c

GitHub release assets download link returns 302 to storage.

.github/workflows/build.yml

@@ -43,6 +43,14 @@ jobs:
     steps:
     - uses: actions/checkout@v1
 
+    # Set Path workaround for https://github.com/actions/virtual-environments/issues/263
+    - run: |
+        echo "::add-path::C:\Program Files\Git\mingw64\bin"
+        echo "::add-path::C:\Program Files\Git\usr\bin"
+        echo "::add-path::C:\Program Files\Git\bin"
+      if: matrix.os == 'windows-latest'
+      name: "Temp step to Set Path for Windows"
+
     # Build runner layout
     - name: Build & Layout Release
       run: |

.gitignore

@@ -2,6 +2,7 @@
 **/bin
 **/obj
 **/libs
+**/lib
 
 # editors
 **/*.xproj

docs/adrs/0263-proxy-support.md

@@ -1,4 +1,5 @@
 # ADR 263: Self Hosted Runner Proxies
+
 **Date**: 2019-11-13
 
 **Status**: Accepted
@@ -9,8 +10,7 @@
 - While there is not a standard convention, many applications support setting proxies via the environmental variables `http_proxy`, `https_proxy`, `no_proxy`, such as curl, wget, perl, python, docker, git, R, ect
   - Some of these applications use `HTTPS_PROXY` versus `https_proxy`, but most understand or primarily support the lowercase variant
 
-
-## Decisions
+## Decision
 
 We will update the Runner to use the conventional environment variables for proxies: `http_proxy`, `https_proxy` and `no_proxy` if they are set.
 These are described in detail below:

docs/adrs/0276-problem-matchers.md

@@ -0,0 +1,263 @@
+# ADR 0276: Problem Matchers
+
+**Date** 2019-06-05
+
+**Status** Accepted
+
+## Context
+
+Compilation failures during a CI build should surface good error messages.
+
+For example, the actual compile errors from the typescript compiler should bubble as issues in the UI. And not simply "tsc exited with exit code 1".
+
+VSCode has an extensible model for solving this type of problem. VSCode allows users to configure which problems matchers to use, when scanning output. For example, a user can apply the `tsc` problem matcher to receive a rich error output experience in VSCode, when compiling their typescript project.
+
+The problem-matcher concept fits well with "setup" actions. For example, the `setup-nodejs` action will download node.js, add it to the PATH, and register the `tsc` problem matcher. For the duration of the job, the `tsc` problem matcher will be applied against the output.
+
+## Decision
+
+### Registration
+
+#### Using `##` command
+
+`##[add-matcher]path-to-problem-matcher-config.json`
+
+Using a `##` command allows for flexibility:
+- Ad hoc scripts can register problem matchers
+- Allows problem matchers to be conditionally registered
+
+Note, if a matcher with the same name is registered a second time, it will clobber the first instance.
+
+#### Unregister using `##` command
+
+A way out for rare cases where scoping is a problem.
+
+`##[remove-matcher]owner`
+
+For the this to be usable, the `owner` needs to be discoverable. Therefore, debug print the owner on registration.
+
+### Single line matcher
+
+Consider the output:
+
+```
+[...]
+
+Build FAILED.
+
+"C:\temp\problemmatcher\myproject\ConsoleApp1\ConsoleApp1.sln" (default target) (1) ->
+"C:\temp\problemmatcher\myproject\ConsoleApp1\ConsoleApp1\ConsoleApp1.csproj" (default target) (2) ->
+"C:\temp\problemmatcher\myproject\ConsoleApp1\ClassLibrary1\ClassLibrary1.csproj" (default target) (3) ->
+(CoreCompile target) -> 
+  Class1.cs(16,24): warning CS0612: 'ClassLibrary1.Helpers.MyHelper.Name' is obsolete [C:\temp\problemmatcher\myproject\ConsoleApp1\ClassLibrary1\ClassLibrary1.csproj]
+
+
+"C:\temp\problemmatcher\myproject\ConsoleApp1\ConsoleApp1.sln" (default target) (1) ->
+"C:\temp\problemmatcher\myproject\ConsoleApp1\ConsoleApp1\ConsoleApp1.csproj" (default target) (2) ->
+"C:\temp\problemmatcher\myproject\ConsoleApp1\ClassLibrary1\ClassLibrary1.csproj" (default target) (3) ->
+(CoreCompile target) -> 
+  Helpers\MyHelper.cs(16,30): error CS1002: ; expected [C:\temp\problemmatcher\myproject\ConsoleApp1\ClassLibrary1\ClassLibrary1.csproj]
+
+    1 Warning(s)
+    1 Error(s)
+```
+
+The below match configuration uses a regular expression to discover problem lines. And the match groups are mapped into issue-properties.
+
+```json
+"owner": "msbuild",
+"pattern": [
+  {
+    "regexp": "^\\s*([^:]+)\\((\\d+),(\\d+)\\): (error|warning) ([^:]+): (.*) \\[(.+)\\]$",
+    "file": 1,
+    "line": 2,
+    "column": 3,
+    "severity": 4,
+    "code": 5,
+    "message": 6,
+    "fromPath": 7
+  }
+]
+```
+
+The above output and match configuration produces the following matches:
+
+```
+line:     Class1.cs(16,24): warning CS0612: 'ClassLibrary1.Helpers.MyHelper.Name' is obsolete [C:\myrepo\myproject\ConsoleApp1\ClassLibrary1\ClassLibrary1.csproj]
+file:     Class1.cs
+line:     16
+column:   24
+severity: warning
+code:     CS0612
+message:  'ClassLibrary1.Helpers.MyHelper.Name' is obsolete
+fromPath: C:\myrepo\myproject\ConsoleApp1\ClassLibrary1\ClassLibrary1.csproj
+```
+
+```
+line:     Helpers\MyHelper.cs(16,30): error CS1002: ; expected [C:\myrepo\myproject\ConsoleApp1\ClassLibrary1\ClassLibrary1.csproj]
+file:     Helpers\MyHelper.cs
+line:     16
+column:   30
+severity: error
+code:     CS1002
+message:  ; expected
+fromPath: C:\myrepo\myproject\ConsoleApp1\ClassLibrary1\ClassLibrary1.csproj
+```
+
+Additionally the line will appear red in the web UI (prefix with `##[error]`).
+
+Note, an error does not imply task failure. Exit codes communicate failure.
+
+Note, strip color codes when evaluating regular expressions.
+
+### Multi-line matcher
+
+Consider the below output from ESLint in stylish mode. The file name is printed once, yet multiple error lines are printed.
+
+```
+test.js
+  1:0   error  Missing "use strict" statement                 strict
+  5:10  error  'addOne' is defined but never used             no-unused-vars
+✖ 2 problems (2 errors, 0 warnings)
+```
+
+The below match configuration uses multiple regular expressions, for the multiple lines.
+
+And the last pattern of a multiline matcher can specify the `loop` property. This allows multiple errors to be discovered.
+
+```json
+"owner": "eslint-stylish",
+"pattern": [
+  {
+    "regexp": "^([^\\s].*)$",
+    "file": 1
+  },
+  {
+    "regexp": "^\\s+(\\d+):(\\d+)\\s+(error|warning|info)\\s+(.*)\\s\\s+(.*)$",
+    "line": 1,
+    "column": 2,
+    "severity": 3,
+    "message": 4,
+    "code": 5,
+    "loop": true
+  }
+]
+```
+
+The above output and match configuration produces two matches:
+
+```
+line:     1:0   error  Missing "use strict" statement                 strict
+file:     test.js
+line:     1
+column:   0
+severity: error
+message:  Missing "use strict" statement
+code:     strict
+```
+
+```
+line:     5:10  error  'addOne' is defined but never used             no-unused-vars
+file:     test.js
+line:     5
+column:   10
+severity: error
+message:  'addOne' is defined but never used
+code:     no-unused-vars
+```
+
+Note, in the above example only the error line will appear red in the web UI. The \"file\" line will not appear red.
+
+### Other details
+
+#### Configuration `owner`
+
+Can be used to stomp over or remove.
+
+#### Rooting the file
+
+The goal of the file information is to provide a hyperlink in the UI.
+
+Solving this problem means:
+- Rooting the file when unrooted:
+  - Use the `fromPath` if specified (assume file path)
+  - Use the `github.workspace` (where the repo is cloned on disk)
+- Match against a repository to determine the relative path within the repo
+
+This is a place where we diverge from VSCode. VSCode task configuration are specific to the local workspace (workspace root is known or can be specified). We're solving a more generic problem, so we need more information - specifically the `fromPath` property - in order to accurately root the path.
+
+In order to avoid creating inaccurate hyperlinks on the error issues, the agent will verify the file exists and is in the main repository. Otherwise omit the file property from the error issue and debug trace what happened.
+
+#### Supported severity levels
+
+Ordinal ignore case:
+
+- `warning`
+- `error`
+
+Coalesce empty with \"error\". For any other values, omit logging an issue and debug trace what happened.
+
+#### Default severity level
+
+Problem matchers are unable to interpret severity strings other than `warning` and `error`. The `severity` match group expects `warning` or `error` (case insensitive).
+
+However some tools indicate error/warning in different ways. For example `flake8` uses codes like `E100`, `W200`, and `F300` (error, warning, fatal, respectively).
+
+Therefore, allow a property `severity`, sibling to `owner`, which identifies the default severity for the problem matcher. This allows two problem matchers are registered - one for warnings and one for errors.
+
+For example, given the following `flake8` output:
+
+```
+./bootcamp/settings.py:156:80: E501 line too long (94 > 79 characters)
+./bootcamp/settings.py:165:5: F403 'from local_settings import *' used; unable to detect undefined names
+```
+
+Two problem matchers can be used:
+
+```json
+{
+    "problemMatcher": [
+        {
+            "owner": "flake8",
+            "pattern": [
+                {
+                    "regexp": "^(.+):(\\d+):(\\d+): ([EF]\\d+) (.+)$",
+                    "file": 1,
+                    "line": 2,
+                    "column": 3,
+                    "code": 4,
+                    "message": 5
+                }
+            ]
+        },
+        {
+            "owner": "flake8-warnings",
+            "severity": "warning",
+            "pattern": [
+                {
+                    "regexp": "^(.+):(\\d+):(\\d+): (W\\d+) (.+)$",
+                    "file": 1,
+                    "line": 2,
+                    "column": 3,
+                    "code": 4,
+                    "message": 5
+                }
+            ]
+        }
+    ]
+}
+```
+
+#### Mitigate regular expression denial of service (ReDos)
+
+If a matcher exceeds a 1 second timeout when processing a line, retry up to two three times total.
+After three unsuccessful attempts, warn and eject the matcher. The matcher will not run again for the duration of the job.
+
+### Where we diverge from VSCode
+
+- We added the `fromPath` concept for rooting paths. This is done differently in VSCode, since a task is the scope (root path well known). For us, the job is the scope.
+- VSCode allows additional activation info background tasks that are always running (recompile on files changed). They allow regular expressions to define when the matcher scope begins and ends. This is an interesting concept that we could leverage to help solve our scoping problem.
+
+## Consequences
+
+- Setup actions should register problem matchers

docs/adrs/0277-run-action-shell-options.md

@@ -0,0 +1,93 @@
+# ADR 0277: Run action shell option
+
+**Date** 2019-07-09
+
+**Status** Accepted
+
+## Context
+run-actions run scripts using a platform specific shell:
+`bash -eo pipefail` on non-windows, and `cmd.exe /c /d /s` on windows
+
+The `shell` option overwrites this to allow different flags or completely different shells/interpreters
+
+A small example is:
+```yml
+jobs:
+  bash-job:
+    actions:
+    - run: echo "Hello"
+      shell: bash
+  python-job:
+    actions:
+    - run: print("Hello")
+      shell: python {0}
+```
+
+## Decision
+
+___
+
+### Shell option
+The keyword being used is `shell` 
+
+`shell` can be either:
+
+1. Builtins / Explicitly supported keywords. It is useful to support at least `cmd`, and `powershell` on Windows. Because `cmd my_cmd_script` and `powershell my_ps1_script` are not valid the same way many Linux/cross-platform interpreters are, e.g. `bash myscript` or `python myscript`. Those tools (and potentially others) also require the correct file extension to run, or must be run in a particular way to get the exit codes consistently, so we must have first class knowledge about them. We provide default templates for these keywords as follows:
+    - `cmd`: Default is: `%ComSpec% /D /E:ON /V:OFF /S /C "CALL "{0}""` where the script name is automatically appended with `.cmd` and substituted for `{0}`
+        - Note this is equivalent to the default Windows behavior if no shell option is given
+    - `pwsh`: Default is: `pwsh -command "& '{0}'"` where the script is automatically appended with `.ps1`
+    - `powershell`: Default is: `powershell -command "& '{0}'"` where the script is automatically appended with `.ps1`
+    - `bash`: Uses `bash --noprofile --norc -eo pipefail {0}`
+        - The default behavior on non-Windows if no shell is given is to attempt this first
+    - `sh`: Uses `sh -e {0}`
+        - This is the default behavior on non-Windows if no shell is given, AND `bash` (see above) was not located on the PATH
+    - `python`: `python {0}`
+    - **NOTE**: The exact command ran may vary by machine. We only provide default arguments and command format for the listed shell. While the above behavior is expected on hosted machines, private runners may vary. For example, `sh` (or other commands) may actually be a link to `/bin/dash`, `/bin/bash`, or other
+
+1. A template string: `command [...options] {0} [...more_options]`
+    - As above, the file name of the temporary script will be templated in. This gives users more control to have options at any location relative to the script path
+    - The first whitespace-delimited word of the string will be interpreted as the command
+    - e.g. `python {0} arg1 arg2` or similar can be used if passing args is needed. Some shells will require other options after the filename for various reasons
+
+Note that (1) simply provides defaults that are executed with the same mechanism as (2). That is:
+- A temporary script file is generated, and the path to that file is templated into the string at `{0}`
+- The first word of the formatted string is assumed to be a command, and we attempt to locate its full path
+- The fully qualified path to the command, plus the remaining arguments, is executed
+    - e.g. `shell: bash` expands to `/bin/bash --noprofile --norc -eo pipefail /runner/_layout/_work/_temp/f8d4fb2b-19d9-47e6-a786-4cc538d52761.sh` on my private runner
+
+At this time, **THE LIST OF WELL-KNOWN SHELL OPTIONS IS**:
+- cmd - Windows (hosted vs2017, vs2019) only
+- powershell - Windows (hosted vs2017, vs2019) only
+- sh - All hosted platforms
+- pwsh - All hosted platforms
+- bash - All hosted platforms
+- python - All hosted platforms. Can use setup-python to configure which python will be used
+___
+
+### Containers
+For container jobs, `shell` should just work the same as above, transparently. We will simply `exec` the command in the job container, passing the same arguments in
+
+___
+
+### Exit codes / Error action preference
+
+For builtin shells, we provide defaults that make the most sense for CI, running within Actions, and being executed by our runner
+
+bash/sh:
+- Fail-fast behavior using `set -e o pipefail` is the default for `bash` and `shell` builtins, and by default when no option is given on non-Windows platforms
+- Users can opt out of fail-fast and take full control easily by providing a template string to the shell options, eg: `bash {0}`.
+- sh-like shells exit with the exit code of the last command executed in a script, and is our default behavior. Thus the runner reports the status of the step as fail/succeed based on this exit code
+
+powershell/pwsh
+- Fail-fast behavior when possible. For `pwsh` and `powershell` builtins, we will prepend `$ErrorActionPreference = 'stop'` to script contents
+- We append `if ((Test-Path -LiteralPath variable:\LASTEXITCODE)) { exit $LASTEXITCODE }` to powershell scripts to get Action statuses to reflect the script's last exit code
+- Users can always opt out by not using the builtins, and providing a shell option like: `pwsh -File {0}`, or `powershell -Command "& '{0}'"`, depending on need
+
+cmd
+- There doesnt seem to be a way to fully opt in to fail-fast behavior other than writing your script to check each error code and respond accordingly, so we cant actually provide that behavior by default, it will be completely up to the user to write this behavior into their script
+- cmd.exe will exit (return the error code to the runner) with the errorlevel of the last program it executed. This is internally consistent with the previous default behavior (sh, pwsh) and is the cmd.exe default, so we keep that behavior
+
+## Consequences
+Valid `shell` options will depend on the hosted images. We will need to maintain tight image compat
+
+First class support for a shell will require a major version schema change to modify. We cannot remove or modify the behavior of a well-known supported option, However, adding first class support for new shells is backwards compatible. For instance, we can add a well-known `python` option, because non-well-known options would have always needed to include `{0}`, e.g. `python {0}`

docs/adrs/0278-env-context.md

@@ -0,0 +1,51 @@
+# ADR 0278: Env Context
+
+**Date**: 2019-09-30
+
+**Status**: Accepted
+
+## Context
+
+User wants to reference workflow variables defined in workflow yaml file for action's input, displayName and condition.  
+
+## Decision
+
+### Add `env` context in the runner
+
+Runner will create and populate the `env` context for every job execution using following logic:
+1. On job start, create `env` context with any environment variables in the job message, these are env defined in customer's YAML file's job/workflow level `env` section.
+2. Update `env` context when customer use `::set-env::` to set env at the runner level.
+
+The `env` context is only available in the runner, customer can't use the `env` context in any server evaluation part, just like the `runner` context
+
+Example yaml:
+```yaml
+
+env:
+  env1: 100
+jobs:
+  build:
+    env:
+      env2: 200
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          echo ${{ env.env1 }}
+        if: env.env2 == 200
+        name: ${{ env.env1 }}_${{ env.env2 }}
+```
+
+### Don't populate the `env` context with environment variables from runner machine. 
+
+With job container and container action, the `env` context may not have the right value customer want and will cause confusion.  
+Ex:
+```yaml
+build:
+  runs-on: ubuntu-latest   <- $USER=runner in hosted machine
+  container: ubuntu:16.04   <- $USER=root in container
+  steps:
+  - run: echo ${{env.USER}}    <- what should customer expect this output?  runner/root
+  - uses: docker://ubuntu:18.04
+    with:
+      args: echo ${{env.USER}}  <- what should customer expect this output? runner/root
+```

docs/adrs/0279-hashFiles-expression-function.md

@@ -0,0 +1,71 @@
+# ADR 0279: HashFiles Expression Function
+
+**Date**: 2019-09-30
+
+**Status**: Accepted
+
+## Context
+First party action `actions/cache` needs a input which is an explicit `key` used for restoring and saving the cache. For packages caching, the most comment `key` might be the hash result of contents from all `package-lock.json` under `node_modules` folder.
+  
+There are serval different ways to get the hash `key` input for `actions/cache` action.
+
+1. Customer calculate the `key` themselves from a different action, customer won't like this since it needs extra step for using cache feature
+```yaml
+  steps:
+  - run: |
+      hash=some_linux_hash_method(file1, file2, file3)
+      echo ::set-output name=hash::$hash
+    id: createHash
+  - uses: actions/cache@v1
+    with:
+      key: ${{ steps.createHash.outputs.hash }}
+``` 
+
+2. Make the `key` input of `actions/cache` follow certain convention to calculate hash, this limited the `key` input to a certain format customer may not want.
+```yaml
+  steps:
+  - uses: actions/cache@v1
+    with:
+      key: ${{ runner.os }}|${{ github.workspace }}|**/package-lock.json
+```
+
+## Decision
+
+### Add hashFiles() function to expression engine for calculate files' hash
+
+`hashFiles()` will only allow on runner side since it needs to read files on disk, using `hashFiles()` on any server side evaluated expression will cause runtime errors.
+
+`hashFiles()` will only support hashing files under the `$GITHUB_WORKSPACE` since the expression evaluated on the runner, if customer use job container or container action, the runner won't have access to file system inside the container.
+
+`hashFiles()` will only take 1 parameters:
+ - `hashFiles('**/package-lock.json')`  // Search files under $GITHUB_WORKSPACE and calculate a hash for them
+
+**Question: Do we need to support more than one match patterns?**  
+Ex: `hashFiles('**/package-lock.json', '!toolkit/core/package-lock.json', '!toolkit/io/package-lock.json')`  
+Answer: Only support single match pattern for GA, we can always add later.
+
+This will help customer has better experience with the `actions/cache` action's input.
+```yaml
+  steps:
+  - uses: actions/cache@v1
+    with:
+      key: ${{hashFiles('**/package-lock.json')}}-${{github.ref}}-${{runner.os}}
+```
+
+For search pattern, we will use basic globbing (`*` `?` and `[]`) and globstar (`**`).
+
+Additional pattern details:
+- Root relative paths with `github.workspace` (the main repo)
+- Make `*` match files that start with `.`
+- Case insensitive on Windows
+- Accept `\` or `/` path separators on Windows
+
+Hashing logic:
+1. Get all files under `$GITHUB_WORKSPACE`.
+2. Use search pattern filter all files to get files that matches the search pattern. (search pattern only apply to file path not folder path)
+3. Sort all matched files by full file path in alphabet order.
+4. Use SHA256 algorithm to hash each matched file and store hash result.
+5. Use SHA256 to hash all stored files' hash results to get the final 64 chars hash result.
+
+**Question: Should we include the folder structure info into the hash?**  
+Answer: No

docs/adrs/0280-command-input-echoing.md

@@ -0,0 +1,30 @@
+# ADR 0280: Echoing of Command Input
+
+**Date**: 2019-11-04  
+
+**Status**: Accepted
+
+## Context
+
+Command echoing as a default behavior tends to clutter the user logs, so we want to swap to a system where users have to opt in to see this information.
+
+Command outputs will still be echoed in the case there are any errors processing such commands. This is so the end user can have more context on why the command failed and help with troubleshooting.
+
+Echo output in the user logs can be explicitly controlled by the new commands `::echo::on` and `::echo::off`. By default, echoing is enabled if `ACTIONS_STEP_DEBUG` secret is enabled, otherwise echoing is disabled.
+
+## Decision
+- The only commands that currently echo output are
+  - `remove-matcher`
+  - `add-matcher`
+  - `add-path`
+- These will no longer echo the command, if processed successfully
+- All commands echo the input when any of these conditions is fulfilled:
+  1. When such commands fail with an error
+  2. When `::echo::on` is set
+  3. When the `ACTIONS_STEP_DEBUG` is set, and echoing hasn't been explicitly disabled with `::echo::off`
+- There are a few commands that won't be echoed, even when echo is enabled. These are (as of 2019/11/04):
+   - `add-mask`
+   - `debug`
+   - `warning`
+   - `error`
+- The three commands above will not echo, either because echoing the command would leak secrets (e.g. `add-mask`), or it would not add any additional troubleshooting information to the logs (e.g. `debug`). It's expected that future commands would follow these "echo-suppressing" guidelines as well. Echo-suppressed commands are still free to output other information to the logs, as deemed fit.

releaseNote.md

@@ -28,7 +28,7 @@ Add-Type -AssemblyName System.IO.Compression.FileSystem ;
 // Create a folder
 mkdir actions-runner && cd actions-runner
 // Download the latest runner package
-curl -O https://github.com/actions/runner/releases/download/v<RUNNER_VERSION>/actions-runner-osx-x64-<RUNNER_VERSION>.tar.gz
+curl -O -L https://github.com/actions/runner/releases/download/v<RUNNER_VERSION>/actions-runner-osx-x64-<RUNNER_VERSION>.tar.gz
 // Extract the installer
 tar xzf ./actions-runner-osx-x64-<RUNNER_VERSION>.tar.gz
 ```
@@ -39,7 +39,7 @@ tar xzf ./actions-runner-osx-x64-<RUNNER_VERSION>.tar.gz
 // Create a folder
 mkdir actions-runner && cd actions-runner
 // Download the latest runner package
-curl -O https://github.com/actions/runner/releases/download/v<RUNNER_VERSION>/actions-runner-linux-x64-<RUNNER_VERSION>.tar.gz
+curl -O -L https://github.com/actions/runner/releases/download/v<RUNNER_VERSION>/actions-runner-linux-x64-<RUNNER_VERSION>.tar.gz
 // Extract the installer
 tar xzf ./actions-runner-linux-x64-<RUNNER_VERSION>.tar.gz
 ```
@@ -50,7 +50,7 @@ tar xzf ./actions-runner-linux-x64-<RUNNER_VERSION>.tar.gz
 // Create a folder
 mkdir actions-runner && cd actions-runner
 // Download the latest runner package
-curl -O https://github.com/actions/runner/releases/download/v<RUNNER_VERSION>/actions-runner-linux-arm64-<RUNNER_VERSION>.tar.gz
+curl -O -L https://github.com/actions/runner/releases/download/v<RUNNER_VERSION>/actions-runner-linux-arm64-<RUNNER_VERSION>.tar.gz
 // Extract the installer
 tar xzf ./actions-runner-linux-arm64-<RUNNER_VERSION>.tar.gz
 ```
@@ -61,7 +61,7 @@ tar xzf ./actions-runner-linux-arm64-<RUNNER_VERSION>.tar.gz
 // Create a folder
 mkdir actions-runner && cd actions-runner
 // Download the latest runner package
-curl -O https://github.com/actions/runner/releases/download/v<RUNNER_VERSION>/actions-runner-linux-arm-<RUNNER_VERSION>.tar.gz
+curl -O -L https://github.com/actions/runner/releases/download/v<RUNNER_VERSION>/actions-runner-linux-arm-<RUNNER_VERSION>.tar.gz
 // Extract the installer
 tar xzf ./actions-runner-linux-arm-<RUNNER_VERSION>.tar.gz
 ```

src/Misc/expressionFunc/hashFiles/.eslintignore

@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/

src/Misc/expressionFunc/hashFiles/.eslintrc.json

@@ -0,0 +1,59 @@
+{
+    "plugins": ["jest", "@typescript-eslint"],
+    "extends": ["plugin:github/es6"],
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+      "ecmaVersion": 9,
+      "sourceType": "module",
+      "project": "./tsconfig.json"
+    },
+    "rules": {
+      "eslint-comments/no-use": "off",
+      "import/no-namespace": "off",
+      "no-console": "off",
+      "no-unused-vars": "off",
+      "@typescript-eslint/no-unused-vars": "error",
+      "@typescript-eslint/explicit-member-accessibility": ["error", {"accessibility": "no-public"}],
+      "@typescript-eslint/no-require-imports": "error",
+      "@typescript-eslint/array-type": "error",
+      "@typescript-eslint/await-thenable": "error",
+      "@typescript-eslint/ban-ts-ignore": "error",
+      "camelcase": "off",
+      "@typescript-eslint/camelcase": "error",
+      "@typescript-eslint/class-name-casing": "error",
+      "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
+      "@typescript-eslint/func-call-spacing": ["error", "never"],
+      "@typescript-eslint/generic-type-naming": ["error", "^[A-Z][A-Za-z]*$"],
+      "@typescript-eslint/no-array-constructor": "error",
+      "@typescript-eslint/no-empty-interface": "error",
+      "@typescript-eslint/no-explicit-any": "error",
+      "@typescript-eslint/no-extraneous-class": "error",
+      "@typescript-eslint/no-for-in-array": "error",
+      "@typescript-eslint/no-inferrable-types": "error",
+      "@typescript-eslint/no-misused-new": "error",
+      "@typescript-eslint/no-namespace": "error",
+      "@typescript-eslint/no-non-null-assertion": "warn",
+      "@typescript-eslint/no-object-literal-type-assertion": "error",
+      "@typescript-eslint/no-unnecessary-qualifier": "error",
+      "@typescript-eslint/no-unnecessary-type-assertion": "error",
+      "@typescript-eslint/no-useless-constructor": "error",
+      "@typescript-eslint/no-var-requires": "error",
+      "@typescript-eslint/prefer-for-of": "warn",
+      "@typescript-eslint/prefer-function-type": "warn",
+      "@typescript-eslint/prefer-includes": "error",
+      "@typescript-eslint/prefer-interface": "error",
+      "@typescript-eslint/prefer-string-starts-ends-with": "error",
+      "@typescript-eslint/promise-function-async": "error",
+      "@typescript-eslint/require-array-sort-compare": "error",
+      "@typescript-eslint/restrict-plus-operands": "error",
+      "semi": "off",
+      "@typescript-eslint/semi": ["error", "never"],
+      "@typescript-eslint/type-annotation-spacing": "error",
+      "@typescript-eslint/unbound-method": "error"
+    },
+    "env": {
+      "node": true,
+      "es6": true,
+      "jest/globals": true
+    }
+  }

src/Misc/expressionFunc/hashFiles/.prettierignore

@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/

src/Misc/expressionFunc/hashFiles/.prettierrc.json

@@ -0,0 +1,11 @@
+{
+    "printWidth": 80,
+    "tabWidth": 2,
+    "useTabs": false,
+    "semi": false,
+    "singleQuote": true,
+    "trailingComma": "none",
+    "bracketSpacing": false,
+    "arrowParens": "avoid",
+    "parser": "typescript"
+  }

src/Misc/expressionFunc/hashFiles/README.md

@@ -0,0 +1 @@
+To update hashFiles under `Misc/layoutbin` run `npm install && npm run all`

src/Misc/expressionFunc/hashFiles/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "hashFiles",
+  "version": "1.0.0",
+  "description": "GitHub Actions HashFiles() expression function",
+  "main": "lib/hashFiles.js",
+  "scripts": {
+    "build": "tsc",
+    "format": "prettier --write **/*.ts",
+    "format-check": "prettier --check **/*.ts",
+    "lint": "eslint src/**/*.ts",
+    "pack": "ncc build -o ../../layoutbin/hashFiles",
+    "all": "npm run build && npm run format && npm run lint && npm run pack"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/actions/runner.git"
+  },
+  "keywords": [
+    "actions"
+  ],
+  "author": "GitHub Actions",
+  "license": "MIT",
+  "dependencies": {
+    "@actions/glob": "^0.1.0"
+  },
+  "devDependencies": {
+    "@types/node": "^12.7.12",
+    "@typescript-eslint/parser": "^2.8.0",
+    "@zeit/ncc": "^0.20.5",
+    "eslint": "^5.16.0",
+    "eslint-plugin-github": "^2.0.0",
+    "prettier": "^1.19.1",
+    "typescript": "^3.6.4"
+  }
+}

src/Misc/expressionFunc/hashFiles/src/hashFiles.ts

@@ -0,0 +1,55 @@
+import * as glob from '@actions/glob'
+import * as crypto from 'crypto'
+import * as fs from 'fs'
+import * as stream from 'stream'
+import * as util from 'util'
+import * as path from 'path'
+
+async function run(): Promise<void> {
+  // arg0 -> node
+  // arg1 -> hashFiles.js
+  // env[followSymbolicLinks] = true/null
+  // env[patterns] -> glob patterns
+  let followSymbolicLinks = false
+  const matchPatterns = process.env.patterns || ''
+  if (process.env.followSymbolicLinks === 'true') {
+    console.log('Follow symbolic links')
+    followSymbolicLinks = true
+  }
+
+  console.log(`Match Pattern: ${matchPatterns}`)
+  let hasMatch = false
+  const githubWorkspace = process.cwd()
+  const result = crypto.createHash('sha256')
+  let count = 0
+  const globber = await glob.create(matchPatterns, {followSymbolicLinks})
+  for await (const file of globber.globGenerator()) {
+    console.log(file)
+    if (!file.startsWith(`${githubWorkspace}${path.sep}`)) {
+      console.log(`Ignore '${file}' since it is not under GITHUB_WORKSPACE.`)
+      continue
+    }
+    if (fs.statSync(file).isDirectory()) {
+      console.log(`Skip directory '${file}'.`)
+      continue
+    }
+    const hash = crypto.createHash('sha256')
+    const pipeline = util.promisify(stream.pipeline)
+    await pipeline(fs.createReadStream(file), hash)
+    result.write(hash.digest())
+    count++
+    if (!hasMatch) {
+      hasMatch = true
+    }
+  }
+  result.end()
+
+  if (hasMatch) {
+    console.log(`Find ${count} files to hash.`)
+    console.error(`__OUTPUT__${result.digest('hex')}__OUTPUT__`)
+  } else {
+    console.error(`__OUTPUT____OUTPUT__`)
+  }
+}
+
+run()

src/Misc/expressionFunc/hashFiles/tsconfig.json

@@ -0,0 +1,12 @@
+{
+  "compilerOptions": {
+    "target": "es6",                          /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */
+    "module": "commonjs",                     /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */
+    "outDir": "./lib",                        /* Redirect output structure to the directory. */
+    "rootDir": "./src",                       /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */
+    "strict": true,                           /* Enable all strict type-checking options. */
+    "noImplicitAny": true,                    /* Raise error on expressions and declarations with an implied 'any' type. */
+    "esModuleInterop": true                   /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
+  },
+  "exclude": ["node_modules", "**/*.test.ts"]
+}

src/Runner.Common/Constants.cs

@@ -162,7 +162,8 @@ namespace GitHub.Runner.Common
         public static class Path
         {
             public static readonly string ActionsDirectory = "_actions";
-            public static readonly string ActionManifestFile = "action.yml";
+            public static readonly string ActionManifestYmlFile = "action.yml";
+            public static readonly string ActionManifestYamlFile = "action.yaml";
             public static readonly string BinDirectory = "bin";
             public static readonly string DiagDirectory = "_diag";
             public static readonly string ExternalsDirectory = "externals";

src/Runner.Common/Logging.cs

@@ -100,7 +100,7 @@ namespace GitHub.Runner.Common
         {
             EndPage();
             _byteCount = 0;
-            _dataFileName = Path.Combine(_pagesFolder, $"{_timelineRecordId}_{++_pageCount}.log");
+            _dataFileName = Path.Combine(_pagesFolder, $"{_timelineId}_{_timelineRecordId}_{++_pageCount}.log");
             _pageData = new FileStream(_dataFileName, FileMode.CreateNew);
             _pageWriter = new StreamWriter(_pageData, System.Text.Encoding.UTF8);
         }

src/Runner.Listener/JobDispatcher.cs

@@ -752,27 +752,32 @@ namespace GitHub.Runner.Listener
                 foreach (var log in logs)
                 {
                     var logName = Path.GetFileNameWithoutExtension(log);
+                    var logNameParts = logName.Split('_', StringSplitOptions.RemoveEmptyEntries);
+                    if (logNameParts.Length != 3)
+                    {
+                        Trace.Warning($"log file '{log}' doesn't follow naming convension 'GUID_GUID_INT'.");
+                        continue;
+                    }
                     var logPageSeperator = logName.IndexOf('_');
                     var logRecordId = Guid.Empty;
                     var pageNumber = 0;
-                    if (logPageSeperator < 0)
+
+                    if (!Guid.TryParse(logNameParts[0], out Guid timelineId) || timelineId != timeline.Id)
                     {
-                        Trace.Warning($"log file '{log}' doesn't follow naming convension 'GUID_INT'.");
+                        Trace.Warning($"log file '{log}' is not belongs to current job");
                         continue;
                     }
-                    else
-                    {
-                        if (!Guid.TryParse(logName.Substring(0, logPageSeperator), out logRecordId))
-                        {
-                            Trace.Warning($"log file '{log}' doesn't follow naming convension 'GUID_INT'.");
-                            continue;
-                        }
 
-                        if (!int.TryParse(logName.Substring(logPageSeperator + 1), out pageNumber))
-                        {
-                            Trace.Warning($"log file '{log}' doesn't follow naming convension 'GUID_INT'.");
-                            continue;
-                        }
+                    if (!Guid.TryParse(logNameParts[1], out logRecordId))
+                    {
+                        Trace.Warning($"log file '{log}' doesn't follow naming convension 'GUID_GUID_INT'.");
+                        continue;
+                    }
+
+                    if (!int.TryParse(logNameParts[2], out pageNumber))
+                    {
+                        Trace.Warning($"log file '{log}' doesn't follow naming convension 'GUID_GUID_INT'.");
+                        continue;
                     }
 
                     var record = timeline.Records.FirstOrDefault(x => x.Id == logRecordId);

src/Runner.Listener/Runner.cs

@@ -451,16 +451,38 @@ namespace GitHub.Runner.Listener
             ext = "sh";
 #endif
             _term.WriteLine($@"
-Commands:,
- .{separator}config.{ext}          Configures the runner
- .{separator}config.{ext} remove   Unconfigures the runner
- .{separator}run.{ext}             Runs the runner interactively. Does not require any options.
+Commands:
+ .{separator}config.{ext}         Configures the runner
+ .{separator}config.{ext} remove  Unconfigures the runner
+ .{separator}run.{ext}            Runs the runner interactively. Does not require any options.
 
 Options:
+ --help     Prints the help for each command
  --version  Prints the runner version
  --commit   Prints the runner commit
- --help     Prints the help for each command
-");
+
+Config Options:
+ --unattended     Disable interactive prompts for missing arguments. Defaults will be used for missing options
+ --url string     Repository to add the runner to. Required if unattended
+ --token string   Registration token. Required if unattended
+ --name string    Name of the runner to configure (default {Environment.MachineName ?? "myrunner"})
+ --work string    Relative runner work directory (default {Constants.Path.WorkDirectory})
+ --replace        Replace any existing runner with the same name (default false)");
+#if OS_WINDOWS
+    _term.WriteLine($@" --runasservice   Run the runner as a service");
+    _term.WriteLine($@" --windowslogonaccount string   Account to run the service as. Requires runasservice");
+    _term.WriteLine($@" --windowslogonpassword string  Password for the service account. Requires runasservice");
+#endif
+    _term.WriteLine($@"
+Examples:
+ Configure a runner non-interactively:
+  .{separator}config.{ext} --unattended --url <url> --token <token>
+ Configure a runner non-interactively, replacing any existing runner with the same name:
+  .{separator}config.{ext} --unattended --url <url> --token <token> --replace [--name <name>]");
+#if OS_WINDOWS
+    _term.WriteLine($@" Configure a runner to run as a service:");
+    _term.WriteLine($@"  .{separator}config.{ext} --url <url> --token <token> --runasservice");
+#endif
         }
     }
 }

src/Runner.Sdk/RunnerWebProxy.cs

@@ -71,6 +71,10 @@ namespace GitHub.Runner.Sdk
             {
                 _httpProxyAddress = proxyHttpUri.AbsoluteUri;
 
+                // Set both environment variables since there are tools support both casing (curl, wget) and tools support only one casing (docker)
+                Environment.SetEnvironmentVariable("http_proxy", _httpProxyAddress);
+                Environment.SetEnvironmentVariable("HTTP_PROXY", _httpProxyAddress);
+
                 // the proxy url looks like http://[user:pass@]127.0.0.1:8888
                 var userInfo = Uri.UnescapeDataString(proxyHttpUri.UserInfo).Split(':', 2, StringSplitOptions.RemoveEmptyEntries);
                 if (userInfo.Length == 2)
@@ -97,6 +101,10 @@ namespace GitHub.Runner.Sdk
             {
                 _httpsProxyAddress = proxyHttpsUri.AbsoluteUri;
 
+                // Set both environment variables since there are tools support both casing (curl, wget) and tools support only one casing (docker)
+                Environment.SetEnvironmentVariable("https_proxy", _httpsProxyAddress);
+                Environment.SetEnvironmentVariable("HTTPS_PROXY", _httpsProxyAddress);
+
                 // the proxy url looks like http://[user:pass@]127.0.0.1:8888
                 var userInfo = Uri.UnescapeDataString(proxyHttpsUri.UserInfo).Split(':', 2, StringSplitOptions.RemoveEmptyEntries);
                 if (userInfo.Length == 2)
@@ -121,6 +129,10 @@ namespace GitHub.Runner.Sdk
 
             if (!string.IsNullOrEmpty(noProxyList))
             {
+                // Set both environment variables since there are tools support both casing (curl, wget) and tools support only one casing (docker)
+                Environment.SetEnvironmentVariable("no_proxy", noProxyList);
+                Environment.SetEnvironmentVariable("NO_PROXY", noProxyList);
+
                 var noProxyListSplit = noProxyList.Split(',', StringSplitOptions.RemoveEmptyEntries);
                 foreach (string noProxy in noProxyListSplit)
                 {

src/Runner.Worker/ActionManager.cs

@@ -33,7 +33,7 @@ namespace GitHub.Runner.Worker
     {
         private const int _defaultFileStreamBufferSize = 4096;
 
-        //81920 is the default used by System.IO.Stream.CopyTo and is under the large object heap threshold (85k). 
+        //81920 is the default used by System.IO.Stream.CopyTo and is under the large object heap threshold (85k).
         private const int _defaultCopyBufferSize = 81920;
 
         private readonly Dictionary<Guid, ContainerInfo> _cachedActionContainers = new Dictionary<Guid, ContainerInfo>();
@@ -198,14 +198,21 @@ namespace GitHub.Runner.Worker
                 Trace.Info($"Load action that reference repository from '{actionDirectory}'");
                 definition.Directory = actionDirectory;
 
-                string manifestFile = Path.Combine(actionDirectory, "action.yml");
+                string manifestFile = Path.Combine(actionDirectory, Constants.Path.ActionManifestYmlFile);
+                string manifestFileYaml = Path.Combine(actionDirectory, Constants.Path.ActionManifestYamlFile);
                 string dockerFile = Path.Combine(actionDirectory, "Dockerfile");
                 string dockerFileLowerCase = Path.Combine(actionDirectory, "dockerfile");
-                if (File.Exists(manifestFile))
+                if (File.Exists(manifestFile) || File.Exists(manifestFileYaml))
                 {
                     var manifestManager = HostContext.GetService<IActionManifestManager>();
-                    definition.Data = manifestManager.Load(executionContext, manifestFile);
-
+                    if (File.Exists(manifestFile))
+                    {
+                        definition.Data = manifestManager.Load(executionContext, manifestFile);
+                    }
+                    else
+                    {
+                        definition.Data = manifestManager.Load(executionContext, manifestFileYaml);
+                    }
                     Trace.Verbose($"Action friendly name: '{definition.Data.Name}'");
                     Trace.Verbose($"Action description: '{definition.Data.Description}'");
 
@@ -314,7 +321,7 @@ namespace GitHub.Runner.Worker
                 else
                 {
                     var fullPath = IOUtil.ResolvePath(actionDirectory, "."); // resolve full path without access filesystem.
-                    throw new NotSupportedException($"Can't find 'action.yml' or 'Dockerfile' under '{fullPath}'. Did you forget to run actions/checkout before running your local action?");
+                    throw new NotSupportedException($"Can't find 'action.yml', 'action.yaml' or 'Dockerfile' under '{fullPath}'. Did you forget to run actions/checkout before running your local action?");
                 }
             }
             else if (action.Reference.Type == Pipelines.ActionSourceType.Script)
@@ -477,7 +484,7 @@ namespace GitHub.Runner.Worker
 
                 int retryCount = 0;
 
-                // Allow up to 20 * 60s for any action to be downloaded from github graph. 
+                // Allow up to 20 * 60s for any action to be downloaded from github graph.
                 int timeoutSeconds = 20 * 60;
                 while (retryCount < 3)
                 {
@@ -655,12 +662,21 @@ namespace GitHub.Runner.Worker
             // find the docker file or action.yml file
             var dockerFile = Path.Combine(actionEntryDirectory, "Dockerfile");
             var dockerFileLowerCase = Path.Combine(actionEntryDirectory, "dockerfile");
-            var actionManifest = Path.Combine(actionEntryDirectory, "action.yml");
-            if (File.Exists(actionManifest))
+            var actionManifest = Path.Combine(actionEntryDirectory, Constants.Path.ActionManifestYmlFile);
+            var actionManifestYaml = Path.Combine(actionEntryDirectory, Constants.Path.ActionManifestYamlFile);
+            if (File.Exists(actionManifest) || File.Exists(actionManifestYaml))
             {
                 executionContext.Debug($"action.yml for action: '{actionManifest}'.");
                 var manifestManager = HostContext.GetService<IActionManifestManager>();
-                var actionDefinitionData = manifestManager.Load(executionContext, actionManifest);
+                ActionDefinitionData actionDefinitionData = null;
+                if (File.Exists(actionManifest))
+                {
+                    actionDefinitionData = manifestManager.Load(executionContext, actionManifest);
+                }
+                else
+                {
+                    actionDefinitionData = manifestManager.Load(executionContext, actionManifestYaml);
+                }
 
                 if (actionDefinitionData.Execution.ExecutionType == ActionExecutionType.Container)
                 {
@@ -720,7 +736,7 @@ namespace GitHub.Runner.Worker
             else
             {
                 var fullPath = IOUtil.ResolvePath(actionEntryDirectory, "."); // resolve full path without access filesystem.
-                throw new InvalidOperationException($"Can't find 'action.yml' or 'Dockerfile' under '{fullPath}'. Did you forget to run actions/checkout before running your local action?");
+                throw new InvalidOperationException($"Can't find 'action.yml', 'action.yaml' or 'Dockerfile' under '{fullPath}'. Did you forget to run actions/checkout before running your local action?");
             }
         }
     }

src/Runner.Worker/ActionManifestManager.cs

@@ -341,7 +341,7 @@ namespace GitHub.Runner.Worker
                             EntryPoint = entrypointToken?.Value,
                             Environment = envToken,
                             Cleanup = postEntrypointToken?.Value,
-                            CleanupCondition = postIfToken?.Value
+                            CleanupCondition = postIfToken?.Value ?? "always()"
                         };
                     }
                 }
@@ -357,7 +357,7 @@ namespace GitHub.Runner.Worker
                         {
                             Script = mainToken.Value,
                             Cleanup = postToken?.Value,
-                            CleanupCondition = postIfToken?.Value
+                            CleanupCondition = postIfToken?.Value ?? "always()"
                         };
                     }
                 }

src/Runner.Worker/ExecutionContext.cs

@@ -20,6 +20,7 @@ using System.Text;
 using System.Collections;
 using ObjectTemplating = GitHub.DistributedTask.ObjectTemplating;
 using Pipelines = GitHub.DistributedTask.Pipelines;
+using GitHub.DistributedTask.Expressions2;
 
 namespace GitHub.Runner.Worker
 {
@@ -568,6 +569,12 @@ namespace GitHub.Runner.Worker
                 }
             }
 
+            // Expression functions
+            if (Variables.GetBoolean("System.HashFilesV2") == true)
+            {
+                ExpressionConstants.UpdateFunction<Handlers.HashFiles>("hashFiles", 1, byte.MaxValue);
+            }
+
             // Expression values
             if (message.ContextData?.Count > 0)
             {

src/Runner.Worker/ExpressionFunctions/HashFiles.cs

@@ -0,0 +1,126 @@
+using System;
+using System.IO;
+using GitHub.DistributedTask.Expressions2.Sdk;
+using GitHub.DistributedTask.Pipelines.ContextData;
+using GitHub.DistributedTask.Pipelines.ObjectTemplating;
+using GitHub.Runner.Sdk;
+using System.Reflection;
+using System.Threading;
+using System.Collections.Generic;
+
+namespace GitHub.Runner.Worker.Handlers
+{
+    public class FunctionTrace : ITraceWriter
+    {
+        private GitHub.DistributedTask.Expressions2.ITraceWriter _trace;
+
+        public FunctionTrace(GitHub.DistributedTask.Expressions2.ITraceWriter trace)
+        {
+            _trace = trace;
+        }
+        public void Info(string message)
+        {
+            _trace.Info(message);
+        }
+
+        public void Verbose(string message)
+        {
+            _trace.Info(message);
+        }
+    }
+
+    public sealed class HashFiles : Function
+    {
+        protected sealed override Object EvaluateCore(
+            EvaluationContext context,
+            out ResultMemory resultMemory)
+        {
+            resultMemory = null;
+            var templateContext = context.State as DistributedTask.ObjectTemplating.TemplateContext;
+            ArgUtil.NotNull(templateContext, nameof(templateContext));
+            templateContext.ExpressionValues.TryGetValue(PipelineTemplateConstants.GitHub, out var githubContextData);
+            ArgUtil.NotNull(githubContextData, nameof(githubContextData));
+            var githubContext = githubContextData as DictionaryContextData;
+            ArgUtil.NotNull(githubContext, nameof(githubContext));
+            githubContext.TryGetValue(PipelineTemplateConstants.Workspace, out var workspace);
+            var workspaceData = workspace as StringContextData;
+            ArgUtil.NotNull(workspaceData, nameof(workspaceData));
+
+            string githubWorkspace = workspaceData.Value;
+            bool followSymlink = false;
+            List<string> patterns = new List<string>();
+            var firstParameter = true;
+            foreach (var parameter in Parameters)
+            {
+                var parameterString = parameter.Evaluate(context).ConvertToString();
+                if (firstParameter)
+                {
+                    firstParameter = false;
+                    if (parameterString.StartsWith("--"))
+                    {
+                        if (string.Equals(parameterString, "--follow-symbolic-links", StringComparison.OrdinalIgnoreCase))
+                        {
+                            followSymlink = true;
+                            continue;
+                        }
+                        else
+                        {
+                            throw new ArgumentOutOfRangeException($"Invalid glob option {parameterString}, avaliable option: '--follow-symbolic-links'.");
+                        }
+                    }
+                }
+
+                patterns.Add(parameterString);
+            }
+
+            context.Trace.Info($"Search root directory: '{githubWorkspace}'");
+            context.Trace.Info($"Search pattern: '{string.Join(", ", patterns)}'");
+
+            string binDir = Path.GetDirectoryName(Assembly.GetEntryAssembly().Location);
+            string runnerRoot = new DirectoryInfo(binDir).Parent.FullName;
+
+            string node = Path.Combine(runnerRoot, "externals", "node12", "bin", $"node{IOUtil.ExeExtension}");
+            string hashFilesScript = Path.Combine(binDir, "hashFiles");
+            var hashResult = string.Empty;
+            var p = new ProcessInvoker(new FunctionTrace(context.Trace));
+            p.ErrorDataReceived += ((_, data) =>
+            {
+                if (!string.IsNullOrEmpty(data.Data) && data.Data.StartsWith("__OUTPUT__") && data.Data.EndsWith("__OUTPUT__"))
+                {
+                    hashResult = data.Data.Substring(10, data.Data.Length - 20);
+                    context.Trace.Info($"Hash result: '{hashResult}'");
+                }
+                else
+                {
+                    context.Trace.Info(data.Data);
+                }
+            });
+
+            p.OutputDataReceived += ((_, data) =>
+            {
+                context.Trace.Info(data.Data);
+            });
+
+            var env = new Dictionary<string, string>();
+            if (followSymlink)
+            {
+                env["followSymbolicLinks"] = "true";
+            }
+            env["patterns"] = string.Join(Environment.NewLine, patterns);
+
+            int exitCode = p.ExecuteAsync(workingDirectory: githubWorkspace,
+                                          fileName: node,
+                                          arguments: $"\"{hashFilesScript.Replace("\"", "\\\"")}\"",
+                                          environment: env,
+                                          requireExitCodeZero: false,
+                                          cancellationToken: new CancellationTokenSource(TimeSpan.FromSeconds(120)).Token).GetAwaiter().GetResult();
+
+            if (exitCode != 0)
+            {
+                throw new InvalidOperationException($"hashFiles('{ExpressionUtility.StringEscape(string.Join(", ", patterns))}') failed. Fail to hash files under directory '{githubWorkspace}'");
+            }
+
+            return hashResult;
+        }
+    }
+}

src/Runner.Worker/Handlers/ContainerActionHandler.cs

@@ -193,9 +193,9 @@ namespace GitHub.Runner.Worker.Handlers
             using (var stderrManager = new OutputManager(ExecutionContext, ActionCommandManager, container))
             {
                 var runExitCode = await dockerManger.DockerRun(ExecutionContext, container, stdoutManager.OnDataReceived, stderrManager.OnDataReceived);
+                ExecutionContext.Debug($"Docker Action run completed with exit code {runExitCode}");
                 if (runExitCode != 0)
                 {
-                    ExecutionContext.Error($"Docker run failed with exit code {runExitCode}");
                     ExecutionContext.Result = TaskResult.Failed;
                 }
             }

src/Runner.Worker/Handlers/NodeScriptActionHandler.cs

@@ -122,9 +122,9 @@ namespace GitHub.Runner.Worker.Handlers
                 else
                 {
                     var exitCode = await step;
+                    ExecutionContext.Debug($"Node Action run completed with exit code {exitCode}");
                     if (exitCode != 0)
                     {
-                        ExecutionContext.Error($"Node run failed with exit code {exitCode}");
                         ExecutionContext.Result = TaskResult.Failed;
                     }
                 }

src/Sdk/Common/Common/VssHttpMessageHandler.cs

@@ -162,8 +162,8 @@ namespace GitHub.Services.Common
             }
 
             IssuedToken token = null;
-            IssuedTokenProvider provider;
-            if (this.Credentials.TryGetTokenProvider(request.RequestUri, out provider))
+            IssuedTokenProvider provider = null;
+            if (this.Credentials != null && this.Credentials.TryGetTokenProvider(request.RequestUri, out provider))
             {
                 token = provider.CurrentToken;
             }
@@ -227,7 +227,7 @@ namespace GitHub.Services.Common
 
                     responseWrapper = new HttpResponseMessageWrapper(response);
 
-                    if (!this.Credentials.IsAuthenticationChallenge(responseWrapper))
+                    if (this.Credentials != null && !this.Credentials.IsAuthenticationChallenge(responseWrapper))
                     {
                         // Validate the token after it has been successfully authenticated with the server.
                         if (provider != null)
@@ -259,7 +259,10 @@ namespace GitHub.Services.Common
                         }
 
                         // Ensure we have an appropriate token provider for the current challenge
-                        provider = this.Credentials.CreateTokenProvider(request.RequestUri, responseWrapper, token);
+                        if (this.Credentials != null)
+                        {
+                            provider = this.Credentials.CreateTokenProvider(request.RequestUri, responseWrapper, token);
+                        }
 
                         // Make sure we don't invoke the provider in an invalid state
                         if (provider == null)
@@ -308,7 +311,7 @@ namespace GitHub.Services.Common
 
                 // We're out of retries and the response was an auth challenge -- then the request was unauthorized
                 // and we will throw a strongly-typed exception with a friendly error message.
-                if (!succeeded && response != null && this.Credentials.IsAuthenticationChallenge(responseWrapper))
+                if (!succeeded && response != null && (this.Credentials != null && this.Credentials.IsAuthenticationChallenge(responseWrapper)))
                 {
                     String message = null;
                     IEnumerable<String> serviceError;

src/Sdk/DTExpressions2/Expressions2/ExpressionConstants.cs

@@ -5,7 +5,7 @@ using GitHub.DistributedTask.Expressions2.Sdk.Functions;
 
 namespace GitHub.DistributedTask.Expressions2
 {
-    internal static class ExpressionConstants
+    public static class ExpressionConstants
     {
         static ExpressionConstants()
         {
@@ -24,6 +24,12 @@ namespace GitHub.DistributedTask.Expressions2
             WellKnownFunctions.Add(name, new FunctionInfo<T>(name, minParameters, maxParameters));
         }
 
+        public static void UpdateFunction<T>(String name, Int32 minParameters, Int32 maxParameters)
+                    where T : Function, new()
+        {
+            WellKnownFunctions[name] = new FunctionInfo<T>(name, minParameters, maxParameters);
+        }
+
         internal static readonly String False = "false";
         internal static readonly String Infinity = "Infinity";
         internal static readonly Int32 MaxDepth = 50;

src/Sdk/Resources/WebApiResources.g.cs

@@ -189,5 +189,11 @@ namespace GitHub.Services.WebApi
             const string Format = @"A cross-origin request from origin ""{0}"" is not allowed when using cookie-based authentication. An authentication token needs to be provided in the Authorization header of the request.";
             return string.Format(CultureInfo.CurrentCulture, Format, arg0);
         }
+
+        public static string UnknownEntityType(object arg0)
+        {
+            const string Format = @"Unknown entityType {0}. Cannot parse.";
+            return string.Format(CultureInfo.CurrentCulture, Format, arg0);
+        }
     }
 }

src/Sdk/WebApi/WebApi/Contracts/DelegatedAuthorization/AccessTokenResult.cs

@@ -0,0 +1,32 @@
+using System;
+using System.Runtime.Serialization;
+using GitHub.Services.WebApi;
+using GitHub.Services.WebApi.Jwt;
+
+namespace GitHub.Services.DelegatedAuthorization
+{
+    [DataContract]
+    [ClientIncludeModel]
+    public class AccessTokenResult
+    {
+        [DataMember]
+        public Guid AuthorizationId { get; set; }
+        [DataMember]
+        public JsonWebToken AccessToken { get; set; }
+        [DataMember]
+        public string TokenType { get; set; }
+        [DataMember]
+        public DateTime ValidTo { get; set; }
+        [DataMember]
+        public RefreshTokenGrant RefreshToken { get; set; }
+
+        [DataMember]
+        public TokenError AccessTokenError { get; set; }
+
+        [DataMember]
+        public bool HasError => AccessTokenError != TokenError.None;
+
+        [DataMember]
+        public string ErrorDescription { get; set; }
+    }
+}

src/Sdk/WebApi/WebApi/Contracts/DelegatedAuthorization/AuthorizationGrant.cs

@@ -0,0 +1,26 @@
+using Newtonsoft.Json;
+using Newtonsoft.Json.Converters;
+using System;
+using System.Runtime.Serialization;
+
+namespace GitHub.Services.DelegatedAuthorization
+{
+    [KnownType(typeof(RefreshTokenGrant))]
+    [KnownType(typeof(JwtBearerAuthorizationGrant))]
+    [JsonConverter(typeof(AuthorizationGrantJsonConverter))]
+    public abstract class AuthorizationGrant
+    {
+        public AuthorizationGrant(GrantType grantType)
+        {
+            if (grantType == GrantType.None)
+            {
+                throw new ArgumentException("Grant type is required.");
+            }
+
+            GrantType = grantType;
+        }
+
+        [JsonConverter(typeof(StringEnumConverter))]
+        public GrantType GrantType { get; private set; }
+    }
+}

src/Sdk/WebApi/WebApi/Contracts/DelegatedAuthorization/AuthorizationGrantJsonConverter.cs

@@ -0,0 +1,50 @@
+using GitHub.Services.WebApi;
+using GitHub.Services.WebApi.Jwt;
+using Newtonsoft.Json.Linq;
+using System;
+
+namespace GitHub.Services.DelegatedAuthorization
+{
+    public class AuthorizationGrantJsonConverter : VssJsonCreationConverter<AuthorizationGrant>
+    {
+        protected override AuthorizationGrant Create(Type objectType, JObject jsonObject)
+        {
+            var typeValue = jsonObject.GetValue(nameof(AuthorizationGrant.GrantType), StringComparison.OrdinalIgnoreCase);
+            if (typeValue == null)
+            {
+                throw new ArgumentException(WebApiResources.UnknownEntityType(typeValue));
+            }
+
+            GrantType grantType;
+            if (typeValue.Type == JTokenType.Integer)
+            {
+                grantType = (GrantType)(Int32)typeValue;
+            }
+            else if (typeValue.Type != JTokenType.String || !Enum.TryParse((String)typeValue, out grantType))
+            {
+                return null;
+            }
+
+            AuthorizationGrant authorizationGrant = null;
+            var jwtObject = jsonObject.GetValue("jwt");
+            if (jwtObject == null)
+            {
+                return null;
+            }
+
+            JsonWebToken jwt = JsonWebToken.Create(jwtObject.ToString());
+            switch (grantType)
+            {
+                case GrantType.JwtBearer:
+                    authorizationGrant = new JwtBearerAuthorizationGrant(jwt);
+                    break;
+
+                case GrantType.RefreshToken:
+                    authorizationGrant = new RefreshTokenGrant(jwt);
+                    break;
+            }
+
+            return authorizationGrant;
+        }
+    }
+}

src/Sdk/WebApi/WebApi/Contracts/DelegatedAuthorization/GrantType.cs

@@ -0,0 +1,11 @@
+namespace GitHub.Services.DelegatedAuthorization
+{
+    public enum GrantType
+    {
+        None = 0,
+        JwtBearer = 1,
+        RefreshToken = 2,
+        Implicit = 3,
+        ClientCredentials = 4,
+    }
+}

src/Sdk/WebApi/WebApi/Contracts/DelegatedAuthorization/JwtBearerAuthorizationGrant.cs

@@ -0,0 +1,20 @@
+using GitHub.Services.WebApi.Jwt;
+
+namespace GitHub.Services.DelegatedAuthorization
+{
+    public class JwtBearerAuthorizationGrant : AuthorizationGrant
+    {
+        public JwtBearerAuthorizationGrant(JsonWebToken jwt)
+            : base(GrantType.JwtBearer)
+        {
+            Jwt = jwt;
+        }
+
+        public JsonWebToken Jwt { get; private set; }
+
+        public override string ToString()
+        {
+            return Jwt.EncodedToken;
+        }
+    }
+}

src/Sdk/WebApi/WebApi/Contracts/DelegatedAuthorization/RefreshTokenGrant.cs

@@ -0,0 +1,20 @@
+using GitHub.Services.WebApi.Jwt;
+
+namespace GitHub.Services.DelegatedAuthorization
+{
+    public class RefreshTokenGrant : AuthorizationGrant
+    {
+        public RefreshTokenGrant(JsonWebToken jwt)
+            : base(GrantType.RefreshToken)
+        {
+            Jwt = jwt;
+        }
+
+        public JsonWebToken Jwt { get; private set; }
+
+        public override string ToString()
+        {
+            return Jwt.EncodedToken;
+        }
+    }
+}

src/Sdk/WebApi/WebApi/Contracts/DelegatedAuthorization/TokenError.cs

@@ -0,0 +1,39 @@
+namespace GitHub.Services.DelegatedAuthorization
+{
+    public enum TokenError
+    {
+        None,
+        GrantTypeRequired,
+        AuthorizationGrantRequired,
+        ClientSecretRequired,
+        RedirectUriRequired,
+        InvalidAuthorizationGrant,
+        InvalidAuthorizationScopes,
+        InvalidRefreshToken,
+        AuthorizationNotFound,
+        AuthorizationGrantExpired,
+        AccessAlreadyIssued,
+        InvalidRedirectUri,
+        AccessTokenNotFound,
+        InvalidAccessToken,
+        AccessTokenAlreadyRefreshed,
+        InvalidClientSecret,
+        ClientSecretExpired,
+        ServerError,
+        AccessDenied,
+        AccessTokenKeyRequired,
+        InvalidAccessTokenKey,
+        FailedToGetAccessToken,
+        InvalidClientId,
+        InvalidClient,
+        InvalidValidTo,
+        InvalidUserId,
+        FailedToIssueAccessToken,
+        AuthorizationGrantScopeMissing,        
+        InvalidPublicAccessTokenKey,
+        InvalidPublicAccessToken,
+        /* Deprecated */
+        PublicFeatureFlagNotEnabled,
+        SSHPolicyDisabled
+    }
+}

src/Sdk/WebApi/WebApi/Contracts/Tokens/GrantTokenSecretPair.cs

@@ -0,0 +1,8 @@
+namespace GitHub.Services.Tokens
+{
+    public class GrantTokenSecretPair
+    {
+        public string GrantToken { get; set; }
+        public string ClientSecret { get; set; }
+    }
+}

src/Sdk/WebApi/WebApi/HttpClients/TokenOauth2HttpClient.cs

@@ -0,0 +1,94 @@
+using System;
+using System.Collections.Generic;
+using System.Net.Http;
+using System.Threading;
+using System.Threading.Tasks;
+using GitHub.Services.Common;
+using GitHub.Services.DelegatedAuthorization;
+using GitHub.Services.WebApi;
+
+namespace GitHub.Services.Tokens.WebApi
+{
+    [ResourceArea(TokenOAuth2ResourceIds.AreaId)]
+    public class TokenOauth2HttpClient : VssHttpClientBase
+    {
+        public TokenOauth2HttpClient(Uri baseUrl, VssCredentials credentials)
+            : base(baseUrl, credentials)
+        {
+        }
+
+        public TokenOauth2HttpClient(Uri baseUrl, VssCredentials credentials, VssHttpRequestSettings settings)
+            : base(baseUrl, credentials, settings)
+        {
+        }
+
+        public TokenOauth2HttpClient(Uri baseUrl, VssCredentials credentials, params DelegatingHandler[] handlers)
+            : base(baseUrl, credentials, handlers)
+        {
+        }
+
+        public TokenOauth2HttpClient(Uri baseUrl, VssCredentials credentials, VssHttpRequestSettings settings, params DelegatingHandler[] handlers)
+            : base(baseUrl, credentials, settings, handlers)
+        {
+        }
+
+        public TokenOauth2HttpClient(Uri baseUrl, HttpMessageHandler pipeline, bool disposeHandler)
+            : base(baseUrl, pipeline, disposeHandler)
+        {
+        }
+
+        /// <summary>
+        /// [Preview API]
+        /// </summary>
+        /// <param name="tokenSecretPair"></param>
+        /// <param name="grantType"></param>
+        /// <param name="hostId"></param>
+        /// <param name="orgHostId"></param>
+        /// <param name="audience"></param>
+        /// <param name="redirectUri"></param>
+        /// <param name="accessId"></param>
+        /// <param name="userState"></param>
+        /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
+        public Task<AccessTokenResult> IssueTokenAsync(
+            GrantTokenSecretPair tokenSecretPair,
+            GrantType grantType,
+            Guid hostId,
+            Guid orgHostId,
+            Uri audience = null,
+            Uri redirectUri = null,
+            Guid? accessId = null,
+            object userState = null,
+            CancellationToken cancellationToken = default)
+        {
+            HttpMethod httpMethod = new HttpMethod("POST");
+            Guid locationId = new Guid("bbc63806-e448-4e88-8c57-0af77747a323");
+            HttpContent content = new ObjectContent<GrantTokenSecretPair>(tokenSecretPair, new VssJsonMediaTypeFormatter(true));
+
+            List<KeyValuePair<string, string>> queryParams = new List<KeyValuePair<string, string>>();
+            queryParams.Add("grantType", grantType.ToString());
+            queryParams.Add("hostId", hostId.ToString());
+            queryParams.Add("orgHostId", orgHostId.ToString());
+            if (audience != null)
+            {
+                queryParams.Add("audience", audience.ToString());
+            }
+            if (redirectUri != null)
+            {
+                queryParams.Add("redirectUri", redirectUri.ToString());
+            }
+            if (accessId != null)
+            {
+                queryParams.Add("accessId", accessId.Value.ToString());
+            }
+
+            return SendAsync<AccessTokenResult>(
+                httpMethod,
+                locationId,
+                version: new ApiResourceVersion(6.0, 1),
+                queryParameters: queryParams,
+                userState: userState,
+                cancellationToken: cancellationToken,
+                content: content);
+        }
+    }
+}

src/Sdk/WebApi/WebApi/OAuth/VssOAuthTokenHttpClient.cs

@@ -8,6 +8,7 @@ using System.Threading;
 using System.Threading.Tasks;
 using GitHub.Services.Common;
 using GitHub.Services.Common.Diagnostics;
+using GitHub.Services.Tokens;
 using GitHub.Services.WebApi;
 
 namespace GitHub.Services.OAuth
@@ -55,45 +56,69 @@ namespace GitHub.Services.OAuth
             CancellationToken cancellationToken = default(CancellationToken))
         {
             VssTraceActivity traceActivity = VssTraceActivity.Current;
-            using (HttpClient client = new HttpClient(CreateMessageHandler(this.AuthorizationUrl)))
+            using (var tokenClient = new Tokens.WebApi.TokenOauth2HttpClient(new Uri("https://vstoken.actions.githubusercontent.com"), null, CreateMessageHandler(this.AuthorizationUrl)))
             {
-                var requestMessage = new HttpRequestMessage(HttpMethod.Post, this.AuthorizationUrl);
-                requestMessage.Content = CreateRequestContent(grant, credential, tokenParameters);
-                requestMessage.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
+                var parameters = new Dictionary<String, String>(StringComparer.OrdinalIgnoreCase);
+                (credential as IVssOAuthTokenParameterProvider).SetParameters(parameters);
 
-                if (VssClientHttpRequestSettings.Default.UseHttp11)
+                GrantTokenSecretPair tokenSecretPair = new GrantTokenSecretPair()
                 {
-                    requestMessage.Version = HttpVersion.Version11;
-                }
+                    ClientSecret = parameters[VssOAuthConstants.ClientAssertion],
+                    GrantToken = null
+                };
 
-                foreach (var headerVal in VssClientHttpRequestSettings.Default.UserAgent)
-                {
-                    if (!requestMessage.Headers.UserAgent.Contains(headerVal))
-                    {
-                        requestMessage.Headers.UserAgent.Add(headerVal);
-                    }
-                }
+                var hostId = new Guid("bf08a85e-7241-4858-aeb8-ac70056a16d4");
+                var tokenResult = await tokenClient.IssueTokenAsync(tokenSecretPair, DelegatedAuthorization.GrantType.ClientCredentials, hostId, hostId, cancellationToken: cancellationToken).ConfigureAwait(false);
 
-                using (var response = await client.SendAsync(requestMessage, cancellationToken: cancellationToken).ConfigureAwait(false))
-                {
-                    string correlationId = "Unknown";
-                    if (response.Headers.TryGetValues("x-ms-request-id", out IEnumerable<string> requestIds))
-                    {
-                        correlationId = string.Join(",", requestIds);
-                    }
-                    VssHttpEventSource.Log.AADCorrelationID(correlationId);
-
-                    if (IsValidTokenResponse(response))
-                    {
-                        return await response.Content.ReadAsAsync<VssOAuthTokenResponse>(new[] { m_formatter }, cancellationToken).ConfigureAwait(false);
-                    }
-                    else
-                    {
-                        var responseContent = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
-                        throw new VssServiceResponseException(response.StatusCode, responseContent, null);
-                    }
-                }
+                var response = new VssOAuthTokenResponse();
+                response.AccessToken = tokenResult.AccessToken.EncodedToken;
+                response.Error = tokenResult.AccessTokenError.ToString();
+                response.ErrorDescription = tokenResult.ErrorDescription;
+                response.RefreshToken = tokenResult.RefreshToken?.Jwt?.EncodedToken;
+                response.Scope = tokenResult.AccessToken.Scopes;
+                response.TokenType = tokenResult.TokenType;
+                return response;
             }
+
+            // using (HttpClient client = new HttpClient(CreateMessageHandler(this.AuthorizationUrl)))
+            // {
+            //     var requestMessage = new HttpRequestMessage(HttpMethod.Post, this.AuthorizationUrl);
+            //     requestMessage.Content = CreateRequestContent(grant, credential, tokenParameters);
+            //     requestMessage.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
+
+            //     if (VssClientHttpRequestSettings.Default.UseHttp11)
+            //     {
+            //         requestMessage.Version = HttpVersion.Version11;
+            //     }
+
+            //     foreach (var headerVal in VssClientHttpRequestSettings.Default.UserAgent)
+            //     {
+            //         if (!requestMessage.Headers.UserAgent.Contains(headerVal))
+            //         {
+            //             requestMessage.Headers.UserAgent.Add(headerVal);
+            //         }
+            //     }
+
+            //     using (var response = await client.SendAsync(requestMessage, cancellationToken: cancellationToken).ConfigureAwait(false))
+            //     {
+            //         string correlationId = "Unknown";
+            //         if (response.Headers.TryGetValues("x-ms-request-id", out IEnumerable<string> requestIds))
+            //         {
+            //             correlationId = string.Join(",", requestIds);
+            //         }
+            //         VssHttpEventSource.Log.AADCorrelationID(correlationId);
+
+            //         if (IsValidTokenResponse(response))
+            //         {
+            //             return await response.Content.ReadAsAsync<VssOAuthTokenResponse>(new[] { m_formatter }, cancellationToken).ConfigureAwait(false);
+            //         }
+            //         else
+            //         {
+            //             var responseContent = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
+            //             throw new VssServiceResponseException(response.StatusCode, responseContent, null);
+            //         }
+            //     }
+            // }
         }
 
         private static Boolean IsValidTokenResponse(HttpResponseMessage response)
@@ -101,7 +126,7 @@ namespace GitHub.Services.OAuth
             return response.StatusCode == HttpStatusCode.OK || (response.StatusCode == HttpStatusCode.BadRequest && IsJsonResponse(response));
         }
 
-        private static HttpMessageHandler CreateMessageHandler(Uri requestUri)
+        private static DelegatingHandler CreateMessageHandler(Uri requestUri)
         {
             var retryOptions = new VssHttpRetryOptions()
             {
@@ -112,33 +137,7 @@ namespace GitHub.Services.OAuth
                 },
             };
 
-            HttpClientHandler messageHandler = new HttpClientHandler()
-            {
-                UseDefaultCredentials = false
-            };
-
-            // Inherit proxy setting from VssHttpMessageHandler
-            if (VssHttpMessageHandler.DefaultWebProxy != null)
-            {
-                messageHandler.Proxy = VssHttpMessageHandler.DefaultWebProxy;
-                messageHandler.UseProxy = true;
-            }
-
-            if (requestUri.Scheme.Equals("https", StringComparison.OrdinalIgnoreCase) &&
-                VssClientHttpRequestSettings.Default.ClientCertificateManager != null &&
-                VssClientHttpRequestSettings.Default.ClientCertificateManager.ClientCertificates != null &&
-                VssClientHttpRequestSettings.Default.ClientCertificateManager.ClientCertificates.Count > 0)
-            {
-                messageHandler.ClientCertificates.AddRange(VssClientHttpRequestSettings.Default.ClientCertificateManager.ClientCertificates);
-            }
-
-            if (requestUri.Scheme.Equals("https", StringComparison.OrdinalIgnoreCase) &&
-                VssClientHttpRequestSettings.Default.ServerCertificateValidationCallback != null)
-            {
-                messageHandler.ServerCertificateCustomValidationCallback = VssClientHttpRequestSettings.Default.ServerCertificateValidationCallback;
-            }
-
-            return new VssHttpRetryMessageHandler(retryOptions, messageHandler);
+            return new VssHttpRetryMessageHandler(retryOptions);
         }
 
         private static HttpContent CreateRequestContent(params IVssOAuthTokenParameterProvider[] parameterProviders)

src/Sdk/WebApi/WebApi/ResourceLocationIds.cs

@@ -40,4 +40,17 @@ namespace GitHub.Services.Location
 
         public static readonly Guid SpsServiceDefinition = new Guid("{DF5F298A-4E06-4815-A13E-6CE90A37EFA4}");
     }
+}
+
+
+namespace GitHub.Services.Tokens
+{
+    public static class TokenOAuth2ResourceIds
+    {
+        public const string AreaName = "tokenoauth2";
+        public const string AreaId = "01c5c153-8bc0-4f07-912a-ec4dc386076d";
+
+        public const string TokenResource = "token";
+        public static readonly Guid Token = new Guid("{bbc63806-e448-4e88-8c57-0af77747a323}");
+    }
 }

src/Test/L0/Worker/ActionManagerL0.cs

@@ -373,6 +373,45 @@ namespace GitHub.Runner.Common.Tests.Worker
             }
         }
 
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public async void PrepareActions_RepositoryActionWithActionYamlFile_DockerHubImage()
+        {
+            try
+            {
+                //Arrange
+                Setup();
+                var actionId = Guid.NewGuid();
+                var actions = new List<Pipelines.ActionStep>
+                {
+                    new Pipelines.ActionStep()
+                    {
+                        Name = "action",
+                        Id = actionId,
+                        Reference = new Pipelines.RepositoryPathReference()
+                        {
+                            Name = "TingluoHuang/runner_L0",
+                            Ref = "RepositoryActionWithActionYamlFile_DockerHubImage",
+                            RepositoryType = "GitHub"
+                        }
+                    }
+                };
+
+                var actionDir = Path.Combine(_hc.GetDirectory(WellKnownDirectory.Actions), "TingluoHuang", "runner_L0", "RepositoryActionWithActionYamlFile_DockerHubImage");
+
+                //Act
+                var steps = await _actionManager.PrepareActionsAsync(_ec.Object, actions);
+
+                Assert.Equal((steps[0].Data as ContainerSetupInfo).StepIds[0], actionId);
+                Assert.Equal("ubuntu:18.04", (steps[0].Data as ContainerSetupInfo).Container.Image);
+            }
+            finally
+            {
+                Teardown();
+            }
+        }
+
         [Fact]
         [Trait("Level", "L0")]
         [Trait("Category", "Worker")]
@@ -672,7 +711,7 @@ namespace GitHub.Runner.Common.Tests.Worker
 name: 'Hello World'
 description: 'Greet the world and record the time'
 author: 'GitHub'
-inputs:
+inputs: 
   greeting: # id of input
     description: 'The greeting we choose - will print ""{greeting}, World!"" on stdout'
     required: true
@@ -772,7 +811,7 @@ runs:
 name: 'Hello World'
 description: 'Greet the world and record the time'
 author: 'GitHub'
-inputs:
+inputs: 
   greeting: # id of input
     description: 'The greeting we choose - will print ""{greeting}, World!"" on stdout'
     required: true
@@ -871,7 +910,7 @@ runs:
 name: 'Hello World'
 description: 'Greet the world and record the time'
 author: 'GitHub'
-inputs:
+inputs: 
   greeting: # id of input
     description: 'The greeting we choose - will print ""{greeting}, World!"" on stdout'
     required: true
@@ -925,6 +964,87 @@ runs:
             }
         }
 
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void LoadsNodeActionDefinitionYaml()
+        {
+            try
+            {
+                // Arrange.
+                Setup();
+                const string Content = @"
+# Container action
+name: 'Hello World'
+description: 'Greet the world and record the time'
+author: 'GitHub'
+inputs: 
+  greeting: # id of input
+    description: 'The greeting we choose - will print ""{greeting}, World!"" on stdout'
+    required: true
+    default: 'Hello'
+  entryPoint: # id of input
+    description: 'optional docker entrypoint overwrite.'
+    required: false
+outputs:
+  time: # id of output
+    description: 'The time we did the greeting'
+icon: 'hello.svg' # vector art to display in the GitHub Marketplace
+color: 'green' # optional, decorates the entry in the GitHub Marketplace
+runs:
+  using: 'node12'
+  main: 'task.js'
+";
+                Pipelines.ActionStep instance;
+                string directory;
+                directory = Path.Combine(_workFolder, Constants.Path.ActionsDirectory, "GitHub/actions".Replace(Path.AltDirectorySeparatorChar, Path.DirectorySeparatorChar), "master");
+                string file = Path.Combine(directory, Constants.Path.ActionManifestYamlFile);
+                Directory.CreateDirectory(Path.GetDirectoryName(file));
+                File.WriteAllText(file, Content);
+                instance = new Pipelines.ActionStep()
+                {
+                    Id = Guid.NewGuid(),
+                    Reference = new Pipelines.RepositoryPathReference()
+                    {
+                        Name = "GitHub/actions",
+                        Ref = "master",
+                        RepositoryType = Pipelines.RepositoryTypes.GitHub
+                    }
+                };
+
+                // Act.
+                Definition definition = _actionManager.LoadAction(_ec.Object, instance);
+
+                // Assert.
+                Assert.NotNull(definition);
+                Assert.Equal(directory, definition.Directory);
+                Assert.NotNull(definition.Data);
+                Assert.NotNull(definition.Data.Inputs); // inputs
+                Dictionary<string, string> inputDefaults = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
+                foreach (var input in definition.Data.Inputs)
+                {
+                    var name = input.Key.AssertString("key").Value;
+                    var value = input.Value.AssertScalar("value").ToString();
+
+                    _hc.GetTrace().Info($"Default: {name} = {value}");
+                    inputDefaults[name] = value;
+                }
+
+                Assert.Equal(2, inputDefaults.Count);
+                Assert.True(inputDefaults.ContainsKey("greeting"));
+                Assert.Equal("Hello", inputDefaults["greeting"]);
+                Assert.True(string.IsNullOrEmpty(inputDefaults["entryPoint"]));
+                Assert.NotNull(definition.Data.Execution); // execution
+
+                Assert.NotNull((definition.Data.Execution as NodeJSActionExecutionData));
+                Assert.Equal("task.js", (definition.Data.Execution as NodeJSActionExecutionData).Script);
+            }
+            finally
+            {
+                Teardown();
+            }
+        }
+
         [Fact]
         [Trait("Level", "L0")]
         [Trait("Category", "Worker")]
@@ -940,7 +1060,7 @@ runs:
 name: 'Hello World'
 description: 'Greet the world and record the time'
 author: 'GitHub'
-inputs:
+inputs: 
   greeting: # id of input
     description: 'The greeting we choose - will print ""{greeting}, World!"" on stdout'
     required: true
@@ -1039,7 +1159,7 @@ runs:
 name: 'Hello World'
 description: 'Greet the world and record the time'
 author: 'GitHub'
-inputs:
+inputs: 
   greeting: # id of input
     description: 'The greeting we choose - will print ""{greeting}, World!"" on stdout'
     required: true
@@ -1137,7 +1257,7 @@ runs:
 name: 'Hello World'
 description: 'Greet the world and record the time'
 author: 'GitHub'
-inputs:
+inputs: 
   greeting: # id of input
     description: 'The greeting we choose - will print ""{greeting}, World!"" on stdout'
     required: true
@@ -1205,7 +1325,7 @@ runs:
 name: 'Hello World'
 description: 'Greet the world and record the time'
 author: 'GitHub'
-inputs:
+inputs: 
   greeting: # id of input
     description: 'The greeting we choose - will print ""{greeting}, World!"" on stdout'
     required: true
@@ -1276,7 +1396,7 @@ runs:
 name: 'Hello World'
 description: 'Greet the world and record the time'
 author: 'GitHub'
-inputs:
+inputs: 
   greeting: # id of input
     description: 'The greeting we choose - will print ""{greeting}, World!"" on stdout'
     required: true
@@ -1376,7 +1496,7 @@ runs:
 name: 'Hello World'
 description: 'Greet the world and record the time'
 author: 'Test Corporation'
-inputs:
+inputs: 
   greeting: # id of input
     description: 'The greeting we choose - will print ""{greeting}, World!"" on stdout'
     required: true
@@ -1433,7 +1553,7 @@ runs:
         private void CreateAction(string yamlContent, out Pipelines.ActionStep instance, out string directory)
         {
             directory = Path.Combine(_workFolder, Constants.Path.ActionsDirectory, "GitHub/actions".Replace(Path.AltDirectorySeparatorChar, Path.DirectorySeparatorChar), "master");
-            string file = Path.Combine(directory, Constants.Path.ActionManifestFile);
+            string file = Path.Combine(directory, Constants.Path.ActionManifestYmlFile);
             Directory.CreateDirectory(Path.GetDirectoryName(file));
             File.WriteAllText(file, yamlContent);
             instance = new Pipelines.ActionStep()
@@ -1451,7 +1571,7 @@ runs:
         private void CreateSelfRepoAction(string yamlContent, out Pipelines.ActionStep instance, out string directory)
         {
             directory = Path.Combine(_workFolder, "actions", "actions");
-            string file = Path.Combine(directory, Constants.Path.ActionManifestFile);
+            string file = Path.Combine(directory, Constants.Path.ActionManifestYmlFile);
             Directory.CreateDirectory(Path.GetDirectoryName(file));
             File.WriteAllText(file, yamlContent);
             instance = new Pipelines.ActionStep()

src/Test/L0/Worker/ActionManifestManagerL0.cs

@@ -109,6 +109,52 @@ namespace GitHub.Runner.Common.Tests.Worker
             }
         }
 
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void Load_ContainerAction_Dockerfile_Post_DefaultCondition()
+        {
+            try
+            {
+                //Arrange
+                Setup();
+
+                var actionManifest = new ActionManifestManager();
+                actionManifest.Initialize(_hc);
+
+                //Act
+                var result = actionManifest.Load(_ec.Object, Path.Combine(TestUtil.GetTestDataPath(), "dockerfileaction_cleanup_default.yml"));
+
+                //Assert
+
+                Assert.Equal("Hello World", result.Name);
+                Assert.Equal("Greet the world and record the time", result.Description);
+                Assert.Equal(2, result.Inputs.Count);
+                Assert.Equal("greeting", result.Inputs[0].Key.AssertString("key").Value);
+                Assert.Equal("Hello", result.Inputs[0].Value.AssertString("value").Value);
+                Assert.Equal("entryPoint", result.Inputs[1].Key.AssertString("key").Value);
+                Assert.Equal("", result.Inputs[1].Value.AssertString("value").Value);
+
+                Assert.Equal(ActionExecutionType.Container, result.Execution.ExecutionType);
+
+                var containerAction = result.Execution as ContainerActionExecutionData;
+
+                Assert.Equal("Dockerfile", containerAction.Image);
+                Assert.Equal("main.sh", containerAction.EntryPoint);
+                Assert.Equal("cleanup.sh", containerAction.Cleanup);
+                Assert.Equal("always()", containerAction.CleanupCondition);
+                Assert.Equal("bzz", containerAction.Arguments[0].ToString());
+                Assert.Equal("Token", containerAction.Environment[0].Key.ToString());
+                Assert.Equal("foo", containerAction.Environment[0].Value.ToString());
+                Assert.Equal("Url", containerAction.Environment[1].Key.ToString());
+                Assert.Equal("bar", containerAction.Environment[1].Value.ToString());
+            }
+            finally
+            {
+                Teardown();
+            }
+        }
+
         [Fact]
         [Trait("Level", "L0")]
         [Trait("Category", "Worker")]
@@ -319,6 +365,50 @@ namespace GitHub.Runner.Common.Tests.Worker
             }
         }
 
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void Load_NodeAction_Cleanup_DefaultCondition()
+        {
+            try
+            {
+                //Arrange
+                Setup();
+
+                var actionManifest = new ActionManifestManager();
+                actionManifest.Initialize(_hc);
+
+                //Act
+                var result = actionManifest.Load(_ec.Object, Path.Combine(TestUtil.GetTestDataPath(), "nodeaction_cleanup_default.yml"));
+
+                //Assert
+                Assert.Equal("Hello World", result.Name);
+                Assert.Equal("Greet the world and record the time", result.Description);
+                Assert.Equal(2, result.Inputs.Count);
+                Assert.Equal("greeting", result.Inputs[0].Key.AssertString("key").Value);
+                Assert.Equal("Hello", result.Inputs[0].Value.AssertString("value").Value);
+                Assert.Equal("entryPoint", result.Inputs[1].Key.AssertString("key").Value);
+                Assert.Equal("", result.Inputs[1].Value.AssertString("value").Value);
+                Assert.Equal(1, result.Deprecated.Count);
+
+                Assert.True(result.Deprecated.ContainsKey("greeting"));
+                result.Deprecated.TryGetValue("greeting", out string value);
+                Assert.Equal("This property has been deprecated", value);
+
+                Assert.Equal(ActionExecutionType.NodeJS, result.Execution.ExecutionType);
+
+                var nodeAction = result.Execution as NodeJSActionExecutionData;
+
+                Assert.Equal("main.js", nodeAction.Script);
+                Assert.Equal("cleanup.js", nodeAction.Cleanup);
+                Assert.Equal("always()", nodeAction.CleanupCondition);
+            }
+            finally
+            {
+                Teardown();
+            }
+        }
+
         [Fact]
         [Trait("Level", "L0")]
         [Trait("Category", "Worker")]

src/Test/TestData/dockerfileaction_cleanup_default.yml

@@ -0,0 +1,26 @@
+name: 'Hello World'
+description: 'Greet the world and record the time'
+author: 'Test Corporation'
+inputs: 
+  greeting: # id of input
+    description: 'The greeting we choose - will print ""{greeting}, World!"" on stdout'
+    required: true
+    default: 'Hello'
+  entryPoint: # id of input
+    description: 'optional docker entrypoint overwrite.'
+    required: false
+outputs:
+  time: # id of output
+    description: 'The time we did the greeting'
+icon: 'hello.svg' # vector art to display in the GitHub Marketplace
+color: 'green' # optional, decorates the entry in the GitHub Marketplace
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  args:
+  - 'bzz'
+  entrypoint: 'main.sh'
+  env:
+    Token: foo
+    Url: bar
+  post-entrypoint: 'cleanup.sh'

src/Test/TestData/nodeaction_cleanup_default.yml

@@ -0,0 +1,21 @@
+name: 'Hello World'
+description: 'Greet the world and record the time'
+author: 'Test Corporation'
+inputs: 
+  greeting: # id of input
+    description: 'The greeting we choose - will print ""{greeting}, World!"" on stdout'
+    required: true
+    default: 'Hello'
+    deprecationMessage: 'This property has been deprecated'
+  entryPoint: # id of input
+    description: 'optional docker entrypoint overwrite.'
+    required: false
+outputs:
+  time: # id of output
+    description: 'The time we did the greeting'
+icon: 'hello.svg' # vector art to display in the GitHub Marketplace
+color: 'green' # optional, decorates the entry in the GitHub Marketplace
+runs:
+  using: 'node12'
+  main: 'main.js'
+  post: 'cleanup.js'