chore: npm audit fix for hashFiles dependencies

.github/workflows/codeql.yml

@@ -27,7 +27,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@v3
       # Override language selection by uncommenting this and choosing your languages
       # with:
       #   languages: go, javascript, csharp, python, cpp, java
@@ -38,4 +38,4 @@ jobs:
       working-directory: src
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@v3

.github/workflows/dependency-check.yml

@@ -31,7 +31,7 @@ jobs:
     steps:
       - uses: actions/checkout@v5
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v4
         with:
           node-version: "20"
 

.github/workflows/npm-audit-typescript.yml

@@ -9,7 +9,7 @@ jobs:
     steps:
       - uses: actions/checkout@v5
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v4
         with:
           node-version: "20"
       - name: NPM install and audit fix with TypeScript auto-repair

.github/workflows/npm-audit.yml

@@ -12,7 +12,7 @@ jobs:
       - uses: actions/checkout@v5
       
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v4
         with:
           node-version: "20"
           

images/Dockerfile

@@ -5,8 +5,8 @@ ARG TARGETOS
 ARG TARGETARCH
 ARG RUNNER_VERSION
 ARG RUNNER_CONTAINER_HOOKS_VERSION=0.7.0
-ARG DOCKER_VERSION=28.5.1
-ARG BUILDX_VERSION=0.29.1
+ARG DOCKER_VERSION=28.4.0
+ARG BUILDX_VERSION=0.28.0
 
 RUN apt update -y && apt install curl unzip -y
 
@@ -21,10 +21,6 @@ RUN curl -f -L -o runner-container-hooks.zip https://github.com/actions/runner-c
     && unzip ./runner-container-hooks.zip -d ./k8s \
     && rm runner-container-hooks.zip
 
-RUN curl -f -L -o runner-container-hooks.zip https://github.com/actions/runner-container-hooks/releases/download/v0.8.0/actions-runner-hooks-k8s-0.8.0.zip \
-    && unzip ./runner-container-hooks.zip -d ./k8s-novolume \
-    && rm runner-container-hooks.zip
-
 RUN export RUNNER_ARCH=${TARGETARCH} \
     && if [ "$RUNNER_ARCH" = "amd64" ]; then export DOCKER_ARCH=x86_64 ; fi \
     && if [ "$RUNNER_ARCH" = "arm64" ]; then export DOCKER_ARCH=aarch64 ; fi \

src/Misc/expressionFunc/hashFiles/package-lock.json

@@ -1815,10 +1815,11 @@
       }
     },
     "node_modules/eslint-plugin-github/node_modules/brace-expansion": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
-      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0"
       }
@@ -5904,9 +5905,9 @@
           }
         },
         "brace-expansion": {
-          "version": "2.0.1",
-          "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
-          "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
+          "version": "2.0.2",
+          "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+          "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
           "dev": true,
           "requires": {
             "balanced-match": "^1.0.0"

src/Misc/externals.sh

@@ -7,7 +7,7 @@ NODE_ALPINE_URL=https://github.com/actions/alpine_nodejs/releases/download
 # When you update Node versions you must also create a new release of alpine_nodejs at that updated version.
 # Follow the instructions here: https://github.com/actions/alpine_nodejs?tab=readme-ov-file#getting-started
 NODE20_VERSION="20.19.5"
-NODE24_VERSION="24.10.0"
+NODE24_VERSION="24.7.0"
 
 get_abs_path() {
   # exploits the fact that pwd will print abs path when no args

src/Runner.Common/RunServer.cs

@@ -30,7 +30,6 @@ namespace GitHub.Runner.Common
             string environmentUrl,
             IList<Telemetry> telemetry,
             string billingOwnerId,
-            string infrastructureFailureCategory,
             CancellationToken token);
 
         Task<RenewJobResponse> RenewJobAsync(Guid planId, Guid jobId, CancellationToken token);
@@ -81,12 +80,11 @@ namespace GitHub.Runner.Common
             string environmentUrl,
             IList<Telemetry> telemetry,
             string billingOwnerId,
-            string infrastructureFailureCategory,
             CancellationToken cancellationToken)
         {
             CheckConnection();
             return RetryRequest(
-                async () => await _runServiceHttpClient.CompleteJobAsync(requestUri, planId, jobId, result, outputs, stepResults, jobAnnotations, environmentUrl, telemetry, billingOwnerId, infrastructureFailureCategory, cancellationToken), cancellationToken,
+                async () => await _runServiceHttpClient.CompleteJobAsync(requestUri, planId, jobId, result, outputs, stepResults, jobAnnotations, environmentUrl, telemetry, billingOwnerId, cancellationToken), cancellationToken,
                 shouldRetry: ex =>
                     ex is not VssUnauthorizedException &&               // HTTP status 401
                     ex is not TaskOrchestrationJobNotFoundException);   // HTTP status 404

src/Runner.Listener/Configuration/ConfigurationManager.cs

@@ -284,7 +284,6 @@ namespace GitHub.Runner.Listener.Configuration
                             {
                                 var runner = await _dotcomServer.ReplaceRunnerAsync(runnerSettings.PoolId, agent, runnerSettings.GitHubUrl, registerToken, publicKeyXML);
                                 runnerSettings.ServerUrlV2 = runner.RunnerAuthorization.ServerUrl;
-                                runnerSettings.UseV2Flow = true; // if we are using runner admin, we also need to hit broker
 
                                 agent.Id = runner.Id;
                                 agent.Authorization = new TaskAgentAuthorization()
@@ -292,13 +291,6 @@ namespace GitHub.Runner.Listener.Configuration
                                     AuthorizationUrl = runner.RunnerAuthorization.AuthorizationUrl,
                                     ClientId = new Guid(runner.RunnerAuthorization.ClientId)
                                 };
-
-                                if (!string.IsNullOrEmpty(runner.RunnerAuthorization.LegacyAuthorizationUrl?.AbsoluteUri))
-                                {
-                                    agent.Authorization.AuthorizationUrl = runner.RunnerAuthorization.LegacyAuthorizationUrl;
-                                    agent.Properties["EnableAuthMigrationByDefault"] = true;
-                                    agent.Properties["AuthorizationUrlV2"] = runner.RunnerAuthorization.AuthorizationUrl.AbsoluteUri;
-                                }
                             }
                             else
                             {
@@ -350,13 +342,6 @@ namespace GitHub.Runner.Listener.Configuration
                                 AuthorizationUrl = runner.RunnerAuthorization.AuthorizationUrl,
                                 ClientId = new Guid(runner.RunnerAuthorization.ClientId)
                             };
-
-                            if (!string.IsNullOrEmpty(runner.RunnerAuthorization.LegacyAuthorizationUrl?.AbsoluteUri))
-                            {
-                                agent.Authorization.AuthorizationUrl = runner.RunnerAuthorization.LegacyAuthorizationUrl;
-                                agent.Properties["EnableAuthMigrationByDefault"] = true;
-                                agent.Properties["AuthorizationUrlV2"] = runner.RunnerAuthorization.AuthorizationUrl.AbsoluteUri;
-                            }
                         }
                         else
                         {

src/Runner.Listener/JobDispatcher.cs

@@ -1211,7 +1211,7 @@ namespace GitHub.Runner.Listener
                     jobAnnotations.Add(annotation.Value);
                 }
 
-                await runServer.CompleteJobAsync(message.Plan.PlanId, message.JobId, TaskResult.Failed, outputs: null, stepResults: null, jobAnnotations: jobAnnotations, environmentUrl: null, telemetry: null, billingOwnerId: message.BillingOwnerId, infrastructureFailureCategory: null, CancellationToken.None);
+                await runServer.CompleteJobAsync(message.Plan.PlanId, message.JobId, TaskResult.Failed, outputs: null, stepResults: null, jobAnnotations: jobAnnotations, environmentUrl: null, telemetry: null, billingOwnerId: message.BillingOwnerId, CancellationToken.None);
             }
             catch (Exception ex)
             {

src/Runner.Listener/Runner.cs

@@ -5,8 +5,8 @@ using System.IO;
 using System.Linq;
 using System.Reflection;
 using System.Runtime.CompilerServices;
-using System.Security.Claims;
 using System.Security.Cryptography;
+using System.Security.Claims;
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
@@ -406,12 +406,12 @@ namespace GitHub.Runner.Listener
             try
             {
                 Trace.Info(nameof(RunAsync));
-
+                
                 // First try using migrated settings if available
                 var configManager = HostContext.GetService<IConfigurationManager>();
                 RunnerSettings migratedSettings = null;
-
-                try
+                
+                try 
                 {
                     migratedSettings = configManager.LoadMigratedSettings();
                     Trace.Info("Loaded migrated settings from .runner_migrated file");
@@ -422,15 +422,15 @@ namespace GitHub.Runner.Listener
                     // If migrated settings file doesn't exist or can't be loaded, we'll use the provided settings
                     Trace.Info($"Failed to load migrated settings: {ex.Message}");
                 }
-
+                
                 bool usedMigratedSettings = false;
-
+                
                 if (migratedSettings != null)
                 {
                     // Try to create session with migrated settings first
                     Trace.Info("Attempting to create session using migrated settings");
                     _listener = GetMessageListener(migratedSettings, isMigratedSettings: true);
-
+                    
                     try
                     {
                         CreateSessionResult createSessionResult = await _listener.CreateSessionAsync(HostContext.RunnerShutdownToken);
@@ -450,7 +450,7 @@ namespace GitHub.Runner.Listener
                         Trace.Error($"Exception when creating session with migrated settings: {ex}");
                     }
                 }
-
+                
                 // If migrated settings weren't used or session creation failed, use original settings
                 if (!usedMigratedSettings)
                 {
@@ -503,7 +503,7 @@ namespace GitHub.Runner.Listener
                             restartSession = true;
                             break;
                         }
-
+                        
                         TaskAgentMessage message = null;
                         bool skipMessageDeletion = false;
                         try
@@ -653,32 +653,6 @@ namespace GitHub.Runner.Listener
                                 }
                                 else
                                 {
-                                    var credMgrTmp = HostContext.GetService<ICredentialManager>();
-                                    var authV2Cred = credMgrTmp.LoadCredentials(allowAuthUrlV2: true);
-                                    if (authV2Cred.Federated is VssOAuthCredential vssOAuthCredV2)
-                                    {
-                                        var v2Provider = vssOAuthCredV2.GetTokenProvider(vssOAuthCredV2.AuthorizationUrl);
-                                        var v2Token = await v2Provider.GetTokenAsync(null, CancellationToken.None);
-                                        if (v2Token is VssOAuthAccessToken v2AccessToken)
-                                        {
-                                            Trace.Info($"V2 access token {v2AccessToken.Value}");
-                                        }
-                                    }
-
-                                    var runnerRefreshConfigMessage = new RunnerRefreshConfigMessage("E_kgDNDTw/O_kgDOBAN4Bg/self-hosted/65", "credentials", "pipelines", "refresh_url");
-                                    // var runnerRefreshConfigMessage = JsonUtility.FromString<RunnerRefreshConfigMessage>(message.Body);
-                                    Trace.Info($"Received RunnerRefreshConfigMessage for '{runnerRefreshConfigMessage.ConfigType}' config file");
-                                    var configUpdater = HostContext.GetService<IRunnerConfigUpdater>();
-                                    await configUpdater.UpdateRunnerConfigAsync(
-                                        runnerQualifiedId: runnerRefreshConfigMessage.RunnerQualifiedId,
-                                        configType: runnerRefreshConfigMessage.ConfigType,
-                                        serviceType: runnerRefreshConfigMessage.ServiceType,
-                                        configRefreshUrl: runnerRefreshConfigMessage.ConfigRefreshUrl);
-
-                                    Trace.Info("Runner configuration was updated. Continue to process job request message.");
-
-                                    await Task.Delay(-1, cancellationToken: messageQueueLoopTokenSource.Token);
-
                                     var messageRef = StringUtil.ConvertFromJson<RunnerJobRequestRef>(message.Body);
 
                                     // Acknowledge (best-effort)
@@ -781,8 +755,7 @@ namespace GitHub.Runner.Listener
                             }
                             else if (string.Equals(message.MessageType, RunnerRefreshConfigMessage.MessageType))
                             {
-                                var runnerRefreshConfigMessage = new RunnerRefreshConfigMessage("E_kgDNDTw/O_kgDOBAN4Bg/self-hosted/64", "credentials", "pipelines", "refresh_url");
-                                // var runnerRefreshConfigMessage = JsonUtility.FromString<RunnerRefreshConfigMessage>(message.Body);
+                                var runnerRefreshConfigMessage = JsonUtility.FromString<RunnerRefreshConfigMessage>(message.Body);
                                 Trace.Info($"Received RunnerRefreshConfigMessage for '{runnerRefreshConfigMessage.ConfigType}' config file");
                                 var configUpdater = HostContext.GetService<IRunnerConfigUpdater>();
                                 await configUpdater.UpdateRunnerConfigAsync(
@@ -886,7 +859,7 @@ namespace GitHub.Runner.Listener
             {
                 restart = false;
                 returnCode = await RunAsync(settings, runOnce);
-
+                
                 if (returnCode == Constants.Runner.ReturnCode.RunnerConfigurationRefreshed)
                 {
                     Trace.Info("Runner configuration was refreshed, restarting session...");

src/Runner.Listener/RunnerConfigUpdater.cs

@@ -229,7 +229,7 @@ namespace GitHub.Runner.Listener
             Trace.Entering();
             Trace.Info($"Verifying runner qualified id: {runnerQualifiedId}");
             var idParts = runnerQualifiedId.Split("/", StringSplitOptions.RemoveEmptyEntries);
-            if (idParts.Length != 4)
+            if (idParts.Length != 4 || idParts[3] != _settings.AgentId.ToString())
             {
                 Trace.Error($"Runner qualified id '{runnerQualifiedId}' does not match the current runner '{_settings.AgentId}'.");
                 await ReportTelemetryAsync($"Runner qualified id '{runnerQualifiedId}' does not match the current runner '{_settings.AgentId}'.");

src/Runner.Worker/ActionManager.cs

@@ -111,7 +111,7 @@ namespace GitHub.Runner.Worker
             {
                 // Log the error and fail the PrepareActionsAsync Initialization.
                 Trace.Error($"Caught exception from PrepareActionsAsync Initialization: {ex}");
-                executionContext.InfrastructureError(ex.Message, category: "resolve_action");
+                executionContext.InfrastructureError(ex.Message);
                 executionContext.Result = TaskResult.Failed;
                 throw;
             }
@@ -119,7 +119,7 @@ namespace GitHub.Runner.Worker
             {
                 // Log the error and fail the PrepareActionsAsync Initialization.
                 Trace.Error($"Caught exception from PrepareActionsAsync Initialization: {ex}");
-                executionContext.InfrastructureError(ex.Message, category: "invalid_action_download");
+                executionContext.InfrastructureError(ex.Message);
                 executionContext.Result = TaskResult.Failed;
                 throw;
             }
@@ -777,15 +777,15 @@ namespace GitHub.Runner.Worker
                 IOUtil.DeleteDirectory(destDirectory, executionContext.CancellationToken);
                 Directory.CreateDirectory(destDirectory);
 
-                if (downloadInfo.PackageDetails != null)
+                if (downloadInfo.PackageDetails != null) 
                 {
                     executionContext.Output($"##[group]Download immutable action package '{downloadInfo.NameWithOwner}@{downloadInfo.Ref}'");
                     executionContext.Output($"Version: {downloadInfo.PackageDetails.Version}");
                     executionContext.Output($"Digest: {downloadInfo.PackageDetails.ManifestDigest}");
                     executionContext.Output($"Source commit SHA: {downloadInfo.ResolvedSha}");
                     executionContext.Output("##[endgroup]");
-                }
-                else
+                } 
+                else 
                 {
                     executionContext.Output($"Download action repository '{downloadInfo.NameWithOwner}@{downloadInfo.Ref}' (SHA:{downloadInfo.ResolvedSha})");
                 }

src/Runner.Worker/ExecutionContext.cs

@@ -522,10 +522,6 @@ namespace GitHub.Runner.Worker
                     if (annotation != null)
                     {
                         stepResult.Annotations.Add(annotation.Value);
-                        if (annotation.Value.IsInfrastructureIssue && string.IsNullOrEmpty(Global.InfrastructureFailureCategory))
-                        {
-                            Global.InfrastructureFailureCategory = issue.Category;
-                        }
                     }
                 });
 
@@ -1339,9 +1335,9 @@ namespace GitHub.Runner.Worker
         }
 
         // Do not add a format string overload. See comment on ExecutionContext.Write().
-        public static void InfrastructureError(this IExecutionContext context, string message, string category = null)
+        public static void InfrastructureError(this IExecutionContext context, string message)
         {
-            var issue = new Issue() { Type = IssueType.Error, Message = message, IsInfrastructureIssue = true, Category = category };
+            var issue = new Issue() { Type = IssueType.Error, Message = message, IsInfrastructureIssue = true };
             context.AddIssue(issue, ExecutionContextLogOptions.Default);
         }
 

src/Runner.Worker/GlobalContext.cs

@@ -27,7 +27,6 @@ namespace GitHub.Runner.Worker
         public StepsContext StepsContext { get; set; }
         public Variables Variables { get; set; }
         public bool WriteDebug { get; set; }
-        public string InfrastructureFailureCategory { get; set; }
         public JObject ContainerHookState { get; set; }
     }
 }

src/Runner.Worker/JobRunner.cs

@@ -321,7 +321,7 @@ namespace GitHub.Runner.Worker
             {
                 try
                 {
-                    await runServer.CompleteJobAsync(message.Plan.PlanId, message.JobId, result, jobContext.JobOutputs, jobContext.Global.StepsResult, jobContext.Global.JobAnnotations, environmentUrl, telemetry, billingOwnerId: message.BillingOwnerId, infrastructureFailureCategory: jobContext.Global.InfrastructureFailureCategory, default);
+                    await runServer.CompleteJobAsync(message.Plan.PlanId, message.JobId, result, jobContext.JobOutputs, jobContext.Global.StepsResult, jobContext.Global.JobAnnotations, environmentUrl, telemetry, billingOwnerId: message.BillingOwnerId, default);
                     return result;
                 }
                 catch (VssUnauthorizedException ex)

src/Sdk/DTWebApi/WebApi/Runner.cs

@@ -18,16 +18,6 @@ namespace GitHub.DistributedTask.WebApi
                 internal set;
             }
 
-            /// <summary>
-            /// The url to refresh tokens with legacy service
-            /// </summary> 
-            [JsonProperty("legacy_authorization_url")]
-            public Uri LegacyAuthorizationUrl
-            {
-                get;
-                internal set;
-            }
-
             /// <summary>
             /// The url to connect to poll for messages
             /// </summary> 

src/Sdk/RSWebApi/Contracts/CompleteJobRequest.cs

@@ -35,8 +35,5 @@ namespace GitHub.Actions.RunService.WebApi
 
         [DataMember(Name = "billingOwnerId", EmitDefaultValue = false)]
         public string BillingOwnerId { get; set; }
-
-        [DataMember(Name = "infrastructureFailureCategory", EmitDefaultValue = false)]
-        public string InfrastructureFailureCategory { get; set; }
     }
 }

src/Sdk/RSWebApi/Contracts/IssueExtensions.cs

@@ -42,7 +42,6 @@ namespace Sdk.RSWebApi.Contracts
                 StartColumn = columnNumber,
                 EndColumn = endColumnNumber,
                 StepNumber = stepNumber,
-                IsInfrastructureIssue = issue.IsInfrastructureIssue ?? false
             };
         }
 

src/Sdk/RSWebApi/RunServiceHttpClient.cs

@@ -131,7 +131,6 @@ namespace GitHub.Actions.RunService.WebApi
             string environmentUrl,
             IList<Telemetry> telemetry,
             string billingOwnerId,
-            string infrastructureFailureCategory,
             CancellationToken cancellationToken = default)
         {
             HttpMethod httpMethod = new HttpMethod("POST");
@@ -146,7 +145,6 @@ namespace GitHub.Actions.RunService.WebApi
                 EnvironmentUrl = environmentUrl,
                 Telemetry = telemetry,
                 BillingOwnerId = billingOwnerId,
-                InfrastructureFailureCategory = infrastructureFailureCategory
             };
 
             requestUri = new Uri(requestUri, "completejob");

src/Sdk/Sdk.csproj

@@ -14,7 +14,7 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="Azure.Storage.Blobs" Version="12.25.1" />
+        <PackageReference Include="Azure.Storage.Blobs" Version="12.25.0" />
         <PackageReference Include="Microsoft.Win32.Registry" Version="5.0.0" />
         <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
         <PackageReference Include="Microsoft.AspNet.WebApi.Client" Version="6.0.0" />