create 2.267.0 release

* Only raise a single warning for unexpected inputs

* Update invalid input test to raise single warning

docs/contribute.md

@@ -23,7 +23,7 @@ An ADR is an Architectural Decision Record.  This allows consensus on the direct
 
 ### Required Dev Dependencies
 
-![Win](res/win_sm.png) Git for Windows [Install Here](https://git-scm.com/downloads) (needed for dev sh script)
+![Win](res/win_sm.png) ![*nix](res/linux_sm.png)  Git for Windows and Linux [Install Here](https://git-scm.com/downloads) (needed for dev sh script)
 
 ### To Build, Test, Layout 
 
@@ -43,6 +43,7 @@ Sample developer flow:
 
 ```bash
 git clone https://github.com/actions/runner
+cd runner
 cd ./src
 ./dev.(sh/cmd) layout # the runner that built from source is in {root}/_layout
 <make code changes>
@@ -53,7 +54,7 @@ cd ./src
 ### Editors
 
 [Using Visual Studio Code](https://code.visualstudio.com/)
-[Using Visual Studio 2019](https://www.visualstudio.com/vs/)  
+[Using Visual Studio](https://code.visualstudio.com/docs)  
 
 ### Styling
 

releaseNote.md

@@ -1,20 +1,18 @@
 ## Features
-  - Sample scripts to automate scalable runners (#427)
-  - Raise warning when action input does not match action.yml. (#429)
-  - Add secret masker for trimming double quotes. (#440)
-  - Use the API_URL and munge action URLs for GHES (#437 #469)
-  - Help trace worker crash in Kusto. (#450)
-  - update checkout@v1 for GHES (#470)
+  - Resolve action download info from server (#508, #515, #550)
+  - Print runner and machine name to log. (#539)
 ## Bugs
-  - Print node version in debug instead of output. (#433)
-  - Better error when runner removed from service. (#441)
-  - Add help info for '--labels' config option (#472)
-  - Sps/token migration fix, job.status/steps.outcome/steps.conclusion case match with GitHub check suites conclusion. (#462)
-  - Docker build using -f instead of implied default (#471)
+  - Reduce input validation warnings (#506) 
+  - Fix null ref exception in SecretMasker caused by `hashfiles` timeout. (#516)
+  - Add libicu66 to `./installDependencies.sh` for Ubuntu 20.04 (#535)
+  - Fix DataContract with Token service (#532)
+  - Skip search $PATH on command with fully qualified path (#526)
+  - Restore SELinux context on service file when SELinux is enabled (#525)
 ## Misc
-  - Make release notes code blocks copy-paste-able (#430)
-  - Fix spelling of RHEL and CentOS. (#436)
-  - Add CodeQL Analysis workflow (#459)
+  - Remove SPS/Token migration code. Remove GHES url manipulate code. (#513) 
+  - Add sub-step for developer flow for clarity (#523)
+  - Update Links and Language to Git + VSCode (#522)
+  - Update runner configuration exception message (#540)
 
 ## Windows x64
 We recommend configuring the runner in a root folder of the Windows drive (e.g. "C:\actions-runner"). This will help avoid issues related to service identity folder permissions and long file path restrictions on Windows.

releaseVersion

@@ -1 +1 @@
-<Update to ./src/runnerversion when creating release>
+2.267.0

scripts/create-latest-svc.sh

@@ -81,7 +81,7 @@ fi
 
 export RUNNER_TOKEN=$(curl -s -X POST ${base_api_url}/${orgs_or_repos}/${runner_scope}/actions/runners/registration-token -H "accept: application/vnd.github.everest-preview+json" -H "authorization: token ${RUNNER_CFG_PAT}" | jq -r '.token')
 
-if [ -z "$RUNNER_TOKEN" ]; then fatal "Failed to get a token"; fi
+if [ "null" == "$RUNNER_TOKEN" -o -z "$RUNNER_TOKEN" ]; then fatal "Failed to get a token"; fi
 
 #---------------------------------------
 # Download latest released and extract

src/Misc/dotnet-install.ps1

@@ -684,3 +684,196 @@ Prepend-Sdk-InstallRoot-To-Path -InstallRoot $InstallRoot -BinFolderRelativePath
 
 Say "Installation finished"
 exit 0
+
+# SIG # Begin signature block
+# MIIjkQYJKoZIhvcNAQcCoIIjgjCCI34CAQExDzANBglghkgBZQMEAgEFADB5Bgor
+# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
+# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAwp4UsNdAkvwY3
+# VhbuN9D6NGOz+qNqW2+62YubWa4qJaCCDYEwggX/MIID56ADAgECAhMzAAABh3IX
+# chVZQMcJAAAAAAGHMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
+# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
+# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
+# bmcgUENBIDIwMTEwHhcNMjAwMzA0MTgzOTQ3WhcNMjEwMzAzMTgzOTQ3WjB0MQsw
+# CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u
+# ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy
+# b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+# AQDOt8kLc7P3T7MKIhouYHewMFmnq8Ayu7FOhZCQabVwBp2VS4WyB2Qe4TQBT8aB
+# znANDEPjHKNdPT8Xz5cNali6XHefS8i/WXtF0vSsP8NEv6mBHuA2p1fw2wB/F0dH
+# sJ3GfZ5c0sPJjklsiYqPw59xJ54kM91IOgiO2OUzjNAljPibjCWfH7UzQ1TPHc4d
+# weils8GEIrbBRb7IWwiObL12jWT4Yh71NQgvJ9Fn6+UhD9x2uk3dLj84vwt1NuFQ
+# itKJxIV0fVsRNR3abQVOLqpDugbr0SzNL6o8xzOHL5OXiGGwg6ekiXA1/2XXY7yV
+# Fc39tledDtZjSjNbex1zzwSXAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE
+# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUhov4ZyO96axkJdMjpzu2zVXOJcsw
+# UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1
+# ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDU4Mzg1MB8GA1UdIwQYMBaAFEhu
+# ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu
+# bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w
+# Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3
+# Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx
+# MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAixmy
+# S6E6vprWD9KFNIB9G5zyMuIjZAOuUJ1EK/Vlg6Fb3ZHXjjUwATKIcXbFuFC6Wr4K
+# NrU4DY/sBVqmab5AC/je3bpUpjtxpEyqUqtPc30wEg/rO9vmKmqKoLPT37svc2NV
+# BmGNl+85qO4fV/w7Cx7J0Bbqk19KcRNdjt6eKoTnTPHBHlVHQIHZpMxacbFOAkJr
+# qAVkYZdz7ikNXTxV+GRb36tC4ByMNxE2DF7vFdvaiZP0CVZ5ByJ2gAhXMdK9+usx
+# zVk913qKde1OAuWdv+rndqkAIm8fUlRnr4saSCg7cIbUwCCf116wUJ7EuJDg0vHe
+# yhnCeHnBbyH3RZkHEi2ofmfgnFISJZDdMAeVZGVOh20Jp50XBzqokpPzeZ6zc1/g
+# yILNyiVgE+RPkjnUQshd1f1PMgn3tns2Cz7bJiVUaqEO3n9qRFgy5JuLae6UweGf
+# AeOo3dgLZxikKzYs3hDMaEtJq8IP71cX7QXe6lnMmXU/Hdfz2p897Zd+kU+vZvKI
+# 3cwLfuVQgK2RZ2z+Kc3K3dRPz2rXycK5XCuRZmvGab/WbrZiC7wJQapgBodltMI5
+# GMdFrBg9IeF7/rP4EqVQXeKtevTlZXjpuNhhjuR+2DMt/dWufjXpiW91bo3aH6Ea
+# jOALXmoxgltCp1K7hrS6gmsvj94cLRf50QQ4U8Qwggd6MIIFYqADAgECAgphDpDS
+# AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
+# V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
+# IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0
+# ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla
+# MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS
+# ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT
+# H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB
+# AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG
+# OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S
+# 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz
+# y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7
+# 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u
+# M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33
+# X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl
+# XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP
+# 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB
+# l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF
+# RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM
+# CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ
+# BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud
+# DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO
+# 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0
+# LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
+# Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p
+# Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
+# Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB
+# FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw
+# cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA
+# XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY
+# 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj
+# 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd
+# d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ
+# Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf
+# wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ
+# aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j
+# NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B
+# xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96
+# eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7
+# r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I
+# RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIVZjCCFWICAQEwgZUwfjELMAkG
+# A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
+# HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z
+# b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAYdyF3IVWUDHCQAAAAABhzAN
+# BglghkgBZQMEAgEFAKCBrjAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor
+# BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQga11B1DE+
+# y9z0lmEO+MC+bhXPKfWALB7Snkn7G/wCUncwQgYKKwYBBAGCNwIBDDE0MDKgFIAS
+# AE0AaQBjAHIAbwBzAG8AZgB0oRqAGGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbTAN
+# BgkqhkiG9w0BAQEFAASCAQBIgx+sFXkLXf7Xbx7opCD3uhpQGEQ4x/LsqTax0bu1
+# GC/cxiI+dodUz+T4hKj1ZQyUH0Zlce32GutY048O9tkr7fQyuohoFUgChdIATEOY
+# qAIESFbDT07i7khJfO2pewlhgM+A5ClvBa8HAvV0wOd+2IVgv3pgow1LEJm0/5NB
+# E3IFA+hFrqiWALOY0uUep4H20EHMrbqw3YoV3EodIkTj3fC76q4K/bF84EZLUgjY
+# e4rmXac8n7A9qR18QzGl8usEJej4OHU4nlUT1J734m+AWIFmfb/Zr2MyXED0V4q4
+# Vbmw3O7xD9STeNYrn5RjPmGPEN04akHxhNUSqLIc9vxQoYIS8DCCEuwGCisGAQQB
+# gjcDAwExghLcMIIS2AYJKoZIhvcNAQcCoIISyTCCEsUCAQMxDzANBglghkgBZQME
+# AgEFADCCAVQGCyqGSIb3DQEJEAEEoIIBQwSCAT8wggE7AgEBBgorBgEEAYRZCgMB
+# MDEwDQYJYIZIAWUDBAIBBQAEIPPK1A0D1n7ZEdgTjKPY4sWiOMtohMqGpFvG55NY
+# SFHeAgZepuJh/dEYEjIwMjAwNTI5MTYyNzE1LjMxWjAEgAIB9KCB1KSB0TCBzjEL
+# MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v
+# bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEpMCcGA1UECxMgTWlj
+# cm9zb2Z0IE9wZXJhdGlvbnMgUHVlcnRvIFJpY28xJjAkBgNVBAsTHVRoYWxlcyBU
+# U1MgRVNOOjYwQkMtRTM4My0yNjM1MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1T
+# dGFtcCBTZXJ2aWNloIIORDCCBPUwggPdoAMCAQICEzMAAAEm37pLIrmCggcAAAAA
+# ASYwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp
+# bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw
+# b3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAw
+# HhcNMTkxMjE5MDExNDU5WhcNMjEwMzE3MDExNDU5WjCBzjELMAkGA1UEBhMCVVMx
+# EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT
+# FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEpMCcGA1UECxMgTWljcm9zb2Z0IE9wZXJh
+# dGlvbnMgUHVlcnRvIFJpY28xJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjYwQkMt
+# RTM4My0yNjM1MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNl
+# MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnjC+hpxO8w2VdBO18X8L
+# Hk6XdfR9yNQ0y+MuBOY7n5YdgkVunvbk/f6q8UoNFAdYQjVLPSAHbi6tUMiNeMGH
+# k1U0lUxAkja2W2/szj/ghuFklvfHNBbsuiUShlhRlqcFNS7KXL2iwKDijmOhWJPY
+# a2bLEr4W/mQLbSXail5p6m138Ttx4MAVEzzuGI0Kwr8ofIL7z6zCeWDiBM57LrNC
+# qHOA2wboeuMsG4O0Oz2LMAzBLbJZPRPnZAD2HdD4HUL2mzZ8wox74Mekb7RzrUP3
+# hiHpxXZceJvhIEKfAgVkB5kTZQnio8A1JijMjw8f4TmsJPdJWpi8ei73sexe8/Yj
+# cwIDAQABo4IBGzCCARcwHQYDVR0OBBYEFEmrrB8XsH6YQo3RWKZfxqM0DmFBMB8G
+# A1UdIwQYMBaAFNVjOlyKMZDzQ3t8RhvFM2hahW1VMFYGA1UdHwRPME0wS6BJoEeG
+# RWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Rp
+# bVN0YVBDQV8yMDEwLTA3LTAxLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUH
+# MAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljVGltU3Rh
+# UENBXzIwMTAtMDctMDEuY3J0MAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYB
+# BQUHAwgwDQYJKoZIhvcNAQELBQADggEBAECW+51o6W/0J/O/npudfjVzMXq0u0cs
+# HjqXpdRyH6o03jlmY5MXAui3cmPBKufijJxD2pMRPVMUNh3VA0PQuJeYrP06oFdq
+# LpLxd3IJARm98vzaMgCz2nCwBDpe9X2M3Js9K1GAX+w4Az8N7J+Z6P1OD0VxHBdq
+# eTaqDN1lk1vwagTN7t/WitxMXRDz0hRdYiWbATBAVgXXCOfzs3hnEv1n/EDab9HX
+# OLMXKVY/+alqYKdV9lkuRp8Us1Q1WZy9z72Azu9x4mzft3fJ1puTjBHo5tHfixZo
+# ummbI+WwjVCrku7pskJahfNi5amSgrqgR6nWAwvpJELccpVLdSxxmG0wggZxMIIE
+# WaADAgECAgphCYEqAAAAAAACMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJV
+# UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE
+# ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9v
+# dCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAxMDAeFw0xMDA3MDEyMTM2NTVaFw0y
+# NTA3MDEyMTQ2NTVaMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u
+# MRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRp
+# b24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMIIBIjAN
+# BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqR0NvHcRijog7PwTl/X6f2mUa3RU
+# ENWlCgCChfvtfGhLLF/Fw+Vhwna3PmYrW/AVUycEMR9BGxqVHc4JE458YTBZsTBE
+# D/FgiIRUQwzXTbg4CLNC3ZOs1nMwVyaCo0UN0Or1R4HNvyRgMlhgRvJYR4YyhB50
+# YWeRX4FUsc+TTJLBxKZd0WETbijGGvmGgLvfYfxGwScdJGcSchohiq9LZIlQYrFd
+# /XcfPfBXday9ikJNQFHRD5wGPmd/9WbAA5ZEfu/QS/1u5ZrKsajyeioKMfDaTgaR
+# togINeh4HLDpmc085y9Euqf03GS9pAHBIAmTeM38vMDJRF1eFpwBBU8iTQIDAQAB
+# o4IB5jCCAeIwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFNVjOlyKMZDzQ3t8
+# RhvFM2hahW1VMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIB
+# hjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2VsuP6KJcYmjRPZSQW9fO
+# mhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9w
+# a2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNybDBaBggr
+# BgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0LmNv
+# bS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3J0MIGgBgNVHSAB
+# Af8EgZUwgZIwgY8GCSsGAQQBgjcuAzCBgTA9BggrBgEFBQcCARYxaHR0cDovL3d3
+# dy5taWNyb3NvZnQuY29tL1BLSS9kb2NzL0NQUy9kZWZhdWx0Lmh0bTBABggrBgEF
+# BQcCAjA0HjIgHQBMAGUAZwBhAGwAXwBQAG8AbABpAGMAeQBfAFMAdABhAHQAZQBt
+# AGUAbgB0AC4gHTANBgkqhkiG9w0BAQsFAAOCAgEAB+aIUQ3ixuCYP4FxAz2do6Eh
+# b7Prpsz1Mb7PBeKp/vpXbRkws8LFZslq3/Xn8Hi9x6ieJeP5vO1rVFcIK1GCRBL7
+# uVOMzPRgEop2zEBAQZvcXBf/XPleFzWYJFZLdO9CEMivv3/Gf/I3fVo/HPKZeUqR
+# UgCvOA8X9S95gWXZqbVr5MfO9sp6AG9LMEQkIjzP7QOllo9ZKby2/QThcJ8ySif9
+# Va8v/rbljjO7Yl+a21dA6fHOmWaQjP9qYn/dxUoLkSbiOewZSnFjnXshbcOco6I8
+# +n99lmqQeKZt0uGc+R38ONiU9MalCpaGpL2eGq4EQoO4tYCbIjggtSXlZOz39L9+
+# Y1klD3ouOVd2onGqBooPiRa6YacRy5rYDkeagMXQzafQ732D8OE7cQnfXXSYIghh
+# 2rBQHm+98eEA3+cxB6STOvdlR3jo+KhIq/fecn5ha293qYHLpwmsObvsxsvYgrRy
+# zR30uIUBHoD7G4kqVDmyW9rIDVWZeodzOwjmmC3qjeAzLhIp9cAvVCch98isTtoo
+# uLGp25ayp0Kiyc8ZQU3ghvkqmqMRZjDTu3QyS99je/WZii8bxyGvWbWu3EQ8l1Bx
+# 16HSxVXjad5XwdHeMMD9zOZN+w2/XU/pnR4ZOC+8z1gFLu8NoFA12u8JJxzVs341
+# Hgi62jbb01+P3nSISRKhggLSMIICOwIBATCB/KGB1KSB0TCBzjELMAkGA1UEBhMC
+# VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV
+# BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEpMCcGA1UECxMgTWljcm9zb2Z0IE9w
+# ZXJhdGlvbnMgUHVlcnRvIFJpY28xJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjYw
+# QkMtRTM4My0yNjM1MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2
+# aWNloiMKAQEwBwYFKw4DAhoDFQAKZzI5aZnESumrToHx3Lqgxnr//KCBgzCBgKR+
+# MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS
+# ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMT
+# HU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMA0GCSqGSIb3DQEBBQUAAgUA
+# 4nuQTDAiGA8yMDIwMDUyOTE3NDQ0NFoYDzIwMjAwNTMwMTc0NDQ0WjB3MD0GCisG
+# AQQBhFkKBAExLzAtMAoCBQDie5BMAgEAMAoCAQACAiZJAgH/MAcCAQACAhEjMAoC
+# BQDifOHMAgEAMDYGCisGAQQBhFkKBAIxKDAmMAwGCisGAQQBhFkKAwKgCjAIAgEA
+# AgMHoSChCjAIAgEAAgMBhqAwDQYJKoZIhvcNAQEFBQADgYEAprmyJTXdH9FmQZ0I
+# mRSJdjc/RrSqDm8DUEq/h3FL73G/xvg9MbQj1J/h3hdlSIPcQXjrhL8hud/vyF0j
+# IFaTK5YOcixkX++9t7Vz3Mn0KkQo8F4DNSyZEPpz682AyKKwLMJDy52pFFFKNP5l
+# NpOz6YY1Od1xvk4nyN1WwfLnGswxggMNMIIDCQIBATCBkzB8MQswCQYDVQQGEwJV
+# UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE
+# ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGlt
+# ZS1TdGFtcCBQQ0EgMjAxMAITMwAAASbfuksiuYKCBwAAAAABJjANBglghkgBZQME
+# AgEFAKCCAUowGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMC8GCSqGSIb3DQEJ
+# BDEiBCB0IE0Q6P23RQlh8TFyp57UQQUF/sbui7mOMStRgTFZxTCB+gYLKoZIhvcN
+# AQkQAi8xgeowgecwgeQwgb0EIDb9z++evV5wDO9qk5ZnbEZ8CTOuR+kZyu8xbTsJ
+# CXUPMIGYMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
+# EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
+# bjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAEm
+# 37pLIrmCggcAAAAAASYwIgQgtwi02bvsGAOdpAxEF607G6g9PlyS8vc2bAUSHovH
+# /IIwDQYJKoZIhvcNAQELBQAEggEAEMCfsXNudrjztjI6JNyNDVpdF1axRVcGiNy6
+# 67pgb1EePsjA2EaBB+5ZjgO/73JxuiVgsoXgH7em8tKG5RQJtcm5obVDb+jKksK4
+# qcFLA1f7seQRGfE06UAPnSFh2GqMtTNJGCXWwqWLH2LduTjOqPt8Nupo16ABFIT2
+# akTzBSJ81EHBkEU0Et6CgeaZiBYrCCXUtD+ASvLDkPSrjweQGu3Zk1SSROEzxMY9
+# jdlGfMkK2krMd9ub9UZ13RcQDijJqo+h6mz76pAuiFFvuQl6wMoSGFaaUQwfd+WQ
+# gXlVVX/A9JFBihrxnDVglEPlsIOxCHkTeIxLfnAkCbax+9pevA==
+# SIG # End signature block

src/Misc/layoutbin/darwin.svc.sh.template

@@ -1,6 +1,7 @@
 #!/bin/bash
 
 SVC_NAME="{{SvcNameVar}}"
+SVC_NAME=${SVC_NAME// /_}
 SVC_DESCRIPTION="{{SvcDescription}}"
 
 user_id=`id -u`

src/Misc/layoutbin/installdependencies.sh

@@ -70,8 +70,8 @@ then
                 exit 1
             fi
 
-            # libicu version prefer: libicu63 -> libicu60 -> libicu57 -> libicu55 -> libicu52
-            apt install -y libicu63 || apt install -y libicu60 || apt install -y libicu57 || apt install -y libicu55 || apt install -y libicu52
+            # libicu version prefer: libicu66 -> libicu63 -> libicu60 -> libicu57 -> libicu55 -> libicu52
+            apt install -y libicu66 || apt install -y libicu63 || apt install -y libicu60 || apt install -y libicu57 || apt install -y libicu55 || apt install -y libicu52
             if [ $? -ne 0 ]
             then
                 echo "'apt' failed with exit code '$?'"
@@ -99,8 +99,8 @@ then
                     exit 1
                 fi
 
-                # libicu version prefer: libicu63 -> libicu60 -> libicu57 -> libicu55 -> libicu52
-                apt-get install -y libicu63 || apt-get install -y libicu60 || apt install -y libicu57 || apt install -y libicu55 || apt install -y libicu52
+                # libicu version prefer: libicu66 -> libicu63 -> libicu60 -> libicu57 -> libicu55 -> libicu52
+                apt-get install -y libicu66 || apt-get install -y libicu63 || apt-get install -y libicu60 || apt install -y libicu57 || apt install -y libicu55 || apt install -y libicu52
                 if [ $? -ne 0 ]
                 then
                     echo "'apt-get' failed with exit code '$?'"

src/Misc/layoutbin/systemd.svc.sh.template

@@ -1,6 +1,7 @@
 #!/bin/bash
 
 SVC_NAME="{{SvcNameVar}}"
+SVC_NAME=${SVC_NAME// /_}
 SVC_DESCRIPTION="{{SvcDescription}}"
 
 SVC_CMD=$1
@@ -62,12 +63,25 @@ function install()
 
     sed "s/{{User}}/${run_as_user}/g; s/{{Description}}/$(echo ${SVC_DESCRIPTION} | sed -e 's/[\/&]/\\&/g')/g; s/{{RunnerRoot}}/$(echo ${RUNNER_ROOT} | sed -e 's/[\/&]/\\&/g')/g;" "${TEMPLATE_PATH}" > "${TEMP_PATH}" || failed "failed to create replacement temp file"
     mv "${TEMP_PATH}" "${UNIT_PATH}" || failed "failed to copy unit file"
+
+    # Recent Fedora based Linux (CentOS/Redhat) has SELinux enabled by default
+    # We need to restore security context on the unit file we added otherwise SystemD have no access to it.
+    command -v getenforce > /dev/null
+    if [ $? -eq 0 ]
+    then
+        selinuxEnabled=$(getenforce)
+        if [[ $selinuxEnabled == "Enforcing" ]]
+        then
+            # SELinux is enabled, we will need to Restore SELinux Context for the service file
+            restorecon -r -v "${UNIT_PATH}" || failed "failed to restore SELinux context on ${UNIT_PATH}"
+        fi
+    fi
     
     # unit file should not be executable and world writable
-    chmod 664 ${UNIT_PATH} || failed "failed to set permissions on ${UNIT_PATH}"
+    chmod 664 "${UNIT_PATH}" || failed "failed to set permissions on ${UNIT_PATH}"
     systemctl daemon-reload || failed "failed to reload daemons"
     
-	# Since we started with sudo, runsvc.sh will be owned by root. Change this to current login user.    
+    # Since we started with sudo, runsvc.sh will be owned by root. Change this to current login user.    
     cp ./bin/runsvc.sh ./runsvc.sh || failed "failed to copy runsvc.sh"
     chown ${run_as_uid}:${run_as_gid} ./runsvc.sh || failed "failed to set owner for runsvc.sh"
     chmod 755 ./runsvc.sh || failed "failed to set permission for runsvc.sh"

src/Runner.Common/ConfigurationStore.cs

@@ -108,9 +108,9 @@ namespace GitHub.Runner.Common
         CredentialData GetMigratedCredentials();
         RunnerSettings GetSettings();
         void SaveCredential(CredentialData credential);
-        void SaveMigratedCredential(CredentialData credential);
         void SaveSettings(RunnerSettings settings);
         void DeleteCredential();
+        void DeleteMigratedCredential();
         void DeleteSettings();
     }
 
@@ -232,21 +232,6 @@ namespace GitHub.Runner.Common
             File.SetAttributes(_credFilePath, File.GetAttributes(_credFilePath) | FileAttributes.Hidden);
         }
 
-        public void SaveMigratedCredential(CredentialData credential)
-        {
-            Trace.Info("Saving {0} migrated credential @ {1}", credential.Scheme, _migratedCredFilePath);
-            if (File.Exists(_migratedCredFilePath))
-            {
-                // Delete existing credential file first, since the file is hidden and not able to overwrite.
-                Trace.Info("Delete exist runner migrated credential file.");
-                IOUtil.DeleteFile(_migratedCredFilePath);
-            }
-
-            IOUtil.SaveObject(credential, _migratedCredFilePath);
-            Trace.Info("Migrated Credentials Saved.");
-            File.SetAttributes(_migratedCredFilePath, File.GetAttributes(_migratedCredFilePath) | FileAttributes.Hidden);
-        }
-
         public void SaveSettings(RunnerSettings settings)
         {
             Trace.Info("Saving runner settings.");
@@ -268,6 +253,11 @@ namespace GitHub.Runner.Common
             IOUtil.Delete(_migratedCredFilePath, default(CancellationToken));
         }
 
+        public void DeleteMigratedCredential()
+        {
+            IOUtil.Delete(_migratedCredFilePath, default(CancellationToken));
+        }
+
         public void DeleteSettings()
         {
             IOUtil.Delete(_configFilePath, default(CancellationToken));

src/Runner.Common/JobServer.cs

@@ -22,6 +22,7 @@ namespace GitHub.Runner.Common
         Task<List<TimelineRecord>> UpdateTimelineRecordsAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid timelineId, IEnumerable<TimelineRecord> records, CancellationToken cancellationToken);
         Task RaisePlanEventAsync<T>(Guid scopeIdentifier, string hubName, Guid planId, T eventData, CancellationToken cancellationToken) where T : JobEvent;
         Task<Timeline> GetTimelineAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid timelineId, CancellationToken cancellationToken);
+        Task<ActionDownloadInfoCollection> ResolveActionDownloadInfoAsync(Guid scopeIdentifier, string hubName, Guid planId, ActionReferenceList actions, CancellationToken cancellationToken);
     }
 
     public sealed class JobServer : RunnerService, IJobServer
@@ -113,5 +114,14 @@ namespace GitHub.Runner.Common
             CheckConnection();
             return _taskClient.GetTimelineAsync(scopeIdentifier, hubName, planId, timelineId, includeRecords: true, cancellationToken: cancellationToken);
         }
+
+        //-----------------------------------------------------------------
+        // Action download info
+        //-----------------------------------------------------------------
+        public Task<ActionDownloadInfoCollection> ResolveActionDownloadInfoAsync(Guid scopeIdentifier, string hubName, Guid planId, ActionReferenceList actions, CancellationToken cancellationToken)
+        {
+            CheckConnection();
+            return _taskClient.ResolveActionDownloadInfoAsync(scopeIdentifier, hubName, planId, actions, cancellationToken: cancellationToken);
+        }
     }
 }

src/Runner.Common/RunnerServer.cs

@@ -50,10 +50,6 @@ namespace GitHub.Runner.Common
 
         // agent update
         Task<TaskAgent> UpdateAgentUpdateStateAsync(int agentPoolId, int agentId, string currentState);
-
-        // runner authorization url
-        Task<string> GetRunnerAuthUrlAsync(int runnerPoolId, int runnerId);
-        Task ReportRunnerAuthUrlErrorAsync(int runnerPoolId, int runnerId, string error);
     }
 
     public sealed class RunnerServer : RunnerService, IRunnerServer

src/Runner.Common/Terminal.cs

@@ -96,13 +96,14 @@ namespace GitHub.Runner.Common
             Trace.Info($"WRITE: {message}");
             if (!Silent)
             {
-                if(colorCode != null)
+                if (colorCode != null)
                 {
                     Console.ForegroundColor = colorCode.Value;
                     Console.Write(message);
                     Console.ResetColor();
                 }
-                else {
+                else
+                {
                     Console.Write(message);
                 }
             }
@@ -120,13 +121,14 @@ namespace GitHub.Runner.Common
             Trace.Info($"WRITE LINE: {line}");
             if (!Silent)
             {
-                if(colorCode != null)
+                if (colorCode != null)
                 {
                     Console.ForegroundColor = colorCode.Value;
                     Console.WriteLine(line);
                     Console.ResetColor();
                 }
-                else {
+                else
+                {
                     Console.WriteLine(line);
                 }
             }

src/Runner.Listener/Configuration/ConfigurationManager.cs

@@ -92,9 +92,11 @@ namespace GitHub.Runner.Listener.Configuration
             _term.WriteSection("Authentication");
             while (true)
             {
-                // Get the URL
+                // When testing against a dev deployment of Actions Service, set this environment variable
+                var useDevActionsServiceUrl = Environment.GetEnvironmentVariable("USE_DEV_ACTIONS_SERVICE_URL");
                 var inputUrl = command.GetUrl();
-                if (inputUrl.Contains("codedev.ms", StringComparison.OrdinalIgnoreCase))
+                if (inputUrl.Contains("codedev.ms", StringComparison.OrdinalIgnoreCase)
+                    || useDevActionsServiceUrl != null)
                 {
                     runnerSettings.ServerUrl = inputUrl;
                     // Get the credentials
@@ -117,6 +119,19 @@ namespace GitHub.Runner.Listener.Configuration
                     // Determine the service deployment type based on connection data. (Hosted/OnPremises)
                     runnerSettings.IsHostedServer = runnerSettings.GitHubUrl == null || IsHostedServer(new UriBuilder(runnerSettings.GitHubUrl));
 
+                    // Warn if the Actions server url and GHES server url has different Host
+                    if (!runnerSettings.IsHostedServer)
+                    {
+                        // Example actionsServerUrl is https://my-ghes/_services/pipelines/[...]
+                        // Example githubServerUrl is https://my-ghes
+                        var actionsServerUrl = new Uri(runnerSettings.ServerUrl);
+                        var githubServerUrl = new Uri(runnerSettings.GitHubUrl);
+                        if (!string.Equals(actionsServerUrl.Authority, githubServerUrl.Authority, StringComparison.OrdinalIgnoreCase))
+                        {
+                            throw new InvalidOperationException($"GitHub Actions is not properly configured in GHES. GHES url: {runnerSettings.GitHubUrl}, Actions url: {runnerSettings.ServerUrl}.");
+                        }
+                    }
+
                     // Validate can connect.
                     await _runnerServer.ConnectAsync(new Uri(runnerSettings.ServerUrl), creds);
 
@@ -195,7 +210,7 @@ namespace GitHub.Runner.Listener.Configuration
                     else if (command.Unattended)
                     {
                         // if not replace and it is unattended config.
-                        throw new TaskAgentExistsException($"Pool {runnerSettings.PoolId} already contains a runner with name {runnerSettings.AgentName}.");
+                        throw new TaskAgentExistsException($"A runner exists with the same name {runnerSettings.AgentName}.");
                     }
                 }
                 else
@@ -219,36 +234,11 @@ namespace GitHub.Runner.Listener.Configuration
             // Add Agent Id to settings
             runnerSettings.AgentId = agent.Id;
 
-            // respect the serverUrl resolve by server.
-            // in case of agent configured using collection url instead of account url.
-            string agentServerUrl;
-            if (agent.Properties.TryGetValidatedValue<string>("ServerUrl", out agentServerUrl) &&
-                !string.IsNullOrEmpty(agentServerUrl))
-            {
-                Trace.Info($"Agent server url resolve by server: '{agentServerUrl}'.");
-
-                // we need make sure the Schema/Host/Port component of the url remain the same.
-                UriBuilder inputServerUrl = new UriBuilder(runnerSettings.ServerUrl);
-                UriBuilder serverReturnedServerUrl = new UriBuilder(agentServerUrl);
-                if (Uri.Compare(inputServerUrl.Uri, serverReturnedServerUrl.Uri, UriComponents.SchemeAndServer, UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) != 0)
-                {
-                    inputServerUrl.Path = serverReturnedServerUrl.Path;
-                    Trace.Info($"Replace server returned url's scheme://host:port component with user input server url's scheme://host:port: '{inputServerUrl.Uri.AbsoluteUri}'.");
-                    runnerSettings.ServerUrl = inputServerUrl.Uri.AbsoluteUri;
-                }
-                else
-                {
-                    runnerSettings.ServerUrl = agentServerUrl;
-                }
-            }
-
             // See if the server supports our OAuth key exchange for credentials
             if (agent.Authorization != null &&
                 agent.Authorization.ClientId != Guid.Empty &&
                 agent.Authorization.AuthorizationUrl != null)
             {
-                UriBuilder configServerUrl = new UriBuilder(runnerSettings.ServerUrl);
-                UriBuilder oauthEndpointUrlBuilder = new UriBuilder(agent.Authorization.AuthorizationUrl);
                 var credentialData = new CredentialData
                 {
                     Scheme = Constants.Configuration.OAuth,
@@ -256,7 +246,6 @@ namespace GitHub.Runner.Listener.Configuration
                     {
                         { "clientId", agent.Authorization.ClientId.ToString("D") },
                         { "authorizationUrl", agent.Authorization.AuthorizationUrl.AbsoluteUri },
-                        { "oauthEndpointUrl", oauthEndpointUrlBuilder.Uri.AbsoluteUri },
                     },
                 };
 
@@ -462,7 +451,7 @@ namespace GitHub.Runner.Listener.Configuration
             // update should replace the existing labels
             agent.Version = BuildConstants.RunnerPackage.Version;
             agent.OSDescription = RuntimeInformation.OSDescription;
-            
+
             agent.Labels.Clear();
 
             agent.Labels.Add(new AgentLabel("self-hosted", LabelType.System));
@@ -473,7 +462,7 @@ namespace GitHub.Runner.Listener.Configuration
             {
                 agent.Labels.Add(new AgentLabel(userLabel, LabelType.User));
             }
-            
+
             return agent;
         }
 

src/Runner.Listener/Configuration/CredentialManager.cs

@@ -13,7 +13,7 @@ namespace GitHub.Runner.Listener.Configuration
     public interface ICredentialManager : IRunnerService
     {
         ICredentialProvider GetCredentialProvider(string credType);
-        VssCredentials LoadCredentials(bool preferMigrated = true);
+        VssCredentials LoadCredentials();
     }
 
     public class CredentialManager : RunnerService, ICredentialManager
@@ -40,7 +40,7 @@ namespace GitHub.Runner.Listener.Configuration
             return creds;
         }
 
-        public VssCredentials LoadCredentials(bool preferMigrated = true)
+        public VssCredentials LoadCredentials()
         {
             IConfigurationStore store = HostContext.GetService<IConfigurationStore>();
 
@@ -50,14 +50,16 @@ namespace GitHub.Runner.Listener.Configuration
             }
 
             CredentialData credData = store.GetCredentials();
-
-            if (preferMigrated)
+            var migratedCred = store.GetMigratedCredentials();
+            if (migratedCred != null)
             {
-                var migratedCred = store.GetMigratedCredentials();
-                if (migratedCred != null)
-                {
-                    credData = migratedCred;
-                }
+                credData = migratedCred;
+
+                // Re-write .credentials with Token URL
+                store.SaveCredential(credData);
+
+                // Delete .credentials_migrated
+                store.DeleteMigratedCredential();
             }
 
             ICredentialProvider credProv = GetCredentialProvider(credData.Scheme);

src/Runner.Listener/MessageListener.cs

@@ -13,10 +13,7 @@ using System.Diagnostics;
 using System.Runtime.InteropServices;
 using GitHub.Runner.Common;
 using GitHub.Runner.Sdk;
-using GitHub.Services.WebApi;
-using System.Runtime.CompilerServices;
 
-[assembly: InternalsVisibleTo("Test")]
 namespace GitHub.Runner.Listener
 {
     [ServiceLocator(Default = typeof(MessageListener))]
@@ -35,30 +32,18 @@ namespace GitHub.Runner.Listener
         private ITerminal _term;
         private IRunnerServer _runnerServer;
         private TaskAgentSession _session;
-        private ICredentialManager _credMgr;
-        private IConfigurationStore _configStore;
         private TimeSpan _getNextMessageRetryInterval;
         private readonly TimeSpan _sessionCreationRetryInterval = TimeSpan.FromSeconds(30);
         private readonly TimeSpan _sessionConflictRetryLimit = TimeSpan.FromMinutes(4);
         private readonly TimeSpan _clockSkewRetryLimit = TimeSpan.FromMinutes(30);
         private readonly Dictionary<string, int> _sessionCreationExceptionTracker = new Dictionary<string, int>();
 
-        // Whether load credentials from .credentials_migrated file
-        internal bool _useMigratedCredentials;
-
-        // need to check auth url if there is only .credentials and auth schema is OAuth
-        internal bool _needToCheckAuthorizationUrlUpdate;
-        internal Task<VssCredentials> _authorizationUrlMigrationBackgroundTask;
-        internal Task _authorizationUrlRollbackReattemptDelayBackgroundTask;
-
         public override void Initialize(IHostContext hostContext)
         {
             base.Initialize(hostContext);
 
             _term = HostContext.GetService<ITerminal>();
             _runnerServer = HostContext.GetService<IRunnerServer>();
-            _credMgr = HostContext.GetService<ICredentialManager>();
-            _configStore = HostContext.GetService<IConfigurationStore>();
         }
 
         public async Task<Boolean> CreateSessionAsync(CancellationToken token)
@@ -73,8 +58,8 @@ namespace GitHub.Runner.Listener
 
             // Create connection.
             Trace.Info("Loading Credentials");
-            _useMigratedCredentials = !StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable("GITHUB_ACTIONS_RUNNER_SPSAUTHURL"));
-            VssCredentials creds = _credMgr.LoadCredentials(_useMigratedCredentials);
+            var credMgr = HostContext.GetService<ICredentialManager>();
+            VssCredentials creds = credMgr.LoadCredentials();
 
             var agent = new TaskAgentReference
             {
@@ -89,17 +74,6 @@ namespace GitHub.Runner.Listener
             string errorMessage = string.Empty;
             bool encounteringError = false;
 
-            var originalCreds = _configStore.GetCredentials();
-            var migratedCreds = _configStore.GetMigratedCredentials();
-            if (migratedCreds == null)
-            {
-                _useMigratedCredentials = false;
-                if (originalCreds.Scheme == Constants.Configuration.OAuth)
-                {
-                    _needToCheckAuthorizationUrlUpdate = true;
-                }
-            }
-
             while (true)
             {
                 token.ThrowIfCancellationRequested();
@@ -127,12 +101,6 @@ namespace GitHub.Runner.Listener
                         encounteringError = false;
                     }
 
-                    if (_needToCheckAuthorizationUrlUpdate)
-                    {
-                        // start background task try to get new authorization url
-                        _authorizationUrlMigrationBackgroundTask = GetNewOAuthAuthorizationSetting(token);
-                    }
-
                     return true;
                 }
                 catch (OperationCanceledException) when (token.IsCancellationRequested)
@@ -164,44 +132,10 @@ namespace GitHub.Runner.Listener
                         }
                     }
 
-                    if (ex is TaskAgentSessionConflictException)
-                    {
-                        try
-                        {
-                            var newCred = await GetNewOAuthAuthorizationSetting(token, true);
-                            if (newCred != null)
-                            {
-                                await _runnerServer.ConnectAsync(new Uri(_settings.ServerUrl), newCred);
-                                Trace.Info("Updated connection to use migrated credential for next CreateSession call.");
-                                _useMigratedCredentials = true;
-                                _authorizationUrlMigrationBackgroundTask = null;
-                                _needToCheckAuthorizationUrlUpdate = false;
-                            }
-                        }
-                        catch (Exception e)
-                        {
-                            Trace.Error("Fail to refresh connection with new authorization url.");
-                            Trace.Error(e);
-                        }
-                    }
-
                     if (!IsSessionCreationExceptionRetriable(ex))
                     {
-                        if (_useMigratedCredentials && !(ex is TaskAgentSessionConflictException))
-                        {
-                            // migrated credentials might cause lose permission during permission check,
-                            // we will force to use original credential and try again
-                            _useMigratedCredentials = false;
-                            var reattemptBackoff = BackoffTimerHelper.GetRandomBackoff(TimeSpan.FromHours(24), TimeSpan.FromHours(36));
-                            _authorizationUrlRollbackReattemptDelayBackgroundTask = HostContext.Delay(reattemptBackoff, token); // retry migrated creds in 24-36 hours.
-                            creds = _credMgr.LoadCredentials(false);
-                            Trace.Error("Fallback to original credentials and try again.");
-                        }
-                        else
-                        {
-                            _term.WriteError($"Failed to create session. {ex.Message}");
-                            return false;
-                        }
+                        _term.WriteError($"Failed to create session. {ex.Message}");
+                        return false;
                     }
 
                     if (!encounteringError) //print the message only on the first error
@@ -262,51 +196,6 @@ namespace GitHub.Runner.Listener
                         encounteringError = false;
                         continuousError = 0;
                     }
-
-                    if (_needToCheckAuthorizationUrlUpdate &&
-                        _authorizationUrlMigrationBackgroundTask?.IsCompleted == true)
-                    {
-                        if (HostContext.GetService<IJobDispatcher>().Busy ||
-                            HostContext.GetService<ISelfUpdater>().Busy)
-                        {
-                            Trace.Info("Job or runner updates in progress, update credentials next time.");
-                        }
-                        else
-                        {
-                            try
-                            {
-                                var newCred = await _authorizationUrlMigrationBackgroundTask;
-                                await _runnerServer.ConnectAsync(new Uri(_settings.ServerUrl), newCred);
-                                Trace.Info("Updated connection to use migrated credential for next GetMessage call.");
-                                _useMigratedCredentials = true;
-                                _authorizationUrlMigrationBackgroundTask = null;
-                                _needToCheckAuthorizationUrlUpdate = false;
-                            }
-                            catch (Exception ex)
-                            {
-                                Trace.Error("Fail to refresh connection with new authorization url.");
-                                Trace.Error(ex);
-                            }
-                        }
-                    }
-
-                    if (_authorizationUrlRollbackReattemptDelayBackgroundTask?.IsCompleted == true)
-                    {
-                        try
-                        {
-                            // we rolled back to use original creds about 2 days before, now it's a good time to try migrated creds again.
-                            Trace.Info("Re-attempt to use migrated credential");
-                            var migratedCreds = _credMgr.LoadCredentials();
-                            await _runnerServer.ConnectAsync(new Uri(_settings.ServerUrl), migratedCreds);
-                            _useMigratedCredentials = true;
-                            _authorizationUrlRollbackReattemptDelayBackgroundTask = null;
-                        }
-                        catch (Exception ex)
-                        {
-                            Trace.Error("Fail to refresh connection with new authorization url on rollback reattempt.");
-                            Trace.Error(ex);
-                        }
-                    }
                 }
                 catch (OperationCanceledException) when (token.IsCancellationRequested)
                 {
@@ -330,21 +219,7 @@ namespace GitHub.Runner.Listener
                     }
                     else if (!IsGetNextMessageExceptionRetriable(ex))
                     {
-                        if (_useMigratedCredentials)
-                        {
-                            // migrated credentials might cause lose permission during permission check,
-                            // we will force to use original credential and try again
-                            _useMigratedCredentials = false;
-                            var reattemptBackoff = BackoffTimerHelper.GetRandomBackoff(TimeSpan.FromHours(24), TimeSpan.FromHours(36));
-                            _authorizationUrlRollbackReattemptDelayBackgroundTask = HostContext.Delay(reattemptBackoff, token); // retry migrated creds in 24-36 hours.
-                            var originalCreds = _credMgr.LoadCredentials(false);
-                            await _runnerServer.ConnectAsync(new Uri(_settings.ServerUrl), originalCreds);
-                            Trace.Error("Fallback to original credentials and try again.");
-                        }
-                        else
-                        {
-                            throw;
-                        }
+                        throw;
                     }
                     else
                     {
@@ -536,94 +411,5 @@ namespace GitHub.Runner.Listener
                 return true;
             }
         }
-
-        private async Task<VssCredentials> GetNewOAuthAuthorizationSetting(CancellationToken token, bool adhoc = false)
-        {
-            Trace.Info("Start checking oauth authorization url update.");
-            while (true)
-            {
-                try
-                {
-                    var migratedAuthorizationUrl = await _runnerServer.GetRunnerAuthUrlAsync(_settings.PoolId, _settings.AgentId);
-                    if (!string.IsNullOrEmpty(migratedAuthorizationUrl))
-                    {
-                        var credData = _configStore.GetCredentials();
-                        var clientId = credData.Data.GetValueOrDefault("clientId", null);
-                        var currentAuthorizationUrl = credData.Data.GetValueOrDefault("authorizationUrl", null);
-                        Trace.Info($"Current authorization url: {currentAuthorizationUrl}, new authorization url: {migratedAuthorizationUrl}");
-
-                        if (string.Equals(currentAuthorizationUrl, migratedAuthorizationUrl, StringComparison.OrdinalIgnoreCase))
-                        {
-                            // We don't need to update credentials.
-                            Trace.Info("No needs to update authorization url");
-                            if (adhoc)
-                            {
-                                return null;
-                            }
-                            else
-                            {
-                                await Task.Delay(TimeSpan.FromMilliseconds(-1), token);
-                            }
-                        }
-
-                        var keyManager = HostContext.GetService<IRSAKeyManager>();
-                        var signingCredentials = VssSigningCredentials.Create(() => keyManager.GetKey());
-
-                        var migratedClientCredential = new VssOAuthJwtBearerClientCredential(clientId, migratedAuthorizationUrl, signingCredentials);
-                        var migratedRunnerCredential = new VssOAuthCredential(new Uri(migratedAuthorizationUrl, UriKind.Absolute), VssOAuthGrant.ClientCredentials, migratedClientCredential);
-
-                        Trace.Info("Try connect service with Token Service OAuth endpoint.");
-                        var runnerServer = HostContext.CreateService<IRunnerServer>();
-                        await runnerServer.ConnectAsync(new Uri(_settings.ServerUrl), migratedRunnerCredential);
-                        await runnerServer.GetAgentPoolsAsync();
-                        Trace.Info($"Successfully connected service with new authorization url.");
-
-                        var migratedCredData = new CredentialData
-                        {
-                            Scheme = Constants.Configuration.OAuth,
-                            Data =
-                            {
-                                { "clientId", clientId },
-                                { "authorizationUrl", migratedAuthorizationUrl },
-                                { "oauthEndpointUrl", migratedAuthorizationUrl },
-                            },
-                        };
-
-                        _configStore.SaveMigratedCredential(migratedCredData);
-                        return migratedRunnerCredential;
-                    }
-                    else
-                    {
-                        Trace.Verbose("No authorization url updates");
-                    }
-                }
-                catch (Exception ex) when (!token.IsCancellationRequested)
-                {
-                    Trace.Error("Fail to get/test new authorization url.");
-                    Trace.Error(ex);
-
-                    try
-                    {
-                        await _runnerServer.ReportRunnerAuthUrlErrorAsync(_settings.PoolId, _settings.AgentId, ex.ToString());
-                    }
-                    catch (Exception e)
-                    {
-                        // best effort
-                        Trace.Error("Fail to report the migration error");
-                        Trace.Error(e);
-                    }
-                }
-
-                if (adhoc)
-                {
-                    return null;
-                }
-                else
-                {
-                    var backoff = BackoffTimerHelper.GetRandomBackoff(TimeSpan.FromMinutes(30), TimeSpan.FromMinutes(45));
-                    await HostContext.Delay(backoff, token);
-                }
-            }
-        }
     }
 }

src/Runner.Listener/Program.cs

@@ -102,7 +102,9 @@ namespace GitHub.Runner.Listener
                 IRunner runner = context.GetService<IRunner>();
                 try
                 {
-                    return await runner.ExecuteCommand(command);
+                    var returnCode = await runner.ExecuteCommand(command);
+                    trace.Info($"Runner execution has finished with return code {returnCode}");
+                    return returnCode;
                 }
                 catch (OperationCanceledException) when (context.RunnerShutdownToken.IsCancellationRequested)
                 {

src/Runner.Plugins/Repository/v1.0/GitSourceProvider.cs

@@ -82,7 +82,7 @@ namespace GitHub.Runner.Plugins.Repository.v1_0
             executionContext.Output($"Syncing repository: {repoFullName}");
 
             // Repository URL
-            var githubUrl = executionContext.GetGitHubContext("url");
+            var githubUrl = executionContext.GetGitHubContext("server_url");
             var githubUri = new Uri(!string.IsNullOrEmpty(githubUrl) ? githubUrl : "https://github.com");
             var portInfo = githubUri.IsDefaultPort ? string.Empty : $":{githubUri.Port}";
             Uri repositoryUrl = new Uri($"{githubUri.Scheme}://{githubUri.Host}{portInfo}/{repoFullName}");

src/Runner.Sdk/ProcessInvoker.cs

@@ -318,7 +318,12 @@ namespace GitHub.Runner.Sdk
                 }
             }
 
-            using (var registration = cancellationToken.Register(async () => await CancelAndKillProcessTree(killProcessOnCancel)))
+            var cancellationFinished = new TaskCompletionSource<bool>();
+            using (var registration = cancellationToken.Register(async () =>
+            {
+                await CancelAndKillProcessTree(killProcessOnCancel);
+                cancellationFinished.TrySetResult(true);
+            }))
             {
                 Trace.Info($"Process started with process id {_proc.Id}, waiting for process exit.");
                 while (true)
@@ -341,6 +346,13 @@ namespace GitHub.Runner.Sdk
                 // data buffers one last time before returning
                 ProcessOutput();
 
+                if (cancellationToken.IsCancellationRequested)
+                {
+                    // Ensure cancellation also finish on the cancellationToken.Register thread.
+                    await cancellationFinished.Task;
+                    Trace.Info($"Process Cancellation finished.");
+                }
+
                 Trace.Info($"Finished process {_proc.Id} with exit code {_proc.ExitCode}, and elapsed time {_stopWatch.Elapsed}.");
             }
 

src/Runner.Sdk/Util/WhichUtil.cs

@@ -11,6 +11,11 @@ namespace GitHub.Runner.Sdk
         {
             ArgUtil.NotNullOrEmpty(command, nameof(command));
             trace?.Info($"Which: '{command}'");
+            if (Path.IsPathFullyQualified(command) && File.Exists(command))
+            {
+                trace?.Info($"Fully qualified path: '{command}'");
+                return command;
+            }
             string path = Environment.GetEnvironmentVariable(PathUtil.PathVariable);
             if (string.IsNullOrEmpty(path))
             {

src/Runner.Worker/ActionManager.cs

@@ -14,6 +14,7 @@ using GitHub.Runner.Common;
 using GitHub.Runner.Sdk;
 using GitHub.Runner.Worker.Container;
 using GitHub.Services.Common;
+using WebApi = GitHub.DistributedTask.WebApi;
 using Pipelines = GitHub.DistributedTask.Pipelines;
 using PipelineTemplateConstants = GitHub.DistributedTask.Pipelines.ObjectTemplating.PipelineTemplateConstants;
 
@@ -73,6 +74,11 @@ namespace GitHub.Runner.Worker
             // Clear the cache (for self-hosted runners)
             IOUtil.DeleteDirectory(HostContext.GetDirectory(WellKnownDirectory.Actions), executionContext.CancellationToken);
 
+            // todo: Remove when feature flag DistributedTask.NewActionMetadata is removed
+            var newActionMetadata = executionContext.Variables.GetBoolean("DistributedTask.NewActionMetadata") ?? false;
+
+            var repositoryActions = new List<Pipelines.ActionStep>();
+
             foreach (var action in actions)
             {
                 if (action.Reference.Type == Pipelines.ActionSourceType.ContainerRegistry)
@@ -90,7 +96,8 @@ namespace GitHub.Runner.Worker
                     Trace.Info($"Action {action.Name} ({action.Id}) needs to pull image '{containerReference.Image}'");
                     imagesToPull[containerReference.Image].Add(action.Id);
                 }
-                else if (action.Reference.Type == Pipelines.ActionSourceType.Repository)
+                // todo: Remove when feature flag DistributedTask.NewActionMetadata is removed
+                else if (action.Reference.Type == Pipelines.ActionSourceType.Repository && !newActionMetadata)
                 {
                     // only download the repository archive
                     await DownloadRepositoryActionAsync(executionContext, action);
@@ -124,6 +131,81 @@ namespace GitHub.Runner.Worker
                         }
                     }
 
+                    var repoAction = action.Reference as Pipelines.RepositoryPathReference;
+                    if (repoAction.RepositoryType != Pipelines.PipelineConstants.SelfAlias)
+                    {
+                        var definition = LoadAction(executionContext, action);
+                        if (definition.Data.Execution.HasPre)
+                        {
+                            var actionRunner = HostContext.CreateService<IActionRunner>();
+                            actionRunner.Action = action;
+                            actionRunner.Stage = ActionRunStage.Pre;
+                            actionRunner.Condition = definition.Data.Execution.InitCondition;
+
+                            Trace.Info($"Add 'pre' execution for {action.Id}");
+                            preStepTracker[action.Id] = actionRunner;
+                        }
+                    }
+                }
+                else if (action.Reference.Type == Pipelines.ActionSourceType.Repository && newActionMetadata)
+                {
+                    repositoryActions.Add(action);
+                }
+            }
+
+            if (repositoryActions.Count > 0)
+            {
+                // Get the download info
+                var downloadInfos = await GetDownloadInfoAsync(executionContext, repositoryActions);
+
+                // Download each action
+                foreach (var action in repositoryActions)
+                {
+                    var lookupKey = GetDownloadInfoLookupKey(action);
+                    if (string.IsNullOrEmpty(lookupKey))
+                    {
+                        continue;
+                    }
+
+                    if (!downloadInfos.TryGetValue(lookupKey, out var downloadInfo))
+                    {
+                        throw new Exception($"Missing download info for {lookupKey}");
+                    }
+
+                    await DownloadRepositoryActionAsync(executionContext, downloadInfo);
+                }
+
+                // More preparation based on content in the repository (action.yml)
+                foreach (var action in repositoryActions)
+                {
+                    var setupInfo = PrepareRepositoryActionAsync(executionContext, action);
+                    if (setupInfo != null)
+                    {
+                        if (!string.IsNullOrEmpty(setupInfo.Image))
+                        {
+                            if (!imagesToPull.ContainsKey(setupInfo.Image))
+                            {
+                                imagesToPull[setupInfo.Image] = new List<Guid>();
+                            }
+
+                            Trace.Info($"Action {action.Name} ({action.Id}) from repository '{setupInfo.ActionRepository}' needs to pull image '{setupInfo.Image}'");
+                            imagesToPull[setupInfo.Image].Add(action.Id);
+                        }
+                        else
+                        {
+                            ArgUtil.NotNullOrEmpty(setupInfo.ActionRepository, nameof(setupInfo.ActionRepository));
+
+                            if (!imagesToBuild.ContainsKey(setupInfo.ActionRepository))
+                            {
+                                imagesToBuild[setupInfo.ActionRepository] = new List<Guid>();
+                            }
+
+                            Trace.Info($"Action {action.Name} ({action.Id}) from repository '{setupInfo.ActionRepository}' needs to build image '{setupInfo.Dockerfile}'");
+                            imagesToBuild[setupInfo.ActionRepository].Add(action.Id);
+                            imagesToBuildInfo[setupInfo.ActionRepository] = setupInfo;
+                        }
+                    }
+
                     var repoAction = action.Reference as Pipelines.RepositoryPathReference;
                     if (repoAction.RepositoryType != Pipelines.PipelineConstants.SelfAlias)
                     {
@@ -464,6 +546,80 @@ namespace GitHub.Runner.Worker
             }
         }
 
+        // This implementation is temporary and will be replaced with a REST API call to the service to resolve
+        private async Task<IDictionary<string, WebApi.ActionDownloadInfo>> GetDownloadInfoAsync(IExecutionContext executionContext, List<Pipelines.ActionStep> actions)
+        {
+            executionContext.Output("Getting action download info");
+
+            // Convert to action reference
+            var actionReferences = actions
+                .GroupBy(x => GetDownloadInfoLookupKey(x))
+                .Where(x => !string.IsNullOrEmpty(x.Key))
+                .Select(x =>
+                {
+                    var action = x.First();
+                    var repositoryReference = action.Reference as Pipelines.RepositoryPathReference;
+                    ArgUtil.NotNull(repositoryReference, nameof(repositoryReference));
+                    return new WebApi.ActionReference
+                    {
+                        NameWithOwner = repositoryReference.Name,
+                        Ref = repositoryReference.Ref,
+                    };
+                })
+                .ToList();
+
+            // Nothing to resolve?
+            if (actionReferences.Count == 0)
+            {
+                return new Dictionary<string, WebApi.ActionDownloadInfo>();
+            }
+
+            // Resolve download info
+            var jobServer = HostContext.GetService<IJobServer>();
+            var actionDownloadInfos = default(WebApi.ActionDownloadInfoCollection);
+            for (var attempt = 1; attempt <= 3; attempt++)
+            {
+                try
+                {
+                    actionDownloadInfos = await jobServer.ResolveActionDownloadInfoAsync(executionContext.Plan.ScopeIdentifier, executionContext.Plan.PlanType, executionContext.Plan.PlanId, new WebApi.ActionReferenceList { Actions = actionReferences }, executionContext.CancellationToken);
+                    break;
+                }
+                catch (Exception ex) when (attempt < 3)
+                {
+                    executionContext.Output($"Failed to resolve action download info. Error: {ex.Message}");
+                    executionContext.Debug(ex.ToString());
+                    if (String.IsNullOrEmpty(Environment.GetEnvironmentVariable("_GITHUB_ACTION_DOWNLOAD_NO_BACKOFF")))
+                    {
+                        var backoff = BackoffTimerHelper.GetRandomBackoff(TimeSpan.FromSeconds(10), TimeSpan.FromSeconds(30));
+                        executionContext.Output($"Retrying in {backoff.TotalSeconds} seconds");
+                        await Task.Delay(backoff);
+                    }
+                }
+            }
+
+            ArgUtil.NotNull(actionDownloadInfos, nameof(actionDownloadInfos));
+            ArgUtil.NotNull(actionDownloadInfos.Actions, nameof(actionDownloadInfos.Actions));
+            var apiUrl = GetApiUrl(executionContext);
+            var defaultAccessToken = executionContext.GetGitHubContext("token");
+            var configurationStore = HostContext.GetService<IConfigurationStore>();
+            var runnerSettings = configurationStore.GetSettings();
+
+            foreach (var actionDownloadInfo in actionDownloadInfos.Actions.Values)
+            {
+                // Add secret
+                HostContext.SecretMasker.AddValue(actionDownloadInfo.Authentication?.Token);
+
+                // Default auth token
+                if (string.IsNullOrEmpty(actionDownloadInfo.Authentication?.Token))
+                {
+                    actionDownloadInfo.Authentication = new WebApi.ActionDownloadAuthentication { Token = defaultAccessToken };
+                }
+            }
+
+            return actionDownloadInfos.Actions;
+        }
+
+        // todo: Remove when feature flag DistributedTask.NewActionMetadata is removed
         private async Task DownloadRepositoryActionAsync(IExecutionContext executionContext, Pipelines.ActionStep repositoryAction)
         {
             Trace.Entering();
@@ -507,9 +663,8 @@ namespace GitHub.Runner.Worker
             {
                 string apiUrl = GetApiUrl(executionContext);
                 string archiveLink = BuildLinkToActionArchive(apiUrl, repositoryReference.Name, repositoryReference.Ref);
-                Trace.Info($"Download archive '{archiveLink}' to '{destDirectory}'.");
                 var downloadDetails = new ActionDownloadDetails(archiveLink, ConfigureAuthorizationFromContext);
-                await DownloadRepositoryActionAsync(executionContext, downloadDetails, destDirectory);
+                await DownloadRepositoryActionAsync(executionContext, downloadDetails, null, destDirectory);
                 return;
             }
             else
@@ -533,10 +688,9 @@ namespace GitHub.Runner.Worker
 
                 foreach (var downloadAttempt in downloadAttempts)
                 {
-                    Trace.Info($"Download archive '{downloadAttempt.ArchiveLink}' to '{destDirectory}'.");
                     try
                     {
-                        await DownloadRepositoryActionAsync(executionContext, downloadAttempt, destDirectory);
+                        await DownloadRepositoryActionAsync(executionContext, downloadAttempt, null, destDirectory);
                         return;
                     }
                     catch (ActionNotFoundException)
@@ -549,6 +703,32 @@ namespace GitHub.Runner.Worker
             }
         }
 
+        private async Task DownloadRepositoryActionAsync(IExecutionContext executionContext, WebApi.ActionDownloadInfo downloadInfo)
+        {
+            Trace.Entering();
+            ArgUtil.NotNull(executionContext, nameof(executionContext));
+            ArgUtil.NotNull(downloadInfo, nameof(downloadInfo));
+            ArgUtil.NotNullOrEmpty(downloadInfo.NameWithOwner, nameof(downloadInfo.NameWithOwner));
+            ArgUtil.NotNullOrEmpty(downloadInfo.Ref, nameof(downloadInfo.Ref));
+
+            string destDirectory = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Actions), downloadInfo.NameWithOwner.Replace(Path.AltDirectorySeparatorChar, Path.DirectorySeparatorChar), downloadInfo.Ref);
+            string watermarkFile = GetWatermarkFilePath(destDirectory);
+            if (File.Exists(watermarkFile))
+            {
+                executionContext.Debug($"Action '{downloadInfo.NameWithOwner}@{downloadInfo.Ref}' already downloaded at '{destDirectory}'.");
+                return;
+            }
+            else
+            {
+                // make sure we get a clean folder ready to use.
+                IOUtil.DeleteDirectory(destDirectory, executionContext.CancellationToken);
+                Directory.CreateDirectory(destDirectory);
+                executionContext.Output($"Download action repository '{downloadInfo.NameWithOwner}@{downloadInfo.Ref}'");
+            }
+
+            await DownloadRepositoryActionAsync(executionContext, null, downloadInfo, destDirectory);
+        }
+
         private string GetApiUrl(IExecutionContext executionContext)
         {
             string apiUrl = executionContext.GetGitHubContext("api_url");
@@ -569,7 +749,8 @@ namespace GitHub.Runner.Worker
 #endif
         }
 
-        private async Task DownloadRepositoryActionAsync(IExecutionContext executionContext, ActionDownloadDetails actionDownloadDetails, string destDirectory)
+        // todo: Remove the parameter "actionDownloadDetails" when feature flag DistributedTask.NewActionMetadata is removed
+        private async Task DownloadRepositoryActionAsync(IExecutionContext executionContext, ActionDownloadDetails actionDownloadDetails, WebApi.ActionDownloadInfo downloadInfo, string destDirectory)
         {
             //download and extract action in a temp folder and rename it on success
             string tempDirectory = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Actions), "_temp_" + Guid.NewGuid());
@@ -577,11 +758,12 @@ namespace GitHub.Runner.Worker
 
 #if OS_WINDOWS
             string archiveFile = Path.Combine(tempDirectory, $"{Guid.NewGuid()}.zip");
+            string link = downloadInfo?.ZipballUrl ?? actionDownloadDetails.ArchiveLink;
 #else
             string archiveFile = Path.Combine(tempDirectory, $"{Guid.NewGuid()}.tar.gz");
+            string link = downloadInfo?.TarballUrl ?? actionDownloadDetails.ArchiveLink;
 #endif
 
-            string link = actionDownloadDetails.ArchiveLink;
             Trace.Info($"Save archive '{link}' into {archiveFile}.");
             try
             {
@@ -601,7 +783,16 @@ namespace GitHub.Runner.Worker
                             using (var httpClientHandler = HostContext.CreateHttpClientHandler())
                             using (var httpClient = new HttpClient(httpClientHandler))
                             {
-                                actionDownloadDetails.ConfigureAuthorization(executionContext, httpClient);
+                                // Legacy
+                                if (downloadInfo == null)
+                                {
+                                    actionDownloadDetails.ConfigureAuthorization(executionContext, httpClient);
+                                }
+                                // FF DistributedTask.NewActionMetadata
+                                else
+                                {
+                                    httpClient.DefaultRequestHeaders.Authorization = CreateAuthHeader(downloadInfo.Authentication?.Token);
+                                }
 
                                 httpClient.DefaultRequestHeaders.UserAgent.AddRange(HostContext.UserAgents);
                                 using (var response = await httpClient.GetAsync(link))
@@ -741,6 +932,7 @@ namespace GitHub.Runner.Worker
             }
         }
 
+        // todo: Remove when feature flag DistributedTask.NewActionMetadata is removed
         private void ConfigureAuthorizationFromContext(IExecutionContext executionContext, HttpClient httpClient)
         {
             var authToken = Environment.GetEnvironmentVariable("_GITHUB_ACTION_TOKEN");
@@ -872,6 +1064,51 @@ namespace GitHub.Runner.Worker
             }
         }
 
+        private static string GetDownloadInfoLookupKey(Pipelines.ActionStep action)
+        {
+            if (action.Reference.Type != Pipelines.ActionSourceType.Repository)
+            {
+                return null;
+            }
+
+            var repositoryReference = action.Reference as Pipelines.RepositoryPathReference;
+            ArgUtil.NotNull(repositoryReference, nameof(repositoryReference));
+
+            if (string.Equals(repositoryReference.RepositoryType, Pipelines.PipelineConstants.SelfAlias, StringComparison.OrdinalIgnoreCase))
+            {
+                return null;
+            }
+
+            if (!string.Equals(repositoryReference.RepositoryType, Pipelines.RepositoryTypes.GitHub, StringComparison.OrdinalIgnoreCase))
+            {
+                throw new NotSupportedException(repositoryReference.RepositoryType);
+            }
+
+            ArgUtil.NotNullOrEmpty(repositoryReference.Name, nameof(repositoryReference.Name));
+            ArgUtil.NotNullOrEmpty(repositoryReference.Ref, nameof(repositoryReference.Ref));
+            return $"{repositoryReference.Name}@{repositoryReference.Ref}";
+        }
+
+        private static string GetDownloadInfoLookupKey(WebApi.ActionDownloadInfo info)
+        {
+            ArgUtil.NotNullOrEmpty(info.NameWithOwner, nameof(info.NameWithOwner));
+            ArgUtil.NotNullOrEmpty(info.Ref, nameof(info.Ref));
+            return $"{info.NameWithOwner}@{info.Ref}";
+        }
+
+        private AuthenticationHeaderValue CreateAuthHeader(string token)
+        {
+            if (string.IsNullOrEmpty(token))
+            {
+                return null;
+            }
+
+            var base64EncodingToken = Convert.ToBase64String(Encoding.UTF8.GetBytes($"x-access-token:{token}"));
+            HostContext.SecretMasker.AddValue(base64EncodingToken);
+            return new AuthenticationHeaderValue("Basic", base64EncodingToken);
+        }
+
+        // todo: Remove when feature flag DistributedTask.NewActionMetadata is removed
         private class ActionDownloadDetails
         {
             public string ArchiveLink { get; }

src/Runner.Worker/ActionRunner.cs

@@ -94,6 +94,13 @@ namespace GitHub.Runner.Worker
             if (handlerData.HasPost && (Stage == ActionRunStage.Pre || Stage == ActionRunStage.Main))
             {
                 string postDisplayName = $"Post {this.DisplayName}";
+                if (Stage == ActionRunStage.Pre &&
+                    this.DisplayName.StartsWith("Pre ", StringComparison.OrdinalIgnoreCase))
+                {
+                    // Trim the leading `Pre ` from the display name.
+                    // Otherwise, we will get `Post Pre xxx` as DisplayName for the Post step.
+                    postDisplayName = $"Post {this.DisplayName.Substring("Pre ".Length)}";
+                }
                 var repositoryReference = Action.Reference as RepositoryPathReference;
                 var pathString = string.IsNullOrEmpty(repositoryReference.Path) ? string.Empty : $"/{repositoryReference.Path}";
                 var repoString = string.IsNullOrEmpty(repositoryReference.Ref) ? $"{repositoryReference.Name}{pathString}" :
@@ -155,6 +162,13 @@ namespace GitHub.Runner.Worker
             }
 
             var validInputs = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+            if (handlerData.ExecutionType == ActionExecutionType.Container)
+            {
+                // container action always accept 'entryPoint' and 'args' as inputs
+                // https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepswithargs
+                validInputs.Add("entryPoint");
+                validInputs.Add("args");
+            }
             // Merge the default inputs from the definition
             if (definition.Data?.Inputs != null)
             {
@@ -170,11 +184,21 @@ namespace GitHub.Runner.Worker
                 }
             }
 
-            foreach (var input in userInputs)
+            // Validate inputs only for actions with action.yml
+            if (Action.Reference.Type == Pipelines.ActionSourceType.Repository)
             {
-                if (!validInputs.Contains(input))
+                var unexpectedInputs = new List<string>();
+                foreach (var input in userInputs)
                 {
-                    ExecutionContext.Warning($"Unexpected input '{input}', valid inputs are ['{string.Join("', '", validInputs)}']");
+                    if (!validInputs.Contains(input))
+                    {
+                        unexpectedInputs.Add(input);
+                    }
+                }
+
+                if (unexpectedInputs.Count > 0)
+                {
+                    ExecutionContext.Warning($"Unexpected input(s) '{string.Join("', '", unexpectedInputs)}', valid inputs are ['{string.Join("', '", validInputs)}']");
                 }
             }
 

src/Runner.Worker/ExecutionContext.cs

@@ -44,6 +44,7 @@ namespace GitHub.Runner.Worker
         TaskResult? CommandResult { get; set; }
         CancellationToken CancellationToken { get; }
         List<ServiceEndpoint> Endpoints { get; }
+        TaskOrchestrationPlanReference Plan { get; }
 
         PlanFeatures Features { get; }
         Variables Variables { get; }
@@ -109,6 +110,7 @@ namespace GitHub.Runner.Worker
     public sealed class ExecutionContext : RunnerService, IExecutionContext
     {
         private const int _maxIssueCount = 10;
+        private const int _throttlingDelayReportThreshold = 10 * 1000; // Don't report throttling with less than 10 seconds delay
 
         private readonly TimelineRecord _record = new TimelineRecord();
         private readonly Dictionary<Guid, TimelineRecord> _detailRecords = new Dictionary<Guid, TimelineRecord>();
@@ -140,6 +142,7 @@ namespace GitHub.Runner.Worker
         public Task ForceCompleted => _forceCompleted.Task;
         public CancellationToken CancellationToken => _cancellationTokenSource.Token;
         public List<ServiceEndpoint> Endpoints { get; private set; }
+        public TaskOrchestrationPlanReference Plan { get; private set; }
         public Variables Variables { get; private set; }
         public Dictionary<string, string> IntraActionState { get; private set; }
         public IDictionary<String, IDictionary<String, String>> JobDefaults { get; private set; }
@@ -274,6 +277,7 @@ namespace GitHub.Runner.Worker
             child.Features = Features;
             child.Variables = Variables;
             child.Endpoints = Endpoints;
+            child.Plan = Plan;
             if (intraActionState == null)
             {
                 child.IntraActionState = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
@@ -335,7 +339,7 @@ namespace GitHub.Runner.Worker
             }
 
             // report total delay caused by server throttling.
-            if (_totalThrottlingDelayInMilliseconds > 0)
+            if (_totalThrottlingDelayInMilliseconds > _throttlingDelayReportThreshold)
             {
                 this.Warning($"The job has experienced {TimeSpan.FromMilliseconds(_totalThrottlingDelayInMilliseconds).TotalSeconds} seconds total delay caused by server throttling.");
             }
@@ -363,7 +367,11 @@ namespace GitHub.Runner.Worker
                 }
             }
 
-            _cancellationTokenSource?.Dispose();
+            if (Root != this)
+            {
+                // only dispose TokenSource for step level ExecutionContext 
+                _cancellationTokenSource?.Dispose();
+            }
 
             _logger.End();
 
@@ -571,7 +579,8 @@ namespace GitHub.Runner.Worker
 
             _cancellationTokenSource = CancellationTokenSource.CreateLinkedTokenSource(token);
 
-            // Features
+            // Plan
+            Plan = message.Plan;
             Features = PlanUtil.GetFeatures(message.Plan);
 
             // Endpoints
@@ -851,7 +860,8 @@ namespace GitHub.Runner.Worker
         {
             Interlocked.Add(ref _totalThrottlingDelayInMilliseconds, Convert.ToInt64(data.Delay.TotalMilliseconds));
 
-            if (!_throttlingReported)
+            if (!_throttlingReported &&
+                _totalThrottlingDelayInMilliseconds > _throttlingDelayReportThreshold)
             {
                 this.Warning(string.Format("The job is currently being throttled by the server. You may experience delays in console line output, job status reporting, and action log uploads."));
 

src/Runner.Worker/Expressions/HashFilesFunction.cs

@@ -12,6 +12,8 @@ namespace GitHub.Runner.Worker.Expressions
 {
     public sealed class HashFilesFunction : Function
     {
+        private const int _hashFileTimeoutSeconds = 120;
+
         protected sealed override Object EvaluateCore(
             EvaluationContext context,
             out ResultMemory resultMemory)
@@ -89,19 +91,29 @@ namespace GitHub.Runner.Worker.Expressions
             }
             env["patterns"] = string.Join(Environment.NewLine, patterns);
 
-            int exitCode = p.ExecuteAsync(workingDirectory: githubWorkspace,
-                                          fileName: node,
-                                          arguments: $"\"{hashFilesScript.Replace("\"", "\\\"")}\"",
-                                          environment: env,
-                                          requireExitCodeZero: false,
-                                          cancellationToken: new CancellationTokenSource(TimeSpan.FromSeconds(120)).Token).GetAwaiter().GetResult();
-
-            if (exitCode != 0)
+            using (var tokenSource = new CancellationTokenSource(TimeSpan.FromSeconds(_hashFileTimeoutSeconds)))
             {
-                throw new InvalidOperationException($"hashFiles('{ExpressionUtility.StringEscape(string.Join(", ", patterns))}') failed. Fail to hash files under directory '{githubWorkspace}'");
-            }
+                try
+                {
+                    int exitCode = p.ExecuteAsync(workingDirectory: githubWorkspace,
+                                                  fileName: node,
+                                                  arguments: $"\"{hashFilesScript.Replace("\"", "\\\"")}\"",
+                                                  environment: env,
+                                                  requireExitCodeZero: false,
+                                                  cancellationToken: tokenSource.Token).GetAwaiter().GetResult();
 
-            return hashResult;
+                    if (exitCode != 0)
+                    {
+                        throw new InvalidOperationException($"hashFiles('{ExpressionUtility.StringEscape(string.Join(", ", patterns))}') failed. Fail to hash files under directory '{githubWorkspace}'");
+                    }
+                }
+                catch (OperationCanceledException) when (tokenSource.IsCancellationRequested)
+                {
+                    throw new TimeoutException($"hashFiles('{ExpressionUtility.StringEscape(string.Join(", ", patterns))}') couldn't finish within {_hashFileTimeoutSeconds} seconds.");
+                }
+
+                return hashResult;
+            }
         }
 
         private sealed class HashFilesTrace : ITraceWriter

src/Runner.Worker/GitHubContext.cs

@@ -22,8 +22,8 @@ namespace GitHub.Runner.Worker
             "repository_owner",
             "run_id",
             "run_number",
+            "server_url",
             "sha",
-            "url",
             "workflow",
             "workspace",
         };

src/Runner.Worker/Handlers/OutputManager.cs

@@ -352,15 +352,24 @@ namespace GitHub.Runner.Worker.Handlers
                 if (File.Exists(gitConfigPath))
                 {
                     // Check if the config contains the workflow repository url
-                    var qualifiedRepository = _executionContext.GetGitHubContext("repository");
-                    var configMatch = $"url = https://github.com/{qualifiedRepository}";
+                    var serverUrl = _executionContext.GetGitHubContext("server_url");
+                    serverUrl = !string.IsNullOrEmpty(serverUrl) ? serverUrl : "https://github.com";
+                    var host = new Uri(serverUrl, UriKind.Absolute).Host;
+                    var nameWithOwner = _executionContext.GetGitHubContext("repository");
+                    var patterns = new[] {
+                        $"url = {serverUrl}/{nameWithOwner}",
+                        $"url = git@{host}:{nameWithOwner}.git",
+                    };
                     var content = File.ReadAllText(gitConfigPath);
                     foreach (var line in content.Split("\n").Select(x => x.Trim()))
                     {
-                        if (String.Equals(line, configMatch, StringComparison.OrdinalIgnoreCase))
+                        foreach (var pattern in patterns)
                         {
-                            repositoryPath = directoryPath;
-                            break;
+                            if (String.Equals(line, pattern, StringComparison.OrdinalIgnoreCase))
+                            {
+                                repositoryPath = directoryPath;
+                                break;
+                            }
                         }
                     }
                 }

src/Runner.Worker/JobExtension.cs

@@ -64,6 +64,20 @@ namespace GitHub.Runner.Worker
                     context.Debug($"Starting: Set up job");
                     context.Output($"Current runner version: '{BuildConstants.RunnerPackage.Version}'");
 
+                    var setting = HostContext.GetService<IConfigurationStore>().GetSettings();
+                    var credFile = HostContext.GetConfigFile(WellKnownConfigFile.Credentials);
+                    if (File.Exists(credFile))
+                    {
+                        var credData = IOUtil.LoadObject<CredentialData>(credFile);
+                        if (credData != null &&
+                            credData.Data.TryGetValue("clientId", out var clientId))
+                        {
+                            // print out HostName for self-hosted runner
+                            context.Output($"Runner name: '{setting.AgentName}'");
+                            context.Output($"Machine name: '{Environment.MachineName}'");
+                        }
+                    }
+
                     var setupInfoFile = HostContext.GetConfigFile(WellKnownConfigFile.SetupInfo);
                     if (File.Exists(setupInfoFile))
                     {
@@ -131,12 +145,13 @@ namespace GitHub.Runner.Worker
                     // Temporary hack for GHES alpha
                     var configurationStore = HostContext.GetService<IConfigurationStore>();
                     var runnerSettings = configurationStore.GetSettings();
-                    if (string.IsNullOrEmpty(context.GetGitHubContext("url")) && !runnerSettings.IsHostedServer && !string.IsNullOrEmpty(runnerSettings.GitHubUrl))
+                    if (string.IsNullOrEmpty(context.GetGitHubContext("server_url")) && !runnerSettings.IsHostedServer && !string.IsNullOrEmpty(runnerSettings.GitHubUrl))
                     {
                         var url = new Uri(runnerSettings.GitHubUrl);
                         var portInfo = url.IsDefaultPort ? string.Empty : $":{url.Port.ToString(CultureInfo.InvariantCulture)}";
-                        context.SetGitHubContext("url", $"{url.Scheme}://{url.Host}{portInfo}");
+                        context.SetGitHubContext("server_url", $"{url.Scheme}://{url.Host}{portInfo}");
                         context.SetGitHubContext("api_url", $"{url.Scheme}://{url.Host}{portInfo}/api/v3");
+                        context.SetGitHubContext("graphql_url", $"{url.Scheme}://{url.Host}{portInfo}/api/graphql");
                     }
 
                     // Evaluate the job-level environment variables

src/Runner.Worker/JobRunner.cs

@@ -5,21 +5,13 @@ using GitHub.Services.Common;
 using GitHub.Services.WebApi;
 using System;
 using System.Collections.Generic;
-using System.Globalization;
 using System.IO;
 using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
 using System.Net.Http;
-using System.Text;
-using System.IO.Compression;
-using System.Diagnostics;
-using Newtonsoft.Json.Linq;
-using GitHub.DistributedTask.ObjectTemplating.Tokens;
 using GitHub.Runner.Common;
 using GitHub.Runner.Sdk;
-using GitHub.DistributedTask.Pipelines.ContextData;
-using GitHub.DistributedTask.ObjectTemplating;
 
 namespace GitHub.Runner.Worker
 {
@@ -122,13 +114,6 @@ namespace GitHub.Runner.Worker
                 _tempDirectoryManager = HostContext.GetService<ITempDirectoryManager>();
                 _tempDirectoryManager.InitializeTempDirectory(jobContext);
 
-                // // Expand container properties
-                // jobContext.Container?.ExpandProperties(jobContext.Variables);
-                // foreach (var sidecar in jobContext.SidecarContainers)
-                // {
-                //     sidecar.ExpandProperties(jobContext.Variables);
-                // }
-
                 // Get the job extension.
                 Trace.Info("Getting job extension.");
                 IJobExtension jobExtension = HostContext.CreateService<IJobExtension>();
@@ -254,6 +239,12 @@ namespace GitHub.Runner.Worker
                     Trace.Error(ex);
                     return TaskResult.Failed;
                 }
+                catch (TaskOrchestrationPlanTerminatedException ex)
+                {
+                    Trace.Error($"TaskOrchestrationPlanTerminatedException received, while attempting to raise JobCompletedEvent for job {message.JobId}.");
+                    Trace.Error(ex);
+                    return TaskResult.Failed;
+                }
                 catch (Exception ex)
                 {
                     Trace.Error($"Catch exception while attempting to raise JobCompletedEvent for job {message.JobId}, job request {message.RequestId}.");

src/Runner.Worker/StepsRunner.cs

@@ -98,124 +98,139 @@ namespace GitHub.Runner.Worker
                         envContext[pair.Key] = new StringContextData(pair.Value ?? string.Empty);
                     }
 
+                    bool evaluateStepEnvFailed = false;
                     if (step is IActionRunner actionStep)
                     {
                         // Set GITHUB_ACTION
                         step.ExecutionContext.SetGitHubContext("action", actionStep.Action.Name);
 
-                        // Evaluate and merge action's env block to env context
-                        var templateEvaluator = step.ExecutionContext.ToPipelineTemplateEvaluator();
-                        var actionEnvironment = templateEvaluator.EvaluateStepEnvironment(actionStep.Action.Environment, step.ExecutionContext.ExpressionValues, step.ExecutionContext.ExpressionFunctions, VarUtil.EnvironmentVariableKeyComparer);
-                        foreach (var env in actionEnvironment)
+                        try
                         {
-                            envContext[env.Key] = new StringContextData(env.Value ?? string.Empty);
-                        }
-                    }
-
-                    try
-                    {
-                        // Register job cancellation call back only if job cancellation token not been fire before each step run
-                        if (!jobContext.CancellationToken.IsCancellationRequested)
-                        {
-                            // Test the condition again. The job was canceled after the condition was originally evaluated.
-                            jobCancelRegister = jobContext.CancellationToken.Register(() =>
+                            // Evaluate and merge action's env block to env context
+                            var templateEvaluator = step.ExecutionContext.ToPipelineTemplateEvaluator();
+                            var actionEnvironment = templateEvaluator.EvaluateStepEnvironment(actionStep.Action.Environment, step.ExecutionContext.ExpressionValues, step.ExecutionContext.ExpressionFunctions, VarUtil.EnvironmentVariableKeyComparer);
+                            foreach (var env in actionEnvironment)
                             {
-                                // mark job as cancelled
-                                jobContext.Result = TaskResult.Canceled;
-                                jobContext.JobContext.Status = jobContext.Result?.ToActionResult();
-
-                                step.ExecutionContext.Debug($"Re-evaluate condition on job cancellation for step: '{step.DisplayName}'.");
-                                var conditionReTestTraceWriter = new ConditionTraceWriter(Trace, null); // host tracing only
-                                var conditionReTestResult = false;
-                                if (HostContext.RunnerShutdownToken.IsCancellationRequested)
-                                {
-                                    step.ExecutionContext.Debug($"Skip Re-evaluate condition on runner shutdown.");
-                                }
-                                else
-                                {
-                                    try
-                                    {
-                                        var templateEvaluator = step.ExecutionContext.ToPipelineTemplateEvaluator(conditionReTestTraceWriter);
-                                        var condition = new BasicExpressionToken(null, null, null, step.Condition);
-                                        conditionReTestResult = templateEvaluator.EvaluateStepIf(condition, step.ExecutionContext.ExpressionValues, step.ExecutionContext.ExpressionFunctions, step.ExecutionContext.ToExpressionState());
-                                    }
-                                    catch (Exception ex)
-                                    {
-                                        // Cancel the step since we get exception while re-evaluate step condition.
-                                        Trace.Info("Caught exception from expression when re-test condition on job cancellation.");
-                                        step.ExecutionContext.Error(ex);
-                                    }
-                                }
-
-                                if (!conditionReTestResult)
-                                {
-                                    // Cancel the step.
-                                    Trace.Info("Cancel current running step.");
-                                    step.ExecutionContext.CancelToken();
-                                }
-                            });
-                        }
-                        else
-                        {
-                            if (jobContext.Result != TaskResult.Canceled)
-                            {
-                                // mark job as cancelled
-                                jobContext.Result = TaskResult.Canceled;
-                                jobContext.JobContext.Status = jobContext.Result?.ToActionResult();
+                                envContext[env.Key] = new StringContextData(env.Value ?? string.Empty);
                             }
                         }
-
-                        // Evaluate condition.
-                        step.ExecutionContext.Debug($"Evaluating condition for step: '{step.DisplayName}'");
-                        var conditionTraceWriter = new ConditionTraceWriter(Trace, step.ExecutionContext);
-                        var conditionResult = false;
-                        var conditionEvaluateError = default(Exception);
-                        if (HostContext.RunnerShutdownToken.IsCancellationRequested)
-                        {
-                            step.ExecutionContext.Debug($"Skip evaluate condition on runner shutdown.");
-                        }
-                        else
-                        {
-                            try
-                            {
-                                var templateEvaluator = step.ExecutionContext.ToPipelineTemplateEvaluator(conditionTraceWriter);
-                                var condition = new BasicExpressionToken(null, null, null, step.Condition);
-                                conditionResult = templateEvaluator.EvaluateStepIf(condition, step.ExecutionContext.ExpressionValues, step.ExecutionContext.ExpressionFunctions, step.ExecutionContext.ToExpressionState());
-                            }
-                            catch (Exception ex)
-                            {
-                                Trace.Info("Caught exception from expression.");
-                                Trace.Error(ex);
-                                conditionEvaluateError = ex;
-                            }
-                        }
-
-                        // no evaluate error but condition is false
-                        if (!conditionResult && conditionEvaluateError == null)
-                        {
-                            // Condition == false
-                            Trace.Info("Skipping step due to condition evaluation.");
-                            CompleteStep(step, nextStep, TaskResult.Skipped, resultCode: conditionTraceWriter.Trace);
-                        }
-                        else if (conditionEvaluateError != null)
+                        catch (Exception ex)
                         {
                             // fail the step since there is an evaluate error.
-                            step.ExecutionContext.Error(conditionEvaluateError);
+                            Trace.Info("Caught exception from expression for step.env");
+                            evaluateStepEnvFailed = true;
+                            step.ExecutionContext.Error(ex);
                             CompleteStep(step, nextStep, TaskResult.Failed);
                         }
-                        else
-                        {
-                            // Run the step.
-                            await RunStepAsync(step, jobContext.CancellationToken);
-                            CompleteStep(step, nextStep);
-                        }
                     }
-                    finally
+
+                    if (!evaluateStepEnvFailed)
                     {
-                        if (jobCancelRegister != null)
+                        try
                         {
-                            jobCancelRegister?.Dispose();
-                            jobCancelRegister = null;
+                            // Register job cancellation call back only if job cancellation token not been fire before each step run
+                            if (!jobContext.CancellationToken.IsCancellationRequested)
+                            {
+                                // Test the condition again. The job was canceled after the condition was originally evaluated.
+                                jobCancelRegister = jobContext.CancellationToken.Register(() =>
+                                {
+                                    // mark job as cancelled
+                                    jobContext.Result = TaskResult.Canceled;
+                                    jobContext.JobContext.Status = jobContext.Result?.ToActionResult();
+
+                                    step.ExecutionContext.Debug($"Re-evaluate condition on job cancellation for step: '{step.DisplayName}'.");
+                                    var conditionReTestTraceWriter = new ConditionTraceWriter(Trace, null); // host tracing only
+                                    var conditionReTestResult = false;
+                                    if (HostContext.RunnerShutdownToken.IsCancellationRequested)
+                                    {
+                                        step.ExecutionContext.Debug($"Skip Re-evaluate condition on runner shutdown.");
+                                    }
+                                    else
+                                    {
+                                        try
+                                        {
+                                            var templateEvaluator = step.ExecutionContext.ToPipelineTemplateEvaluator(conditionReTestTraceWriter);
+                                            var condition = new BasicExpressionToken(null, null, null, step.Condition);
+                                            conditionReTestResult = templateEvaluator.EvaluateStepIf(condition, step.ExecutionContext.ExpressionValues, step.ExecutionContext.ExpressionFunctions, step.ExecutionContext.ToExpressionState());
+                                        }
+                                        catch (Exception ex)
+                                        {
+                                            // Cancel the step since we get exception while re-evaluate step condition.
+                                            Trace.Info("Caught exception from expression when re-test condition on job cancellation.");
+                                            step.ExecutionContext.Error(ex);
+                                        }
+                                    }
+
+                                    if (!conditionReTestResult)
+                                    {
+                                        // Cancel the step.
+                                        Trace.Info("Cancel current running step.");
+                                        step.ExecutionContext.CancelToken();
+                                    }
+                                });
+                            }
+                            else
+                            {
+                                if (jobContext.Result != TaskResult.Canceled)
+                                {
+                                    // mark job as cancelled
+                                    jobContext.Result = TaskResult.Canceled;
+                                    jobContext.JobContext.Status = jobContext.Result?.ToActionResult();
+                                }
+                            }
+
+                            // Evaluate condition.
+                            step.ExecutionContext.Debug($"Evaluating condition for step: '{step.DisplayName}'");
+                            var conditionTraceWriter = new ConditionTraceWriter(Trace, step.ExecutionContext);
+                            var conditionResult = false;
+                            var conditionEvaluateError = default(Exception);
+                            if (HostContext.RunnerShutdownToken.IsCancellationRequested)
+                            {
+                                step.ExecutionContext.Debug($"Skip evaluate condition on runner shutdown.");
+                            }
+                            else
+                            {
+                                try
+                                {
+                                    var templateEvaluator = step.ExecutionContext.ToPipelineTemplateEvaluator(conditionTraceWriter);
+                                    var condition = new BasicExpressionToken(null, null, null, step.Condition);
+                                    conditionResult = templateEvaluator.EvaluateStepIf(condition, step.ExecutionContext.ExpressionValues, step.ExecutionContext.ExpressionFunctions, step.ExecutionContext.ToExpressionState());
+                                }
+                                catch (Exception ex)
+                                {
+                                    Trace.Info("Caught exception from expression.");
+                                    Trace.Error(ex);
+                                    conditionEvaluateError = ex;
+                                }
+                            }
+
+                            // no evaluate error but condition is false
+                            if (!conditionResult && conditionEvaluateError == null)
+                            {
+                                // Condition == false
+                                Trace.Info("Skipping step due to condition evaluation.");
+                                CompleteStep(step, nextStep, TaskResult.Skipped, resultCode: conditionTraceWriter.Trace);
+                            }
+                            else if (conditionEvaluateError != null)
+                            {
+                                // fail the step since there is an evaluate error.
+                                step.ExecutionContext.Error(conditionEvaluateError);
+                                CompleteStep(step, nextStep, TaskResult.Failed);
+                            }
+                            else
+                            {
+                                // Run the step.
+                                await RunStepAsync(step, jobContext.CancellationToken);
+                                CompleteStep(step, nextStep);
+                            }
+                        }
+                        finally
+                        {
+                            if (jobCancelRegister != null)
+                            {
+                                jobCancelRegister?.Dispose();
+                                jobCancelRegister = null;
+                            }
                         }
                     }
                 }

src/Sdk/DTGenerated/Generated/TaskHttpClientBase.cs

@@ -317,5 +317,37 @@ namespace GitHub.DistributedTask.WebApi
                 userState: userState,
                 cancellationToken: cancellationToken);
         }
+
+        /// <summary>
+        /// [Preview API] Resolves information required to download actions (URL, token) defined in an orchestration.
+        /// </summary>
+        /// <param name="scopeIdentifier">The project GUID to scope the request</param>
+        /// <param name="hubName">The name of the server hub: "build" for the Build server or "rm" for the Release Management server</param>
+        /// <param name="planId"></param>
+        /// <param name="actionReferenceList"></param>
+        /// <param name="userState"></param>
+        /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
+        public virtual Task<ActionDownloadInfoCollection> ResolveActionDownloadInfoAsync(
+            Guid scopeIdentifier,
+            string hubName,
+            Guid planId,
+            ActionReferenceList actionReferenceList,
+            object userState = null,
+            CancellationToken cancellationToken = default)
+        {
+            HttpMethod httpMethod = new HttpMethod("POST");
+            Guid locationId = new Guid("27d7f831-88c1-4719-8ca1-6a061dad90eb");
+            object routeValues = new { scopeIdentifier = scopeIdentifier, hubName = hubName, planId = planId };
+            HttpContent content = new ObjectContent<ActionReferenceList>(actionReferenceList, new VssJsonMediaTypeFormatter(true));
+
+            return SendAsync<ActionDownloadInfoCollection>(
+                httpMethod,
+                locationId,
+                routeValues: routeValues,
+                version: new ApiResourceVersion(6.0, 1),
+                userState: userState,
+                cancellationToken: cancellationToken,
+                content: content);
+        }
     }
 }

src/Sdk/DTWebApi/WebApi/ActionDownloadInfo.cs

@@ -0,0 +1,40 @@
+using System;
+using System.Runtime.Serialization;
+
+namespace GitHub.DistributedTask.WebApi
+{
+    [DataContract]
+    public class ActionDownloadInfo
+    {
+        [DataMember(EmitDefaultValue = false)]
+        public ActionDownloadAuthentication Authentication { get; set; }
+
+        [DataMember(EmitDefaultValue = false)]
+        public string NameWithOwner { get; set; }
+
+        [DataMember(EmitDefaultValue = false)]
+        public string ResolvedNameWithOwner { get; set; }
+
+        [DataMember(EmitDefaultValue = false)]
+        public string ResolvedSha { get; set; }
+
+        [DataMember(EmitDefaultValue = false)]
+        public string TarballUrl { get; set; }
+
+        [DataMember(EmitDefaultValue = false)]
+        public string Ref { get; set; }
+
+        [DataMember(EmitDefaultValue = false)]
+        public string ZipballUrl { get; set; }
+    }
+
+    [DataContract]
+    public class ActionDownloadAuthentication
+    {
+        [DataMember(EmitDefaultValue = false)]
+        public DateTime ExpiresAt { get; set; }
+
+        [DataMember(EmitDefaultValue = false)]
+        public string Token { get; set; }
+    }
+}

src/Sdk/DTWebApi/WebApi/ActionDownloadInfoCollection.cs

@@ -0,0 +1,16 @@
+using System.Collections.Generic;
+using System.Runtime.Serialization;
+
+namespace GitHub.DistributedTask.WebApi
+{
+    [DataContract]
+    public class ActionDownloadInfoCollection
+    {
+        [DataMember]
+        public IDictionary<string, ActionDownloadInfo> Actions
+        {
+            get;
+            set;
+        }
+    }
+}

src/Sdk/DTWebApi/WebApi/ActionReference.cs

@@ -0,0 +1,22 @@
+using System.Runtime.Serialization;
+
+namespace GitHub.DistributedTask.WebApi
+{
+    [DataContract]
+    public class ActionReference
+    {
+        [DataMember]
+        public string NameWithOwner
+        {
+            get;
+            set;
+        }
+
+        [DataMember]
+        public string Ref
+        {
+            get;
+            set;
+        }
+    }
+}

src/Sdk/DTWebApi/WebApi/ActionReferenceList.cs

@@ -0,0 +1,16 @@
+using System.Collections.Generic;
+using System.Runtime.Serialization;
+
+namespace GitHub.DistributedTask.WebApi
+{
+    [DataContract]
+    public class ActionReferenceList
+    {
+        [DataMember]
+        public IList<ActionReference> Actions
+        {
+            get;
+            set;
+        }
+    }
+}

src/Sdk/WebApi/WebApi/OAuth/VssOAuthTokenResponse.cs

@@ -39,7 +39,7 @@ namespace GitHub.Services.OAuth
         /// <summary>
         /// Gets or sets the error description for the response.
         /// </summary>
-        [DataMember(Name = "errordescription", EmitDefaultValue = false)]
+        [DataMember(Name = "error_description", EmitDefaultValue = false)]
         public String ErrorDescription
         {
             get;

src/Test/L0/Util/WhichUtilL0.cs

@@ -70,5 +70,24 @@ namespace GitHub.Runner.Common.Tests.Util
                 }
             }
         }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Common")]
+        public void WhichHandleFullyQualifiedPath()
+        {
+            using (TestHostContext hc = new TestHostContext(this))
+            {
+                //Arrange
+                Tracing trace = hc.GetTrace();
+
+                // Act.
+                var gitPath = WhichUtil.Which("git", require: true, trace: trace);
+                var gitPath2 = WhichUtil.Which(gitPath, require: true, trace: trace);
+
+                // Assert.
+                Assert.Equal(gitPath, gitPath2);
+            }
+        }
     }
 }

src/Test/L0/Worker/ActionRunnerL0.cs

@@ -295,9 +295,10 @@ namespace GitHub.Runner.Common.Tests.Worker
             {
                 Name = "action",
                 Id = actionId,
-                Reference = new Pipelines.ContainerRegistryReference()
+                Reference = new Pipelines.RepositoryPathReference()
                 {
-                    Image = "ubuntu:16.04"
+                    Name = "actions/runner",
+                    Ref = "v1"
                 },
                 Inputs = actionInputs
             };
@@ -327,8 +328,7 @@ namespace GitHub.Runner.Common.Tests.Worker
             Assert.Equal("invalid1", finialInputs["invalid1"]);
             Assert.Equal("invalid2", finialInputs["invalid2"]);
 
-            _ec.Verify(x => x.AddIssue(It.Is<Issue>(s => s.Message.Contains("Unexpected input 'invalid1'")), It.IsAny<string>()), Times.Once);
-            _ec.Verify(x => x.AddIssue(It.Is<Issue>(s => s.Message.Contains("Unexpected input 'invalid2'")), It.IsAny<string>()), Times.Once);
+            _ec.Verify(x => x.AddIssue(It.Is<Issue>(s => s.Message.Contains("Unexpected input(s) 'invalid1', 'invalid2'")), It.IsAny<string>()), Times.Once);
         }
 
         private void Setup([CallerMemberName] string name = "")

src/Test/L0/Worker/OutputManagerL0.cs

@@ -686,14 +686,17 @@ namespace GitHub.Runner.Common.Tests.Worker
                 // <WORKSPACE>/workflow-repo/nested-other-repo
                 // <WORKSPACE>/other-repo
                 // <WORKSPACE>/other-repo/nested-workflow-repo
+                // <WORKSPACE>/workflow-repo-using-ssh
                 var workflowRepository = Path.Combine(workspaceDirectory, "workflow-repo");
                 var nestedOtherRepository = Path.Combine(workspaceDirectory, "workflow-repo", "nested-other-repo");
                 var otherRepository = Path.Combine(workspaceDirectory, workflowRepository, "nested-other-repo");
                 var nestedWorkflowRepository = Path.Combine(workspaceDirectory, "other-repo", "nested-workflow-repo");
+                var workflowRepositoryUsingSsh = Path.Combine(workspaceDirectory, "workflow-repo-using-ssh");
                 await CreateRepository(hostContext, workflowRepository, "https://github.com/my-org/workflow-repo");
                 await CreateRepository(hostContext, nestedOtherRepository, "https://github.com/my-org/other-repo");
                 await CreateRepository(hostContext, otherRepository, "https://github.com/my-org/other-repo");
                 await CreateRepository(hostContext, nestedWorkflowRepository, "https://github.com/my-org/workflow-repo");
+                await CreateRepository(hostContext, workflowRepositoryUsingSsh, "git@github.com:my-org/workflow-repo.git");
 
                 // Create test files
                 var file_noRepository = Path.Combine(workspaceDirectory, "no-repo.txt");
@@ -703,7 +706,8 @@ namespace GitHub.Runner.Common.Tests.Worker
                 var file_nestedOtherRepository = Path.Combine(nestedOtherRepository, "nested-other-repo");
                 var file_otherRepository = Path.Combine(otherRepository, "other-repo.txt");
                 var file_nestedWorkflowRepository = Path.Combine(nestedWorkflowRepository, "nested-workflow-repo.txt");
-                foreach (var file in new[] { file_noRepository, file_workflowRepository, file_workflowRepository_nestedDirectory, file_workflowRepository_failsafe, file_nestedOtherRepository, file_otherRepository, file_nestedWorkflowRepository })
+                var file_workflowRepositoryUsingSsh = Path.Combine(workflowRepositoryUsingSsh, "workflow-repo-using-ssh.txt");
+                foreach (var file in new[] { file_noRepository, file_workflowRepository, file_workflowRepository_nestedDirectory, file_workflowRepository_failsafe, file_nestedOtherRepository, file_otherRepository, file_nestedWorkflowRepository, file_workflowRepositoryUsingSsh })
                 {
                     Directory.CreateDirectory(Path.GetDirectoryName(file));
                     File.WriteAllText(file, "");
@@ -718,8 +722,9 @@ namespace GitHub.Runner.Common.Tests.Worker
                 Process($"{file_nestedOtherRepository}: some error 6");
                 Process($"{file_otherRepository}: some error 7");
                 Process($"{file_nestedWorkflowRepository}: some error 8");
+                Process($"{file_workflowRepositoryUsingSsh}: some error 9");
 
-                Assert.Equal(8, _issues.Count);
+                Assert.Equal(9, _issues.Count);
 
                 Assert.Equal("some error 1", _issues[0].Item1.Message);
                 Assert.False(_issues[0].Item1.Data.ContainsKey("file"));
@@ -744,6 +749,9 @@ namespace GitHub.Runner.Common.Tests.Worker
 
                 Assert.Equal("some error 8", _issues[7].Item1.Message);
                 Assert.Equal(file_nestedWorkflowRepository.Substring(nestedWorkflowRepository.Length + 1).Replace(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar), _issues[7].Item1.Data["file"]);
+
+                Assert.Equal("some error 9", _issues[8].Item1.Message);
+                Assert.Equal(file_workflowRepositoryUsingSsh.Substring(workflowRepositoryUsingSsh.Length + 1).Replace(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar), _issues[8].Item1.Data["file"]);
             }
 
             Environment.SetEnvironmentVariable("RUNNER_TEST_GET_REPOSITORY_PATH_FAILSAFE", "");

src/runnerversion

@@ -1 +1 @@
-2.262.0
+2.267.0