Revert "Avastancu/joannaakl/service container error log (#2110)"

This reverts commit 949269104d.

.github/workflows/build.yml

@@ -10,7 +10,7 @@ on:
     - '**.md'
   pull_request:
     branches:
-    - '*'
+    - '**'
     paths-ignore:
     - '**.md'
 
@@ -18,7 +18,7 @@ jobs:
   build:
     strategy:
       matrix:
-        runtime: [ linux-x64, linux-arm64, linux-arm, win-x64, osx-x64, osx-arm64 ]
+        runtime: [ linux-x64, linux-arm64, linux-arm, win-x64, win-arm64, osx-x64, osx-arm64 ]
         include:
         - runtime: linux-x64
           os: ubuntu-latest
@@ -44,6 +44,10 @@ jobs:
           os: windows-2019
           devScript: ./dev
 
+        - runtime: win-arm64
+          os: windows-latest
+          devScript: ./dev
+
     runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/checkout@v3
@@ -82,7 +86,7 @@ jobs:
       run: |
         ${{ matrix.devScript }} test
       working-directory: src
-      if: matrix.runtime != 'linux-arm64' && matrix.runtime != 'linux-arm' && matrix.runtime != 'osx-arm64'
+      if: matrix.runtime != 'linux-arm64' && matrix.runtime != 'linux-arm' && matrix.runtime != 'osx-arm64' && matrix.runtime != 'win-arm64'
 
     # Create runner package tar.gz/zip
     - name: Package Release
@@ -97,7 +101,7 @@ jobs:
       uses: actions/upload-artifact@v2
       with:
         name: runner-package-${{ matrix.runtime }}
-        path: | 
+        path: |
           _package
           _package_trims/trim_externals
           _package_trims/trim_runtime

.github/workflows/release.yml

@@ -50,29 +50,33 @@ jobs:
       linux-arm64-sha: ${{ steps.sha.outputs.linux-arm64-sha256 }}
       linux-arm-sha: ${{ steps.sha.outputs.linux-arm-sha256 }}
       win-x64-sha: ${{ steps.sha.outputs.win-x64-sha256 }}
+      win-arm64-sha: ${{ steps.sha.outputs.win-arm64-sha256 }}
       osx-x64-sha: ${{ steps.sha.outputs.osx-x64-sha256 }}
       osx-arm64-sha: ${{ steps.sha.outputs.osx-arm64-sha256 }}
       linux-x64-sha-noexternals: ${{ steps.sha_noexternals.outputs.linux-x64-sha256 }}
       linux-arm64-sha-noexternals: ${{ steps.sha_noexternals.outputs.linux-arm64-sha256 }}
       linux-arm-sha-noexternals: ${{ steps.sha_noexternals.outputs.linux-arm-sha256 }}
       win-x64-sha-noexternals: ${{ steps.sha_noexternals.outputs.win-x64-sha256 }}
+      win-arm64-sha-noexternals: ${{ steps.sha_noexternals.outputs.win-arm64-sha256 }}
       osx-x64-sha-noexternals: ${{ steps.sha_noexternals.outputs.osx-x64-sha256 }}
       osx-arm64-sha-noexternals: ${{ steps.sha_noexternals.outputs.osx-arm64-sha256 }}
       linux-x64-sha-noruntime: ${{ steps.sha_noruntime.outputs.linux-x64-sha256 }}
       linux-arm64-sha-noruntime: ${{ steps.sha_noruntime.outputs.linux-arm64-sha256 }}
       linux-arm-sha-noruntime: ${{ steps.sha_noruntime.outputs.linux-arm-sha256 }}
       win-x64-sha-noruntime: ${{ steps.sha_noruntime.outputs.win-x64-sha256 }}
+      win-arm64-sha-noruntime: ${{ steps.sha_noruntime.outputs.win-arm64-sha256 }}
       osx-x64-sha-noruntime: ${{ steps.sha_noruntime.outputs.osx-x64-sha256 }}
       osx-arm64-sha-noruntime: ${{ steps.sha_noruntime.outputs.osx-arm64-sha256 }}
       linux-x64-sha-noruntime-noexternals: ${{ steps.sha_noruntime_noexternals.outputs.linux-x64-sha256 }}
       linux-arm64-sha-noruntime-noexternals: ${{ steps.sha_noruntime_noexternals.outputs.linux-arm64-sha256 }}
       linux-arm-sha-noruntime-noexternals: ${{ steps.sha_noruntime_noexternals.outputs.linux-arm-sha256 }}
       win-x64-sha-noruntime-noexternals: ${{ steps.sha_noruntime_noexternals.outputs.win-x64-sha256 }}
+      win-arm64-sha-noruntime-noexternals: ${{ steps.sha_noruntime_noexternals.outputs.win-arm64-sha256 }}
       osx-x64-sha-noruntime-noexternals: ${{ steps.sha_noruntime_noexternals.outputs.osx-x64-sha256 }}
       osx-arm64-sha-noruntime-noexternals: ${{ steps.sha_noruntime_noexternals.outputs.osx-arm64-sha256 }}
     strategy:
       matrix:
-        runtime: [ linux-x64, linux-arm64, linux-arm, win-x64, osx-x64, osx-arm64 ]
+        runtime: [ linux-x64, linux-arm64, linux-arm, win-x64, osx-x64, osx-arm64, win-arm64 ]
         include:
         - runtime: linux-x64
           os: ubuntu-latest
@@ -89,7 +93,7 @@ jobs:
         - runtime: osx-x64
           os: macOS-latest
           devScript: ./dev.sh
-        
+
         - runtime: osx-arm64
           os: macOS-latest
           devScript: ./dev.sh
@@ -98,6 +102,10 @@ jobs:
           os: windows-2019
           devScript: ./dev
 
+        - runtime: win-arm64
+          os: windows-latest
+          devScript: ./dev
+
     runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/checkout@v3
@@ -158,9 +166,9 @@ jobs:
       id: sha_noruntime_noexternals
       name: Compute SHA256
       working-directory: _package_trims/trim_runtime_externals
-    
+
     - name: Create trimmedpackages.json for ${{ matrix.runtime }}
-      if: matrix.runtime == 'win-x64'
+      if: matrix.runtime == 'win-x64' || matrix.runtime == 'win-arm64'
       uses: actions/github-script@0.3.0
       with:
         github-token: ${{secrets.GITHUB_TOKEN}}
@@ -180,7 +188,7 @@ jobs:
           fs.writeFileSync('${{ matrix.runtime }}-trimmedpackages.json', trimmedPackages)
 
     - name: Create trimmedpackages.json for ${{ matrix.runtime }}
-      if: matrix.runtime != 'win-x64'
+      if: matrix.runtime != 'win-x64' && matrix.runtime != 'win-arm64'
       uses: actions/github-script@0.3.0
       with:
         github-token: ${{secrets.GITHUB_TOKEN}}
@@ -239,24 +247,28 @@ jobs:
           const runnerVersion = fs.readFileSync('${{ github.workspace }}/src/runnerversion', 'utf8').replace(/\n$/g, '')
           var releaseNote = fs.readFileSync('${{ github.workspace }}/releaseNote.md', 'utf8').replace(/<RUNNER_VERSION>/g, runnerVersion)
           releaseNote = releaseNote.replace(/<WIN_X64_SHA>/g, '${{needs.build.outputs.win-x64-sha}}')
+          releaseNote = releaseNote.replace(/<WIN_ARM64_SHA>/g, '${{needs.build.outputs.win-arm64-sha}}')
           releaseNote = releaseNote.replace(/<OSX_X64_SHA>/g, '${{needs.build.outputs.osx-x64-sha}}')
           releaseNote = releaseNote.replace(/<OSX_ARM64_SHA>/g, '${{needs.build.outputs.osx-arm64-sha}}')
           releaseNote = releaseNote.replace(/<LINUX_X64_SHA>/g, '${{needs.build.outputs.linux-x64-sha}}')
           releaseNote = releaseNote.replace(/<LINUX_ARM_SHA>/g, '${{needs.build.outputs.linux-arm-sha}}')
           releaseNote = releaseNote.replace(/<LINUX_ARM64_SHA>/g, '${{needs.build.outputs.linux-arm64-sha}}')
           releaseNote = releaseNote.replace(/<WIN_X64_SHA_NOEXTERNALS>/g, '${{needs.build.outputs.win-x64-sha-noexternals}}')
+          releaseNote = releaseNote.replace(/<WIN_ARM64_SHA_NOEXTERNALS>/g, '${{needs.build.outputs.win-arm64-sha-noexternals}}')
           releaseNote = releaseNote.replace(/<OSX_X64_SHA_NOEXTERNALS>/g, '${{needs.build.outputs.osx-x64-sha-noexternals}}')
           releaseNote = releaseNote.replace(/<OSX_ARM64_SHA_NOEXTERNALS>/g, '${{needs.build.outputs.osx-arm64-sha-noexternals}}')
           releaseNote = releaseNote.replace(/<LINUX_X64_SHA_NOEXTERNALS>/g, '${{needs.build.outputs.linux-x64-sha-noexternals}}')
           releaseNote = releaseNote.replace(/<LINUX_ARM_SHA_NOEXTERNALS>/g, '${{needs.build.outputs.linux-arm-sha-noexternals}}')
           releaseNote = releaseNote.replace(/<LINUX_ARM64_SHA_NOEXTERNALS>/g, '${{needs.build.outputs.linux-arm64-sha-noexternals}}')
           releaseNote = releaseNote.replace(/<WIN_X64_SHA_NORUNTIME>/g, '${{needs.build.outputs.win-x64-sha-noruntime}}')
+          releaseNote = releaseNote.replace(/<WIN_ARM64_SHA_NORUNTIME>/g, '${{needs.build.outputs.win-arm64-sha-noruntime}}')
           releaseNote = releaseNote.replace(/<OSX_X64_SHA_NORUNTIME>/g, '${{needs.build.outputs.osx-x64-sha-noruntime}}')
           releaseNote = releaseNote.replace(/<OSX_ARM64_SHA_NORUNTIME>/g, '${{needs.build.outputs.osx-arm64-sha-noruntime}}')
           releaseNote = releaseNote.replace(/<LINUX_X64_SHA_NORUNTIME>/g, '${{needs.build.outputs.linux-x64-sha-noruntime}}')
           releaseNote = releaseNote.replace(/<LINUX_ARM_SHA_NORUNTIME>/g, '${{needs.build.outputs.linux-arm-sha-noruntime}}')
           releaseNote = releaseNote.replace(/<LINUX_ARM64_SHA_NORUNTIME>/g, '${{needs.build.outputs.linux-arm64-sha-noruntime}}')
           releaseNote = releaseNote.replace(/<WIN_X64_SHA_NORUNTIME_NOEXTERNALS>/g, '${{needs.build.outputs.win-x64-sha-noruntime-noexternals}}')
+          releaseNote = releaseNote.replace(/<WIN_ARM64_SHA_NORUNTIME_NOEXTERNALS>/g, '${{needs.build.outputs.win-arm64-sha-noruntime-noexternals}}')
           releaseNote = releaseNote.replace(/<OSX_X64_SHA_NORUNTIME_NOEXTERNALS>/g, '${{needs.build.outputs.osx-x64-sha-noruntime-noexternals}}')
           releaseNote = releaseNote.replace(/<OSX_ARM64_SHA_NORUNTIME_NOEXTERNALS>/g, '${{needs.build.outputs.osx-arm64-sha-noruntime-noexternals}}')
           releaseNote = releaseNote.replace(/<LINUX_X64_SHA_NORUNTIME_NOEXTERNALS>/g, '${{needs.build.outputs.linux-x64-sha-noruntime-noexternals}}')
@@ -271,6 +283,7 @@ jobs:
       run: |
         ls -l
         echo "${{needs.build.outputs.win-x64-sha}}  actions-runner-win-x64-${{ steps.releaseNote.outputs.version }}.zip" | shasum -a 256 -c
+        echo "${{needs.build.outputs.win-arm64-sha}}  actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}.zip" | shasum -a 256 -c
         echo "${{needs.build.outputs.osx-x64-sha}}  actions-runner-osx-x64-${{ steps.releaseNote.outputs.version }}.tar.gz" | shasum -a 256 -c
         echo "${{needs.build.outputs.osx-arm64-sha}}  actions-runner-osx-arm64-${{ steps.releaseNote.outputs.version }}.tar.gz" | shasum -a 256 -c
         echo "${{needs.build.outputs.linux-x64-sha}}  actions-runner-linux-x64-${{ steps.releaseNote.outputs.version }}.tar.gz" | shasum -a 256 -c
@@ -300,6 +313,16 @@ jobs:
         asset_name: actions-runner-win-x64-${{ steps.releaseNote.outputs.version }}.zip
         asset_content_type: application/octet-stream
 
+    - name: Upload Release Asset (win-arm64)
+      uses: actions/upload-release-asset@v1.0.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.createRelease.outputs.upload_url }}
+        asset_path: ${{ github.workspace }}/_package/actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}.zip
+        asset_name: actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}.zip
+        asset_content_type: application/octet-stream
+
     - name: Upload Release Asset (linux-x64)
       uses: actions/upload-release-asset@v1.0.1
       env:
@@ -361,6 +384,17 @@ jobs:
         asset_name: actions-runner-win-x64-${{ steps.releaseNote.outputs.version }}-noexternals.zip
         asset_content_type: application/octet-stream
 
+    # Upload release assets (trim externals)
+    - name: Upload Release Asset (win-arm64-noexternals)
+      uses: actions/upload-release-asset@v1.0.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.createRelease.outputs.upload_url }}
+        asset_path: ${{ github.workspace }}/_package_trims/trim_externals/actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}-noexternals.zip
+        asset_name: actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}-noexternals.zip
+        asset_content_type: application/octet-stream
+
     - name: Upload Release Asset (linux-x64-noexternals)
       uses: actions/upload-release-asset@v1.0.1
       env:
@@ -422,6 +456,17 @@ jobs:
         asset_name: actions-runner-win-x64-${{ steps.releaseNote.outputs.version }}-noruntime.zip
         asset_content_type: application/octet-stream
 
+    # Upload release assets (trim runtime)
+    - name: Upload Release Asset (win-arm64-noruntime)
+      uses: actions/upload-release-asset@v1.0.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.createRelease.outputs.upload_url }}
+        asset_path: ${{ github.workspace }}/_package_trims/trim_runtime/actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}-noruntime.zip
+        asset_name: actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}-noruntime.zip
+        asset_content_type: application/octet-stream
+
     - name: Upload Release Asset (linux-x64-noruntime)
       uses: actions/upload-release-asset@v1.0.1
       env:
@@ -483,6 +528,17 @@ jobs:
         asset_name: actions-runner-win-x64-${{ steps.releaseNote.outputs.version }}-noruntime-noexternals.zip
         asset_content_type: application/octet-stream
 
+    # Upload release assets (trim runtime and externals)
+    - name: Upload Release Asset (win-arm64-noruntime-noexternals)
+      uses: actions/upload-release-asset@v1.0.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.createRelease.outputs.upload_url }}
+        asset_path: ${{ github.workspace }}/_package_trims/trim_runtime_externals/actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}-noruntime-noexternals.zip
+        asset_name: actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}-noruntime-noexternals.zip
+        asset_content_type: application/octet-stream
+
     - name: Upload Release Asset (linux-x64-noruntime-noexternals)
       uses: actions/upload-release-asset@v1.0.1
       env:
@@ -544,6 +600,17 @@ jobs:
         asset_name: actions-runner-win-x64-${{ steps.releaseNote.outputs.version }}-trimmedpackages.json
         asset_content_type: application/octet-stream
 
+    # Upload release assets (trimmedpackages.json)
+    - name: Upload Release Asset (win-arm64-trimmedpackages.json)
+      uses: actions/upload-release-asset@v1.0.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.createRelease.outputs.upload_url }}
+        asset_path: ${{ github.workspace }}/win-arm64-trimmedpackages.json
+        asset_name: actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}-trimmedpackages.json
+        asset_content_type: application/octet-stream
+
     - name: Upload Release Asset (linux-x64-trimmedpackages.json)
       uses: actions/upload-release-asset@v1.0.1
       env:

docs/adrs/1891-container-hooks.md

@@ -0,0 +1,596 @@
+# ADR 0000: Container Hooks
+
+**Date**: 2022-05-12
+
+**Status**: Accepted
+
+# Background
+
+[Job Hooks](https://github.com/actions/runner/blob/main/docs/adrs/1751-runner-job-hooks.md) have given users the ability to customize how their self hosted runners run a job.
+Users also want the ability to customize how they run containers during the scope of the job, rather then being locked into the docker implementation we have in the runner. They may want to use podman, kubernetes, or even change the docker commands we run. 
+We should give them that option, and publish examples how how they can create their own hooks.
+
+# Guiding Principles
+- **Extensibility** is the focus, we need to make sure we are flexible enough to cover current and future scenarios, even at the cost of making it harder to utilize these hooks
+- Args should map **directly** to yaml values provided by the user. 
+  - For example, the current runner overrides `HOME`, we can do that in the hook, but we shouldn't pass that hook as an ENV with the other env's the user has set, as that is not user input, it is how the runner invokes containers
+
+## Interface
+- You will set the variable `ACTIONS_RUNNER_CONTAINER_HOOKS=/Users/foo/runner/hooks.js` which is the entrypoint to your hook handler.
+  - There is no partial opt in, you must handle every hook 
+- We will pass a command and some args via `stdin`
+- An exit code of 0 is a success, every other exit code is a failure
+- We will support the same runner commands we support in [Job Hooks](https://github.com/actions/runner/blob/main/docs/adrs/1751-runner-job-hooks.md)
+- On timeout, we will send a sigint to your process. If you fail to terminate within a reasonable amount of time, we will send a sigkill, and eventually kill the process tree.
+
+An example input looks like
+```json
+{
+  "command": "job_cleanup",
+  "responseFile": "/users/thboop/runner/_work/{guid}.json",
+  "args": {},
+  "state": 
+  {
+      "id": "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480"
+  }
+}
+```
+
+`command` is the command we expect you to invoke
+`responseFile` is the file you need to write your output to, if the command has output
+`args` are the specific arguments the command needs
+`state` is a json blog you can pass around to maintain your state, this is covered in more details below.
+
+### Writing responses to a file
+All text written to stdout or stderr should appear in the job or step logs. With that in mind, we support a few ways to actually return data:
+1. Wrapping the json in some unique tag and processing it like we do commands
+2. Writing to a file
+
+For 1, users typically view logging information as a safe action, so we worry someone accidentialy logging unsantized information and causing unexpected or un-secure behavior. We eventually plan to move off of stdout/stderr style commands in favor of a runner cli. 
+Investing in this area doesn't make a lot of sense at this time.
+
+While writing to a file to communicate isn't the most ideal pattern, its an existing pattern in the runner and serves us well, so lets reuse it.
+
+### Output
+Your output must be correctly formatted json. An example output looks like:
+
+```
+{
+  "state": {},
+  "context"
+  {
+    "container" : 
+    {
+      "id": "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480"
+      "network": "github_network_53269bd575974817b43f4733536b200c"
+    }
+    "services": {
+      "redis": {
+        "id": "60972d9aa486605e66b0dad4abb638dc3d9116f566579e418166eedb8abb9105",
+        "ports": {
+          "8080": "8080"
+        },
+      "network": "github_network_53269bd575974817b43f4733536b200c"
+    }
+  }
+  "alpine: true,
+}
+```
+
+`state` is a unique field any command can return. If it is not empty, we will store the state for you and pass it into all future commands. You can overwrite it by having the next hook invoked return a unique state.
+
+Other fields are dependent upon the command being run.
+
+### Versioning
+We will not version these hooks at launch. If needed, we can always major version split these hooks in the future. We will ship in Beta to allow for breaking changes for a few months.
+
+### The Job Context
+The [job context](https://docs.github.com/en/actions/learn-github-actions/contexts#example-contents-of-the-job-context) currently has a variety of fields that correspond to containers. We should consider allowing hooks to populate new fields in the job context. That is out of scope for this original release however.
+
+## Hooks
+Hooks are to be implemented at a very high level, and map to actions the runner does, rather then specific docker actions like `docker build` or `docker create`. By mapping to runner actions, we create a very extensible framework that is flexible enough to solve any user concerns in the future. By providing first party implementations, we give users easy starting points to customize specific hooks (like `docker build`) without having to write full blown solutions.
+
+The other would be to provide hooks that mirror every docker call we make, and expose more hooks to help support k8s users, with the expectation that users may have to no-op on multiple hooks if they don't correspond to our use case.
+
+Why we don't want to go that way
+- It feels clunky, users need to understand which hooks they need to implement and which they can ignore, which isn't a great UX
+- It doesn't scale well, I don't want to build a solution where we may need to add more hooks, by mapping to runner actions, updating hooks is a painful experience for users
+- Its overwhelming, its easier to tell users to build 4 hooks and track data themselves, rather then 16 hooks where the runner needs certain information and then needs to provide that information back into each hook. If we expose `Container Create`, you need to return the container you created, then we do `container run` which uses that container. If we just give you an image and say create and run this container, you don't need to store the container id in the runner, and it maps better to k8s scenarios where we don't really have container ids.
+
+### Prepare_job hook
+The `prepare_job` hook is called when a job is started. We pass in any job or service containers the job has. We expect that you:
+- Prune anything from previous jobs if needed
+- Create a network if needed
+- Pull the job and service containers
+- Start the job container
+- Start the service containers
+- Write to the response file some information we need
+  - Required: if the container is alpine, otherwise x64
+  - Optional: any context fields you want to set on the job context, otherwise they will be unavailable for users to use
+- Return 0 when the health checks have succeeded and the job/service containers are started
+
+This hook will **always** be called if you have container hooks enabled, even if no service or job containers exist in the job. This allows you to fail the job or implement a default job container if you want to and no job container has been provided.
+
+
+<details>
+<summary>Example Input</summary>
+<br>
+  
+```
+{
+  "command": "prepare_job",
+  "responseFile": "/users/thboop/runner/_work/{guid}.json",
+  "state": {},
+  "args": 
+  {
+    "jobContainer": {
+      "image": "node:14.16",
+      "workingDirectory": "/__w/thboop-test2/thboop-test2",
+      "createOptions": "--cpus 1",
+      "environmentVariables": {
+        "NODE_ENV": "development"
+      },
+      "userMountVolumes:[
+        {
+          "sourceVolumePath": "my_docker_volume",
+          "targetVolumePath": "/volume_mount",
+          "readOnly": false
+        },
+      ],
+      "mountVolumes": [
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work",
+          "targetVolumePath": "/__w",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/externals",
+          "targetVolumePath": "/__e",
+          "readOnly": true
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp",
+          "targetVolumePath": "/__w/_temp",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_actions",
+          "targetVolumePath": "/__w/_actions",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_tool",
+          "targetVolumePath": "/__w/_tool",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp/_github_home",
+          "targetVolumePath": "/github/home",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp/_github_workflow",
+          "targetVolumePath": "/github/workflow",
+          "readOnly": false
+        }
+      ],
+      "registry": {
+        "username": "foo",
+        "password": "bar",
+        "serverUrl": "https://index.docker.io/v1"
+      },
+      "portMappings": [ "8080:80/tcp", "8080:80/udp" ]
+    },
+    "services": [
+      {
+        "contextName": "redis",
+        "image": "redis",
+        "createOptions": "--cpus 1",
+        "environmentVariables": {},
+        "mountVolumes": [],
+        "portMappings": [ "8080:80/tcp", "8080:80/udp" ]
+        "registry": {
+          "username": "foo",
+          "password": "bar",
+          "serverUrl": "https://index.docker.io/v1"
+        }
+      }
+    ]
+  }
+}
+```
+
+</details>
+
+<details>
+<summary>Field Descriptions</summary>
+<br>
+
+```
+Arg Fields:
+
+jobContainer: **Optional** An Object containing information about the specified job container
+  "image": **Required** A string containing the docker image
+  "workingDirectory": **Required** A string containing the absolute path of the working directory
+  "createOptions": **Optional** The optional create options specified in the [YAML](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container)
+  "environmentVariables": **Optional** A map of key value env's to set
+  "userMountVolumes: ** Optional** an array of user mount volumes set in the [YAML](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container)
+    "sourceVolumePath": **Required** The source path to the volume to be mounted into the docker container
+    "targetVolumePath": **Required** The target path to the volume to be mounted into the docker container
+    "readOnly": false **Required** whether or not the mount should be read only
+  "mountVolumes": **Required** an array of mounts to mount into the container, same fields as above
+    "sourceVolumePath": **Required** The source path to the volume to be mounted into the docker container
+    "targetVolumePath": **Required** The target path to the volume to be mounted into the docker container
+    "readOnly": false **Required** whether or not the mount should be read only
+  "registry" **Optional** docker registry credentials to use when using a private container registry
+    "username": **Optional** the username
+    "password": **Optional** the password
+    "serverUrl": **Optional** the registry url
+  "portMappings": **Optional** an array of source:target ports to map into the container
+ 
+"services": an array of service containers to spin up
+  "contextName": **Required** the name of the service in the Job context
+  "image": **Required** A string containing the docker image
+  "createOptions": **Optional** The optional create options specified in the [YAML](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container)
+  "environmentVariables": **Optional** A map of key value env's to set
+  "mountVolumes": **Required** an array of mounts to mount into the container, same fields as above
+    "sourceVolumePath": **Required** The source path to the volume to be mounted into the docker container
+    "targetVolumePath": **Required** The target path to the volume to be mounted into the docker container
+    "readOnly": false **Required** whether or not the mount should be read only
+  "registry" **Optional** docker registry credentials to use when using a private container registry
+    "username": **Optional** the username
+    "password": **Optional** the password
+    "serverUrl": **Optional** the registry url
+  "portMappings": **Optional** an array of source:target ports to map into the container
+```
+
+</details>
+
+<details>
+<summary>Example Output</summary>
+<br>
+
+```
+{
+  "state": 
+  {
+    "network": "github_network_53269bd575974817b43f4733536b200c",
+    "jobContainer" : "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480",
+    "serviceContainers": 
+    {
+      "redis": "60972d9aa486605e66b0dad4abb638dc3d9116f566579e418166eedb8abb9105"
+    }
+  },
+  "context"
+  {
+    "container" : 
+    {
+      "id": "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480"
+      "network": "github_network_53269bd575974817b43f4733536b200c"
+    }
+    "services": {
+      "redis": {
+        "id": "60972d9aa486605e66b0dad4abb638dc3d9116f566579e418166eedb8abb9105",
+        "ports": {
+          "8080": "8080"
+        },
+      "network": "github_network_53269bd575974817b43f4733536b200c"
+    }
+  }
+  "alpine: true,
+}
+```
+
+</details>
+
+
+### Cleanup Job
+The `cleanup_job` hook is called at the end of a job and expects you to:
+- Stop any running service or job containers (or the equiavalent pod)
+- Stop the network (if one exists)
+- Delete any job or service containers (or the equiavalent pod)
+- Delete the network (if one exists)
+- Cleanup anything else that was created for the run
+
+Its input looks like
+
+<details>
+<summary>Example Input</summary>
+<br>
+
+```
+  "command": "cleanup_job",
+  "responseFile": null,
+  "state":
+  {
+    "network": "github_network_53269bd575974817b43f4733536b200c",
+    "jobContainer" : "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480",
+    "serviceContainers": 
+    {
+      "redis": "60972d9aa486605e66b0dad4abb638dc3d9116f566579e418166eedb8abb9105"
+    }
+  }
+  "args": {}
+```
+  
+</details>
+
+No args are provided.
+  
+No output is expected.
+
+
+### Run Container Step
+The `run_container_step` is called once per container action in your job and expects you to:
+- Pull or build the required container (or fail if you cannot)
+- Run the container action and return the exit code of the container
+- Stream any step logs output to stdout and stderr
+- Cleanup the container after it executes
+
+<details>
+<summary>Example Input for Image</summary>
+<br>
+
+```
+  "command": "run_container_step",
+  "responseFile": null,
+  "state":
+  {
+    "network": "github_network_53269bd575974817b43f4733536b200c",
+    "jobContainer" : "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480",
+    "serviceContainers": 
+    {
+      "redis": "60972d9aa486605e66b0dad4abb638dc3d9116f566579e418166eedb8abb9105"
+    }
+  }
+  "args":      
+  {
+      "image": "node:14.16",
+      "dockerfile": null,
+      "entryPointArgs": ["-f", "/dev/null"],
+      "entryPoint": "tail",
+      "workingDirectory": "/__w/thboop-test2/thboop-test2",
+      "createOptions": "--cpus 1",
+      "environmentVariables": {
+        "NODE_ENV": "development"
+      },
+      "prependPath":["/foo/bar", "bar/foo"]
+      "userMountVolumes:[
+        {
+          "sourceVolumePath": "my_docker_volume",
+          "targetVolumePath": "/volume_mount",
+          "readOnly": false
+        },
+      ],
+      "mountVolumes": [
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work",
+          "targetVolumePath": "/__w",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/externals",
+          "targetVolumePath": "/__e",
+          "readOnly": true
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp",
+          "targetVolumePath": "/__w/_temp",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_actions",
+          "targetVolumePath": "/__w/_actions",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_tool",
+          "targetVolumePath": "/__w/_tool",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp/_github_home",
+          "targetVolumePath": "/github/home",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp/_github_workflow",
+          "targetVolumePath": "/github/workflow",
+          "readOnly": false
+        }
+      ],
+      "registry": null,
+      "portMappings": { "80": "801" }
+    },
+```
+  
+</details>
+
+
+<details>
+<summary>Example Input for dockerfile</summary>
+<br>
+
+```
+  "command": "run_container_step",
+  "responseFile": null,
+  "state":
+  {
+    "network": "github_network_53269bd575974817b43f4733536b200c",
+    "jobContainer" : "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480",
+    "services": 
+    {
+      "redis": "60972d9aa486605e66b0dad4abb638dc3d9116f566579e418166eedb8abb9105"
+    }
+  }
+  "args":      
+  {
+      "image": null,
+      "dockerfile": /__w/_actions/foo/dockerfile,
+      "entryPointArgs": ["hello world"],
+      "entryPoint": "echo",
+      "workingDirectory": "/__w/thboop-test2/thboop-test2",
+      "createOptions": "--cpus 1",
+      "environmentVariables": {
+        "NODE_ENV": "development"
+      },
+      "prependPath":["/foo/bar", "bar/foo"]
+      "userMountVolumes:[
+        {
+          "sourceVolumePath": "my_docker_volume",
+          "targetVolumePath": "/volume_mount",
+          "readOnly": false
+        },
+      ],      
+      "mountVolumes": [
+        {
+          "sourceVolumePath": "my_docker_volume",
+          "targetVolumePath": "/volume_mount",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work",
+          "targetVolumePath": "/__w",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/externals",
+          "targetVolumePath": "/__e",
+          "readOnly": true
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp",
+          "targetVolumePath": "/__w/_temp",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_actions",
+          "targetVolumePath": "/__w/_actions",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_tool",
+          "targetVolumePath": "/__w/_tool",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp/_github_home",
+          "targetVolumePath": "/github/home",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp/_github_workflow",
+          "targetVolumePath": "/github/workflow",
+          "readOnly": false
+        }
+      ],
+      "registry": null,
+      "portMappings": [ "8080:80/tcp", "8080:80/udp" ]
+    },
+  }
+```
+  
+</details>
+
+
+<details>
+<summary>Field Descriptions</summary>
+<br>
+
+```
+Arg Fields:
+
+
+"image": **Optional** A string containing the docker image. Otherwise a dockerfile must be provided
+"dockerfile": **Optional** A string containing the path to the dockerfile, otherwise an image must be provided
+"entryPointArgs": **Optional** A list containing the entry point args
+"entryPoint": **Optional** The container entry point to use if the default image entrypoint should be overwritten
+"workingDirectory": **Required** A string containing the absolute path of the working directory
+"createOptions": **Optional** The optional create options specified in the [YAML](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container)
+"environmentVariables": **Optional** A map of key value env's to set
+"prependPath": **Optional** an array of additional paths to prepend to the $PATH variable
+"userMountVolumes: ** Optional** an array of user mount volumes set in the [YAML](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container)
+  "sourceVolumePath": **Required** The source path to the volume to be mounted into the docker container
+  "targetVolumePath": **Required** The target path to the volume to be mounted into the docker container
+  "readOnly": false **Required** whether or not the mount should be read only
+"mountVolumes": **Required** an array of mounts to mount into the container, same fields as above
+  "sourceVolumePath": **Required** The source path to the volume to be mounted into the docker container
+  "targetVolumePath": **Required** The target path to the volume to be mounted into the docker container
+  "readOnly": false **Required** whether or not the mount should be read only
+"registry" **Optional** docker registry credentials to use when using a private container registry
+  "username": **Optional** the username
+  "password": **Optional** the password
+  "serverUrl": **Optional** the registry url
+"portMappings": **Optional** an array of source:target ports to map into the container
+```
+  
+</details>
+
+No output is expected
+
+Currently we build all container actions at the start of the job. By doing it during the hook, we move this to just in time building for hooks. We could expose a hook to build/pull a container action, and have those called at the start of a job, but doing so would require hook authors to track the build containers in the state, which could be painful.
+
+### Run Script Step
+The `run_script_step` expects you to:
+- Invoke the provided script inside the job container and return the exit code
+- Stream any step log output to stdout and stderr
+
+<details>
+<summary>Example Input</summary>
+<br>
+
+
+```
+  "command": "run_script_step",
+  "responseFile": null,
+  "state":
+  {
+    "network": "github_network_53269bd575974817b43f4733536b200c",
+    "jobContainer" : "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480",
+    "serviceContainers": 
+    {
+      "redis": "60972d9aa486605e66b0dad4abb638dc3d9116f566579e418166eedb8abb9105"
+    }
+  }
+  "args": 
+  {
+    "entryPointArgs": ["-e", "/runner/temp/abc123.sh"],
+    "entryPoint": "bash",
+    "environmentVariables": {
+      "NODE_ENV": "development"
+    },
+    "prependPath": ["/foo/bar", "bar/foo"],
+    "workingDirectory": "/__w/thboop-test2/thboop-test2"
+  }
+```
+  
+</details>
+
+<details>
+<summary>Field Descriptions</summary>
+<br>
+
+```
+Arg Fields:
+
+  
+"entryPointArgs": **Optional** A list containing the entry point args
+"entryPoint": **Optional** The container entry point to use if the default image entrypoint should be overwritten
+"prependPath": **Optional** an array of additional paths to prepend to the $PATH variable
+"workingDirectory": **Required** A string containing the absolute path of the working directory
+"environmentVariables": **Optional** A map of key value env's to set
+```
+
+</details>
+
+No output is expected
+
+
+## Limitations
+- We will only support linux on launch
+- Hooks are set by the runner admin, and thus are only supported on self hosted runners 
+
+## Consequences
+- We support non docker scenarios for self hosted runners and allow customers to customize their docker invocations
+- We ship/maintain docs on docker hooks and an open source repo with examples
+- We support these hooks and add enough telemetry to be able to troubleshoot support issues as they come in.

docs/checks/actions.md

@@ -15,7 +15,7 @@ Make sure the runner has access to actions service for GitHub.com or GitHub Ente
     ```
     curl -v https://api.github.com/api/v3/zen
     curl -v https://vstoken.actions.githubusercontent.com/_apis/health
-    curl -v https://pipelines.actions.githubusercontent/_apis/health
+    curl -v https://pipelines.actions.githubusercontent.com/_apis/health
     ```
 
 - For GitHub Enterprise Server

docs/checks/git.md

@@ -20,11 +20,30 @@ The test also set environment variable `GIT_TRACE=1` and `GIT_CURL_VERBOSE=1` be
 
 ## How to fix the issue?
 
-### 1. Check the common network issue
+### 1. Check global and system git config
+
+If you are having issues connecting to the server, check your global and system git config for any unexpected authentication headers. You might be seeing an error like:
+
+```
+fatal: unable to access 'https://github.com/actions/checkout/': The requested URL returned error: 400
+```
+
+The following commands can be used to check for unexpected authentication headers:
+
+```
+$ git config --global --list | grep extraheader
+http.extraheader=AUTHORIZATION: unexpected_auth_header
+
+$ git config --system --list | grep extraheader
+```
+
+The following command can be used to remove the above value: `git config --global --unset http.extraheader`
+
+### 2. Check the common network issue
   
   > Please check the [network doc](./network.md)
 
-### 2. SSL certificate related issue
+### 3. SSL certificate related issue
 
   If you are seeing `SSL Certificate problem:` in the log, it means the `git` can't connect to the GitHub server due to SSL handshake failure.
   > Please check the [SSL cert doc](./sslcert.md)

docs/contribute.md

@@ -27,6 +27,8 @@ An ADR is an Architectural Decision Record.  This allows consensus on the direct
 
 ![Win](res/win_sm.png) Visual Studio 2017 or newer [Install here](https://visualstudio.microsoft.com) (needed for dev sh script)
 
+![Win-arm](res/win_sm.png) Visual Studio 2022 17.3 Preview or later. [Install here](https://docs.microsoft.com/en-us/visualstudio/releases/2022/release-notes-preview)
+
 ## Quickstart: Run a job from a real repository
 
 If you just want to get from building the sourcecode to using it to execute an action, you will need:

docs/start/envlinux.md

@@ -34,7 +34,7 @@ The `installdependencies.sh` script should install all required dependencies on
 
 Debian based OS (Debian, Ubuntu, Linux Mint)
 
-- liblttng-ust0
+- liblttng-ust1 or liblttng-ust0
 - libkrb5-3
 - zlib1g
 - libssl1.1, libssl1.0.2 or libssl1.0.0

hooks/container/.eslintignore

@@ -1,4 +0,0 @@
-dist/
-lib/
-node_modules/
-**/__tests__/**

hooks/container/.eslintrc.json

@@ -1,56 +0,0 @@
-{
-  "plugins": ["@typescript-eslint"],
-  "extends": ["plugin:github/recommended"],
-  "parser": "@typescript-eslint/parser",
-  "parserOptions": {
-    "ecmaVersion": 9,
-    "sourceType": "module",
-    "project": "./tsconfig.json"
-  },
-  "rules": {
-    "eslint-comments/no-use": "off",
-    "import/no-namespace": "off",
-    "no-constant-condition": "off",
-    "no-unused-vars": "off",
-    "i18n-text/no-en": "off",
-    "@typescript-eslint/no-unused-vars": "error",
-    "@typescript-eslint/explicit-member-accessibility": ["error", {"accessibility": "no-public"}],
-    "@typescript-eslint/no-require-imports": "error",
-    "@typescript-eslint/array-type": "error",
-    "@typescript-eslint/await-thenable": "error",
-    "camelcase": "off",
-    "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
-    "@typescript-eslint/func-call-spacing": ["error", "never"],
-    "@typescript-eslint/no-array-constructor": "error",
-    "@typescript-eslint/no-empty-interface": "error",
-    "@typescript-eslint/no-explicit-any": "warn",
-    "@typescript-eslint/no-extraneous-class": "error",
-    "@typescript-eslint/no-floating-promises": "error",
-    "@typescript-eslint/no-for-in-array": "error",
-    "@typescript-eslint/no-inferrable-types": "error",
-    "@typescript-eslint/no-misused-new": "error",
-    "@typescript-eslint/no-namespace": "error",
-    "@typescript-eslint/no-non-null-assertion": "warn",
-    "@typescript-eslint/no-unnecessary-qualifier": "error",
-    "@typescript-eslint/no-unnecessary-type-assertion": "error",
-    "@typescript-eslint/no-useless-constructor": "error",
-    "@typescript-eslint/no-var-requires": "error",
-    "@typescript-eslint/prefer-for-of": "warn",
-    "@typescript-eslint/prefer-function-type": "warn",
-    "@typescript-eslint/prefer-includes": "error",
-    "@typescript-eslint/prefer-string-starts-ends-with": "error",
-    "@typescript-eslint/promise-function-async": "error",
-    "@typescript-eslint/require-array-sort-compare": "error",
-    "@typescript-eslint/restrict-plus-operands": "error",
-    "semi": "off",
-    "@typescript-eslint/semi": ["error", "never"],
-    "@typescript-eslint/type-annotation-spacing": "error",
-    "@typescript-eslint/unbound-method": "error",
-    "no-shadow": "off",
-    "@typescript-eslint/no-shadow": ["error"]
-  },
-  "env": {
-    "node": true,
-    "es6": true
-  }
-}

hooks/container/.gitignore

@@ -1,3 +0,0 @@
-node_modules/
-lib/
-dist/

hooks/container/.prettierignore

@@ -1,3 +0,0 @@
-dist/
-lib/
-node_modules/

hooks/container/.prettierrc.json

@@ -1,11 +0,0 @@
-{
-  "printWidth": 80,
-  "tabWidth": 2,
-  "useTabs": false,
-  "semi": false,
-  "singleQuote": true,
-  "trailingComma": "none",
-  "bracketSpacing": false,
-  "arrowParens": "avoid",
-  "parser": "typescript"
-}

hooks/container/CONTRIBUTING.md

@@ -1,34 +0,0 @@
-# Basic setup
-You'll need a runner compatible with hooks, a repository with container workflows to which you can register the runner and the hooks from this repository.
-
-
-
-## Getting Started
-- Run ` npm install && npm run bootstrap` to setup your environment and install all the needed packages
-- Run `npm run lint` and `npm run format` to ensure your charges will pass CI
-- Run `npm run build-all` to build and test end to end.
-
-
-## E2E
-- You'll need a runner compatible with hooks, a repository with container workflows to which you can register the runner and the hooks from this repository.
-- See [the runner contributing.md](../../github/CONTRIBUTING.MD) for how to get started with runner development.
-- Build your hook using `npm run build`
-- Enable the hooks by setting `ACTIONS_RUNNER_CONTAINER_HOOK=./src/{libraryname}/dist/index.js` file generated by [ncc](https://github.com/vercel/ncc)
-- Configure your self hosted runner against the a repository you have admin access
-- Run a workflow with a container job, for example
-```
-name: myjob
-on:
-  workflow_dispatch:
-jobs:
-  my_job:
-    runs-on: self-hosted
-    services:
-      redis:
-        image: redis
-    container:
-      image: alpine:3.15
-      options: --cpus 1
-    steps:
-      - run: pwd
-```

hooks/container/README.md

@@ -1,10 +0,0 @@
-# Container Hooks
-This repo contains example implementation of the container hook feature across various container providers. More information on how to implement your own hooks can be found in the [github docs]().
-
-Three projects are included in the `src` folder
-- k8s: A kubernetes hook implementation that spins up pods dynamically to run a job
-- docker: A hook implementation of the runner's docker implementation 
-- hooklib: a shared library which contains typescript definitions and utilities that the other projects consume
-
-### Want to contribute
-We welcome contributions.  See [how to contribute](CONTRIBUTING.md).

hooks/container/hooklib/.eslintignore

@@ -1,3 +0,0 @@
-dist/
-lib/
-node_modules/

hooks/container/hooklib/package.json

@@ -1,28 +0,0 @@
-{
-  "name": "hooklib",
-  "version": "1.0.0",
-  "description": "",
-  "main": "lib/index.js",
-  "types": "index.d.ts",
-  "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1",
-    "build": "tsc && ncc build",
-    "format": "prettier --write '**/*.ts'",
-    "format-check": "prettier --check '**/*.ts'",
-    "lint": "eslint src/**/*.ts"
-  },
-  "author": "",
-  "license": "MIT",
-  "devDependencies": {
-    "@types/node": "^17.0.23",
-    "@typescript-eslint/parser": "^5.18.0",
-    "@zeit/ncc": "^0.22.3",
-    "eslint": "^8.12.0",
-    "eslint-plugin-github": "^4.3.6",
-    "prettier": "^2.6.2",
-    "typescript": "^4.6.3"
-  },
-  "dependencies": {
-    "@actions/core": "^1.6.0"
-  }
-}

hooks/container/hooklib/src/index.ts

@@ -1,2 +0,0 @@
-export * from './interfaces'
-export * from './utils'

hooks/container/hooklib/src/interfaces.ts

@@ -1,87 +0,0 @@
-export enum Command {
-  PrepareJob = 'prepare_job',
-  CleanupJob = 'cleanup_job',
-  RunContainerStep = 'run_container_step',
-  RunScriptStep = 'run_script_step'
-}
-
-export interface HookData {
-  command: Command
-  responseFile: string
-  args?: PrepareJobArgs | RunContainerStepArgs | RunScriptStepArgs
-  state?: object
-}
-
-export interface PrepareJobArgs {
-  container?: JobContainerInfo
-  services?: ServiceContainerInfo[]
-}
-
-export type RunContainerStepArgs = StepContainerInfo
-
-export interface RunScriptStepArgs {
-  entrypoint: string
-  entrypointArgs: string[]
-  environmentVariables?: {[key: string]: string}
-  prependPath?: string[]
-  workingDirectory: string
-}
-
-export interface ContainerInfo {
-  entrypoint?: string
-  entrypointArgs?: string[]
-  createOptions?: string
-  environmentVariables?: {[key: string]: string}
-  userMountVolumes?: Mount[]
-  registry?: Registry
-  portMappings?: string[]
-}
-
-export interface ServiceContainerInfo extends ContainerInfo {
-  contextName: string
-  image: string
-}
-
-export interface JobContainerInfo extends ContainerInfo {
-  image: string
-  workingDirectory: string
-  systemMountVolumes: Mount[]
-}
-
-export interface StepContainerInfo extends ContainerInfo {
-  prependPath?: string[]
-  workingDirectory: string
-  dockerfile?: string
-  image?: string
-  systemMountVolumes: Mount[]
-}
-
-export interface Mount {
-  sourceVolumePath: string
-  targetVolumePath: string
-  readOnly: boolean
-}
-
-export interface Registry {
-  username?: string
-  password?: string
-  serverUrl: string
-}
-
-export enum Protocol {
-  TCP = 'tcp',
-  UDP = 'udp'
-}
-
-export interface PrepareJobResponse {
-  state?: object
-  context?: ContainerContext
-  services?: {[key: string]: ContainerContext}
-  alpine: boolean
-}
-
-export interface ContainerContext {
-  id?: string
-  network?: string
-  ports?: {[key: string]: string}
-}

hooks/container/hooklib/src/utils.ts

@@ -1,44 +0,0 @@
-import * as core from '@actions/core'
-import * as events from 'events'
-import * as fs from 'fs'
-import * as os from 'os'
-import * as readline from 'readline'
-import {HookData} from './interfaces'
-
-export async function getInputFromStdin(): Promise<HookData> {
-  let input = ''
-
-  const rl = readline.createInterface({
-    input: process.stdin
-  })
-
-  rl.on('line', line => {
-    core.debug(`Line from STDIN: ${line}`)
-    input = line
-  })
-  await events.default.once(rl, 'close')
-  const inputJson = JSON.parse(input)
-  return inputJson as HookData
-}
-
-export function writeToResponseFile(filePath: string, message: any): void {
-  if (!filePath) {
-    throw new Error(`Expected file path`)
-  }
-  if (!fs.existsSync(filePath)) {
-    throw new Error(`Missing file at path: ${filePath}`)
-  }
-
-  fs.appendFileSync(filePath, `${toCommandValue(message)}${os.EOL}`, {
-    encoding: 'utf8'
-  })
-}
-
-function toCommandValue(input: any): string {
-  if (input === null || input === undefined) {
-    return ''
-  } else if (typeof input === 'string' || input instanceof String) {
-    return input as string
-  }
-  return JSON.stringify(input)
-}

hooks/container/hooklib/tsconfig.json

@@ -1,11 +0,0 @@
-{
-    "extends": "../../tsconfig.json",
-    "compilerOptions": {
-      "baseUrl": "./",
-      "outDir": "./lib",
-      "rootDir": "./src"
-    },
-    "include": [
-      "./src"
-    ]
-  }

hooks/container/package.json

@@ -1,37 +0,0 @@
-{
-  "name": "hooks",
-  "version": "1.0.0",
-  "description": "Three projects are included - k8s: a kubernetes hook implementation that spins up pods dynamically to run a job - docker: A hook implementation of the runner's docker implementation  - A hook lib, which contains shared typescript definitions and utilities that the other packages consume",
-  "main": "",
-  "directories": {
-    "doc": "docs"
-  },
-  "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1",
-    "bootstrap": "npm install --prefix src/hooklib && npm install --prefix src/k8s && npm install --prefix src/docker",
-    "format": "prettier --write '**/*.ts'",
-    "format-check": "prettier --check '**/*.ts'",
-    "lint": "eslint src/**/*.ts",
-    "build-all": "npm run build --prefix src/hooklib && npm run build --prefix src/k8s && npm run build --prefix src/docker"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/actions/runner.git"
-  },
-  "author": "",
-  "license": "MIT",
-  "bugs": {
-    "url": "https://github.com/actions/runner/issues"
-  },
-  "homepage": "https://github.com/actions/runner#readme",
-  "dependencies": {
-  },
-  "devDependencies": {
-    "@types/node": "^17.0.23",
-    "@typescript-eslint/parser": "^5.18.0",
-    "eslint": "^8.12.0",
-    "eslint-plugin-github": "^4.3.6",
-    "prettier": "^2.6.2",
-    "typescript": "^4.6.3"
-  }
-}

hooks/container/tsconfig.json

@@ -1,70 +0,0 @@
-{
-  "compilerOptions": {
-    /* Visit https://aka.ms/tsconfig.json to read more about this file */
-    "outDir": "./lib",
-    "rootDir": "./src",
-    /* Basic Options */
-    // "incremental": true,                   /* Enable incremental compilation */
-    "target": "es5",                          /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019', 'ES2020', or 'ESNEXT'. */
-    "module": "commonjs",                     /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', 'es2020', or 'ESNext'. */
-    // "lib": [],                             /* Specify library files to be included in the compilation. */
-    // "allowJs": true,                       /* Allow javascript files to be compiled. */
-    // "checkJs": true,                       /* Report errors in .js files. */
-    // "jsx": "preserve",                     /* Specify JSX code generation: 'preserve', 'react-native', or 'react'. */
-    "declaration": true,                   /* Generates corresponding '.d.ts' file. */
-    // "declarationMap": true,                /* Generates a sourcemap for each corresponding '.d.ts' file. */
-    // "sourceMap": true,                     /* Generates corresponding '.map' file. */
-    // "outFile": "./",                       /* Concatenate and emit output to single file. */
-    // "outDir": "./",                        /* Redirect output structure to the directory. */
-    // "rootDir": "./",                       /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */
-    // "composite": true,                     /* Enable project compilation */
-    // "tsBuildInfoFile": "./",               /* Specify file to store incremental compilation information */
-    // "removeComments": true,                /* Do not emit comments to output. */
-    // "noEmit": true,                        /* Do not emit outputs. */
-    // "importHelpers": true,                 /* Import emit helpers from 'tslib'. */
-    // "downlevelIteration": true,            /* Provide full support for iterables in 'for-of', spread, and destructuring when targeting 'ES5' or 'ES3'. */
-    // "isolatedModules": true,               /* Transpile each file as a separate module (similar to 'ts.transpileModule'). */
-
-    /* Strict Type-Checking Options */
-    "strict": true,                           /* Enable all strict type-checking options. */
-    "noImplicitAny": false,                 /* Raise error on expressions and declarations with an implied 'any' type. */
-    // "strictNullChecks": true,              /* Enable strict null checks. */
-    // "strictFunctionTypes": true,           /* Enable strict checking of function types. */
-    // "strictBindCallApply": true,           /* Enable strict 'bind', 'call', and 'apply' methods on functions. */
-    // "strictPropertyInitialization": true,  /* Enable strict checking of property initialization in classes. */
-    // "noImplicitThis": true,                /* Raise error on 'this' expressions with an implied 'any' type. */
-    // "alwaysStrict": true,                  /* Parse in strict mode and emit "use strict" for each source file. */
-
-    /* Additional Checks */
-    // "noUnusedLocals": true,                /* Report errors on unused locals. */
-    // "noUnusedParameters": true,            /* Report errors on unused parameters. */
-    // "noImplicitReturns": true,             /* Report error when not all code paths in function return a value. */
-    // "noFallthroughCasesInSwitch": true,    /* Report errors for fallthrough cases in switch statement. */
-
-    /* Module Resolution Options */
-    // "moduleResolution": "node",            /* Specify module resolution strategy: 'node' (Node.js) or 'classic' (TypeScript pre-1.6). */
-    // "baseUrl": "./",                       /* Base directory to resolve non-absolute module names. */
-    // "paths": {},                           /* A series of entries which re-map imports to lookup locations relative to the 'baseUrl'. */
-    // "rootDirs": [],                        /* List of root folders whose combined content represents the structure of the project at runtime. */
-    // "typeRoots": [],                       /* List of folders to include type definitions from. */
-    // "types": [],                           /* Type declaration files to be included in compilation. */
-    // "allowSyntheticDefaultImports": true,  /* Allow default imports from modules with no default export. This does not affect code emit, just typechecking. */
-    "esModuleInterop": true,                  /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
-    // "preserveSymlinks": true,              /* Do not resolve the real path of symlinks. */
-    // "allowUmdGlobalAccess": true,          /* Allow accessing UMD globals from modules. */
-
-    /* Source Map Options */
-    // "sourceRoot": "",                      /* Specify the location where debugger should locate TypeScript files instead of source locations. */
-    // "mapRoot": "",                         /* Specify the location where debugger should locate map files instead of generated locations. */
-    // "inlineSourceMap": true,               /* Emit a single file with source maps instead of having a separate file. */
-    // "inlineSources": true,                 /* Emit the source alongside the sourcemaps within a single file; requires '--inlineSourceMap' or '--sourceMap' to be set. */
-
-    /* Experimental Options */
-    // "experimentalDecorators": true,        /* Enables experimental support for ES7 decorators. */
-    // "emitDecoratorMetadata": true,         /* Enables experimental support for emitting type metadata for decorators. */
-
-    /* Advanced Options */
-    "skipLibCheck": true,                     /* Skip type checking of declaration files. */
-    "forceConsistentCasingInFileNames": true  /* Disallow inconsistently-cased references to the same file. */
-  }
-}

releaseNote.md

@@ -1,11 +1,12 @@
 ## Features
-- Added a pre-release package for the `macOS-arm64` architecture
-  - Note that this packages is pre-release status and may not work with all existing actions
+- Service containers startup error logs are now included in workflow's logs (#2110)
 
 ## Bugs
-- Fixed an issue where live console logs would fail to close (#1903)
+- Fixed missing SHA for Windows arm64 release archive (#2171)
 
 ## Misc
+- Added a feature flag to start warning on `save-state` and `set-output` deprecation (#2164)
+- Prepare supporting `vars` in workflow templates (#2096)
 
 ## Windows x64
 We recommend configuring the runner in a root folder of the Windows drive (e.g. "C:\actions-runner"). This will help avoid issues related to service identity folder permissions and long file path restrictions on Windows.
@@ -21,6 +22,22 @@ Add-Type -AssemblyName System.IO.Compression.FileSystem ;
 [System.IO.Compression.ZipFile]::ExtractToDirectory("$PWD\actions-runner-win-x64-<RUNNER_VERSION>.zip", "$PWD")
 ```
 
+## [Pre-release] Windows arm64
+**Warning:** Windows arm64 runners are currently in preview status and use [unofficial versions of nodejs](https://unofficial-builds.nodejs.org/). They are not intended for production workflows.
+
+We recommend configuring the runner in a root folder of the Windows drive (e.g. "C:\actions-runner"). This will help avoid issues related to service identity folder permissions and long file path restrictions on Windows.
+
+The following snipped needs to be run on `powershell`:
+``` powershell
+# Create a folder under the drive root
+mkdir \actions-runner ; cd \actions-runner
+# Download the latest runner package
+Invoke-WebRequest -Uri https://github.com/actions/runner/releases/download/v<RUNNER_VERSION>/actions-runner-win-arm64-<RUNNER_VERSION>.zip -OutFile actions-runner-win-arm64-<RUNNER_VERSION>.zip
+# Extract the installer
+Add-Type -AssemblyName System.IO.Compression.FileSystem ;
+[System.IO.Compression.ZipFile]::ExtractToDirectory("$PWD\actions-runner-win-arm64-<RUNNER_VERSION>.zip", "$PWD")
+```
+
 ## OSX x64
 
 ``` bash
@@ -32,7 +49,7 @@ curl -O -L https://github.com/actions/runner/releases/download/v<RUNNER_VERSION>
 tar xzf ./actions-runner-osx-x64-<RUNNER_VERSION>.tar.gz
 ```
 
-## [Pre-release] OSX arm64 (Apple silicon)
+## OSX arm64 (Apple silicon)
 
 ``` bash
 # Create a folder
@@ -84,6 +101,7 @@ For additional details about configuring, running, or shutting down the runner p
 The SHA-256 checksums for the packages included in this build are shown below:
 
 - actions-runner-win-x64-<RUNNER_VERSION>.zip <!-- BEGIN SHA win-x64 --><WIN_X64_SHA><!-- END SHA win-x64 -->
+- actions-runner-win-arm64-<RUNNER_VERSION>.zip <!-- BEGIN SHA win-arm64 --><WIN_ARM64_SHA><!-- END SHA win-arm64 -->
 - actions-runner-osx-x64-<RUNNER_VERSION>.tar.gz <!-- BEGIN SHA osx-x64 --><OSX_X64_SHA><!-- END SHA osx-x64 -->
 - actions-runner-osx-arm64-<RUNNER_VERSION>.tar.gz <!-- BEGIN SHA osx-arm64 --><OSX_ARM64_SHA><!-- END SHA osx-arm64 -->
 - actions-runner-linux-x64-<RUNNER_VERSION>.tar.gz <!-- BEGIN SHA linux-x64 --><LINUX_X64_SHA><!-- END SHA linux-x64 -->
@@ -91,6 +109,7 @@ The SHA-256 checksums for the packages included in this build are shown below:
 - actions-runner-linux-arm-<RUNNER_VERSION>.tar.gz <!-- BEGIN SHA linux-arm --><LINUX_ARM_SHA><!-- END SHA linux-arm -->
 
 - actions-runner-win-x64-<RUNNER_VERSION>-noexternals.zip <!-- BEGIN SHA win-x64_noexternals --><WIN_X64_SHA_NOEXTERNALS><!-- END SHA win-x64_noexternals -->
+- actions-runner-win-arm64-<RUNNER_VERSION>-noexternals.zip <!-- BEGIN SHA win-arm64_noexternals --><WIN_ARM64_SHA_NOEXTERNALS><!-- END SHA win-arm64_noexternals -->
 - actions-runner-osx-x64-<RUNNER_VERSION>-noexternals.tar.gz <!-- BEGIN SHA osx-x64_noexternals --><OSX_X64_SHA_NOEXTERNALS><!-- END SHA osx-x64_noexternals -->
 - actions-runner-osx-arm64-<RUNNER_VERSION>-noexternals.tar.gz <!-- BEGIN SHA osx-arm64_noexternals --><OSX_ARM64_SHA_NOEXTERNALS><!-- END SHA osx-arm64_noexternals -->
 - actions-runner-linux-x64-<RUNNER_VERSION>-noexternals.tar.gz <!-- BEGIN SHA linux-x64_noexternals --><LINUX_X64_SHA_NOEXTERNALS><!-- END SHA linux-x64_noexternals -->
@@ -98,6 +117,7 @@ The SHA-256 checksums for the packages included in this build are shown below:
 - actions-runner-linux-arm-<RUNNER_VERSION>-noexternals.tar.gz <!-- BEGIN SHA linux-arm_noexternals --><LINUX_ARM_SHA_NOEXTERNALS><!-- END SHA linux-arm_noexternals -->
 
 - actions-runner-win-x64-<RUNNER_VERSION>-noruntime.zip <!-- BEGIN SHA win-x64_noruntime --><WIN_X64_SHA_NORUNTIME><!-- END SHA win-x64_noruntime -->
+- actions-runner-win-arm64-<RUNNER_VERSION>-noruntime.zip <!-- BEGIN SHA win-arm64_noruntime --><WIN_ARM64_SHA_NORUNTIME><!-- END SHA win-arm64_noruntime -->
 - actions-runner-osx-x64-<RUNNER_VERSION>-noruntime.tar.gz <!-- BEGIN SHA osx-x64_noruntime --><OSX_X64_SHA_NORUNTIME><!-- END SHA osx-x64_noruntime -->
 - actions-runner-osx-arm64-<RUNNER_VERSION>-noruntime.tar.gz <!-- BEGIN SHA osx-arm64_noruntime --><OSX_ARM64_SHA_NORUNTIME><!-- END SHA osx-arm64_noruntime -->
 - actions-runner-linux-x64-<RUNNER_VERSION>-noruntime.tar.gz <!-- BEGIN SHA linux-x64_noruntime --><LINUX_X64_SHA_NORUNTIME><!-- END SHA linux-x64_noruntime -->
@@ -105,6 +125,7 @@ The SHA-256 checksums for the packages included in this build are shown below:
 - actions-runner-linux-arm-<RUNNER_VERSION>-noruntime.tar.gz <!-- BEGIN SHA linux-arm_noruntime --><LINUX_ARM_SHA_NORUNTIME><!-- END SHA linux-arm_noruntime -->
 
 - actions-runner-win-x64-<RUNNER_VERSION>-noruntime-noexternals.zip <!-- BEGIN SHA win-x64_noruntime_noexternals --><WIN_X64_SHA_NORUNTIME_NOEXTERNALS><!-- END SHA win-x64_noruntime_noexternals -->
+- actions-runner-win-arm64-<RUNNER_VERSION>-noruntime-noexternals.zip <!-- BEGIN SHA win-arm64_noruntime_noexternals --><WIN_ARM64_SHA_NORUNTIME_NOEXTERNALS><!-- END SHA win-arm64_noruntime_noexternals -->
 - actions-runner-osx-x64-<RUNNER_VERSION>-noruntime-noexternals.tar.gz <!-- BEGIN SHA osx-x64_noruntime_noexternals --><OSX_X64_SHA_NORUNTIME_NOEXTERNALS><!-- END SHA osx-x64_noruntime_noexternals -->
 - actions-runner-osx-arm64-<RUNNER_VERSION>-noruntime-noexternals.tar.gz <!-- BEGIN SHA osx-arm64_noruntime_noexternals --><OSX_ARM64_SHA_NORUNTIME_NOEXTERNALS><!-- END SHA osx-arm64_noruntime_noexternals -->
 - actions-runner-linux-x64-<RUNNER_VERSION>-noruntime-noexternals.tar.gz <!-- BEGIN SHA linux-x64_noruntime_noexternals --><LINUX_X64_SHA_NORUNTIME_NOEXTERNALS><!-- END SHA linux-x64_noruntime_noexternals -->

releaseVersion

@@ -1 +1 @@
-<Update to ./src/runnerversion when creating release>
+2.298.1

src/Directory.Build.props

@@ -24,6 +24,9 @@
   <PropertyGroup Condition="'$(BUILD_OS)' == 'Windows' AND '$(PackageRuntime)' == 'win-x86'">
     <DefineConstants>$(DefineConstants);X86</DefineConstants>
   </PropertyGroup>
+  <PropertyGroup Condition="'$(BUILD_OS)' == 'Windows' AND '$(PackageRuntime)' == 'win-arm64'">
+    <DefineConstants>$(DefineConstants);ARM64</DefineConstants>
+  </PropertyGroup>
 
   <PropertyGroup Condition="'$(BUILD_OS)' == 'OSX' AND '$(PackageRuntime)' == 'osx-x64'">
     <DefineConstants>$(DefineConstants);X64</DefineConstants>

src/Misc/contentHash/dotnetRuntime/win-arm64

@@ -0,0 +1 @@
+39d0683f0f115a211cb10c473e9574c16549a19d4e9a6c637ded3d7022bf809f

src/Misc/contentHash/externals/win-arm64

@@ -0,0 +1 @@
+e5dace2d41cc0682d096dcce4970079ad48ec7107e46195970eecfdb3df2acef

src/Misc/expressionFunc/hashFiles/README.md

@@ -1 +1,4 @@
-To update hashFiles under `Misc/layoutbin` run `npm install && npm run all`
+To compile this package (output will be stored in `Misc/layoutbin`) run `npm install && npm run all`.
+
+> Note: this package also needs to be recompiled for dependabot PRs updating one of
+> its dependencies.

src/Misc/expressionFunc/hashFiles/package-lock.json

@@ -22,9 +22,13 @@
       }
     },
     "node_modules/@actions/core": {
-      "version": "1.2.6",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz",
-      "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA=="
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
+      "dependencies": {
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
+      }
     },
     "node_modules/@actions/glob": {
       "version": "0.1.0",
@@ -35,6 +39,14 @@
         "minimatch": "^3.0.4"
       }
     },
+    "node_modules/@actions/http-client": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+      "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
+      "dependencies": {
+        "tunnel": "^0.0.6"
+      }
+    },
     "node_modules/@eslint/eslintrc": {
       "version": "1.2.1",
       "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-1.2.1.tgz",
@@ -2381,6 +2393,14 @@
         "typescript": ">=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta"
       }
     },
+    "node_modules/tunnel": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+      "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
+      "engines": {
+        "node": ">=0.6.11 <=0.7.0 || >=0.7.3"
+      }
+    },
     "node_modules/type-check": {
       "version": "0.4.0",
       "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
@@ -2442,6 +2462,14 @@
         "punycode": "^2.1.0"
       }
     },
+    "node_modules/uuid": {
+      "version": "8.3.2",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
+      "bin": {
+        "uuid": "dist/bin/uuid"
+      }
+    },
     "node_modules/v8-compile-cache": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/v8-compile-cache/-/v8-compile-cache-2.1.0.tgz",
@@ -2503,9 +2531,13 @@
   },
   "dependencies": {
     "@actions/core": {
-      "version": "1.2.6",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz",
-      "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA=="
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
+      "requires": {
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
+      }
     },
     "@actions/glob": {
       "version": "0.1.0",
@@ -2516,6 +2548,14 @@
         "minimatch": "^3.0.4"
       }
     },
+    "@actions/http-client": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+      "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
+      "requires": {
+        "tunnel": "^0.0.6"
+      }
+    },
     "@eslint/eslintrc": {
       "version": "1.2.1",
       "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-1.2.1.tgz",
@@ -4189,6 +4229,11 @@
         "tslib": "^1.8.1"
       }
     },
+    "tunnel": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+      "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="
+    },
     "type-check": {
       "version": "0.4.0",
       "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
@@ -4231,6 +4276,11 @@
         "punycode": "^2.1.0"
       }
     },
+    "uuid": {
+      "version": "8.3.2",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="
+    },
     "v8-compile-cache": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/v8-compile-cache/-/v8-compile-cache-2.1.0.tgz",

src/Misc/externals.sh

@@ -3,6 +3,7 @@ PACKAGERUNTIME=$1
 PRECACHE=$2
 
 NODE_URL=https://nodejs.org/dist
+UNOFFICIAL_NODE_URL=https://unofficial-builds.nodejs.org/download/release
 NODE12_VERSION="12.22.7"
 NODE16_VERSION="16.13.0"
 
@@ -134,6 +135,16 @@ if [[ "$PACKAGERUNTIME" == "win-x64" || "$PACKAGERUNTIME" == "win-x86" ]]; then
     fi
 fi
 
+# Download the external tools only for Windows.
+if [[ "$PACKAGERUNTIME" == "win-arm64" ]]; then
+    # todo: replace these with official release when available
+    acquireExternalTool "$UNOFFICIAL_NODE_URL/v${NODE16_VERSION}/$PACKAGERUNTIME/node.exe" node16/bin
+    acquireExternalTool "$UNOFFICIAL_NODE_URL/v${NODE16_VERSION}/$PACKAGERUNTIME/node.lib" node16/bin
+    if [[ "$PRECACHE" != "" ]]; then
+        acquireExternalTool "https://github.com/microsoft/vswhere/releases/download/2.6.7/vswhere.exe" vswhere
+    fi
+fi
+
 # Download the external tools only for OSX.
 if [[ "$PACKAGERUNTIME" == "osx-x64" ]]; then
     acquireExternalTool "$NODE_URL/v${NODE12_VERSION}/node-v${NODE12_VERSION}-darwin-x64.tar.gz" node12 fix_nested_dir

src/Misc/layoutbin/installdependencies.sh

@@ -66,7 +66,7 @@ then
             fi
         fi
 
-        $apt_get update && $apt_get install -y liblttng-ust0 libkrb5-3 zlib1g
+        $apt_get update && $apt_get install -y libkrb5-3 zlib1g
         if [ $? -ne 0 ]
         then
             echo "'$apt_get' failed with exit code '$?'"
@@ -94,6 +94,14 @@ then
             fi
         }
 
+        apt_get_with_fallbacks liblttng-ust1 liblttng-ust0
+        if [ $? -ne 0 ]
+        then
+            echo "'$apt_get' failed with exit code '$?'"
+            print_errormessage
+            exit 1
+        fi
+
         apt_get_with_fallbacks libssl1.1$ libssl1.0.2$ libssl1.0.0$
         if [ $? -ne 0 ]
         then

src/Misc/layoutbin/update.cmd.template

@@ -120,6 +120,9 @@ if ERRORLEVEL 1 (
 
 echo [%date% %time%] Update succeed >> "%logfile%" 2>&1
 
+type nul > update.finished
+echo [%date% %time%] update.finished file creation succeed >> "%logfile%" 2>&1
+
 rem rename the update log file with %logfile%.succeed/.failed/succeedneedrestart
 rem runner service host can base on the log file name determin the result of the runner update
 echo [%date% %time%] Rename "%logfile%" to be "%logfile%.succeed" >> "%logfile%" 2>&1

src/Misc/layoutbin/update.sh.template

@@ -180,6 +180,9 @@ fi
 
 date "+[%F %T-%4N] Update succeed" >> "$logfile"
 
+touch update.finished
+date "+[%F %T-%4N] update.finished file creation succeed" >> "$logfile"
+
 # rename the update log file with %logfile%.succeed/.failed/succeedneedrestart
 # runner service host can base on the log file name determin the result of the runner update
 date "+[%F %T-%4N] Rename $logfile to be $logfile.succeed" >> "$logfile" 2>&1

src/Misc/layoutroot/run-helper.cmd.template

@@ -1,5 +1,5 @@
 @echo off
-
+SET UPDATEFILE=update.finished
 "%~dp0\bin\Runner.Listener.exe" run %*
 
 rem using `if %ERRORLEVEL% EQU N` insterad of `if ERRORLEVEL N`
@@ -22,16 +22,30 @@ if %ERRORLEVEL% EQU 2 (
 )
 
 if %ERRORLEVEL% EQU 3 (
-  rem Sleep 5 seconds to wait for the runner update process finish
-  echo "Runner listener exit because of updating, re-launch runner in 5 seconds"
-  ping 127.0.0.1 -n 6 -w 1000 >NUL
+  rem Wait for 30 seconds or for flag file to exists for the ephemeral runner update process finish
+  echo "Runner listener exit because of updating, re-launch runner after successful update"
+  FOR /L %%G IN (1,1,30) DO (
+    IF EXIST %UPDATEFILE% (
+      echo "Update finished successfully."
+      del %FILE%
+      exit /b 1
+    )
+    ping 127.0.0.1 -n 2 -w 1000 >NUL
+  )
   exit /b 1
 )
 
 if %ERRORLEVEL% EQU 4 (
-  rem Sleep 5 seconds to wait for the ephemeral runner update process finish
-  echo "Runner listener exit because of updating, re-launch ephemeral runner in 5 seconds"
-  ping 127.0.0.1 -n 6 -w 1000 >NUL
+  rem Wait for 30 seconds or for flag file to exists for the runner update process finish
+  echo "Runner listener exit because of updating, re-launch runner after successful update"
+  FOR /L %%G IN (1,1,30) DO (
+    IF EXIST %UPDATEFILE% (
+      echo "Update finished successfully."
+      del %FILE%
+      exit /b 1
+    )
+    ping 127.0.0.1 -n 2 -w 1000 >NUL
+  )
   exit /b 1
 )
 

src/Misc/layoutroot/run-helper.sh.template

@@ -17,6 +17,8 @@ while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symli
     [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
 done
 DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
+
+updateFile="update.finished"
 "$DIR"/bin/Runner.Listener run $*
 
 returnCode=$?
@@ -31,14 +33,28 @@ elif [[ $returnCode == 2 ]]; then
     "$DIR"/safe_sleep.sh 5
     exit 2
 elif [[ $returnCode == 3 ]]; then
-    # Sleep 5 seconds to wait for the runner update process finish
-    echo "Runner listener exit because of updating, re-launch runner in 5 seconds"
-    "$DIR"/safe_sleep.sh 5
+    # Wait for 30 seconds or for flag file to exists for the runner update process finish
+    echo "Runner listener exit because of updating, re-launch runner after successful update"
+    for i in {0..30}; do
+        if test -f "$updateFile"; then
+            echo "Update finished successfully."
+            rm "$updateFile"
+            break
+        fi
+        "$DIR"/safe_sleep.sh 1
+    done
     exit 2
 elif [[ $returnCode == 4 ]]; then
-    # Sleep 5 seconds to wait for the ephemeral runner update process finish
-    echo "Runner listener exit because of updating, re-launch ephemeral runner in 5 seconds"
-    "$DIR"/safe_sleep.sh 5
+    # Wait for 30 seconds or for flag file to exists for the ephemeral runner update process finish
+    echo "Runner listener exit because of updating, re-launch runner after successful update"
+    for i in {0..30}; do
+        if test -f "$updateFile"; then
+            echo "Update finished successfully."
+            rm "$updateFile"
+            break
+        fi
+        "$DIR"/safe_sleep.sh 1
+    done
     exit 2
 else
     echo "Exiting with unknown error code: ${returnCode}"

src/Misc/layoutroot/run.sh

@@ -9,10 +9,10 @@ while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symli
     [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
 done
 DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
-cp -f "$DIR"/run-helper.sh.template "$DIR"/run-helper.sh
 # run the helper process which keep the listener alive
 while :;
 do
+    cp -f "$DIR"/run-helper.sh.template "$DIR"/run-helper.sh
     "$DIR"/run-helper.sh $*
     returnCode=$?
     if [[ $returnCode -eq 2 ]]; then

src/Misc/runnerdotnetruntimeassets

@@ -66,12 +66,14 @@ libmscordbi.dylib
 libmscordbi.so
 Microsoft.CSharp.dll
 Microsoft.DiaSymReader.Native.amd64.dll
+Microsoft.DiaSymReader.Native.arm64.dll
 Microsoft.VisualBasic.Core.dll
 Microsoft.VisualBasic.dll
 Microsoft.Win32.Primitives.dll
 Microsoft.Win32.Registry.dll
 mscordaccore.dll
 mscordaccore_amd64_amd64_6.0.522.21309.dll
+mscordaccore_arm64_arm64_6.0.522.21309.dll
 mscordbi.dll
 mscorlib.dll
 mscorrc.debug.dll
@@ -261,4 +263,4 @@ System.Xml.XmlSerializer.dll
 System.Xml.XPath.dll
 System.Xml.XPath.XDocument.dll
 ucrtbase.dll
-WindowsBase.dll
+WindowsBase.dll

src/Runner.Common/ActionCommand.cs

@@ -1,4 +1,3 @@
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using System;
 using System.Collections.Generic;

src/Runner.Common/ActionResult.cs

@@ -1,5 +1,3 @@
-using System;
-
 namespace GitHub.Runner.Common
 {
     public enum ActionResult

src/Runner.Common/CommandLineParser.cs

@@ -1,4 +1,3 @@
-using GitHub.Runner.Common.Util;
 using System;
 using System.Collections.Generic;
 using GitHub.DistributedTask.Logging;

src/Runner.Common/ConfigurationStore.cs

@@ -1,4 +1,3 @@
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using System;
 using System.IO;

src/Runner.Common/Constants.cs

@@ -77,7 +77,7 @@ namespace GitHub.Runner.Common
             public static readonly Architecture PlatformArchitecture = Architecture.X64;
 #elif ARM
             public static readonly Architecture PlatformArchitecture = Architecture.Arm;
-#elif ARM64            
+#elif ARM64
             public static readonly Architecture PlatformArchitecture = Architecture.Arm64;
 #endif
 
@@ -90,6 +90,7 @@ namespace GitHub.Runner.Common
                 public static class Args
                 {
                     public static readonly string Auth = "auth";
+                    public static readonly string JitConfig = "jitconfig";
                     public static readonly string Labels = "labels";
                     public static readonly string MonitorSocketAddress = "monitorsocketaddress";
                     public static readonly string Name = "name";
@@ -151,16 +152,18 @@ namespace GitHub.Runner.Common
                 public static readonly string DiskSpaceWarning = "runner.diskspace.warning";
                 public static readonly string Node12Warning = "DistributedTask.AddWarningToNode12Action";
                 public static readonly string UseContainerPathForTemplate = "DistributedTask.UseContainerPathForTemplate";
+                public static readonly string AllowRunnerContainerHooks = "DistributedTask.AllowRunnerContainerHooks";
             }
 
             public static readonly string InternalTelemetryIssueDataKey = "_internal_telemetry";
             public static readonly string WorkerCrash = "WORKER_CRASH";
             public static readonly string LowDiskSpace = "LOW_DISK_SPACE";
             public static readonly string UnsupportedCommand = "UNSUPPORTED_COMMAND";
+            public static readonly string UnsupportedCommandMessage = "The `{0}` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/";
             public static readonly string UnsupportedCommandMessageDisabled = "The `{0}` command is disabled. Please upgrade to using Environment Files or opt into unsecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/";
             public static readonly string UnsupportedStopCommandTokenDisabled = "You cannot use a endToken that is an empty string, the string 'pause-logging', or another workflow command. For more information see: https://docs.github.com/actions/learn-github-actions/workflow-commands-for-github-actions#example-stopping-and-starting-workflow-commands or opt into insecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_STOPCOMMAND_TOKENS` environment variable to `true`.";
             public static readonly string UnsupportedSummarySize = "$GITHUB_STEP_SUMMARY upload aborted, supports content up to a size of {0}k, got {1}k. For more information see: https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions#adding-a-markdown-summary";
-            public static readonly string Node12DetectedAfterEndOfLife = "Node.js 12 actions are deprecated. Please update the following actions to use Node.js 16: {0}";
+            public static readonly string Node12DetectedAfterEndOfLife = "Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/. Please update the following actions to use Node.js 16: {0}";
         }
 
         public static class RunnerEvent
@@ -196,6 +199,7 @@ namespace GitHub.Runner.Common
         {
             public static readonly string JobStartedStepName = "Set up runner";
             public static readonly string JobCompletedStepName = "Complete runner";
+            public static readonly string ContainerHooksPath = "ACTIONS_RUNNER_CONTAINER_HOOKS";
         }
 
         public static class Path
@@ -227,6 +231,7 @@ namespace GitHub.Runner.Common
                 //
                 public static readonly string AllowUnsupportedCommands = "ACTIONS_ALLOW_UNSECURE_COMMANDS";
                 public static readonly string AllowUnsupportedStopCommandTokens = "ACTIONS_ALLOW_UNSECURE_STOPCOMMAND_TOKENS";
+                public static readonly string RequireJobContainer = "ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER";
                 public static readonly string RunnerDebug = "ACTIONS_RUNNER_DEBUG";
                 public static readonly string StepDebug = "ACTIONS_STEP_DEBUG";
                 public static readonly string AllowActionsUseUnsecureNodeVersion = "ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION";
@@ -237,7 +242,8 @@ namespace GitHub.Runner.Common
                 public static readonly string ToolsDirectory = "agent.ToolsDirectory";
 
                 // Set this env var to "node12" to downgrade the node version for internal functions (e.g hashfiles). This does NOT affect the version of node actions.
-                public static readonly string ForcedInternalNodeVersion = "ACTIONS_RUNNER_FORCED_INTERNAL_NODE_VERSION"; 
+                public static readonly string ForcedInternalNodeVersion = "ACTIONS_RUNNER_FORCED_INTERNAL_NODE_VERSION";
+                public static readonly string ForcedActionsNodeVersion = "ACTIONS_RUNNER_FORCE_ACTIONS_NODE_VERSION";
             }
 
             public static class System
@@ -250,5 +256,12 @@ namespace GitHub.Runner.Common
                 public static readonly string PhaseDisplayName = "system.phaseDisplayName";
             }
         }
+
+        public static class OperatingSystem
+        {
+            public static readonly int Windows11BuildVersion = 22000;
+            // Both windows 10 and windows 11 share the same Major Version 10, need to use the build version to differentiate
+            public static readonly int Windows11MajorVersion = 10;
+        }
     }
 }

src/Runner.Common/ExtensionManager.cs

@@ -1,4 +1,3 @@
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using System;
 using System.Collections.Concurrent;
@@ -61,6 +60,8 @@ namespace GitHub.Runner.Common
                     Add<T>(extensions, "GitHub.Runner.Worker.AddPathFileCommand, Runner.Worker");
                     Add<T>(extensions, "GitHub.Runner.Worker.SetEnvFileCommand, Runner.Worker");
                     Add<T>(extensions, "GitHub.Runner.Worker.CreateStepSummaryCommand, Runner.Worker");
+                    Add<T>(extensions, "GitHub.Runner.Worker.SaveStateFileCommand, Runner.Worker");
+                    Add<T>(extensions, "GitHub.Runner.Worker.SetOutputFileCommand, Runner.Worker");
                     break;
                 case "GitHub.Runner.Listener.Check.ICheckExtension":
                     Add<T>(extensions, "GitHub.Runner.Listener.Check.InternetCheck, Runner.Listener");

src/Runner.Common/HostContext.cs

@@ -13,6 +13,7 @@ using System.Runtime.Loader;
 using System.Threading;
 using System.Threading.Tasks;
 using GitHub.DistributedTask.Logging;
+using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 
 namespace GitHub.Runner.Common
@@ -641,6 +642,31 @@ namespace GitHub.Runner.Common
             var handlerFactory = context.GetService<IHttpClientHandlerFactory>();
             return handlerFactory.CreateClientHandler(context.WebProxy);
         }
+
+        public static string GetDefaultShellForScript(this IHostContext hostContext, string path, string prependPath)
+        {
+            var trace = hostContext.GetTrace(nameof(GetDefaultShellForScript));
+            switch (Path.GetExtension(path))
+            {
+                case ".sh":
+                    // use 'sh' args but prefer bash
+                    if (WhichUtil.Which("bash", false, trace, prependPath) != null)
+                    {
+                        return "bash";
+                    }
+                    return "sh";
+                case ".ps1":
+                    if (WhichUtil.Which("pwsh", false, trace, prependPath) != null)
+                    {
+                        return "pwsh";
+                    }
+                    return "powershell";
+                case ".js":
+                    return Path.Combine(hostContext.GetDirectory(WellKnownDirectory.Externals), NodeUtil.GetInternalNodeVersion(), "bin", $"node{IOUtil.ExeExtension}") + " {0}";
+                default:
+                    throw new ArgumentException($"{path} is not a valid path to a script. Make sure it ends in '.sh', '.ps1' or '.js'.");
+            }
+        }
     }
 
     public enum ShutdownReason

src/Runner.Common/HostTraceListener.cs

@@ -1,4 +1,3 @@
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using System;
 using System.Diagnostics;

src/Runner.Common/JobNotification.cs

@@ -1,10 +1,7 @@
-using System;
-using System.IO;
-using System.IO.Pipes;
+using System;
 using System.Net;
 using System.Net.Sockets;
 using System.Text;
-using System.Threading;
 using System.Threading.Tasks;
 
 namespace GitHub.Runner.Common

src/Runner.Common/JobServer.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
@@ -13,7 +13,6 @@ using GitHub.Runner.Sdk;
 using GitHub.Services.Common;
 using GitHub.Services.WebApi;
 using GitHub.Services.WebApi.Utilities.Internal;
-using Newtonsoft.Json;
 
 namespace GitHub.Runner.Common
 {

src/Runner.Common/JobStatusEventArgs.cs

@@ -0,0 +1,14 @@
+using System;
+using GitHub.DistributedTask.WebApi;
+
+namespace GitHub.Runner.Common
+{
+    public class JobStatusEventArgs : EventArgs
+    {
+        public JobStatusEventArgs(TaskAgentStatus status)
+        {
+            this.Status = status;
+        }
+        public TaskAgentStatus Status { get; private set; }
+    }
+}

src/Runner.Common/Logging.cs

@@ -1,4 +1,3 @@
-using GitHub.Runner.Common.Util;
 using System;
 using System.IO;
 

src/Runner.Common/ProcessInvoker.cs

@@ -1,4 +1,4 @@
-using GitHub.Runner.Common.Util;
+using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using System;
 using System.Collections.Generic;

src/Runner.Common/RunServer.cs

@@ -0,0 +1,103 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using GitHub.DistributedTask.Pipelines;
+using GitHub.DistributedTask.WebApi;
+using GitHub.Runner.Sdk;
+using GitHub.Services.Common;
+using GitHub.Services.WebApi;
+
+namespace GitHub.Runner.Common
+{
+    [ServiceLocator(Default = typeof(RunServer))]
+    public interface IRunServer : IRunnerService
+    {
+        Task ConnectAsync(Uri serverUrl, VssCredentials credentials);
+
+        Task<AgentJobRequestMessage> GetJobMessageAsync(string id, CancellationToken token);
+    }
+
+    public sealed class RunServer : RunnerService, IRunServer
+    {
+        private bool _hasConnection;
+        private VssConnection _connection;
+        private TaskAgentHttpClient _taskAgentClient;
+
+        public async Task ConnectAsync(Uri serverUrl, VssCredentials credentials)
+        {
+            _connection = await EstablishVssConnection(serverUrl, credentials, TimeSpan.FromSeconds(100));
+            _taskAgentClient = _connection.GetClient<TaskAgentHttpClient>();
+            _hasConnection = true;
+        }
+
+        private async Task<VssConnection> EstablishVssConnection(Uri serverUrl, VssCredentials credentials, TimeSpan timeout)
+        {
+            Trace.Info($"EstablishVssConnection");
+            Trace.Info($"Establish connection with {timeout.TotalSeconds} seconds timeout.");
+            int attemptCount = 5;
+            while (attemptCount-- > 0)
+            {
+                var connection = VssUtil.CreateConnection(serverUrl, credentials, timeout: timeout);
+                try
+                {
+                    await connection.ConnectAsync();
+                    return connection;
+                }
+                catch (Exception ex) when (attemptCount > 0)
+                {
+                    Trace.Info($"Catch exception during connect. {attemptCount} attempt left.");
+                    Trace.Error(ex);
+
+                    await HostContext.Delay(TimeSpan.FromMilliseconds(100), CancellationToken.None);
+                }
+            }
+
+            // should never reach here.
+            throw new InvalidOperationException(nameof(EstablishVssConnection));
+        }
+
+        private void CheckConnection()
+        {
+            if (!_hasConnection)
+            {
+                throw new InvalidOperationException($"SetConnection");
+            }
+        }
+
+        public Task<AgentJobRequestMessage> GetJobMessageAsync(string id, CancellationToken cancellationToken)
+        {
+            CheckConnection();
+            var jobMessage = RetryRequest<AgentJobRequestMessage>(async () =>
+                                                    {
+                                                        return await _taskAgentClient.GetJobMessageAsync(id, cancellationToken);
+                                                    }, cancellationToken);
+            return jobMessage;
+        }
+
+        private async Task<T> RetryRequest<T>(Func<Task<T>> func,
+                                              CancellationToken cancellationToken,
+                                              int maxRetryAttemptsCount = 5
+                                             )
+        {
+            var retryCount = 0;
+            while (true)
+            {
+                retryCount++;
+                cancellationToken.ThrowIfCancellationRequested();
+                try
+                {
+                    return await func();
+                }
+                // TODO: Add handling of non-retriable exceptions: https://github.com/github/actions-broker/issues/122
+                catch (Exception ex) when (retryCount < maxRetryAttemptsCount)
+                {
+                    Trace.Error("Catch exception during get full job message");
+                    Trace.Error(ex);
+                    var backOff = BackoffTimerHelper.GetRandomBackoff(TimeSpan.FromSeconds(5), TimeSpan.FromSeconds(15));
+                    Trace.Warning($"Back off {backOff.TotalSeconds} seconds before next retry. {maxRetryAttemptsCount - retryCount} attempt left.");
+                    await Task.Delay(backOff, cancellationToken);
+                }
+            }
+        }
+    }
+}

src/Runner.Common/Runner.Common.csproj

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <OutputType>Library</OutputType>
-    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64;osx-arm64</RuntimeIdentifiers>
+    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64;osx-arm64;win-arm64</RuntimeIdentifiers>
     <TargetLatestRuntimePatch>true</TargetLatestRuntimePatch>
     <NoWarn>NU1701;NU1603</NoWarn>
     <Version>$(Version)</Version>
@@ -16,7 +16,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Win32.Registry" Version="4.4.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
     <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="4.4.0" />
     <PackageReference Include="System.Text.Encoding.CodePages" Version="4.4.0" />
     <PackageReference Include="System.Threading.Channels" Version="4.4.0" />

src/Runner.Common/RunnerServer.cs

@@ -1,9 +1,8 @@
-using GitHub.DistributedTask.WebApi;
+using GitHub.DistributedTask.WebApi;
 using System;
 using System.Collections.Generic;
 using System.Threading;
 using System.Threading.Tasks;
-using GitHub.Runner.Common.Util;
 using GitHub.Services.WebApi;
 using GitHub.Services.Common;
 using GitHub.Runner.Sdk;
@@ -39,7 +38,7 @@ namespace GitHub.Runner.Common
         Task<TaskAgentSession> CreateAgentSessionAsync(Int32 poolId, TaskAgentSession session, CancellationToken cancellationToken);
         Task DeleteAgentMessageAsync(Int32 poolId, Int64 messageId, Guid sessionId, CancellationToken cancellationToken);
         Task DeleteAgentSessionAsync(Int32 poolId, Guid sessionId, CancellationToken cancellationToken);
-        Task<TaskAgentMessage> GetAgentMessageAsync(Int32 poolId, Guid sessionId, Int64? lastMessageId, CancellationToken cancellationToken);
+        Task<TaskAgentMessage> GetAgentMessageAsync(Int32 poolId, Guid sessionId, Int64? lastMessageId, TaskAgentStatus status, CancellationToken cancellationToken);
 
         // job request
         Task<TaskAgentJobRequest> GetAgentRequestAsync(int poolId, long requestId, CancellationToken cancellationToken);
@@ -298,10 +297,10 @@ namespace GitHub.Runner.Common
             return _messageTaskAgentClient.DeleteAgentSessionAsync(poolId, sessionId, cancellationToken: cancellationToken);
         }
 
-        public Task<TaskAgentMessage> GetAgentMessageAsync(Int32 poolId, Guid sessionId, Int64? lastMessageId, CancellationToken cancellationToken)
+        public Task<TaskAgentMessage> GetAgentMessageAsync(Int32 poolId, Guid sessionId, Int64? lastMessageId, TaskAgentStatus status, CancellationToken cancellationToken)
         {
             CheckConnection(RunnerConnectionType.MessageQueue);
-            return _messageTaskAgentClient.GetMessageAsync(poolId, sessionId, lastMessageId, cancellationToken: cancellationToken);
+            return _messageTaskAgentClient.GetMessageAsync(poolId, sessionId, lastMessageId, status, cancellationToken: cancellationToken);
         }
 
         //-----------------------------------------------------------------

src/Runner.Common/ThrottlingReportHandler.cs

@@ -1,10 +1,9 @@
-using System;
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Net.Http;
 using System.Threading;
 using System.Threading.Tasks;
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using GitHub.Services.Common.Internal;
 

src/Runner.Common/TraceManager.cs

@@ -1,4 +1,3 @@
-using GitHub.Runner.Common.Util;
 using System;
 using System.Collections.Concurrent;
 using System.Diagnostics;

src/Runner.Common/Tracing.cs

@@ -1,5 +1,3 @@
-
-using GitHub.Runner.Common.Util;
 using Newtonsoft.Json;
 using System;
 using System.Diagnostics;

src/Runner.Common/Util/NodeUtil.cs

@@ -7,7 +7,7 @@ namespace GitHub.Runner.Common.Util
     {
         private const string _defaultNodeVersion = "node16";
 
-#if OS_OSX && ARM64
+#if (OS_OSX || OS_WINDOWS) && ARM64
         public static readonly ReadOnlyCollection<string> BuiltInNodeVersions = new(new[] { "node16" });
 #else
         public static readonly ReadOnlyCollection<string> BuiltInNodeVersions = new(new[] { "node12", "node16" });
@@ -15,8 +15,14 @@ namespace GitHub.Runner.Common.Util
 
         public static string GetInternalNodeVersion()
         {
-            var forcedNodeVersion = Environment.GetEnvironmentVariable(Constants.Variables.Agent.ForcedInternalNodeVersion);
-            return !string.IsNullOrEmpty(forcedNodeVersion) && BuiltInNodeVersions.Contains(forcedNodeVersion) ? forcedNodeVersion : _defaultNodeVersion;
+            var forcedInternalNodeVersion = Environment.GetEnvironmentVariable(Constants.Variables.Agent.ForcedInternalNodeVersion);
+            var isForcedInternalNodeVersion = !string.IsNullOrEmpty(forcedInternalNodeVersion) && BuiltInNodeVersions.Contains(forcedInternalNodeVersion);
+
+            if (isForcedInternalNodeVersion)
+            {
+                return forcedInternalNodeVersion;
+            }
+            return _defaultNodeVersion;
         }
     }
 }

src/Runner.Common/Util/VarUtil.cs

@@ -1,7 +1,4 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using GitHub.Runner.Sdk;
+using System;
 
 namespace GitHub.Runner.Common.Util
 {

src/Runner.Listener/Checks/GitCheck.cs

@@ -2,7 +2,6 @@ using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
-using System.Net;
 using System.Threading;
 using System.Threading.Tasks;
 using GitHub.Runner.Common;
@@ -168,4 +167,4 @@ namespace GitHub.Runner.Listener.Check
             return result;
         }
     }
-}
+}

src/Runner.Listener/Checks/NodeJsCheck.cs

@@ -2,7 +2,6 @@ using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
-using System.Net;
 using System.Threading;
 using System.Threading.Tasks;
 using GitHub.Runner.Common;
@@ -179,4 +178,4 @@ namespace GitHub.Runner.Listener.Check
             return result;
         }
     }
-}
+}

src/Runner.Listener/CommandSettings.cs

@@ -4,7 +4,6 @@ using System;
 using System.Collections;
 using System.Collections.Generic;
 using System.Linq;
-using GitHub.DistributedTask.Logging;
 using GitHub.Runner.Common;
 using GitHub.Runner.Sdk;
 
@@ -63,6 +62,7 @@ namespace GitHub.Runner.Listener
                 new string[]
                 {
                     Constants.Runner.CommandLine.Flags.Once,
+                    Constants.Runner.CommandLine.Args.JitConfig,
                     Constants.Runner.CommandLine.Args.StartupType
                 },
             // valid warmup flags and args
@@ -213,6 +213,12 @@ namespace GitHub.Runner.Listener
                 validator: Validators.AuthSchemeValidator);
         }
 
+        public string GetJitConfig()
+        {
+            return GetArg(
+                name: Constants.Runner.CommandLine.Args.JitConfig);
+        }
+
         public string GetRunnerName()
         {
             return GetArgOrPrompt(

src/Runner.Listener/Configuration/ConfigurationManager.cs

@@ -3,6 +3,7 @@ using GitHub.Runner.Common;
 using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using GitHub.Services.Common;
+using GitHub.Services.Common.Internal;
 using GitHub.Services.OAuth;
 using System;
 using System.Collections.Generic;
@@ -128,7 +129,7 @@ namespace GitHub.Runner.Listener.Configuration
                         // Example githubServerUrl is https://my-ghes
                         var actionsServerUrl = new Uri(runnerSettings.ServerUrl);
                         var githubServerUrl = new Uri(runnerSettings.GitHubUrl);
-                        if (!string.Equals(actionsServerUrl.Authority, githubServerUrl.Authority, StringComparison.OrdinalIgnoreCase))
+                        if (!UriUtility.IsSubdomainOf(actionsServerUrl.Authority, githubServerUrl.Authority))
                         {
                             throw new InvalidOperationException($"GitHub Actions is not properly configured in GHES. GHES url: {runnerSettings.GitHubUrl}, Actions url: {runnerSettings.ServerUrl}.");
                         }

src/Runner.Listener/Configuration/PromptManager.cs

@@ -1,5 +1,4 @@
 using GitHub.Runner.Common;
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using System;
 
@@ -72,7 +71,7 @@ namespace GitHub.Runner.Listener.Configuration
                 {
                     return defaultValue;
                 }
-                else if (isOptional) 
+                else if (isOptional)
                 {
                     return string.Empty;
                 }
@@ -87,11 +86,12 @@ namespace GitHub.Runner.Listener.Configuration
                 // Write the message prompt.
                 _terminal.Write($"{description} ");
 
-                if(!string.IsNullOrEmpty(defaultValue))
+                if (!string.IsNullOrEmpty(defaultValue))
                 {
                     _terminal.Write($"[press Enter for {defaultValue}] ");
                 }
-                else if (isOptional){
+                else if (isOptional)
+                {
                     _terminal.Write($"[press Enter to skip] ");
                 }
 
@@ -112,7 +112,7 @@ namespace GitHub.Runner.Listener.Configuration
                         return string.Empty;
                     }
                 }
-                
+
                 // Return the value if it is not empty and it is valid.
                 // Otherwise try the loop again.
                 if (!string.IsNullOrEmpty(value))

src/Runner.Listener/Configuration/RSAFileKeyManager.cs

@@ -3,7 +3,6 @@ using System;
 using System.IO;
 using System.Security.Cryptography;
 using System.Threading;
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Common;
 using GitHub.Runner.Sdk;
 

src/Runner.Listener/Configuration/SystemdControlManager.cs

@@ -1,4 +1,4 @@
-#if OS_LINUX
+#if OS_LINUX
 using System;
 using System.Collections.Generic;
 using System.IO;
@@ -6,7 +6,6 @@ using System.Linq;
 using System.Text;
 using GitHub.Runner.Common.Util;
 using GitHub.Runner.Common;
-using GitHub.Runner.Sdk;
 
 namespace GitHub.Runner.Listener.Configuration
 {

src/Runner.Listener/JobDispatcher.cs

@@ -27,6 +27,7 @@ namespace GitHub.Runner.Listener
         bool Cancel(JobCancelMessage message);
         Task WaitAsync(CancellationToken token);
         Task ShutdownAsync();
+        event EventHandler<JobStatusEventArgs> JobStatus;
     }
 
     // This implementation of IJobDispatcher is not thread safe.
@@ -55,6 +56,8 @@ namespace GitHub.Runner.Listener
 
         private TaskCompletionSource<bool> _runOnceJobCompleted = new TaskCompletionSource<bool>();
 
+        public event EventHandler<JobStatusEventArgs> JobStatus;
+
         public override void Initialize(IHostContext hostContext)
         {
             base.Initialize(hostContext);
@@ -335,6 +338,11 @@ namespace GitHub.Runner.Listener
             Busy = true;
             try
             {
+                if (JobStatus != null)
+                {
+                    JobStatus(this, new JobStatusEventArgs(TaskAgentStatus.Busy));
+                }
+
                 if (previousJobDispatch != null)
                 {
                     Trace.Verbose($"Make sure the previous job request {previousJobDispatch.JobId} has successfully finished on worker.");
@@ -650,6 +658,11 @@ namespace GitHub.Runner.Listener
             finally
             {
                 Busy = false;
+                
+                if (JobStatus != null)
+                {
+                    JobStatus(this, new JobStatusEventArgs(TaskAgentStatus.Online));
+                }
             }
         }
 

src/Runner.Listener/MessageListener.cs

@@ -23,6 +23,7 @@ namespace GitHub.Runner.Listener
         Task DeleteSessionAsync();
         Task<TaskAgentMessage> GetNextMessageAsync(CancellationToken token);
         Task DeleteMessageAsync(TaskAgentMessage message);
+        void OnJobStatus(object sender, JobStatusEventArgs e);
     }
 
     public sealed class MessageListener : RunnerService, IMessageListener
@@ -38,6 +39,8 @@ namespace GitHub.Runner.Listener
         private readonly TimeSpan _sessionConflictRetryLimit = TimeSpan.FromMinutes(4);
         private readonly TimeSpan _clockSkewRetryLimit = TimeSpan.FromMinutes(30);
         private readonly Dictionary<string, int> _sessionCreationExceptionTracker = new Dictionary<string, int>();
+        private TaskAgentStatus runnerStatus = TaskAgentStatus.Online;
+        private CancellationTokenSource _getMessagesTokenSource;
 
         public override void Initialize(IHostContext hostContext)
         {
@@ -170,6 +173,23 @@ namespace GitHub.Runner.Listener
             }
         }
 
+        public void OnJobStatus(object sender, JobStatusEventArgs e)
+        {
+            if (StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable("USE_BROKER_FLOW")))
+            {
+                Trace.Info("Received job status event. JobState: {0}", e.Status);
+                runnerStatus = e.Status;
+                try
+                {
+                    _getMessagesTokenSource?.Cancel();
+                } 
+                catch (ObjectDisposedException)
+                {
+                    Trace.Info("_getMessagesTokenSource is already disposed.");
+                }
+            }
+        }
+
         public async Task<TaskAgentMessage> GetNextMessageAsync(CancellationToken token)
         {
             Trace.Entering();
@@ -184,12 +204,14 @@ namespace GitHub.Runner.Listener
             {
                 token.ThrowIfCancellationRequested();
                 TaskAgentMessage message = null;
+                _getMessagesTokenSource = CancellationTokenSource.CreateLinkedTokenSource(token);
                 try
                 {
                     message = await _runnerServer.GetAgentMessageAsync(_settings.PoolId,
                                                                 _session.SessionId,
                                                                 _lastMessageId,
-                                                                token);
+                                                                runnerStatus,
+                                                                _getMessagesTokenSource.Token);
 
                     // Decrypt the message body if the session is using encryption
                     message = DecryptMessage(message);
@@ -206,6 +228,11 @@ namespace GitHub.Runner.Listener
                         continuousError = 0;
                     }
                 }
+                catch (OperationCanceledException) when (_getMessagesTokenSource.Token.IsCancellationRequested && !token.IsCancellationRequested)
+                {
+                    Trace.Info("Get messages has been cancelled using local token source. Continue to get messages with new status.");
+                    continue;
+                }
                 catch (OperationCanceledException) when (token.IsCancellationRequested)
                 {
                     Trace.Info("Get next message has been cancelled.");
@@ -261,6 +288,10 @@ namespace GitHub.Runner.Listener
                         await HostContext.Delay(_getNextMessageRetryInterval, token);
                     }
                 }
+                finally 
+                {
+                    _getMessagesTokenSource.Dispose();
+                }
 
                 if (message == null)
                 {

src/Runner.Listener/Program.cs

@@ -1,12 +1,10 @@
 using GitHub.Runner.Common;
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using System;
 using System.Globalization;
 using System.IO;
 using System.Reflection;
 using System.Runtime.InteropServices;
-using System.Threading;
 using System.Threading.Tasks;
 
 namespace GitHub.Runner.Listener
@@ -60,6 +58,18 @@ namespace GitHub.Runner.Listener
                         terminal.WriteLine("This runner version is built for Windows. Please install a correct build for your OS.");
                         return Constants.Runner.ReturnCode.TerminatedError;
                     }
+                    #if ARM64
+                        // A little hacky, but windows gives no way to differentiate between windows 10 and 11.
+                        // By default only 11 supports native x64 app emulation on arm, so we only want to support windows 11
+                        // https://docs.microsoft.com/en-us/windows/arm/overview#build-windows-apps-that-run-on-arm
+                        // Windows 10 and 11 share a MajorVersion, so we also check the build version. Minor for both is 0, so doing < 0 doesn't really make a lot of sense.
+                        if (Environment.OSVersion.Version.Major < Constants.OperatingSystem.Windows11MajorVersion || 
+                            Environment.OSVersion.Version.Build < Constants.OperatingSystem.Windows11BuildVersion)
+                        {
+                            terminal.WriteLine("Win-arm64 runners require windows 11 or later. Please upgrade your operating system.");
+                            return Constants.Runner.ReturnCode.TerminatedError;
+                        }
+                    #endif
                     break;
                 default:
                     terminal.WriteLine($"Running the runner on this platform is not supported. The current platform is {RuntimeInformation.OSDescription} and it was built for {Constants.Runner.Platform.ToString()}.");

src/Runner.Listener/Runner.Listener.csproj

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <OutputType>Exe</OutputType>
-    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64;osx-arm64</RuntimeIdentifiers>
+    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64;osx-arm64;win-arm64</RuntimeIdentifiers>
     <TargetLatestRuntimePatch>true</TargetLatestRuntimePatch>
     <NoWarn>NU1701;NU1603</NoWarn>
     <Version>$(Version)</Version>
@@ -19,7 +19,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Win32.Registry" Version="4.4.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
     <PackageReference Include="System.IO.FileSystem.AccessControl" Version="4.4.0" />
     <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="4.4.0" />
     <PackageReference Include="System.ServiceProcess.ServiceController" Version="4.4.0" />

src/Runner.Listener/Runner.cs

@@ -1,18 +1,19 @@
-using GitHub.DistributedTask.WebApi;
-using GitHub.Runner.Listener.Configuration;
 using System;
-using System.Threading;
-using System.Threading.Tasks;
-using GitHub.Services.WebApi;
-using Pipelines = GitHub.DistributedTask.Pipelines;
+using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using System.Reflection;
 using System.Runtime.CompilerServices;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+using GitHub.DistributedTask.WebApi;
 using GitHub.Runner.Common;
-using GitHub.Runner.Sdk;
-using System.Linq;
 using GitHub.Runner.Listener.Check;
-using System.Collections.Generic;
+using GitHub.Runner.Listener.Configuration;
+using GitHub.Runner.Sdk;
+using GitHub.Services.WebApi;
+using Pipelines = GitHub.DistributedTask.Pipelines;
 
 namespace GitHub.Runner.Listener
 {
@@ -192,6 +193,30 @@ namespace GitHub.Runner.Listener
                     return Constants.Runner.ReturnCode.Success;
                 }
 
+                var base64JitConfig = command.GetJitConfig();
+                if (!string.IsNullOrEmpty(base64JitConfig))
+                {
+                    try
+                    {
+                        var decodedJitConfig = Encoding.UTF8.GetString(Convert.FromBase64String(base64JitConfig));
+                        var jitConfig = StringUtil.ConvertFromJson<Dictionary<string, string>>(decodedJitConfig);
+                        foreach (var config in jitConfig)
+                        {
+                            var configFile = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Root), config.Key);
+                            var configContent = Encoding.UTF8.GetString(Convert.FromBase64String(config.Value));
+                            File.WriteAllText(configFile, configContent, Encoding.UTF8);
+                            File.SetAttributes(configFile, File.GetAttributes(configFile) | FileAttributes.Hidden);
+                            Trace.Info($"Save {configContent.Length} chars to '{configFile}'.");
+                        }
+                    }
+                    catch (Exception ex)
+                    {
+                        Trace.Error(ex);
+                        _term.WriteError(ex.Message);
+                        return Constants.Runner.ReturnCode.TerminatedError;
+                    }
+                }
+
                 RunnerSettings settings = configManager.LoadSettings();
 
                 var store = HostContext.GetService<IConfigurationStore>();
@@ -322,6 +347,7 @@ namespace GitHub.Runner.Listener
 
                 // Should we try to cleanup ephemeral runners
                 bool runOnceJobCompleted = false;
+                bool skipSessionDeletion = false;
                 try
                 {
                     var notification = HostContext.GetService<IJobNotification>();
@@ -333,6 +359,8 @@ namespace GitHub.Runner.Listener
                     bool runOnceJobReceived = false;
                     jobDispatcher = HostContext.CreateService<IJobDispatcher>();
 
+                    jobDispatcher.JobStatus += _listener.OnJobStatus;
+
                     while (!HostContext.RunnerShutdownToken.IsCancellationRequested)
                     {
                         TaskAgentMessage message = null;
@@ -457,6 +485,34 @@ namespace GitHub.Runner.Listener
                                     }
                                 }
                             }
+                            // Broker flow
+                            else if (string.Equals(message.MessageType, JobRequestMessageTypes.RunnerJobRequest, StringComparison.OrdinalIgnoreCase))
+                            {
+                                if (autoUpdateInProgress || runOnceJobReceived)
+                                {
+                                    skipMessageDeletion = true;
+                                    Trace.Info($"Skip message deletion for job request message '{message.MessageId}'.");
+                                }
+                                else
+                                {
+                                    var messageRef = StringUtil.ConvertFromJson<RunnerJobRequestRef>(message.Body);
+
+                                    // Create connection
+                                    var credMgr = HostContext.GetService<ICredentialManager>();
+                                    var creds = credMgr.LoadCredentials();
+
+                                    var runServer = HostContext.CreateService<IRunServer>();
+                                    await runServer.ConnectAsync(new Uri(settings.ServerUrl), creds);
+                                    var jobMessage = await runServer.GetJobMessageAsync(messageRef.RunnerRequestId, messageQueueLoopTokenSource.Token);
+
+                                    jobDispatcher.Run(jobMessage, runOnce);
+                                    if (runOnce)
+                                    {
+                                        Trace.Info("One time used runner received job message.");
+                                        runOnceJobReceived = true;
+                                    }
+                                }
+                            }
                             else if (string.Equals(message.MessageType, JobCancelMessage.MessageType, StringComparison.OrdinalIgnoreCase))
                             {
                                 var cancelJobMessage = JsonUtility.FromString<JobCancelMessage>(message.Body);
@@ -468,6 +524,14 @@ namespace GitHub.Runner.Listener
                                     Trace.Info($"Skip message deletion for cancellation message '{message.MessageId}'.");
                                 }
                             }
+                            else if (string.Equals(message.MessageType, Pipelines.HostedRunnerShutdownMessage.MessageType, StringComparison.OrdinalIgnoreCase))
+                            {
+                                var HostedRunnerShutdownMessage = JsonUtility.FromString<Pipelines.HostedRunnerShutdownMessage>(message.Body);
+                                skipMessageDeletion = true;
+                                skipSessionDeletion = true;
+                                Trace.Info($"Service requests the hosted runner to shutdown. Reason: '{HostedRunnerShutdownMessage.Reason}'.");
+                                return Constants.Runner.ReturnCode.Success;
+                            }
                             else
                             {
                                 Trace.Error($"Received message {message.MessageId} with unsupported message type {message.MessageType}.");
@@ -498,18 +562,22 @@ namespace GitHub.Runner.Listener
                 {
                     if (jobDispatcher != null)
                     {
+                        jobDispatcher.JobStatus -= _listener.OnJobStatus;
                         await jobDispatcher.ShutdownAsync();
                     }
 
-                    try
+                    if (!skipSessionDeletion)
                     {
-                        await _listener.DeleteSessionAsync();
-                    }
-                    catch (Exception ex) when (runOnce)
-                    {
-                        // ignore exception during delete session for ephemeral runner since the runner might already be deleted from the server side
-                        // and the delete session call will ends up with 401.
-                        Trace.Info($"Ignore any exception during DeleteSession for an ephemeral runner. {ex}");
+                        try
+                        {
+                            await _listener.DeleteSessionAsync();
+                        }
+                        catch (Exception ex) when (runOnce)
+                        {
+                            // ignore exception during delete session for ephemeral runner since the runner might already be deleted from the server side
+                            // and the delete session call will ends up with 401.
+                            Trace.Info($"Ignore any exception during DeleteSession for an ephemeral runner. {ex}");
+                        }
                     }
 
                     messageQueueLoopTokenSource.Dispose();
@@ -561,7 +629,7 @@ Config Options:
  --labels string        Extra labels in addition to the default: 'self-hosted,{Constants.Runner.Platform},{Constants.Runner.PlatformArchitecture}'
  --work string          Relative runner work directory (default {Constants.Path.WorkDirectory})
  --replace              Replace any existing runner with the same name (default false)
- --pat                  GitHub personal access token used for checking network connectivity when executing `.{separator}run.{ext} --check`
+ --pat                  GitHub personal access token with repo scope. Used for checking network connectivity when executing `.{separator}run.{ext} --check`
  --disableupdate        Disable self-hosted runner automatic update to the latest released version`
  --ephemeral            Configure the runner to only take one job and then let the service un-configure the runner after the job finishes (default false)");
 

src/Runner.Listener/RunnerJobRequestRef.cs

@@ -0,0 +1,13 @@
+using System.Runtime.Serialization;
+
+namespace GitHub.Runner.Listener
+{
+    [DataContract]
+    public sealed class RunnerJobRequestRef
+    {
+        [DataMember(Name = "id")]
+        public string Id { get; set; }
+        [DataMember(Name = "runner_request_id")]
+        public string RunnerRequestId { get; set; }
+    }
+}

src/Runner.Listener/SelfUpdater.cs

@@ -131,6 +131,8 @@ namespace GitHub.Runner.Listener
                 // For L0, we will skip execute update script.
                 if (string.IsNullOrEmpty(Environment.GetEnvironmentVariable("_GITHUB_ACTION_EXECUTE_UPDATE_SCRIPT")))
                 {
+                    string flagFile = "update.finished";
+                    IOUtil.DeleteFile(flagFile);
                     // kick off update script
                     Process invokeScript = new Process();
 #if OS_WINDOWS
@@ -294,12 +296,12 @@ namespace GitHub.Runner.Listener
                         archiveFile = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Root), $"runner{targetVersion}.tar.gz");
                     }
 
-                    if (File.Exists(archiveFile)) 
+                    if (File.Exists(archiveFile))
                     {
                         _updateTrace.Enqueue($"Mocking update with file: '{archiveFile}' and targetVersion: '{targetVersion}', nothing is downloaded");
                         _terminal.WriteLine($"Mocking update with file: '{archiveFile}' and targetVersion: '{targetVersion}', nothing is downloaded");
                     }
-                    else 
+                    else
                     {
                         archiveFile = null;
                         _terminal.WriteLine($"Mock runner archive not found at {archiveFile} for target version {targetVersion}, proceeding with download instead");

src/Runner.PluginHost/Program.cs

@@ -1,13 +1,10 @@
-using System;
-using System.Collections.Generic;
+using System;
 using System.Globalization;
 using System.IO;
-using System.Linq;
 using System.Reflection;
 using System.Runtime.Loader;
 using System.Text;
 using System.Threading;
-using System.Threading.Tasks;
 using GitHub.Runner.Sdk;
 using GitHub.DistributedTask.WebApi;
 

src/Runner.PluginHost/Runner.PluginHost.csproj

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <OutputType>Exe</OutputType>
-    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64;osx-arm64</RuntimeIdentifiers>
+    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64;osx-arm64;win-arm64</RuntimeIdentifiers>
     <TargetLatestRuntimePatch>true</TargetLatestRuntimePatch>
     <NoWarn>NU1701;NU1603</NoWarn>
     <Version>$(Version)</Version>

src/Runner.Plugins/Artifact/PipelinesServer.cs

@@ -1,5 +1,3 @@
-using System;
-using System.IO;
 using System.Threading;
 using System.Threading.Tasks;
 using GitHub.Actions.Pipelines.WebApi;

src/Runner.Plugins/Repository/GitCliManager.cs

@@ -1,6 +1,5 @@
 using System;
 using System.Collections.Generic;
-using System.Diagnostics;
 using System.Linq;
 using System.Text;
 using System.Text.RegularExpressions;
@@ -9,7 +8,6 @@ using System.Threading.Tasks;
 using System.IO;
 using GitHub.Runner.Sdk;
 using GitHub.Services.Common;
-using GitHub.DistributedTask.Pipelines.ContextData;
 
 namespace GitHub.Runner.Plugins.Repository
 {

src/Runner.Plugins/Repository/v1.0/GitSourceProvider.cs

@@ -6,11 +6,9 @@ using System.Threading.Tasks;
 using System.IO;
 using System.Text.RegularExpressions;
 using System.Text;
-using System.Diagnostics;
 using GitHub.Runner.Sdk;
 using System.Linq;
 using GitHub.DistributedTask.WebApi;
-using GitHub.Services.WebApi;
 
 namespace GitHub.Runner.Plugins.Repository.v1_0
 {

src/Runner.Plugins/Repository/v1.0/RepositoryPlugin.cs

@@ -1,12 +1,9 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
+using System;
 using System.Threading;
 using System.Threading.Tasks;
 using GitHub.Runner.Sdk;
 using Pipelines = GitHub.DistributedTask.Pipelines;
 using System.IO;
-using GitHub.DistributedTask.Pipelines.ContextData;
 using System.Text.RegularExpressions;
 using GitHub.DistributedTask.Pipelines.Expressions;
 using System.Text;

src/Runner.Plugins/Repository/v1.1/GitSourceProvider.cs

@@ -4,9 +4,7 @@ using System.Collections.Generic;
 using System.Threading;
 using System.Threading.Tasks;
 using System.IO;
-using System.Text.RegularExpressions;
 using System.Text;
-using System.Diagnostics;
 using GitHub.Runner.Sdk;
 using System.Linq;
 using GitHub.DistributedTask.WebApi;

src/Runner.Plugins/Repository/v1.1/RepositoryPlugin.cs

@@ -1,13 +1,9 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
+using System;
 using System.Threading;
 using System.Threading.Tasks;
 using GitHub.Runner.Sdk;
 using Pipelines = GitHub.DistributedTask.Pipelines;
 using System.IO;
-using GitHub.DistributedTask.Pipelines.ContextData;
-using System.Text.RegularExpressions;
 using GitHub.DistributedTask.Pipelines.Expressions;
 using System.Text;
 

src/Runner.Plugins/Runner.Plugins.csproj

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <OutputType>Library</OutputType>
-    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64;osx-arm64</RuntimeIdentifiers>
+    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64;osx-arm64;win-arm64</RuntimeIdentifiers>
     <TargetLatestRuntimePatch>true</TargetLatestRuntimePatch>
     <NoWarn>NU1701;NU1603</NoWarn>
     <Version>$(Version)</Version>

src/Runner.Sdk/ActionPlugin.cs

@@ -1,7 +1,6 @@
-using System;
+using System;
 using System.Collections.Generic;
 using System.Linq;
-using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Runtime.InteropServices;
 using System.Threading;
@@ -11,7 +10,6 @@ using GitHub.DistributedTask.WebApi;
 using GitHub.Services.Common;
 using GitHub.Services.WebApi;
 using Newtonsoft.Json;
-using Pipelines = GitHub.DistributedTask.Pipelines;
 
 namespace GitHub.Runner.Sdk
 {

src/Runner.Sdk/Runner.Sdk.csproj

@@ -3,12 +3,12 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <OutputType>Library</OutputType>
-    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64;osx-arm64</RuntimeIdentifiers>
+    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64;osx-arm64;win-arm64</RuntimeIdentifiers>
     <TargetLatestRuntimePatch>true</TargetLatestRuntimePatch>
     <NoWarn>NU1701;NU1603</NoWarn>
     <Version>$(Version)</Version>
   </PropertyGroup>
-  
+
   <ItemGroup>
     <ProjectReference Include="..\Sdk\Sdk.csproj" />
   </ItemGroup>

src/Runner.Sdk/Util/IOUtil.cs

@@ -3,7 +3,6 @@ using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
-using System.Reflection;
 using System.Security.Cryptography;
 using System.Text;
 using System.Threading;
@@ -424,6 +423,12 @@ namespace GitHub.Runner.Sdk
             throw new NotSupportedException($"Unable to validate execute permissions for directory '{directory}'. Exceeded maximum iterations.");
         }
 
+        public static void CreateEmptyFile(string path)
+        {
+            Directory.CreateDirectory(Path.GetDirectoryName(path));
+            File.WriteAllText(path, null);
+        }
+
         /// <summary>
         /// Recursively enumerates a directory without following directory reparse points.
         /// </summary>

src/Runner.Sdk/Util/PathUtil.cs

@@ -1,4 +1,3 @@
-using System;
 using System.IO;
 
 namespace GitHub.Runner.Sdk

src/Runner.Sdk/Util/StringUtil.cs

@@ -1,11 +1,7 @@
-using GitHub.Services.WebApi;
+using GitHub.Services.WebApi;
 using Newtonsoft.Json;
-using Newtonsoft.Json.Linq;
 using System;
-using System.Collections.Generic;
 using System.Globalization;
-using System.IO;
-using System.Reflection;
 using System.Text;
 
 namespace GitHub.Runner.Sdk

src/Runner.Sdk/Util/VssUtil.cs

@@ -57,6 +57,10 @@ namespace GitHub.Runner.Sdk
                 settings.SendTimeout = TimeSpan.FromSeconds(Math.Min(Math.Max(httpRequestTimeoutSeconds, 100), 1200));
             }
 
+            if (StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable("USE_BROKER_FLOW")))
+            {
+                settings.AllowAutoRedirect = true;
+            }
 
             // Remove Invariant from the list of accepted languages.
             //

src/Runner.Sdk/Util/WhichUtil.cs

@@ -1,7 +1,6 @@
 using System;
 using System.IO;
 using System.Linq;
-using GitHub.Runner.Sdk;
 
 namespace GitHub.Runner.Sdk
 {

src/Runner.Service/Windows/App.config

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <configuration>
-    <startup> 
+    <startup>
         <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
     </startup>
-</configuration>
+</configuration>

src/Runner.Service/Windows/AppARM.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+    <startup>
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
+    </startup>
+</configuration>

src/Runner.Service/Windows/RunnerService.csproj

@@ -11,10 +11,15 @@
     <AssemblyName>RunnerService</AssemblyName>
     <SignAssembly>false</SignAssembly>
     <DelaySign>false</DelaySign>
-    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
     <FileAlignment>512</FileAlignment>
     <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
   </PropertyGroup>
+  <PropertyGroup Condition=" '$(PackageRuntime)' == 'win-arm64' ">
+      <TargetFrameworkVersion>v4.8</TargetFrameworkVersion>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(PackageRuntime)' != 'win-arm64' ">
+      <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+  </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
     <PlatformTarget>AnyCPU</PlatformTarget>
     <DebugSymbols>true</DebugSymbols>
@@ -61,7 +66,10 @@
       <DependentUpon>Resource.resx</DependentUpon>
     </Compile>
   </ItemGroup>
-  <ItemGroup>
+  <ItemGroup Condition=" '$(Platform)' == 'ARM' ">
+    <None Include="AppARM.config" />
+  </ItemGroup>
+  <ItemGroup Condition=" '$(Platform)' != 'ARM' ">
     <None Include="App.config" />
   </ItemGroup>
   <ItemGroup>
@@ -71,7 +79,7 @@
     </EmbeddedResource>
   </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
-  <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
+  <!-- To modify your build process, add your task inside one of the targets below and uncomment it.
        Other similar extension points exist, see Microsoft.Common.targets.
   <Target Name="BeforeBuild">
   </Target>

src/Runner.Worker/ActionCommandManager.cs

@@ -307,6 +307,17 @@ namespace GitHub.Runner.Worker
 
         public void ProcessCommand(IExecutionContext context, string line, ActionCommand command, ContainerInfo container)
         {
+            if (context.Global.Variables.GetBoolean("DistributedTask.DeprecateStepOutputCommands") ?? false)
+            {
+                var issue = new Issue()
+                {
+                    Type = IssueType.Warning,
+                    Message = String.Format(Constants.Runner.UnsupportedCommandMessage, this.Command)
+                };
+                issue.Data[Constants.Runner.InternalTelemetryIssueDataKey] = Constants.Runner.UnsupportedCommand;
+                context.AddIssue(issue);
+            }
+
             if (!command.Properties.TryGetValue(SetOutputCommandProperties.Name, out string outputName) || string.IsNullOrEmpty(outputName))
             {
                 throw new Exception("Required field 'name' is missing in ##[set-output] command.");
@@ -331,6 +342,17 @@ namespace GitHub.Runner.Worker
 
         public void ProcessCommand(IExecutionContext context, string line, ActionCommand command, ContainerInfo container)
         {
+            if (context.Global.Variables.GetBoolean("DistributedTask.DeprecateStepOutputCommands") ?? false)
+            {
+                var issue = new Issue()
+                {
+                    Type = IssueType.Warning,
+                    Message = String.Format(Constants.Runner.UnsupportedCommandMessage, this.Command)
+                };
+                issue.Data[Constants.Runner.InternalTelemetryIssueDataKey] = Constants.Runner.UnsupportedCommand;
+                context.AddIssue(issue);
+            }
+
             if (!command.Properties.TryGetValue(SaveStateCommandProperties.Name, out string stateName) || string.IsNullOrEmpty(stateName))
             {
                 throw new Exception("Required field 'name' is missing in ##[save-state] command.");
@@ -585,6 +607,8 @@ namespace GitHub.Runner.Worker
 
         public void ProcessCommand(IExecutionContext context, string inputLine, ActionCommand command, ContainerInfo container)
         {
+            ValidateLinesAndColumns(command, context);
+
             command.Properties.TryGetValue(IssueCommandProperties.File, out string file);
             command.Properties.TryGetValue(IssueCommandProperties.Line, out string line);
             command.Properties.TryGetValue(IssueCommandProperties.Column, out string column);

src/Runner.Worker/ActionManager.cs

@@ -101,38 +101,41 @@ namespace GitHub.Runner.Worker
             IEnumerable<Pipelines.ActionStep> actions = steps.OfType<Pipelines.ActionStep>();
             executionContext.Output("Prepare all required actions");
             var result = await PrepareActionsRecursiveAsync(executionContext, state, actions, depth, rootStepId);
-            if (state.ImagesToPull.Count > 0)
+            if (!FeatureManager.IsContainerHooksEnabled(executionContext.Global.Variables))
             {
-                foreach (var imageToPull in result.ImagesToPull)
+                if (state.ImagesToPull.Count > 0)
                 {
-                    Trace.Info($"{imageToPull.Value.Count} steps need to pull image '{imageToPull.Key}'");
-                    containerSetupSteps.Add(new JobExtensionRunner(runAsync: this.PullActionContainerAsync,
-                                                                   condition: $"{PipelineTemplateConstants.Success}()",
-                                                                   displayName: $"Pull {imageToPull.Key}",
-                                                                   data: new ContainerSetupInfo(imageToPull.Value, imageToPull.Key)));
+                    foreach (var imageToPull in result.ImagesToPull)
+                    {
+                        Trace.Info($"{imageToPull.Value.Count} steps need to pull image '{imageToPull.Key}'");
+                        containerSetupSteps.Add(new JobExtensionRunner(runAsync: this.PullActionContainerAsync,
+                                                                    condition: $"{PipelineTemplateConstants.Success}()",
+                                                                    displayName: $"Pull {imageToPull.Key}",
+                                                                    data: new ContainerSetupInfo(imageToPull.Value, imageToPull.Key)));
+                    }
                 }
-            }
 
-            if (result.ImagesToBuild.Count > 0)
-            {
-                foreach (var imageToBuild in result.ImagesToBuild)
+                if (result.ImagesToBuild.Count > 0)
                 {
-                    var setupInfo = result.ImagesToBuildInfo[imageToBuild.Key];
-                    Trace.Info($"{imageToBuild.Value.Count} steps need to build image from '{setupInfo.Dockerfile}'");
-                    containerSetupSteps.Add(new JobExtensionRunner(runAsync: this.BuildActionContainerAsync,
-                                                                   condition: $"{PipelineTemplateConstants.Success}()",
-                                                                   displayName: $"Build {setupInfo.ActionRepository}",
-                                                                   data: new ContainerSetupInfo(imageToBuild.Value, setupInfo.Dockerfile, setupInfo.WorkingDirectory)));
+                    foreach (var imageToBuild in result.ImagesToBuild)
+                    {
+                        var setupInfo = result.ImagesToBuildInfo[imageToBuild.Key];
+                        Trace.Info($"{imageToBuild.Value.Count} steps need to build image from '{setupInfo.Dockerfile}'");
+                        containerSetupSteps.Add(new JobExtensionRunner(runAsync: this.BuildActionContainerAsync,
+                                                                    condition: $"{PipelineTemplateConstants.Success}()",
+                                                                    displayName: $"Build {setupInfo.ActionRepository}",
+                                                                    data: new ContainerSetupInfo(imageToBuild.Value, setupInfo.Dockerfile, setupInfo.WorkingDirectory)));
+                    }
                 }
-            }
 
 #if !OS_LINUX
-            if (containerSetupSteps.Count > 0)
-            {
-                executionContext.Output("Container action is only supported on Linux, skip pull and build docker images.");
-                containerSetupSteps.Clear();
-            }
+                if (containerSetupSteps.Count > 0)
+                {
+                    executionContext.Output("Container action is only supported on Linux, skip pull and build docker images.");
+                    containerSetupSteps.Clear();
+                }
 #endif
+            }
             return new PrepareResult(containerSetupSteps, result.PreStepTracker);
         }
 

src/Runner.Worker/ActionManifestManager.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Threading;
@@ -10,9 +10,6 @@ using GitHub.DistributedTask.ObjectTemplating.Schema;
 using GitHub.DistributedTask.ObjectTemplating;
 using GitHub.DistributedTask.ObjectTemplating.Tokens;
 using GitHub.DistributedTask.Pipelines.ContextData;
-using YamlDotNet.Core;
-using YamlDotNet.Core.Events;
-using System.Globalization;
 using System.Linq;
 using Pipelines = GitHub.DistributedTask.Pipelines;
 
@@ -503,7 +500,7 @@ namespace GitHub.Runner.Worker
                 };
             }
 
-            throw new NotSupportedException(nameof(ConvertRuns));
+            throw new NotSupportedException("Missing 'using' value. 'using' requires 'composite', 'docker', 'node12' or 'node16'.");
         }
 
         private void ConvertInputs(

src/Runner.Worker/ActionRunner.cs

@@ -1,6 +1,5 @@
-using System;
+using System;
 using System.Collections.Generic;
-using System.Linq;
 using System.Threading.Tasks;
 using GitHub.DistributedTask.ObjectTemplating;
 using GitHub.DistributedTask.ObjectTemplating.Tokens;
@@ -158,8 +157,12 @@ namespace GitHub.Runner.Worker
             // Setup container stephost for running inside the container.
             if (ExecutionContext.Global.Container != null)
             {
-                // Make sure required container is already created.
-                ArgUtil.NotNullOrEmpty(ExecutionContext.Global.Container.ContainerId, nameof(ExecutionContext.Global.Container.ContainerId));
+                // Make sure the required container is already created
+                // Container hooks do not necessarily set 'ContainerId'
+                if (!FeatureManager.IsContainerHooksEnabled(ExecutionContext.Global.Variables))
+                {
+                    ArgUtil.NotNullOrEmpty(ExecutionContext.Global.Container.ContainerId, nameof(ExecutionContext.Global.Container.ContainerId));
+                }
                 var containerStepHost = HostContext.CreateService<IContainerStepHost>();
                 containerStepHost.Container = ExecutionContext.Global.Container;
                 stepHost = containerStepHost;

src/Runner.Worker/ConditionTraceWriter.cs

@@ -1,6 +1,5 @@
 using System;
 using System.Text;
-using GitHub.DistributedTask.Pipelines;
 using GitHub.Runner.Common;
 using GitHub.Runner.Sdk;
 using ObjectTemplating = GitHub.DistributedTask.ObjectTemplating;

src/Runner.Worker/Container/ContainerHooks/ContainerHookManager.cs

@@ -0,0 +1,279 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Threading.Tasks;
+using GitHub.DistributedTask.Pipelines.ContextData;
+using GitHub.DistributedTask.WebApi;
+using GitHub.Runner.Common;
+using GitHub.Runner.Common.Util;
+using GitHub.Runner.Sdk;
+using GitHub.Runner.Worker.Handlers;
+using GitHub.Services.WebApi;
+using Newtonsoft.Json.Linq;
+
+namespace GitHub.Runner.Worker.Container.ContainerHooks
+{
+    [ServiceLocator(Default = typeof(ContainerHookManager))]
+    public interface IContainerHookManager : IRunnerService
+    {
+        Task PrepareJobAsync(IExecutionContext context, List<ContainerInfo> containers);
+        Task RunContainerStepAsync(IExecutionContext context, ContainerInfo container, string dockerFile);
+        Task RunScriptStepAsync(IExecutionContext context, ContainerInfo container, string workingDirectory, string fileName, string arguments, IDictionary<string, string> environment, string prependPath);
+        Task CleanupJobAsync(IExecutionContext context, List<ContainerInfo> containers);
+        string GetContainerHookData();
+    }
+
+    public class ContainerHookManager : RunnerService, IContainerHookManager
+    {
+        private const string ResponseFolderName = "_runner_hook_responses";
+        private string HookScriptPath;
+
+        public override void Initialize(IHostContext hostContext)
+        {
+            base.Initialize(hostContext);
+            HookScriptPath = $"{Environment.GetEnvironmentVariable(Constants.Hooks.ContainerHooksPath)}";
+        }
+
+        public async Task PrepareJobAsync(IExecutionContext context, List<ContainerInfo> containers)
+        {
+            Trace.Entering();
+            var jobContainer = containers.Where(c => c.IsJobContainer).SingleOrDefault();
+            var serviceContainers = containers.Where(c => !c.IsJobContainer).ToList();
+
+            var input = new HookInput
+            {
+                Command = HookCommand.PrepareJob,
+                ResponseFile = GenerateResponsePath(),
+                Args = new PrepareJobArgs
+                {
+                    Container = jobContainer?.GetHookContainer(),
+                    Services = serviceContainers.Select(c => c.GetHookContainer()).ToList(),
+                }
+            };
+
+            var prependPath = GetPrependPath(context);
+            var response = await ExecuteHookScript<PrepareJobResponse>(context, input, ActionRunStage.Pre, prependPath);
+            if (jobContainer != null)
+            {
+                jobContainer.IsAlpine = response.IsAlpine.Value;
+            }
+            SaveHookState(context, response.State, input);
+            UpdateJobContext(context, jobContainer, serviceContainers, response);
+        }
+
+        public async Task RunContainerStepAsync(IExecutionContext context, ContainerInfo container, string dockerFile)
+        {
+            Trace.Entering();
+            var hookState = context.Global.ContainerHookState;
+            var containerStepArgs = new ContainerStepArgs(container);
+            if (!string.IsNullOrEmpty(dockerFile))
+            {
+                containerStepArgs.Dockerfile = dockerFile;
+                containerStepArgs.Image = null;
+            }
+            var input = new HookInput
+            {
+                Args = containerStepArgs,
+                Command = HookCommand.RunContainerStep,
+                ResponseFile = GenerateResponsePath(),
+                State = hookState
+            };
+
+            var prependPath = GetPrependPath(context);
+            var response = await ExecuteHookScript<HookResponse>(context, input, ActionRunStage.Pre, prependPath);
+            if (response == null)
+            {
+                return;
+            }
+            SaveHookState(context, response.State, input);
+        }
+
+        public async Task RunScriptStepAsync(IExecutionContext context, ContainerInfo container, string workingDirectory, string entryPoint, string entryPointArgs, IDictionary<string, string> environmentVariables, string prependPath)
+        {
+            Trace.Entering();
+            var input = new HookInput
+            {
+                Command = HookCommand.RunScriptStep,
+                ResponseFile = GenerateResponsePath(),
+                Args = new ScriptStepArgs
+                {
+                    EntryPointArgs = entryPointArgs.Split(' ').Select(arg => arg.Trim()),
+                    EntryPoint = entryPoint,
+                    EnvironmentVariables = environmentVariables,
+                    PrependPath = context.Global.PrependPath.Reverse<string>(),
+                    WorkingDirectory = workingDirectory,
+                },
+                State = context.Global.ContainerHookState
+            };
+
+            var response = await ExecuteHookScript<HookResponse>(context, input, ActionRunStage.Pre, prependPath);
+
+            if (response == null)
+            {
+                return;
+            }
+            SaveHookState(context, response.State, input);
+        }
+
+        public async Task CleanupJobAsync(IExecutionContext context, List<ContainerInfo> containers)
+        {
+            Trace.Entering();
+            var input = new HookInput
+            {
+                Command = HookCommand.CleanupJob,
+                ResponseFile = GenerateResponsePath(),
+                Args = new CleanupJobArgs(),
+                State = context.Global.ContainerHookState
+            };
+            var prependPath = GetPrependPath(context);
+            await ExecuteHookScript<HookResponse>(context, input, ActionRunStage.Pre, prependPath);
+        }
+
+        public string GetContainerHookData()
+        {
+            return JsonUtility.ToString(new { HookScriptPath });
+        }
+
+        private async Task<T> ExecuteHookScript<T>(IExecutionContext context, HookInput input, ActionRunStage stage, string prependPath) where T : HookResponse
+        {
+            try
+            {
+                ValidateHookExecutable();
+                context.StepTelemetry.ContainerHookData = GetContainerHookData();
+                var scriptDirectory = Path.GetDirectoryName(HookScriptPath);
+                var stepHost = HostContext.CreateService<IDefaultStepHost>();
+
+                Dictionary<string, string> inputs = new()
+                {
+                    ["standardInInput"] = JsonUtility.ToString(input),
+                    ["path"] = HookScriptPath,
+                    ["shell"] = HostContext.GetDefaultShellForScript(HookScriptPath, prependPath)
+                };
+                var handlerFactory = HostContext.GetService<IHandlerFactory>();
+                var handler = handlerFactory.Create(
+                                context,
+                                null,
+                                stepHost,
+                                new ScriptActionExecutionData(),
+                                inputs,
+                                environment: new Dictionary<string, string>(VarUtil.EnvironmentVariableKeyComparer),
+                                context.Global.Variables,
+                                actionDirectory: scriptDirectory,
+                                localActionContainerSetupSteps: null) as ScriptHandler;
+                handler.PrepareExecution(stage);
+
+                IOUtil.CreateEmptyFile(input.ResponseFile);
+                await handler.RunAsync(stage);
+                if (handler.ExecutionContext.Result == TaskResult.Failed)
+                {
+                    throw new Exception($"The hook script at '{HookScriptPath}' running command '{input.Command}' did not execute successfully");
+                }
+                var response = GetResponse<T>(input);
+                return response;
+            }
+            catch (Exception ex)
+            {
+                throw new Exception($"Executing the custom container implementation failed. Please contact your self hosted runner administrator.", ex);
+            }
+        }
+
+        private string GenerateResponsePath() => Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Temp), ResponseFolderName, $"{Guid.NewGuid()}.json");
+
+        private static string GetPrependPath(IExecutionContext context) => string.Join(Path.PathSeparator.ToString(), context.Global.PrependPath.Reverse<string>());
+
+        private void ValidateHookExecutable()
+        {
+            if (!string.IsNullOrEmpty(HookScriptPath) && !File.Exists(HookScriptPath))
+            {
+                throw new FileNotFoundException($"File not found at '{HookScriptPath}'. Set {Constants.Hooks.ContainerHooksPath} to the path of an existing file.");
+            }
+
+            var supportedHookExtensions = new string[] { ".js", ".sh", ".ps1" };
+            if (!supportedHookExtensions.Any(extension => HookScriptPath.EndsWith(extension)))
+            {
+                throw new ArgumentOutOfRangeException($"Invalid file extension at '{HookScriptPath}'. {Constants.Hooks.ContainerHooksPath} must be a path to a file with one of the following extensions: {string.Join(", ", supportedHookExtensions)}");
+            }
+        }
+
+        private T GetResponse<T>(HookInput input) where T : HookResponse
+        {
+            if (!File.Exists(input.ResponseFile))
+            {
+                Trace.Info($"Response file for the hook script at '{HookScriptPath}' running command '{input.Command}' not found.");
+                if (input.Args.IsRequireAlpineInResponse())
+                {
+                    throw new Exception($"Response file is required but not found for the hook script at '{HookScriptPath}' running command '{input.Command}'");
+                }
+                return null;
+            }
+
+            T response = IOUtil.LoadObject<T>(input.ResponseFile);
+            Trace.Info($"Response file for the hook script at '{HookScriptPath}' running command '{input.Command}' was processed successfully");
+            IOUtil.DeleteFile(input.ResponseFile);
+            Trace.Info($"Response file for the hook script at '{HookScriptPath}' running command '{input.Command}' was deleted successfully");
+            if (response == null && input.Args.IsRequireAlpineInResponse())
+            {
+                throw new Exception($"Response file could not be read at '{HookScriptPath}' running command '{input.Command}'");
+            }
+            response?.Validate(input);
+            return response;
+        }
+
+        private void SaveHookState(IExecutionContext context, JObject hookState, HookInput input)
+        {
+            if (hookState == null)
+            {
+                Trace.Info($"No 'state' property found in response file for '{input.Command}'. Global variable for 'ContainerHookState' will not be updated.");
+                return;
+            }
+            context.Global.ContainerHookState = hookState;
+            Trace.Info($"Global variable 'ContainerHookState' updated successfully for '{input.Command}' with data found in 'state' property of the response file.");
+        }
+
+        private void UpdateJobContext(IExecutionContext context, ContainerInfo jobContainer, List<ContainerInfo> serviceContainers, PrepareJobResponse response)
+        {
+            if (response.Context == null)
+            {
+                Trace.Info($"The response file does not contain a context. The fields 'jobContext.Container' and 'jobContext.Services' will not be set.");
+                return;
+            }
+
+            var containerId = response.Context.Container?.Id;
+            if (containerId != null)
+            {
+                context.JobContext.Container["id"] = new StringContextData(containerId);
+                jobContainer.ContainerId = containerId;
+            }
+
+            var containerNetwork = response.Context.Container?.Network;
+            if (containerNetwork != null)
+            {
+                context.JobContext.Container["network"] = new StringContextData(containerNetwork);
+                jobContainer.ContainerNetwork = containerNetwork;
+            }
+
+            for (var i = 0; i < response.Context.Services.Count; i++)
+            {
+                var responseContainerInfo = response.Context.Services[i];
+                var globalContainerInfo = serviceContainers[i];
+                globalContainerInfo.ContainerId = responseContainerInfo.Id;
+                globalContainerInfo.ContainerNetwork = responseContainerInfo.Network;
+
+                var service = new DictionaryContextData()
+                {
+                    ["id"] = new StringContextData(responseContainerInfo.Id),
+                    ["ports"] = new DictionaryContextData(),
+                    ["network"] = new StringContextData(responseContainerInfo.Network)
+                };
+
+                globalContainerInfo.AddPortMappings(responseContainerInfo.Ports);
+                foreach (var portMapping in responseContainerInfo.Ports)
+                {
+                    (service["ports"] as DictionaryContextData)[portMapping.Key] = new StringContextData(portMapping.Value);
+                }
+                context.JobContext.Services[globalContainerInfo.ContainerNetworkAlias] = service;
+            }
+        }
+    }
+}