for an ephemeral runner. {ex}");
+                    }
 
                     messageQueueLoopTokenSource.Dispose();
                 }
@@ -512,7 +520,9 @@ Config Options:
  --labels string        Extra labels in addition to the default: 'self-hosted,{Constants.Runner.Platform},{Constants.Runner.PlatformArchitecture}'
  --work string          Relative runner work directory (default {Constants.Path.WorkDirectory})
  --replace              Replace any existing runner with the same name (default false)
- --pat                  GitHub personal access token used for checking network connectivity when executing `.{separator}run.{ext} --check`");
+ --pat                  GitHub personal access token used for checking network connectivity when executing `.{separator}run.{ext} --check`
+ --ephemeral            Configure the runner to only take one job and then let the service un-configure the runner after the job finishes (default false)");
+
 #if OS_WINDOWS
     _term.WriteLine($@" --runasservice   Run the runner as a service");
     _term.WriteLine($@" --windowslogonaccount string   Account to run the service as. Requires runasservice");

src/Runner.Listener/SelfUpdater.cs

@@ -74,10 +74,12 @@ namespace GitHub.Runner.Listener
                 await jobDispatcher.WaitAsync(token);
                 Trace.Info($"All running job has exited.");
 
+                // We need to keep runner backup around for macOS until we fixed https://github.com/actions/runner/issues/743
+#if !OS_OSX
                 // delete runner backup
                 DeletePreviousVersionRunnerBackup(token);
                 Trace.Info($"Delete old version runner backup.");
-
+#endif
                 // generate update script from template
                 await UpdateRunnerUpdateStateAsync("Generate and execute update script.");
 
@@ -96,7 +98,7 @@ namespace GitHub.Runner.Listener
                 invokeScript.Start();
                 Trace.Info($"Update script start running");
 
-                await UpdateRunnerUpdateStateAsync("Runner will exit shortly for update, should back online within 10 seconds.");
+                await UpdateRunnerUpdateStateAsync("Runner will exit shortly for update, should be back online within 10 seconds.");
 
                 return true;
             }

src/Runner.Worker/ActionManager.cs

@@ -610,6 +610,7 @@ namespace GitHub.Runner.Worker
                     {
                         NameWithOwner = repositoryReference.Name,
                         Ref = repositoryReference.Ref,
+                        Path = repositoryReference.Path,
                     };
                 })
                 .ToList();

src/Runner.Worker/ContainerOperationProvider.cs

@@ -494,7 +494,8 @@ namespace GitHub.Runner.Worker
         private void UpdateRegistryAuthForGitHubToken(IExecutionContext executionContext, ContainerInfo container)
         {
             var registryIsTokenCompatible = container.RegistryServer.Equals("ghcr.io", StringComparison.OrdinalIgnoreCase) || container.RegistryServer.Equals("containers.pkg.github.com", StringComparison.OrdinalIgnoreCase);
-            if (!registryIsTokenCompatible)
+            var isFallbackTokenFromHostedGithub = HostContext.GetService<IConfigurationStore>().GetSettings().IsHostedServer;
+            if (!registryIsTokenCompatible || !isFallbackTokenFromHostedGithub)
             {
                 return;
             }

src/Runner.Worker/ExecutionContext.cs

@@ -38,6 +38,7 @@ namespace GitHub.Runner.Worker
         Guid Id { get; }
         Guid EmbeddedId { get; }
         string ScopeName { get; }
+        string SiblingScopeName { get; }
         string ContextName { get; }
         Task ForceCompleted { get; }
         TaskResult? Result { get; set; }
@@ -74,8 +75,8 @@ namespace GitHub.Runner.Worker
         // Initialize
         void InitializeJob(Pipelines.AgentJobRequestMessage message, CancellationToken token);
         void CancelToken();
-        IExecutionContext CreateChild(Guid recordId, string displayName, string refName, string scopeName, string contextName, Dictionary<string, string> intraActionState = null, int? recordOrder = null, IPagingLogger logger = null, bool isEmbedded = false, CancellationTokenSource cancellationTokenSource = null, Guid embeddedId = default(Guid));
-        IExecutionContext CreateEmbeddedChild(string scopeName, string contextName, Guid embeddedId, Dictionary<string, string> intraActionState = null);
+        IExecutionContext CreateChild(Guid recordId, string displayName, string refName, string scopeName, string contextName, Dictionary<string, string> intraActionState = null, int? recordOrder = null, IPagingLogger logger = null, bool isEmbedded = false, CancellationTokenSource cancellationTokenSource = null, Guid embeddedId = default(Guid), string siblingScopeName = null);
+        IExecutionContext CreateEmbeddedChild(string scopeName, string contextName, Guid embeddedId, Dictionary<string, string> intraActionState = null, string siblingScopeName = null);
 
         // logging
         long Write(string tag, string message);
@@ -140,6 +141,7 @@ namespace GitHub.Runner.Worker
         public Guid Id => _record.Id;
         public Guid EmbeddedId { get; private set; }
         public string ScopeName { get; private set; }
+        public string SiblingScopeName { get; private set; }
         public string ContextName { get; private set; }
         public Task ForceCompleted => _forceCompleted.Task;
         public CancellationToken CancellationToken => _cancellationTokenSource.Token;
@@ -258,6 +260,7 @@ namespace GitHub.Runner.Worker
 
         public void RegisterPostJobStep(IStep step)
         {
+            string siblingScopeName = null;
             if (this.IsEmbedded)
             {
                 if (step is IActionRunner actionRunner && !Root.EmbeddedStepsWithPostRegistered.Add(actionRunner.Action.Id))
@@ -271,12 +274,16 @@ namespace GitHub.Runner.Worker
                 Trace.Info($"'post' of '{actionRunner.DisplayName}' already push to post step stack.");
                 return;
             }
+            if (step is IActionRunner runner)
+            {
+                siblingScopeName = runner.Action.ContextName;
+            }
 
-            step.ExecutionContext = Root.CreatePostChild(step.DisplayName, IntraActionState);
+            step.ExecutionContext = Root.CreatePostChild(step.DisplayName, IntraActionState, siblingScopeName);
             Root.PostJobSteps.Push(step);
         }
 
-        public IExecutionContext CreateChild(Guid recordId, string displayName, string refName, string scopeName, string contextName, Dictionary<string, string> intraActionState = null, int? recordOrder = null, IPagingLogger logger = null, bool isEmbedded = false, CancellationTokenSource cancellationTokenSource = null, Guid embeddedId = default(Guid))
+        public IExecutionContext CreateChild(Guid recordId, string displayName, string refName, string scopeName, string contextName, Dictionary<string, string> intraActionState = null, int? recordOrder = null, IPagingLogger logger = null, bool isEmbedded = false, CancellationTokenSource cancellationTokenSource = null, Guid embeddedId = default(Guid), string siblingScopeName = null)
         {
             Trace.Entering();
 
@@ -286,6 +293,7 @@ namespace GitHub.Runner.Worker
             child.ScopeName = scopeName;
             child.ContextName = contextName;
             child.EmbeddedId = embeddedId;
+            child.SiblingScopeName = siblingScopeName;
             if (intraActionState == null)
             {
                 child.IntraActionState = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
@@ -333,9 +341,9 @@ namespace GitHub.Runner.Worker
         /// An embedded execution context shares the same record ID, record name, logger,
         /// and a linked cancellation token.
         /// </summary>
-        public IExecutionContext CreateEmbeddedChild(string scopeName, string contextName, Guid embeddedId, Dictionary<string, string> intraActionState = null)
+        public IExecutionContext CreateEmbeddedChild(string scopeName, string contextName, Guid embeddedId, Dictionary<string, string> intraActionState = null, string siblingScopeName = null)
         {
-            return Root.CreateChild(_record.Id, _record.Name, _record.Id.ToString("N"), scopeName, contextName, logger: _logger, isEmbedded: true, cancellationTokenSource: CancellationTokenSource.CreateLinkedTokenSource(_cancellationTokenSource.Token), intraActionState: intraActionState, embeddedId: embeddedId);
+            return Root.CreateChild(_record.Id, _record.Name, _record.Id.ToString("N"), scopeName, contextName, logger: _logger, isEmbedded: true, cancellationTokenSource: CancellationTokenSource.CreateLinkedTokenSource(_cancellationTokenSource.Token), intraActionState: intraActionState, embeddedId: embeddedId, siblingScopeName: siblingScopeName);
         }
 
         public void Start(string currentOperation = null)
@@ -914,7 +922,7 @@ namespace GitHub.Runner.Worker
             }
         }
 
-        private IExecutionContext CreatePostChild(string displayName, Dictionary<string, string> intraActionState)
+        private IExecutionContext CreatePostChild(string displayName, Dictionary<string, string> intraActionState, string siblingScopeName = null)
         {
             if (!_expandedForPostJob)
             {
@@ -924,7 +932,7 @@ namespace GitHub.Runner.Worker
             }
 
             var newGuid = Guid.NewGuid();
-            return CreateChild(newGuid, displayName, newGuid.ToString("N"), null, null, intraActionState, _childTimelineRecordOrder - Root.PostJobSteps.Count);
+            return CreateChild(newGuid, displayName, newGuid.ToString("N"), null, null, intraActionState, _childTimelineRecordOrder - Root.PostJobSteps.Count, siblingScopeName: siblingScopeName);
         }
     }
 
@@ -972,18 +980,6 @@ namespace GitHub.Runner.Worker
             context.Write(null, message);
         }
 
-        public static void WriteDetails(this IExecutionContext context, string message)
-        {
-            if (context.IsEmbedded)
-            {
-                context.Debug(message);
-            }
-            else
-            {
-                context.Output(message);
-            }
-        }
-
         // Do not add a format string overload. See comment on ExecutionContext.Write().
         public static void Command(this IExecutionContext context, string message)
         {

src/Runner.Worker/Handlers/CompositeActionHandler.cs

@@ -120,7 +120,7 @@ namespace GitHub.Runner.Worker.Handlers
                 // only relevant for local composite actions that need to JIT download/setup containers
                 if (LocalActionContainerSetupSteps != null && LocalActionContainerSetupSteps.Count > 0)
                 {
-                    foreach(var step in LocalActionContainerSetupSteps)
+                    foreach (var step in LocalActionContainerSetupSteps)
                     {
                         ArgUtil.NotNull(step, step.DisplayName);
                         var stepId = $"__{Guid.NewGuid()}";
@@ -128,17 +128,31 @@ namespace GitHub.Runner.Worker.Handlers
                         embeddedSteps.Add(step);
                     }
                 }
-
                 foreach (Pipelines.ActionStep stepData in steps)
                 {
+                    // Compute child sibling scope names for post steps
+                    // We need to use the main's scope to keep step context correct, makes inputs flow correctly
+                    string siblingScopeName = null;
+                    if (!String.IsNullOrEmpty(ExecutionContext.SiblingScopeName) && stage == ActionRunStage.Post)
+                    {
+                        siblingScopeName = $"{ExecutionContext.SiblingScopeName}.{stepData.ContextName}";
+                    }
+
                     var step = HostContext.CreateService<IActionRunner>();
                     step.Action = stepData;
                     step.Stage = stage;
                     step.Condition = stepData.Condition;
                     ExecutionContext.Root.EmbeddedIntraActionState.TryGetValue(step.Action.Id, out var intraActionState);
-                    step.ExecutionContext = ExecutionContext.CreateEmbeddedChild(childScopeName, stepData.ContextName, step.Action.Id, intraActionState: intraActionState);
+                    step.ExecutionContext = ExecutionContext.CreateEmbeddedChild(childScopeName, stepData.ContextName, step.Action.Id, intraActionState: intraActionState, siblingScopeName: siblingScopeName);
                     step.ExecutionContext.ExpressionValues["inputs"] = inputsData;
-                    step.ExecutionContext.ExpressionValues["steps"] = ExecutionContext.Global.StepsContext.GetScope(childScopeName);
+                    if (!String.IsNullOrEmpty(ExecutionContext.SiblingScopeName))
+                    {
+                        step.ExecutionContext.ExpressionValues["steps"] = ExecutionContext.Global.StepsContext.GetScope(ExecutionContext.SiblingScopeName);
+                    }
+                    else
+                    {
+                        step.ExecutionContext.ExpressionValues["steps"] = ExecutionContext.Global.StepsContext.GetScope(childScopeName);   
+                    }
 
                     // Shallow copy github context
                     var gitHubContext = step.ExecutionContext.ExpressionValues["github"] as GitHubContext;
@@ -281,99 +295,108 @@ namespace GitHub.Runner.Worker.Handlers
                 CancellationTokenRegistration? jobCancelRegister = null;
                 try
                 {
-                    // Register job cancellation call back only if job cancellation token not been fire before each step run
-                    if (!ExecutionContext.Root.CancellationToken.IsCancellationRequested)
-                    {
-                        // Test the condition again. The job was canceled after the condition was originally evaluated.
-                        jobCancelRegister = ExecutionContext.Root.CancellationToken.Register(() =>
-                        {
-                            // Mark job as cancelled
-                            ExecutionContext.Root.Result = TaskResult.Canceled;
-                            ExecutionContext.Root.JobContext.Status = ExecutionContext.Root.Result?.ToActionResult();
-
-                            step.ExecutionContext.Debug($"Re-evaluate condition on job cancellation for step: '{step.DisplayName}'.");
-                            var conditionReTestTraceWriter = new ConditionTraceWriter(Trace, null); // host tracing only
-                            var conditionReTestResult = false;
-                            if (HostContext.RunnerShutdownToken.IsCancellationRequested)
-                            {
-                                step.ExecutionContext.Debug($"Skip Re-evaluate condition on runner shutdown.");
-                            }
-                            else
-                            {
-                                try
-                                {
-                                    var templateEvaluator = step.ExecutionContext.ToPipelineTemplateEvaluator(conditionReTestTraceWriter);
-                                    var condition = new BasicExpressionToken(null, null, null, step.Condition);
-                                    conditionReTestResult = templateEvaluator.EvaluateStepIf(condition, step.ExecutionContext.ExpressionValues, step.ExecutionContext.ExpressionFunctions, step.ExecutionContext.ToExpressionState());
-                                }
-                                catch (Exception ex)
-                                {
-                                    // Cancel the step since we get exception while re-evaluate step condition
-                                    Trace.Info("Caught exception from expression when re-test condition on job cancellation.");
-                                    step.ExecutionContext.Error(ex);
-                                }
-                            }
-
-                            if (!conditionReTestResult)
-                            {
-                                // Cancel the step
-                                Trace.Info("Cancel current running step.");
-                                step.ExecutionContext.CancelToken();
-                            }
-                        });
-                    }
-                    else
-                    {
-                        if (ExecutionContext.Root.Result != TaskResult.Canceled)
-                        {
-                            // Mark job as cancelled
-                            ExecutionContext.Root.Result = TaskResult.Canceled;
-                            ExecutionContext.Root.JobContext.Status = ExecutionContext.Root.Result?.ToActionResult();
-                        }
-                    }
-                    // Evaluate condition
-                    step.ExecutionContext.Debug($"Evaluating condition for step: '{step.DisplayName}'");
-                    var conditionTraceWriter = new ConditionTraceWriter(Trace, step.ExecutionContext);
-                    var conditionResult = false;
-                    var conditionEvaluateError = default(Exception);
-                    if (HostContext.RunnerShutdownToken.IsCancellationRequested)
-                    {
-                        step.ExecutionContext.Debug($"Skip evaluate condition on runner shutdown.");
-                    }
-                    else
-                    {
-                        try
-                        {
-                            var templateEvaluator = step.ExecutionContext.ToPipelineTemplateEvaluator(conditionTraceWriter);
-                            var condition = new BasicExpressionToken(null, null, null, step.Condition);
-                            conditionResult = templateEvaluator.EvaluateStepIf(condition, step.ExecutionContext.ExpressionValues, step.ExecutionContext.ExpressionFunctions, step.ExecutionContext.ToExpressionState());
-                        }
-                        catch (Exception ex)
-                        {
-                            Trace.Info("Caught exception from expression.");
-                            Trace.Error(ex);
-                            conditionEvaluateError = ex;
-                        }
-                    }
-                    if (!conditionResult && conditionEvaluateError == null)
-                    {
-                        // Condition is false
-                        Trace.Info("Skipping step due to condition evaluation.");
-                        step.ExecutionContext.Result = TaskResult.Skipped;
-                        continue;
-                    }
-                    else if (conditionEvaluateError != null)
-                    {
-                        // Condition error
-                        step.ExecutionContext.Error(conditionEvaluateError);
-                        step.ExecutionContext.Result = TaskResult.Failed;
-                        ExecutionContext.Result = TaskResult.Failed;
-                        break;
-                    }
-                    else
+                    // For main steps just run the action
+                    if (stage == ActionRunStage.Main)
                     {
                         await RunStepAsync(step);
                     }
+                    // We need to evaluate conditions for pre/post steps
+                    else
+                    {
+                        // Register job cancellation call back only if job cancellation token not been fire before each step run
+                        if (!ExecutionContext.Root.CancellationToken.IsCancellationRequested)
+                        {
+                            // Test the condition again. The job was canceled after the condition was originally evaluated.
+                            jobCancelRegister = ExecutionContext.Root.CancellationToken.Register(() =>
+                            {
+                                // Mark job as cancelled
+                                ExecutionContext.Root.Result = TaskResult.Canceled;
+                                ExecutionContext.Root.JobContext.Status = ExecutionContext.Root.Result?.ToActionResult();
+
+                                step.ExecutionContext.Debug($"Re-evaluate condition on job cancellation for step: '{step.DisplayName}'.");
+                                var conditionReTestTraceWriter = new ConditionTraceWriter(Trace, null); // host tracing only
+                                var conditionReTestResult = false;
+                                if (HostContext.RunnerShutdownToken.IsCancellationRequested)
+                                {
+                                    step.ExecutionContext.Debug($"Skip Re-evaluate condition on runner shutdown.");
+                                }
+                                else
+                                {
+                                    try
+                                    {
+                                        var templateEvaluator = step.ExecutionContext.ToPipelineTemplateEvaluator(conditionReTestTraceWriter);
+                                        var condition = new BasicExpressionToken(null, null, null, step.Condition);
+                                        conditionReTestResult = templateEvaluator.EvaluateStepIf(condition, step.ExecutionContext.ExpressionValues, step.ExecutionContext.ExpressionFunctions, step.ExecutionContext.ToExpressionState());
+                                    }
+                                    catch (Exception ex)
+                                    {
+                                        // Cancel the step since we get exception while re-evaluate step condition
+                                        Trace.Info("Caught exception from expression when re-test condition on job cancellation.");
+                                        step.ExecutionContext.Error(ex);
+                                    }
+                                }
+
+                                if (!conditionReTestResult)
+                                {
+                                    // Cancel the step
+                                    Trace.Info("Cancel current running step.");
+                                    step.ExecutionContext.CancelToken();
+                                }
+                            });
+                        }
+                        else
+                        {
+                            if (ExecutionContext.Root.Result != TaskResult.Canceled)
+                            {
+                                // Mark job as cancelled
+                                ExecutionContext.Root.Result = TaskResult.Canceled;
+                                ExecutionContext.Root.JobContext.Status = ExecutionContext.Root.Result?.ToActionResult();
+                            }
+                        }
+                        // Evaluate condition
+                        step.ExecutionContext.Debug($"Evaluating condition for step: '{step.DisplayName}'");
+                        var conditionTraceWriter = new ConditionTraceWriter(Trace, step.ExecutionContext);
+                        var conditionResult = false;
+                        var conditionEvaluateError = default(Exception);
+                        if (HostContext.RunnerShutdownToken.IsCancellationRequested)
+                        {
+                            step.ExecutionContext.Debug($"Skip evaluate condition on runner shutdown.");
+                        }
+                        else
+                        {
+                            try
+                            {
+                                var templateEvaluator = step.ExecutionContext.ToPipelineTemplateEvaluator(conditionTraceWriter);
+                                var condition = new BasicExpressionToken(null, null, null, step.Condition);
+                                conditionResult = templateEvaluator.EvaluateStepIf(condition, step.ExecutionContext.ExpressionValues, step.ExecutionContext.ExpressionFunctions, step.ExecutionContext.ToExpressionState());
+                            }
+                            catch (Exception ex)
+                            {
+                                Trace.Info("Caught exception from expression.");
+                                Trace.Error(ex);
+                                conditionEvaluateError = ex;
+                            }
+                        }
+                        if (!conditionResult && conditionEvaluateError == null)
+                        {
+                            // Condition is false
+                            Trace.Info("Skipping step due to condition evaluation.");
+                            step.ExecutionContext.Result = TaskResult.Skipped;
+                            continue;
+                        }
+                        else if (conditionEvaluateError != null)
+                        {
+                            // Condition error
+                            step.ExecutionContext.Error(conditionEvaluateError);
+                            step.ExecutionContext.Result = TaskResult.Failed;
+                            ExecutionContext.Result = TaskResult.Failed;
+                            break;
+                        }
+                        else
+                        {
+                            await RunStepAsync(step);
+                        }
+                    }
                 }
                 finally
                 {

src/Runner.Worker/Handlers/ContainerActionHandler.cs

@@ -50,8 +50,8 @@ namespace GitHub.Runner.Worker.Handlers
                 var dockerFile = Path.Combine(ActionDirectory, Data.Image);
                 ArgUtil.File(dockerFile, nameof(Data.Image));
 
-                ExecutionContext.WriteDetails(ExecutionContext.IsEmbedded ? "Building docker image" : $"##[group]Building docker image");
-                ExecutionContext.WriteDetails($"Dockerfile for action: '{dockerFile}'.");
+                ExecutionContext.Output($"##[group]Building docker image");
+                ExecutionContext.Output($"Dockerfile for action: '{dockerFile}'.");
                 var imageName = $"{dockerManager.DockerInstanceLabel}:{ExecutionContext.Id.ToString("N")}";
                 var buildExitCode = await dockerManager.DockerBuild(
                     ExecutionContext,
@@ -59,7 +59,7 @@ namespace GitHub.Runner.Worker.Handlers
                     dockerFile,
                     Directory.GetParent(dockerFile).FullName,
                     imageName);
-                ExecutionContext.WriteDetails(ExecutionContext.IsEmbedded ? "" : "##[endgroup]");
+                ExecutionContext.Output("##[endgroup]");
 
                 if (buildExitCode != 0)
                 {
@@ -217,6 +217,7 @@ namespace GitHub.Runner.Worker.Handlers
             if (systemConnection.Data.TryGetValue("GenerateIdTokenUrl", out var generateIdTokenUrl) && !string.IsNullOrEmpty(generateIdTokenUrl))
             {
                 Environment["ACTIONS_ID_TOKEN_REQUEST_URL"] = generateIdTokenUrl;
+                Environment["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = systemConnection.Authorization.Parameters[EndpointAuthorizationParameters.AccessToken];
             }
 
             foreach (var variable in this.Environment)

src/Runner.Worker/Handlers/Handler.cs

@@ -82,7 +82,7 @@ namespace GitHub.Runner.Worker.Handlers
             
             if (stage == ActionRunStage.Post)
             {
-                ExecutionContext.WriteDetails($"Post job cleanup.");
+                ExecutionContext.Output($"Post job cleanup.");
                 return;
             }
 
@@ -118,30 +118,30 @@ namespace GitHub.Runner.Worker.Handlers
                 groupName = "Action details";
             }
 
-            ExecutionContext.WriteDetails(ExecutionContext.IsEmbedded ? groupName : $"##[group]{groupName}");
+            ExecutionContext.Output($"##[group]{groupName}");
 
             if (this.Inputs?.Count > 0)
             {
-                ExecutionContext.WriteDetails("with:");
+                ExecutionContext.Output("with:");
                 foreach (var input in this.Inputs)
                 {
                     if (!string.IsNullOrEmpty(input.Value))
                     {
-                        ExecutionContext.WriteDetails($"  {input.Key}: {input.Value}");
+                        ExecutionContext.Output($"  {input.Key}: {input.Value}");
                     }
                 }
             }
 
             if (this.Environment?.Count > 0)
             {
-                ExecutionContext.WriteDetails("env:");
+                ExecutionContext.Output("env:");
                 foreach (var env in this.Environment)
                 {
-                    ExecutionContext.WriteDetails($"  {env.Key}: {env.Value}");
+                    ExecutionContext.Output($"  {env.Key}: {env.Value}");
                 }
             }
 
-            ExecutionContext.WriteDetails(ExecutionContext.IsEmbedded ? "" : "##[endgroup]");
+            ExecutionContext.Output("##[endgroup]");
         }
 
         public override void Initialize(IHostContext hostContext)

src/Runner.Worker/Handlers/NodeScriptActionHandler.cs

@@ -56,6 +56,7 @@ namespace GitHub.Runner.Worker.Handlers
             if (systemConnection.Data.TryGetValue("GenerateIdTokenUrl", out var generateIdTokenUrl) && !string.IsNullOrEmpty(generateIdTokenUrl))
             {
                 Environment["ACTIONS_ID_TOKEN_REQUEST_URL"] = generateIdTokenUrl;
+                Environment["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = systemConnection.Authorization.Parameters[EndpointAuthorizationParameters.AccessToken];
             }
 
             // Resolve the target script.

src/Runner.Worker/Handlers/ScriptHandler.cs

@@ -40,7 +40,7 @@ namespace GitHub.Runner.Worker.Handlers
                     firstLine = firstLine.Substring(0, firstNewLine);
                 }
 
-                ExecutionContext.WriteDetails(ExecutionContext.IsEmbedded ? $"Run {firstLine}" : $"##[group]Run {firstLine}");
+                ExecutionContext.Output($"##[group]Run {firstLine}");
             }
             else
             {
@@ -51,7 +51,7 @@ namespace GitHub.Runner.Worker.Handlers
             foreach (var line in multiLines)
             {
                 // Bright Cyan color
-                ExecutionContext.WriteDetails($"\x1b[36;1m{line}\x1b[0m");
+                ExecutionContext.Output($"\x1b[36;1m{line}\x1b[0m");
             }
 
             string argFormat;
@@ -110,23 +110,23 @@ namespace GitHub.Runner.Worker.Handlers
 
             if (!string.IsNullOrEmpty(shellCommandPath))
             {
-                ExecutionContext.WriteDetails($"shell: {shellCommandPath} {argFormat}");
+                ExecutionContext.Output($"shell: {shellCommandPath} {argFormat}");
             }
             else
             {
-                ExecutionContext.WriteDetails($"shell: {shellCommand} {argFormat}");
+                ExecutionContext.Output($"shell: {shellCommand} {argFormat}");
             }
 
             if (this.Environment?.Count > 0)
             {
-                ExecutionContext.WriteDetails("env:");
+                ExecutionContext.Output("env:");
                 foreach (var env in this.Environment)
                 {
-                    ExecutionContext.WriteDetails($"  {env.Key}: {env.Value}");
+                    ExecutionContext.Output($"  {env.Key}: {env.Value}");
                 }
             }
 
-            ExecutionContext.WriteDetails(ExecutionContext.IsEmbedded ? "" : "##[endgroup]");
+            ExecutionContext.Output("##[endgroup]");
         }
 
         public async Task RunAsync(ActionRunStage stage)
@@ -147,7 +147,8 @@ namespace GitHub.Runner.Worker.Handlers
             // Add Telemetry to JobContext to send with JobCompleteMessage
             if (stage == ActionRunStage.Main)
             {
-                var telemetry = new ActionsStepTelemetry {
+                var telemetry = new ActionsStepTelemetry
+                {
                     IsEmbedded = ExecutionContext.IsEmbedded,
                     Type = "run",
                 };
@@ -276,6 +277,13 @@ namespace GitHub.Runner.Worker.Handlers
                 fileName = node12;
             }
 #endif
+            var systemConnection = ExecutionContext.Global.Endpoints.Single(x => string.Equals(x.Name, WellKnownServiceEndpointNames.SystemVssConnection, StringComparison.OrdinalIgnoreCase));
+            if (systemConnection.Data.TryGetValue("GenerateIdTokenUrl", out var generateIdTokenUrl) && !string.IsNullOrEmpty(generateIdTokenUrl))
+            {
+                Environment["ACTIONS_ID_TOKEN_REQUEST_URL"] = generateIdTokenUrl;
+                Environment["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = systemConnection.Authorization.Parameters[EndpointAuthorizationParameters.AccessToken];
+            }
+
             ExecutionContext.Debug($"{fileName} {arguments}");
 
             using (var stdoutManager = new OutputManager(ExecutionContext, ActionCommandManager))

src/Runner.Worker/IssueMatcher.cs

@@ -350,6 +350,7 @@ namespace GitHub.Runner.Worker
                 case "":
                 case "ERROR":
                 case "WARNING":
+                case "NOTICE":
                     break;
                 default:
                     throw new ArgumentException($"Matcher '{_owner}' contains unexpected default severity '{_severity}'");

src/Runner.Worker/JobRunner.cs

@@ -48,8 +48,8 @@ namespace GitHub.Runner.Worker
             Trace.Info($"Creating job server with URL: {jobServerUrl}");
             // jobServerQueue is the throttling reporter.
             _jobServerQueue = HostContext.GetService<IJobServerQueue>();
-            VssConnection jobConnection = VssUtil.CreateConnection(jobServerUrl, jobServerCredential, new DelegatingHandler[] { new ThrottlingReportHandler(_jobServerQueue) });
-            await jobServer.ConnectAsync(jobConnection);
+            
+            await jobServer.ConnectAsync(jobServerUrl, jobServerCredential, new DelegatingHandler[] { new ThrottlingReportHandler(_jobServerQueue) });
 
             _jobServerQueue.Start(message);
             HostContext.WritePerfCounter($"WorkerJobServerQueueStarted_{message.RequestId.ToString()}");
@@ -145,6 +145,16 @@ namespace GitHub.Runner.Worker
                 Trace.Verbose($"Job steps: '{string.Join(", ", jobSteps.Select(x => x.DisplayName))}'");
                 HostContext.WritePerfCounter($"WorkerJobInitialized_{message.RequestId.ToString()}");
 
+                if (systemConnection.Data.TryGetValue("GenerateIdTokenUrl", out var generateIdTokenUrl) &&
+                    !string.IsNullOrEmpty(generateIdTokenUrl))
+                {
+                    // Server won't issue ID_TOKEN for non-inprogress job.
+                    // If the job is trying to use OIDC feature, we want the job to be marked as in-progress before running any customer's steps as much as we can.
+                    // Timeline record update background process runs every 500ms, so delay 1000ms is enough for most of the cases
+                    Trace.Info($"Waiting for job to be marked as started.");
+                    await Task.WhenAny(_jobServerQueue.JobRecordUpdated.Task, Task.Delay(1000));
+                }
+
                 // Run all job steps
                 Trace.Info("Run all job steps.");
                 var stepsRunner = HostContext.GetService<IStepsRunner>();

src/Sdk/DTLogging/Logging/ValueEncoders.cs

@@ -2,6 +2,7 @@
 using System.ComponentModel;
 using System.Security;
 using System.Text;
+using System.Text.RegularExpressions;
 using Newtonsoft.Json;
 
 namespace GitHub.DistributedTask.Logging
@@ -80,6 +81,65 @@ namespace GitHub.DistributedTask.Logging
             return trimmed;
         }
 
+        public static String PowerShellPreAmpersandEscape(String value)
+        {
+            // if the secret is passed to PS as a command and it causes an error, sections of it can be surrounded by color codes
+            // or printed individually. 
+            
+            // The secret secretpart1&secretpart2&secretpart3 would be split into 2 sections:
+            // 'secretpart1&secretpart2&' and 'secretpart3'. This method masks for the first section.
+            
+            // The secret secretpart1&+secretpart2&secretpart3 would be split into 2 sections:
+            // 'secretpart1&+' and (no 's') 'ecretpart2&secretpart3'. This method masks for the first section.
+
+            var trimmed = string.Empty;
+            if (!string.IsNullOrEmpty(value) && value.Contains("&"))
+            {
+                var secretSection = string.Empty;
+                if (value.Contains("&+"))
+                {
+                    secretSection = value.Substring(0, value.IndexOf("&+") + "&+".Length);
+                }
+                else
+                {
+                    secretSection = value.Substring(0, value.LastIndexOf("&") + "&".Length);
+                }
+
+                // Don't mask short secrets
+                if (secretSection.Length >= 6)
+                {
+                    trimmed = secretSection;
+                }
+            }
+
+            return trimmed;
+        }
+
+        public static String PowerShellPostAmpersandEscape(String value)
+        {
+            var trimmed = string.Empty;
+            if (!string.IsNullOrEmpty(value) && value.Contains("&"))
+            {
+                var secretSection = string.Empty;
+                if (value.Contains("&+"))
+                {
+                    // +1 to skip the letter that got colored
+                    secretSection = value.Substring(value.IndexOf("&+") + "&+".Length + 1);
+                }
+                else
+                {
+                    secretSection = value.Substring(value.LastIndexOf("&") + "&".Length);
+                }
+
+                if (secretSection.Length >= 6)
+                {
+                    trimmed = secretSection;
+                }
+            }
+
+            return trimmed;
+        }
+
         private static string Base64StringEscapeShift(String value, int shift)
         {
             var bytes = Encoding.UTF8.GetBytes(value);

src/Sdk/DTWebApi/WebApi/ActionReference.cs

@@ -18,5 +18,12 @@ namespace GitHub.DistributedTask.WebApi
             get;
             set;
         }
+
+        [DataMember]
+        public string Path
+        {
+            get;
+            set;
+        }
     }
 }

src/Sdk/DTWebApi/WebApi/TaskAgentReference.cs

@@ -24,6 +24,7 @@ namespace GitHub.DistributedTask.WebApi
             this.OSDescription = referenceToBeCloned.OSDescription;
             this.ProvisioningState = referenceToBeCloned.ProvisioningState;
             this.AccessPoint = referenceToBeCloned.AccessPoint;
+            this.Ephemeral = referenceToBeCloned.Ephemeral;
 
             if (referenceToBeCloned.m_links != null)
             {
@@ -81,6 +82,16 @@ namespace GitHub.DistributedTask.WebApi
             set;
         }
 
+        /// <summary>
+        /// Signifies that this Agent can only run one job and will be removed by the server after that one job finish.
+        /// </summary>
+        [DataMember]
+        public bool? Ephemeral
+        {
+            get;
+            set;
+        }
+
         /// <summary>
         /// Whether or not the agent is online.
         /// </summary>

src/Test/L0/HostContextL0.cs

@@ -112,6 +112,36 @@ namespace GitHub.Runner.Common.Tests
             }
         }
 
+        [Theory]
+        [InlineData("secret&secret&secret", "secret&secret&\x0033[96msecret\x0033[0m", "***\x0033[96m***\x0033[0m")]
+        [InlineData("secret&secret+secret", "secret&\x0033[96msecret+secret\x0033[0m", "***\x0033[96m***\x0033[0m")]
+        [InlineData("secret+secret&secret", "secret+secret&\x0033[96msecret\x0033[0m", "***\x0033[96m***\x0033[0m")]
+        [InlineData("secret&secret&+secretsecret", "secret&secret&+\x0033[96ms\x0033[0mecretsecret", "***\x0033[96ms\x0033[0m***")]
+        [InlineData("secret&+secret&secret", "secret&+\x0033[96ms\x0033[0mecret&secret", "***\x0033[96ms\x0033[0m***")]
+        [InlineData("secret&+secret&+secret", "secret&+\x0033[96ms\x0033[0mecret&+secret", "***\x0033[96ms\x0033[0m***")]
+        [InlineData("secret&+secret&secret&+secret", "secret&+\x0033[96ms\x0033[0mecret&secret&+secret", "***\x0033[96ms\x0033[0m***")]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Common")]
+        public void SecretSectionMasking(string secret, string rawOutput, string maskedOutput)
+        {
+            try
+            {
+                // Arrange.
+                Setup();
+
+                // Act.
+                _hc.SecretMasker.AddValue(secret);
+
+                // Assert.
+                Assert.Equal(maskedOutput, _hc.SecretMasker.MaskSecrets(rawOutput));
+            }
+            finally
+            {
+                // Cleanup.
+                Teardown();
+            }
+        }
+
         [Fact]
         [Trait("Level", "L0")]
         [Trait("Category", "Common")]

src/Test/L0/Listener/RunnerL0.cs

@@ -243,7 +243,8 @@ namespace GitHub.Runner.Common.Tests.Listener
                 runner.Initialize(hc);
                 var settings = new RunnerSettings
                 {
-                    PoolId = 43242
+                    PoolId = 43242,
+                    Ephemeral = true
                 };
 
                 var message = new TaskAgentMessage()
@@ -294,7 +295,7 @@ namespace GitHub.Runner.Common.Tests.Listener
 
                 _configStore.Setup(x => x.IsServiceConfigured()).Returns(false);
                 //Act
-                var command = new CommandSettings(hc, new string[] { "run", "--once" });
+                var command = new CommandSettings(hc, new string[] { "run" });
                 Task<int> runnerTask = runner.ExecuteCommand(command);
 
                 //Assert
@@ -332,7 +333,8 @@ namespace GitHub.Runner.Common.Tests.Listener
                 runner.Initialize(hc);
                 var settings = new RunnerSettings
                 {
-                    PoolId = 43242
+                    PoolId = 43242,
+                    Ephemeral = true
                 };
 
                 var message1 = new TaskAgentMessage()
@@ -390,7 +392,7 @@ namespace GitHub.Runner.Common.Tests.Listener
 
                 _configStore.Setup(x => x.IsServiceConfigured()).Returns(false);
                 //Act
-                var command = new CommandSettings(hc, new string[] { "run", "--once" });
+                var command = new CommandSettings(hc, new string[] { "run" });
                 Task<int> runnerTask = runner.ExecuteCommand(command);
 
                 //Assert
@@ -431,7 +433,8 @@ namespace GitHub.Runner.Common.Tests.Listener
                 var settings = new RunnerSettings
                 {
                     PoolId = 43242,
-                    AgentId = 5678
+                    AgentId = 5678,
+                    Ephemeral = true
                 };
 
                 var message1 = new TaskAgentMessage()
@@ -475,7 +478,7 @@ namespace GitHub.Runner.Common.Tests.Listener
 
                 _configStore.Setup(x => x.IsServiceConfigured()).Returns(false);
                 //Act
-                var command = new CommandSettings(hc, new string[] { "run", "--once" });
+                var command = new CommandSettings(hc, new string[] { "run" });
                 Task<int> runnerTask = runner.ExecuteCommand(command);
 
                 //Assert

src/Test/L0/Worker/IssueMatcherL0.cs

@@ -392,6 +392,35 @@ namespace GitHub.Runner.Common.Tests.Worker
             Assert.Equal("not-working", match.Message);
         }
 
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void Matcher_MultiplePatterns_DefaultSeverityNotice()
+        {
+            var config = JsonUtility.FromString<IssueMatchersConfig>(@"
+{
+  ""problemMatcher"": [
+    {
+      ""owner"": ""myMatcher"",
+      ""severity"": ""notice"",
+      ""pattern"": [
+        {
+          ""regexp"": ""^(.+)$"",
+          ""message"": 1
+        }
+      ]
+    }
+  ]
+}
+");
+            config.Validate();
+            var matcher = new IssueMatcher(config.Matchers[0], TimeSpan.FromSeconds(1));
+
+            var match = matcher.Match("just-a-notice");
+            Assert.Equal("notice", match.Severity);
+            Assert.Equal("just-a-notice", match.Message);
+        }
+
         [Fact]
         [Trait("Level", "L0")]
         [Trait("Category", "Worker")]

src/runnerversion

@@ -1 +1 @@
-2.280.0
+2.282.0