c

* Make FileShare ReadWrite

* Update FileAccess to ReadWrite

* Update dotnet-install.ps1

* Update dotnet-install.ps1

* Update dotnet-install.ps1

* Update dotnet-install.sh

.github/workflows/release.yml

@@ -45,6 +45,12 @@ jobs:
   
   build:
     needs: check
+    outputs:
+      linux-x64-sha: ${{ steps.sha.outputs.linux-x64-sha256 }}
+      linux-arm64-sha: ${{ steps.sha.outputs.linux-arm64-sha256 }}
+      linux-arm-sha: ${{ steps.sha.outputs.linux-arm-sha256 }}
+      win-x64-sha: ${{ steps.sha.outputs.win-x64-sha256 }}
+      osx-x64-sha: ${{ steps.sha.outputs.osx-x64-sha256 }}
     strategy:
       matrix:
         runtime: [ linux-x64, linux-arm64, linux-arm, win-x64, osx-x64 ]
@@ -101,7 +107,19 @@ jobs:
       with:
         name: runner-packages
         path: _package
-
+    # compute shas and set as job outputs to use in release notes
+    - run: brew install coreutils #needed for shasum util
+      if: ${{ matrix.os == 'macOS-latest' }}
+      name: Install Dependencies for SHA Calculation (osx)
+    - run: |
+        file=$(ls)
+        sha=$(sha256sum $file | awk '{ print $1 }')
+        echo "Computed sha256: $sha for $file"
+        echo "::set-output name=${{matrix.runtime}}-sha256::$sha"
+      shell: bash
+      id: sha
+      name: Compute SHA256
+      working-directory: _package
   release:
     needs: build
     runs-on: ubuntu-latest
@@ -126,11 +144,15 @@ jobs:
           const core = require('@actions/core')
           const fs = require('fs');
           const runnerVersion = fs.readFileSync('${{ github.workspace }}/src/runnerversion', 'utf8').replace(/\n$/g, '')
-          const releaseNote = fs.readFileSync('${{ github.workspace }}/releaseNote.md', 'utf8').replace(/<RUNNER_VERSION>/g, runnerVersion)
+          var releaseNote = fs.readFileSync('${{ github.workspace }}/releaseNote.md', 'utf8').replace(/<RUNNER_VERSION>/g, runnerVersion)
+          releaseNote = releaseNote.replace(/<WIN_X64_SHA>/g, '${{needs.build.outputs.win-x64-sha}}')
+          releaseNote = releaseNote.replace(/<OSX_X64_SHA>/g, '${{needs.build.outputs.osx-x64-sha}}')
+          releaseNote = releaseNote.replace(/<LINUX_X64_SHA>/g, '${{needs.build.outputs.linux-x64-sha}}')
+          releaseNote = releaseNote.replace(/<LINUX_ARM_SHA>/g, '${{needs.build.outputs.linux-arm-sha}}')
+          releaseNote = releaseNote.replace(/<LINUX_ARM64_SHA>/g, '${{needs.build.outputs.linux-arm64-sha}}')
           console.log(releaseNote)
           core.setOutput('version', runnerVersion);
-          core.setOutput('note', releaseNote);
-        
+          core.setOutput('note', releaseNote);  
     # Create GitHub release
     - uses: actions/create-release@master
       id: createRelease
@@ -193,4 +215,4 @@ jobs:
         upload_url: ${{ steps.createRelease.outputs.upload_url }}
         asset_path: ${{ github.workspace }}/actions-runner-linux-arm64-${{ steps.releaseNote.outputs.version }}.tar.gz
         asset_name: actions-runner-linux-arm64-${{ steps.releaseNote.outputs.version }}.tar.gz
-        asset_content_type: application/octet-stream
+        asset_content_type: application/octet-stream

.gitignore

@@ -22,7 +22,4 @@ _dotnetsdk
 TestResults
 TestLogs
 .DS_Store
-**/*.DotSettings.user
-
-#generated
-src/Runner.Sdk/BuildConstants.cs
+**/*.DotSettings.user

docs/adrs/0297-base64-masking-trailing-characters.md

@@ -15,7 +15,7 @@ This gives us good coverage across the board for secrets and secrets with a pref
 
 However, we don't have great coverage for cases where the secret has a string appended to it before it is base64 encoded (i.e.: `base64($pass\n))`). 
 
-Most notably we've seen this as a result of user error where a user accidentially appends a newline or space character before encoding their secret in base64.
+Most notably we've seen this as a result of user error where a user accidentally appends a newline or space character before encoding their secret in base64.
 
 ## Decision
 
@@ -45,4 +45,4 @@ This will result in us only revealing length or bit information when a prefix or
 
 - In the case where a secret has a prefix or suffix added before base64 encoding, we may now reveal up to 20 bits of information and the length of the original string modulo 3, rather then the original 16 bits and no length information
 - Secrets with a suffix appended before encoding will now be masked across the board. Previously it was only masked if it was a multiple of 3 characters
-- Performance will suffer in a neglible way
+- Performance will suffer in a negligible way

docs/checks/actions.md

@@ -27,6 +27,7 @@ Make sure the runner has access to actions service for GitHub.com or GitHub Ente
 - DNS lookup for pipelines.actions.githubusercontent.com using dotnet
 - Ping pipelines.actions.githubusercontent.com using dotnet
 - Make HTTP GET to https://pipelines.actions.githubusercontent.com/_apis/health or https://myGHES.com/_services/pipelines/_apis/health using dotnet, check response headers contains `x-vss-e2eid` 
+- Make HTTP POST to https://pipelines.actions.githubusercontent.com/_apis/health or https://myGHES.com/_services/pipelines/_apis/health using dotnet, check response headers contains `x-vss-e2eid` 
 
 ## How to fix the issue?
 

docs/checks/git.md

@@ -22,7 +22,7 @@ The test also set environment variable `GIT_TRACE=1` and `GIT_CURL_VERBOSE=1` be
 
 ### 1. Check the common network issue
   
-    > Please check the [network doc](./network.md)
+  > Please check the [network doc](./network.md)
 
 ### 2. SSL certificate related issue
 

docs/checks/network.md

@@ -10,6 +10,8 @@
 
 - Proxy try to decrypt and exam HTTPS traffic for security purpose but cause the actions-runner to fail to finish SSL handshake due to the lack of trusting proxy's CA.
 
+- Proxy try to modify the HTTPS request (like add or change some http headers) and causes the request become incompatible with the Actions Service (ASP.NetCore), Ex: [Nginx](https://github.com/dotnet/aspnetcore/issues/17081)
+
 - Firewall rules that block action runner from accessing certain hosts, ex: `*.github.com`, `*.actions.githubusercontent.com`, etc.
 
 
@@ -21,6 +23,7 @@ Use a 3rd party tool to make the same requests as the runner did would be a good
 
 - Use `nslookup` to check DNS
 - Use `ping` to check Ping
+- Use `traceroute`, `tracepath`, or `tracert` to check the network route between the runner and the Actions service 
 - Use `curl -v` to check the network stack, good for verifying default certificate/proxy settings.
 - Use `Invoke-WebRequest` from `pwsh` (`PowerShell Core`) to check the dotnet network stack, good for verifying bugs in the dotnet framework.
 

docs/start/envlinux.md

@@ -15,16 +15,16 @@ x64
   - openSUSE 15+
   - SUSE Enterprise Linux (SLES) 12 SP2+
 
-## Install .Net Core 5 Linux Dependencies
+## Install .Net Core 3.x Linux Dependencies
 
-The `./config.sh` will check .Net Core 5 dependencies during runner configuration.  
+The `./config.sh` will check .Net Core 3.x dependencies during runner configuration.  
 You might see something like this which indicate a dependency's missing.
 ```bash
 ./config.sh
     libunwind.so.8 => not found
     libunwind-x86_64.so.8 => not found
-Dependencies is missing for Dotnet 5
-Execute ./bin/installdependencies.sh to install any missing Dotnet 5 dependencies.
+Dependencies is missing for Dotnet Core 3.0
+Execute ./bin/installdependencies.sh to install any missing Dotnet Core 3.0 dependencies.
 ```
 You can easily correct the problem by executing `./bin/installdependencies.sh`.  
 The `installdependencies.sh` script should install all required dependencies on all supported Linux versions   

releaseNote.md

@@ -1,11 +1,11 @@
 ## Features
 
+
 ## Bugs
-  - Downgrade runner to .NET 3 to address an issue with broken pipes in Ubuntu (#928)
-  - Fixed an issue where FIPS Cryptography broke back-compat scenarios (#928)
+  - Fixed an issue where docker containers failed to initialize (#977)
 
 ## Misc
-  - Updated dotnet install scripts (#928)
+
 
 ## Windows x64
 We recommend configuring the runner in a root folder of the Windows drive (e.g. "C:\actions-runner"). This will help avoid issues related to service identity folder permissions and long file path restrictions on Windows.
@@ -67,3 +67,13 @@ tar xzf ./actions-runner-linux-arm-<RUNNER_VERSION>.tar.gz
 
 ## Using your self hosted runner
 For additional details about configuring, running, or shutting down the runner please check out our [product docs.](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/adding-self-hosted-runners)
+
+## SHA-256 Checksums
+
+The SHA-256 checksums for the packages included in this build are shown below:
+
+- actions-runner-win-x64-<RUNNER_VERSION>.zip <!-- BEGIN SHA win-x64 --><WIN_X64_SHA><!-- END SHA win-x64 -->
+- actions-runner-osx-x64-<RUNNER_VERSION>.tar.gz <!-- BEGIN SHA osx-x64 --><OSX_X64_SHA><!-- END SHA osx-x64 -->
+- actions-runner-linux-x64-<RUNNER_VERSION>.tar.gz <!-- BEGIN SHA linux-x64 --><LINUX_X64_SHA><!-- END SHA linux-x64 -->
+- actions-runner-linux-arm64-<RUNNER_VERSION>.tar.gz <!-- BEGIN SHA linux-arm64 --><LINUX_ARM64_SHA><!-- END SHA linux-arm64 -->
+- actions-runner-linux-arm-<RUNNER_VERSION>.tar.gz <!-- BEGIN SHA linux-arm --><LINUX_ARM_SHA><!-- END SHA linux-arm -->

releaseVersion

@@ -1 +1 @@
-2.276.1
+<Update to ./src/runnerversion when creating release>

src/Misc/dotnet-install.ps1

@@ -340,9 +340,8 @@ function Get-Latest-Version-Info([string]$AzureFeed, [string]$Channel) {
     elseif ($Runtime -eq "aspnetcore") {
         $VersionFileUrl = "$UncachedFeed/aspnetcore/Runtime/$Channel/latest.version"
     }
-    # Currently, the WindowsDesktop runtime is manufactured with the .Net core runtime
     elseif ($Runtime -eq "windowsdesktop") {
-        $VersionFileUrl = "$UncachedFeed/Runtime/$Channel/latest.version"
+        $VersionFileUrl = "$UncachedFeed/WindowsDesktop/$Channel/latest.version"
     }
     elseif (-not $Runtime) {
         $VersionFileUrl = "$UncachedFeed/Sdk/$Channel/latest.version"
@@ -438,7 +437,16 @@ function Get-Download-Link([string]$AzureFeed, [string]$SpecificVersion, [string
         $PayloadURL = "$AzureFeed/aspnetcore/Runtime/$SpecificVersion/aspnetcore-runtime-$SpecificProductVersion-win-$CLIArchitecture.zip"
     }
     elseif ($Runtime -eq "windowsdesktop") {
+        # The windows desktop runtime is part of the core runtime layout prior to 5.0
         $PayloadURL = "$AzureFeed/Runtime/$SpecificVersion/windowsdesktop-runtime-$SpecificProductVersion-win-$CLIArchitecture.zip"
+        if ($SpecificVersion -match '^(\d+)\.(.*)$')
+        {
+            $majorVersion = [int]$Matches[1]
+            if ($majorVersion -ge 5)
+            {
+                $PayloadURL = "$AzureFeed/WindowsDesktop/$SpecificVersion/windowsdesktop-runtime-$SpecificProductVersion-win-$CLIArchitecture.zip"
+            }
+        }
     }
     elseif (-not $Runtime) {
         $PayloadURL = "$AzureFeed/Sdk/$SpecificVersion/dotnet-sdk-$SpecificProductVersion-win-$CLIArchitecture.zip"
@@ -480,7 +488,16 @@ function Get-Product-Version([string]$AzureFeed, [string]$SpecificVersion) {
         $ProductVersionTxtURL = "$AzureFeed/aspnetcore/Runtime/$SpecificVersion/productVersion.txt"
     }
     elseif ($Runtime -eq "windowsdesktop") {
+        # The windows desktop runtime is part of the core runtime layout prior to 5.0
         $ProductVersionTxtURL = "$AzureFeed/Runtime/$SpecificVersion/productVersion.txt"
+        if ($SpecificVersion -match '^(\d+)\.(.*)')
+        {
+            $majorVersion = [int]$Matches[1]
+            if ($majorVersion -ge 5)
+            {
+                $ProductVersionTxtURL = "$AzureFeed/WindowsDesktop/$SpecificVersion/productVersion.txt"
+            }
+        }
     }
     elseif (-not $Runtime) {
         $ProductVersionTxtURL = "$AzureFeed/Sdk/$SpecificVersion/productVersion.txt"
@@ -885,10 +902,10 @@ Say "Note that the script does not resolve dependencies during installation."
 Say "To check the list of dependencies, go to https://docs.microsoft.com/dotnet/core/install/windows#dependencies"
 Say "Installation finished"
 # SIG # Begin signature block
-# MIIjkgYJKoZIhvcNAQcCoIIjgzCCI38CAQExDzANBglghkgBZQMEAgEFADB5Bgor
+# MIIjjwYJKoZIhvcNAQcCoIIjgDCCI3wCAQExDzANBglghkgBZQMEAgEFADB5Bgor
 # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
-# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD2c707qnCLOLIC
-# n6Mu5Gr4+Xp68foyZlGlTycnycc5l6CCDYEwggX/MIID56ADAgECAhMzAAABh3IX
+# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCNsnhcJvx/hXmM
+# w8KjuvvIMDBFonhg9XJFc1QwfTyH4aCCDYEwggX/MIID56ADAgECAhMzAAABh3IX
 # chVZQMcJAAAAAAGHMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
 # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
 # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
@@ -960,29 +977,29 @@ Say "Installation finished"
 # xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96
 # eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7
 # r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I
-# RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIVZzCCFWMCAQEwgZUwfjELMAkG
+# RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIVZDCCFWACAQEwgZUwfjELMAkG
 # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
 # HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z
 # b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAYdyF3IVWUDHCQAAAAABhzAN
 # BglghkgBZQMEAgEFAKCBrjAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor
-# BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgE/MRhWyu
-# Zg+EA2WKcxYC31nHVCTE6guHppZppc70RtkwQgYKKwYBBAGCNwIBDDE0MDKgFIAS
+# BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgpT/bxWwe
+# aW0EinKMWCAzDXUjwXkIHldYzR6lw4/1Pc0wQgYKKwYBBAGCNwIBDDE0MDKgFIAS
 # AE0AaQBjAHIAbwBzAG8AZgB0oRqAGGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbTAN
-# BgkqhkiG9w0BAQEFAASCAQBvcYCjRDXUYEIz9j2j0r4GFI2Y3g/CoNxDDBaeQ+gV
-# khO0fK0oLh18RbV271Mg6SF7X7+mXB5MnL68voVQDqHnsCYrIAuMF/AEpv9YuDDp
-# ZRJuqN7Vwg3HM02l/FyATBIMgf/V79aYzJL3jjtt9bRIyxk6aPU4XcwMeA4usnUQ
-# rMhIiQz07DgfSrcQWe4AvGFAIvqTAKE4P944EZWWVnWI/10rvatEAefqJZX3XljW
-# sK/6NY/0MyAyiILOuXbvVS0YFbHaR2qd1jUXbrY79fS+H4Ts6qnbufOkHQvmcDxs
-# 801wKLHumMdPTtMVzfVMCwPvrHP0wtzsFlmCcKjBbGpvoYIS8TCCEu0GCisGAQQB
-# gjcDAwExghLdMIIS2QYJKoZIhvcNAQcCoIISyjCCEsYCAQMxDzANBglghkgBZQME
+# BgkqhkiG9w0BAQEFAASCAQCHd7sSQVq0YDg8QDx6/kLWn3s6jtvvIDCCgsO9spHM
+# quPd4FPbG67DCsKDClekQs52qrtRO3Zo+JMnCw4j3bS+gZHzeJr2shbftOrpsFoD
+# l7OPcUmtrqul9dkQCOp8t0MP3ls0n96/YyNy6lz4BAlTdkdDx957uAxalKaCIBzb
+# R9QyppOKIfNFvwD4EI5KI6tpmSy/uH8SrRg7ZExAYZl6J6R18WkL7KHn649lPoAQ
+# ujwrIXH10xOJops45ILGzKWQcHmCzLJGYapL4VHUuK+73nT+9ZROGHdk/PyvIcdw
+# iERa+C06v305t3DA+CuHFy1tvyw7IFF6RVbLZPwxrJjToYIS7jCCEuoGCisGAQQB
+# gjcDAwExghLaMIIS1gYJKoZIhvcNAQcCoIISxzCCEsMCAQMxDzANBglghkgBZQME
 # AgEFADCCAVUGCyqGSIb3DQEJEAEEoIIBRASCAUAwggE8AgEBBgorBgEEAYRZCgMB
-# MDEwDQYJYIZIAWUDBAIBBQAEINdeoXtuzW+Dihw6n+VdG+91si0f6TvWhJXaPtvW
-# oF4cAgZfu+i3IT8YEzIwMjAxMjE3MDYzMDM2LjU0M1owBIACAfSggdSkgdEwgc4x
+# MDEwDQYJYIZIAWUDBAIBBQAEIOCaTmvM1AP0WaEVqzKaaCu/R+bTlR4kCrM/ZXsb
+# /eNOAgZgGeLsMwsYEzIwMjEwMjAzMjExNzQ5LjU5MVowBIACAfSggdSkgdEwgc4x
 # CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt
 # b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1p
 # Y3Jvc29mdCBPcGVyYXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFsZXMg
 # VFNTIEVTTjo4OTdBLUUzNTYtMTcwMTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUt
-# U3RhbXAgU2VydmljZaCCDkQwggT1MIID3aADAgECAhMzAAABLCKvRZd1+RvuAAAA
+# U3RhbXAgU2VydmljZaCCDkEwggT1MIID3aADAgECAhMzAAABLCKvRZd1+RvuAAAA
 # AAEsMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo
 # aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y
 # cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw
@@ -1043,7 +1060,7 @@ Say "Installation finished"
 # cs0d9LiFAR6A+xuJKlQ5slvayA1VmXqHczsI5pgt6o3gMy4SKfXAL1QnIffIrE7a
 # KLixqduWsqdCosnPGUFN4Ib5KpqjEWYw07t0MkvfY3v1mYovG8chr1m1rtxEPJdQ
 # cdeh0sVV42neV8HR3jDA/czmTfsNv11P6Z0eGTgvvM9YBS7vDaBQNdrvCScc1bN+
-# NR4Iuto229Nfj950iEkSoYIC0jCCAjsCAQEwgfyhgdSkgdEwgc4xCzAJBgNVBAYT
+# NR4Iuto229Nfj950iEkSoYICzzCCAjgCAQEwgfyhgdSkgdEwgc4xCzAJBgNVBAYT
 # AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD
 # VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1pY3Jvc29mdCBP
 # cGVyYXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjo4
@@ -1052,27 +1069,27 @@ Say "Installation finished"
 # fjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
 # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQD
 # Ex1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQUFAAIF
-# AOOFYaowIhgPMjAyMDEyMTcwODQ4NDJaGA8yMDIwMTIxODA4NDg0MlowdzA9Bgor
-# BgEEAYRZCgQBMS8wLTAKAgUA44VhqgIBADAKAgEAAgIoWgIB/zAHAgEAAgISJTAK
-# AgUA44azKgIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIB
-# AAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBAB53NDoDDF4vqFWY
-# fwUnSvAy3z0CtqSFeA9RzDKGklPRwVkya5DtmVBDTZUbVQ2ST9hvRAVxhktfyVBZ
-# ewapGJsvwMhg7nnEqBOumt6TvueIZpbs+p5z//3+iFYGkT3YFQI0Gd2JkvgBxfs5
-# +GptO6JKtiyA+zkKijxqXZvMqMxBMYIDDTCCAwkCAQEwgZMwfDELMAkGA1UEBhMC
-# VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV
-# BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRp
-# bWUtU3RhbXAgUENBIDIwMTACEzMAAAEsIq9Fl3X5G+4AAAAAASwwDQYJYIZIAWUD
-# BAIBBQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0B
-# CQQxIgQg3wEUtEvxwCp3aAFB2vGXOOqg/AXHyXZh9P9J+0uArDMwgfoGCyqGSIb3
-# DQEJEAIvMYHqMIHnMIHkMIG9BCBbn/0uFFh42hTM5XOoKdXevBaiSxmYK9Ilcn9n
-# u5ZH4TCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u
-# MRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRp
-# b24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAB
-# LCKvRZd1+RvuAAAAAAEsMCIEINBRtGID6jvA2ptfwIuPyG7qPcLRYb9YrJ8aKfVg
-# TulFMA0GCSqGSIb3DQEBCwUABIIBACQQpFGWW6JmH5MTKwhaE/8+gyzI2bT8XJnA
-# t8k7PHFvEGA7whgp9eNgW+wWJm1gnsmswjx2l7FW4DLg9lghM8FK77JRCg7CJfse
-# dSbnTv81/4VhSXOAO0jMP2dALP7DF59vQmlDh50u8/Wu61ActMOt6cArkoUhBRXO
-# LnqOQCOEEku5Xy2ES9g9eUfLUvTvlWo6HiAq+cJnNV08QRBOnGWRxdwy8YJ5vwNW
-# Pwx0ZG3rTvMtGzOaW6Ve5O36H2ynoEdzCmpakeDaF2sZ86/LNERKyIXiykV/Uig1
-# SZh2VLY/Yni9SCVHbYgvTOCh5ZZE5eOi6BwLf0T4xl5alHUx+AA=
+# AOPFChkwIhgPMjAyMTAyMDMxNTQwMDlaGA8yMDIxMDIwNDE1NDAwOVowdDA6Bgor
+# BgEEAYRZCgQBMSwwKjAKAgUA48UKGQIBADAHAgEAAgIXmDAHAgEAAgIRyTAKAgUA
+# 48ZbmQIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIBAAID
+# B6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBAHeeznL2n6HWCjHH94Fl
+# hcdW6TEXzq4XNgp1Gx1W9F8gJ4x+SwoV7elJZkwgGffcpHomLvIY/VSuzsl1NgtJ
+# TWM2UxoqSv58BBOrl4eGhH6kkg8Ucy2tdeK5T8cHa8pMkq2j9pFd2mRG/6VMk0dl
+# Xz7Uy3Z6bZqkcABMyAfuAaGbMYIDDTCCAwkCAQEwgZMwfDELMAkGA1UEBhMCVVMx
+# EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT
+# FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUt
+# U3RhbXAgUENBIDIwMTACEzMAAAEsIq9Fl3X5G+4AAAAAASwwDQYJYIZIAWUDBAIB
+# BQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQx
+# IgQg/QYv7yp+354WTjWUIsXWndTEzXjaYjqwYjcBxCJKjdUwgfoGCyqGSIb3DQEJ
+# EAIvMYHqMIHnMIHkMIG9BCBbn/0uFFh42hTM5XOoKdXevBaiSxmYK9Ilcn9nu5ZH
+# 4TCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw
+# DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x
+# JjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABLCKv
+# RZd1+RvuAAAAAAEsMCIEIIfIM3YbzHswb/Kj/qq1l1cHA6QBl+gEXYanUNJomrpT
+# MA0GCSqGSIb3DQEBCwUABIIBAAwdcXssUZGO7ho5+NHLjIxLtQk543aKGo+lrRMY
+# Q9abE1h/AaaNJl0iGxX4IihNWyfovSfYL3L4eODUBAu68tWSxeceRfWNsb/ZZfUi
+# v89hpLssI/Gf1BEgNMA4zCuIGQiC8okusVumEpAhhvCEbSiTTTtBdolTnU/CAKui
+# oxaU3R9XkKh1F4oAM26+dJ1J2BLQXPs5afNvvedDsZWNQUPK1sFF3JRfzxiTrwBW
+# EJRyflev9gyDoqCHzippgb+6+eti1WTkcA9Q49GIT11S6LOAVqkSC9N7Nqf8ksh8
+# ARdwT8jigpsm+mj7lrVU9upDkhVYhKeO8oiZq95Q53Zkteo=
 # SIG # End signature block

src/Misc/dotnet-install.sh

@@ -303,7 +303,7 @@ get_machine_architecture() {
             echo "arm"
             return 0
             ;;
-        aarch64)
+        aarch64|arm64)
             echo "arm64"
             return 0
             ;;
@@ -489,7 +489,7 @@ get_specific_version_from_version() {
     local json_file="$5"
 
     if [ -z "$json_file" ]; then
-        if [[ "$version" == "latest" ]]; then 
+        if [[ "$version" == "latest" ]]; then
             local version_info
             version_info="$(get_latest_version_info "$azure_feed" "$channel" "$normalized_architecture" false)" || return 1
             say_verbose "get_specific_version_from_version: version_info=$version_info"
@@ -522,7 +522,7 @@ construct_download_link() {
     local specific_version="${4//[$'\t\r\n']}"
     local specific_product_version="$(get_specific_product_version "$1" "$4")"
     local osname="$5"
-    
+
     local download_link=null
     if [[ "$runtime" == "dotnet" ]]; then
         download_link="$azure_feed/Runtime/$specific_version/dotnet-runtime-$specific_product_version-$osname-$normalized_architecture.tar.gz"
@@ -542,7 +542,7 @@ construct_download_link() {
 # azure_feed - $1
 # specific_version - $2
 get_specific_product_version() {
-    # If we find a 'productVersion.txt' at the root of any folder, we'll use its contents 
+    # If we find a 'productVersion.txt' at the root of any folder, we'll use its contents
     # to resolve the version of what's in the folder, superseding the specified version.
     eval $invocation
 
@@ -744,13 +744,30 @@ download() {
     fi
 
     local failed=false
-    if machine_has "curl"; then
-        downloadcurl "$remote_path" "$out_path" || failed=true
-    elif machine_has "wget"; then
-        downloadwget "$remote_path" "$out_path" || failed=true
-    else
-        failed=true
-    fi
+    local attempts=0
+    while [ $attempts -lt 3 ]; do
+        attempts=$((attempts+1))
+        failed=false
+        if machine_has "curl"; then
+            downloadcurl "$remote_path" "$out_path" || failed=true
+        elif machine_has "wget"; then
+            downloadwget "$remote_path" "$out_path" || failed=true
+        else
+            say_err "Missing dependency: neither curl nor wget was found."
+            exit 1
+        fi
+
+        if [ "$failed" = false ] || [ $attempts -ge 3 ] || { [ ! -z $http_code ] && [ $http_code = "404" ]; }; then
+            break
+        fi
+
+        say "Download attempt #$attempts has failed: $http_code $download_error_msg"
+        say "Attempt #$((attempts+1)) will start in $((attempts*10)) seconds."
+        sleep $((attempts*20))
+    done
+
+
+
     if [ "$failed" = true ]; then
         say_verbose "Download failed: $remote_path"
         return 1
@@ -761,6 +778,8 @@ download() {
 # Updates global variables $http_code and $download_error_msg
 downloadcurl() {
     eval $invocation
+    unset http_code
+    unset download_error_msg
     local remote_path="$1"
     local out_path="${2:-}"
     # Append feed_credential as late as possible before calling curl to avoid logging feed_credential
@@ -789,6 +808,8 @@ downloadcurl() {
 # Updates global variables $http_code and $download_error_msg
 downloadwget() {
     eval $invocation
+    unset http_code
+    unset download_error_msg
     local remote_path="$1"
     local out_path="${2:-}"
     # Append feed_credential as late as possible before calling wget to avoid logging feed_credential
@@ -882,12 +903,11 @@ install_dotnet() {
     say "Downloading primary link $download_link"
 
     # The download function will set variables $http_code and $download_error_msg in case of failure.
-    http_code=""; download_error_msg=""
     download "$download_link" "$zip_path" 2>&1 || download_failed=true
-    primary_path_http_code="$http_code"; primary_path_download_error_msg="$download_error_msg"
 
     #  if the download fails, download the legacy_download_link
     if [ "$download_failed" = true ]; then
+        primary_path_http_code="$http_code"; primary_path_download_error_msg="$download_error_msg"
         case $primary_path_http_code in
         404)
             say "The resource at $download_link is not available."
@@ -906,11 +926,10 @@ install_dotnet() {
             say "Downloading legacy link $download_link"
 
             # The download function will set variables $http_code and $download_error_msg in case of failure.
-            http_code=""; download_error_msg=""
             download "$download_link" "$zip_path" 2>&1 || download_failed=true
-            legacy_path_http_code="$http_code";  legacy_path_download_error_msg="$download_error_msg"
 
             if [ "$download_failed" = true ]; then
+                legacy_path_http_code="$http_code";  legacy_path_download_error_msg="$download_error_msg"
                 case $legacy_path_http_code in
                 404)
                     say "The resource at $download_link is not available."
@@ -1112,10 +1131,10 @@ do
             echo "      --arch,-Architecture,-Arch"
             echo "          Possible values: x64, arm, and arm64"
             echo "  --os <system>                    Specifies operating system to be used when selecting the installer."
-            echo "          Overrides the OS determination approach used by the script. Supported values: osx, linux, linux-musl, freebsd, rhel.6."  
-            echo "          In case any other value is provided, the platform will be determined by the script based on machine configuration."       
+            echo "          Overrides the OS determination approach used by the script. Supported values: osx, linux, linux-musl, freebsd, rhel.6."
+            echo "          In case any other value is provided, the platform will be determined by the script based on machine configuration."
             echo "          Not supported for legacy links. Use --runtime-id to specify platform for legacy links."
-            echo "          Refer to: https://aka.ms/dotnet-os-lifecycle for more information."                 
+            echo "          Refer to: https://aka.ms/dotnet-os-lifecycle for more information."
             echo "  --runtime <RUNTIME>                Installs a shared runtime only, without the SDK."
             echo "      -Runtime"
             echo "          Possible values:"
@@ -1140,7 +1159,7 @@ do
             echo "                                     Installs just the shared runtime bits, not the entire SDK."
             echo "  --runtime-id                       Installs the .NET Tools for the given platform (use linux-x64 for portable linux)."
             echo "      -RuntimeId"                    The parameter is obsolete and may be removed in a future version of this script. Should be used only for versions below 2.1.
-            echo "                                     For primary links to override OS or/and architecture, use --os and --architecture option instead." 
+            echo "                                     For primary links to override OS or/and architecture, use --os and --architecture option instead."
             echo ""
             echo "Install Location:"
             echo "  Location is chosen in following order:"
@@ -1177,7 +1196,7 @@ if [ "$dry_run" = true ]; then
     if [ "$valid_legacy_download_link" = true ]; then
         say "Legacy named payload URL: $legacy_download_link"
     fi
-    repeatable_command="./$script_name --version "\""$specific_version"\"" --install-dir "\""$install_root"\"" --architecture "\""$normalized_architecture"\"" --os "\""$normalized_os"\""" 
+    repeatable_command="./$script_name --version "\""$specific_version"\"" --install-dir "\""$install_root"\"" --architecture "\""$normalized_architecture"\"" --os "\""$normalized_os"\"""
     if [[ "$runtime" == "dotnet" ]]; then
         repeatable_command+=" --runtime "\""dotnet"\"""
     elif [[ "$runtime" == "aspnetcore" ]]; then

src/Misc/layoutbin/RunnerService.js

@@ -16,11 +16,11 @@ if (supported.indexOf(process.platform) == -1) {
 var stopping = false;
 var listener = null;
 
-var runService = function() {
+var runService = function () {
     var listenerExePath = path.join(__dirname, '../bin/Runner.Listener');
     var interactive = process.argv[2] === "interactive";
 
-    if(!stopping) {
+    if (!stopping) {
         try {
             if (interactive) {
                 console.log('Starting Runner listener interactively');
@@ -30,8 +30,8 @@ var runService = function() {
                 listener = childProcess.spawn(listenerExePath, ['run', '--startuptype', 'service'], { env: process.env });
             }
 
-            console.log('Started listener process');
-        
+            console.log(`Started listener process, pid: ${listener.pid}`);
+
             listener.stdout.on('data', (data) => {
                 process.stdout.write(data.toString('utf8'));
             });
@@ -40,6 +40,10 @@ var runService = function() {
                 process.stdout.write(data.toString('utf8'));
             });
 
+            listener.on("error", (err) => {
+                console.log(`Runner listener fail to start with error ${err.message}`);
+            });
+
             listener.on('close', (code) => {
                 console.log(`Runner listener exited with error code ${code}`);
 
@@ -56,13 +60,13 @@ var runService = function() {
                 } else {
                     console.log('Runner listener exit with undefined return code, re-launch runner in 5 seconds.');
                 }
-                
-                if(!stopping) {
+
+                if (!stopping) {
                     setTimeout(runService, 5000);
                 }
             });
 
-        } catch(ex) {
+        } catch (ex) {
             console.log(ex);
         }
     }
@@ -71,7 +75,7 @@ var runService = function() {
 runService();
 console.log('Started running service');
 
-var gracefulShutdown = function(code) {
+var gracefulShutdown = function (code) {
     console.log('Shutting down runner listener');
     stopping = true;
     if (listener) {

src/Misc/layoutbin/installdependencies.sh

@@ -14,14 +14,14 @@ fi
 
 function print_errormessage() 
 {
-    echo "Can't install dotnet 5 dependencies."
+    echo "Can't install dotnet core dependencies."
     echo "You can manually install all required dependencies based on following documentation"
     echo "https://docs.microsoft.com/en-us/dotnet/core/linux-prerequisites?tabs=netcore2x"
 }
 
 function print_rhel6message() 
 {
-    echo "We did our best effort to install dotnet 5 dependencies"
+    echo "We did our best effort to install dotnet core dependencies"
     echo "However, there are some dependencies which require manual installation" 
     echo "You can install all remaining required dependencies based on the following documentation"
     echo "https://github.com/dotnet/core/blob/master/Documentation/build-and-install-rhel6-prerequisites.md"
@@ -29,7 +29,7 @@ function print_rhel6message()
 
 function print_rhel6errormessage() 
 {
-    echo "We couldn't install dotnet 5 dependencies"
+    echo "We couldn't install dotnet core dependencies"
     echo "You can manually install all required dependencies based on following documentation"
     echo "https://docs.microsoft.com/en-us/dotnet/core/linux-prerequisites?tabs=netcore2x"
     echo "In addition, there are some dependencies which require manual installation. Please follow this documentation" 

src/Misc/layoutroot/config.sh

@@ -8,7 +8,7 @@ if [ $user_id -eq 0 -a -z "$RUNNER_ALLOW_RUNASROOT" ]; then
     exit 1
 fi
 
-# Check dotnet 5 dependencies for Linux
+# Check dotnet core 3.0 dependencies for Linux
 if [[ (`uname` == "Linux") ]]
 then
     command -v ldd > /dev/null
@@ -18,25 +18,25 @@ then
         exit 1
     fi
 
-    message="Execute sudo ./bin/installdependencies.sh to install any missing Dotnet 5 dependencies."
+    message="Execute sudo ./bin/installdependencies.sh to install any missing Dotnet Core 3.0 dependencies."
 
     ldd ./bin/libcoreclr.so | grep 'not found'
     if [ $? -eq 0 ]; then
-        echo "Dependencies is missing for Dotnet 5"
+        echo "Dependencies is missing for Dotnet Core 3.0"
         echo $message
         exit 1
     fi
 
-    ldd ./bin/libSystem.Security.Cryptography.Native.OpenSsl.so | grep 'not found'
+    ldd ./bin/System.Security.Cryptography.Native.OpenSsl.so | grep 'not found'
     if [ $? -eq 0 ]; then
-        echo "Dependencies is missing for Dotnet 5"
+        echo "Dependencies is missing for Dotnet Core 3.0"
         echo $message
         exit 1
     fi
 
-    ldd ./bin/libSystem.IO.Compression.Native.so | grep 'not found'
+    ldd ./bin/System.IO.Compression.Native.so | grep 'not found'
     if [ $? -eq 0 ]; then
-        echo "Dependencies is missing for Dotnet 5"
+        echo "Dependencies is missing for Dotnet Core 3.0"
         echo $message
         exit 1
     fi
@@ -54,7 +54,7 @@ then
     libpath=${LD_LIBRARY_PATH:-}
     $LDCONFIG_COMMAND -NXv ${libpath//:/ } 2>&1 | grep libicu >/dev/null 2>&1
     if [ $? -ne 0 ]; then
-        echo "Libicu's dependencies is missing for Dotnet 5"
+        echo "Libicu's dependencies is missing for Dotnet Core 3.0"
         echo $message
         exit 1
     fi

src/Misc/layoutroot/run.sh

@@ -26,25 +26,23 @@ if [[ "$1" == "localRun" ]]; then
 else
     "$DIR"/bin/Runner.Listener run $*
 
-# Return code 4 means the run once runner received an update message.
-# Sleep 5 seconds to wait for the update process finish and run the runner again.
+# Return code 3 means the run once runner received an update message.
+# Sleep 5 seconds to wait for the update process finish
     returnCode=$?
-    if [[ $returnCode == 4 ]]; then
+    if [[ $returnCode == 3 ]]; then
         if [ ! -x "$(command -v sleep)" ]; then
             if [ ! -x "$(command -v ping)" ]; then
                 COUNT="0"
                 while [[ $COUNT != 5000 ]]; do
-                    echo "SLEEP" >nul
+                    echo "SLEEP" > /dev/null
                     COUNT=$[$COUNT+1]
                 done
             else
-                ping -n 5 127.0.0.1 >nul
+                ping -c 5 127.0.0.1 > /dev/null
             fi
         else
-            sleep 5 >nul
+            sleep 5
         fi
-        
-        "$DIR"/bin/Runner.Listener run $*
     else
         exit $returnCode
     fi

src/Runner.Common/HostContext.cs

@@ -84,6 +84,7 @@ namespace GitHub.Runner.Common
             this.SecretMasker.AddValueEncoder(ValueEncoders.Base64StringEscape);
             this.SecretMasker.AddValueEncoder(ValueEncoders.Base64StringEscapeShift1);
             this.SecretMasker.AddValueEncoder(ValueEncoders.Base64StringEscapeShift2);
+            this.SecretMasker.AddValueEncoder(ValueEncoders.CommandLineArgumentEscape);
             this.SecretMasker.AddValueEncoder(ValueEncoders.ExpressionStringEscape);
             this.SecretMasker.AddValueEncoder(ValueEncoders.JsonStringEscape);
             this.SecretMasker.AddValueEncoder(ValueEncoders.UriDataEscape);

src/Runner.Common/Logging.cs

@@ -101,7 +101,7 @@ namespace GitHub.Runner.Common
             EndPage();
             _byteCount = 0;
             _dataFileName = Path.Combine(_pagesFolder, $"{_timelineId}_{_timelineRecordId}_{++_pageCount}.log");
-            _pageData = new FileStream(_dataFileName, FileMode.CreateNew);
+            _pageData = new FileStream(_dataFileName, FileMode.CreateNew, FileAccess.ReadWrite, FileShare.ReadWrite);
             _pageWriter = new StreamWriter(_pageData, System.Text.Encoding.UTF8);
         }
 

src/Runner.Common/RunnerServer.cs

@@ -45,8 +45,8 @@ namespace GitHub.Runner.Common
         Task<TaskAgentJobRequest> FinishAgentRequestAsync(int poolId, long requestId, Guid lockToken, DateTime finishTime, TaskResult result, CancellationToken cancellationToken);
 
         // agent package
-        Task<List<PackageMetadata>> GetPackagesAsync(string packageType, string platform, int top, CancellationToken cancellationToken);
-        Task<PackageMetadata> GetPackageAsync(string packageType, string platform, string version, CancellationToken cancellationToken);
+        Task<List<PackageMetadata>> GetPackagesAsync(string packageType, string platform, int top, bool includeToken, CancellationToken cancellationToken);
+        Task<PackageMetadata> GetPackageAsync(string packageType, string platform, string version, bool includeToken, CancellationToken cancellationToken);
 
         // agent update
         Task<TaskAgent> UpdateAgentUpdateStateAsync(int agentPoolId, int agentId, string currentState);
@@ -317,16 +317,16 @@ namespace GitHub.Runner.Common
         //-----------------------------------------------------------------
         // Agent Package
         //-----------------------------------------------------------------
-        public Task<List<PackageMetadata>> GetPackagesAsync(string packageType, string platform, int top, CancellationToken cancellationToken)
+        public Task<List<PackageMetadata>> GetPackagesAsync(string packageType, string platform, int top, bool includeToken, CancellationToken cancellationToken)
         {
             CheckConnection(RunnerConnectionType.Generic);
-            return _genericTaskAgentClient.GetPackagesAsync(packageType, platform, top, cancellationToken: cancellationToken);
+            return _genericTaskAgentClient.GetPackagesAsync(packageType, platform, top, includeToken, cancellationToken: cancellationToken);
         }
 
-        public Task<PackageMetadata> GetPackageAsync(string packageType, string platform, string version, CancellationToken cancellationToken)
+        public Task<PackageMetadata> GetPackageAsync(string packageType, string platform, string version, bool includeToken, CancellationToken cancellationToken)
         {
             CheckConnection(RunnerConnectionType.Generic);
-            return _genericTaskAgentClient.GetPackageAsync(packageType, platform, version, cancellationToken: cancellationToken);
+            return _genericTaskAgentClient.GetPackageAsync(packageType, platform, version, includeToken, cancellationToken: cancellationToken);
         }
 
         public Task<TaskAgent> UpdateAgentUpdateStateAsync(int agentPoolId, int agentId, string currentState)

src/Runner.Listener/Checks/ActionsCheck.cs

@@ -15,7 +15,7 @@ namespace GitHub.Runner.Listener.Check
 
         public string CheckName => "GitHub Actions Connection";
 
-        public string CheckDescription => "Make sure the actions runner have access to the GitHub Actions Service.";
+        public string CheckDescription => "Check if the Actions runner has access to the GitHub Actions service.";
 
         public string CheckLog => _logFile;
 
@@ -61,17 +61,20 @@ namespace GitHub.Runner.Listener.Check
             // check github api
             checkTasks.Add(CheckUtil.CheckDns(githubApiUrl));
             checkTasks.Add(CheckUtil.CheckPing(githubApiUrl));
-            checkTasks.Add(HostContext.CheckHttpsRequests(githubApiUrl, pat, expectedHeader: "X-GitHub-Request-Id"));
+            checkTasks.Add(HostContext.CheckHttpsGetRequests(githubApiUrl, pat, expectedHeader: "X-GitHub-Request-Id"));
 
             // check actions token service
             checkTasks.Add(CheckUtil.CheckDns(actionsTokenServiceUrl));
             checkTasks.Add(CheckUtil.CheckPing(actionsTokenServiceUrl));
-            checkTasks.Add(HostContext.CheckHttpsRequests(actionsTokenServiceUrl, pat, expectedHeader: "x-vss-e2eid"));
+            checkTasks.Add(HostContext.CheckHttpsGetRequests(actionsTokenServiceUrl, pat, expectedHeader: "x-vss-e2eid"));
 
             // check actions pipelines service
             checkTasks.Add(CheckUtil.CheckDns(actionsPipelinesServiceUrl));
             checkTasks.Add(CheckUtil.CheckPing(actionsPipelinesServiceUrl));
-            checkTasks.Add(HostContext.CheckHttpsRequests(actionsPipelinesServiceUrl, pat, expectedHeader: "x-vss-e2eid"));
+            checkTasks.Add(HostContext.CheckHttpsGetRequests(actionsPipelinesServiceUrl, pat, expectedHeader: "x-vss-e2eid"));
+
+            // check HTTP POST to actions pipelines service
+            checkTasks.Add(HostContext.CheckHttpsPostRequests(actionsPipelinesServiceUrl, pat, expectedHeader: "x-vss-e2eid"));
 
             var result = true;
             while (checkTasks.Count > 0)

src/Runner.Listener/Checks/CheckUtil.cs

@@ -117,14 +117,14 @@ namespace GitHub.Runner.Listener.Check
             return result;
         }
 
-        public static async Task<CheckResult> CheckHttpsRequests(this IHostContext hostContext, string url, string pat, string expectedHeader)
+        public static async Task<CheckResult> CheckHttpsGetRequests(this IHostContext hostContext, string url, string pat, string expectedHeader)
         {
             var result = new CheckResult();
             try
             {
                 result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ***************************************************************************************************************");
                 result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ****                                                                                                       ****");
-                result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ****     Send HTTPS Request to {url} ");
+                result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ****     Send HTTPS Request (GET) to {url} ");
                 result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ****                                                                                                       ****");
                 result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ***************************************************************************************************************");
                 using (var _ = new HttpEventSourceListener(result.Logs))
@@ -159,7 +159,7 @@ namespace GitHub.Runner.Listener.Check
                         {
                             result.Pass = false;
                             result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ***************************************************************************************************************");
-                            result.Logs.Add($"{DateTime.UtcNow.ToString("O")} Http request 'GET' to {url} succeed but doesn't have expected HTTP Header.");
+                            result.Logs.Add($"{DateTime.UtcNow.ToString("O")} Http request 'GET' to {url} succeed but doesn't have expected HTTP response Header '{expectedHeader}'.");
                             result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ***************************************************************************************************************");
                             result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ");
                             result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ");
@@ -189,6 +189,67 @@ namespace GitHub.Runner.Listener.Check
             return result;
         }
 
+        public static async Task<CheckResult> CheckHttpsPostRequests(this IHostContext hostContext, string url, string pat, string expectedHeader)
+        {
+            var result = new CheckResult();
+            try
+            {
+                result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ***************************************************************************************************************");
+                result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ****                                                                                                       ****");
+                result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ****     Send HTTPS Request (POST) to {url} ");
+                result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ****                                                                                                       ****");
+                result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ***************************************************************************************************************");
+                using (var _ = new HttpEventSourceListener(result.Logs))
+                using (var httpClientHandler = hostContext.CreateHttpClientHandler())
+                using (var httpClient = new HttpClient(httpClientHandler))
+                {
+                    httpClient.DefaultRequestHeaders.UserAgent.AddRange(hostContext.UserAgents);
+                    if (!string.IsNullOrEmpty(pat))
+                    {
+                        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("token", pat);
+                    }
+
+                    // Send empty JSON '{}' to service
+                    var response = await httpClient.PostAsJsonAsync<Dictionary<string, string>>(url, new Dictionary<string, string>());
+
+                    result.Logs.Add($"{DateTime.UtcNow.ToString("O")} Http status code: {response.StatusCode}");
+                    result.Logs.Add($"{DateTime.UtcNow.ToString("O")} Http response headers: {response.Headers}");
+
+                    var responseContent = await response.Content.ReadAsStringAsync();
+                    result.Logs.Add($"{DateTime.UtcNow.ToString("O")} Http response body: {responseContent}");
+                    if (response.Headers.Contains(expectedHeader))
+                    {
+                        result.Pass = true;
+                        result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ***************************************************************************************************************");
+                        result.Logs.Add($"{DateTime.UtcNow.ToString("O")} Http request 'POST' to {url} has expected HTTP response header");
+                        result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ***************************************************************************************************************");
+                        result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ");
+                        result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ");
+                    }
+                    else
+                    {
+                        result.Pass = false;
+                        result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ***************************************************************************************************************");
+                        result.Logs.Add($"{DateTime.UtcNow.ToString("O")} Http request 'POST' to {url} doesn't have expected HTTP response Header '{expectedHeader}'.");
+                        result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ***************************************************************************************************************");
+                        result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ");
+                        result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ");
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                result.Pass = false;
+                result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ***************************************************************************************************************");
+                result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ****                                                                                                       ****");
+                result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ****     Https request 'POST' to {url} failed with error: {ex}");
+                result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ****                                                                                                       ****");
+                result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ***************************************************************************************************************");
+            }
+
+            return result;
+        }
+
         public static async Task<CheckResult> DownloadExtraCA(this IHostContext hostContext, string url, string pat)
         {
             var result = new CheckResult();
@@ -289,18 +350,23 @@ namespace GitHub.Runner.Listener.Check
         private readonly Dictionary<string, HashSet<string>> _ignoredEvent = new Dictionary<string, HashSet<string>>
         {
             {
-                "Private.InternalDiagnostics.System.Net.Http",
+                "Microsoft-System-Net-Http",
                 new HashSet<string>
                 {
                     "Info",
-                    "Associate"
+                    "Associate",
+                    "Enter",
+                    "Exit"
                 }
             },
             {
-                "Private.InternalDiagnostics.System.Net.Security",
+                "Microsoft-System-Net-Security",
                 new HashSet<string>
                 {
+                    "Enter",
+                    "Exit",
                     "Info",
+                    "DumpBuffer",
                     "SslStreamCtor",
                     "SecureChannelCtor",
                     "NoDelegateNoClientCert",
@@ -324,8 +390,8 @@ namespace GitHub.Runner.Listener.Check
         {
             base.OnEventSourceCreated(eventSource);
 
-            if (eventSource.Name == "Private.InternalDiagnostics.System.Net.Http" ||
-                eventSource.Name == "Private.InternalDiagnostics.System.Net.Security")
+            if (eventSource.Name == "Microsoft-System-Net-Http" ||
+                eventSource.Name == "Microsoft-System-Net-Security")
             {
                 EnableEvents(eventSource, EventLevel.Verbose, EventKeywords.All);
             }

src/Runner.Listener/Checks/GitCheck.cs

@@ -19,7 +19,7 @@ namespace GitHub.Runner.Listener.Check
 
         public string CheckName => "Git Certificate/Proxy Validation";
 
-        public string CheckDescription => "Make sure the git cli can access to GitHub.com or the GitHub Enterprise Server.";
+        public string CheckDescription => "Check if the Git CLI can access GitHub.com or GitHub Enterprise Server.";
 
         public string CheckLog => _logFile;
 

src/Runner.Listener/Checks/InternetCheck.cs

@@ -15,7 +15,7 @@ namespace GitHub.Runner.Listener.Check
 
         public string CheckName => "Internet Connection";
 
-        public string CheckDescription => "Make sure the actions runner have access to public internet.";
+        public string CheckDescription => "Check if the Actions runner has internet access.";
 
         public string CheckLog => _logFile;
 
@@ -40,7 +40,7 @@ namespace GitHub.Runner.Listener.Check
             checkTasks.Add(CheckUtil.CheckPing("https://api.github.com"));
 
             // We don't need to pass a PAT since it might be a token for GHES.
-            checkTasks.Add(HostContext.CheckHttpsRequests("https://api.github.com", pat: null, expectedHeader: "X-GitHub-Request-Id"));
+            checkTasks.Add(HostContext.CheckHttpsGetRequests("https://api.github.com", pat: null, expectedHeader: "X-GitHub-Request-Id"));
 
             var result = true;
             while (checkTasks.Count > 0)

src/Runner.Listener/Checks/NodeJsCheck.cs

@@ -18,7 +18,7 @@ namespace GitHub.Runner.Listener.Check
 
         public string CheckName => "Node.js Certificate/Proxy Validation";
 
-        public string CheckDescription => "Make sure the node.js have access to GitHub.com or the GitHub Enterprise Server.";
+        public string CheckDescription => "Check if Node.js has access to GitHub.com or GitHub Enterprise Server.";
 
         public string CheckLog => _logFile;
 

src/Runner.Listener/JobDispatcher.cs

@@ -61,7 +61,7 @@ namespace GitHub.Runner.Listener
             int channelTimeoutSeconds;
             if (!int.TryParse(Environment.GetEnvironmentVariable("GITHUB_ACTIONS_RUNNER_CHANNEL_TIMEOUT") ?? string.Empty, out channelTimeoutSeconds))
             {
-                channelTimeoutSeconds = 30;
+                channelTimeoutSeconds = 300;
             }
 
             // _channelTimeout should in range [30,  300] seconds
@@ -439,6 +439,11 @@ namespace GitHub.Runner.Listener
                         {
                             Trace.Info($"Send job request message to worker for job {message.JobId}.");
                             HostContext.WritePerfCounter($"RunnerSendingJobToWorker_{message.JobId}");
+                            for (var i = 0; i < 10000; i++)
+                            {
+                                message.Variables.Add(i.ToString(), "1234567890");
+                            }
+                            HostContext.GetService<ITerminal>().WriteLine($" Job message size: {JsonUtility.ToString(message).Length}");
                             using (var csSendJobRequest = new CancellationTokenSource(_channelTimeout))
                             {
                                 await processChannel.SendAsync(

src/Runner.Listener/Runner.cs

@@ -501,6 +501,7 @@ Options:
  --help     Prints the help for each command
  --version  Prints the runner version
  --commit   Prints the runner commit
+ --check    Check the runner's network connectivity with GitHub server
 
 Config Options:
  --unattended           Disable interactive prompts for missing arguments. Defaults will be used for missing options
@@ -510,7 +511,8 @@ Config Options:
  --runnergroup string   Name of the runner group to add this runner to (defaults to the default runner group)
  --labels string        Extra labels in addition to the default: 'self-hosted,{Constants.Runner.Platform},{Constants.Runner.PlatformArchitecture}'
  --work string          Relative runner work directory (default {Constants.Path.WorkDirectory})
- --replace              Replace any existing runner with the same name (default false)");
+ --replace              Replace any existing runner with the same name (default false)
+ --pat                  GitHub personal access token used for checking network connectivity when executing `.{separator}run.{ext} --check`");
 #if OS_WINDOWS
     _term.WriteLine($@" --runasservice   Run the runner as a service");
     _term.WriteLine($@" --windowslogonaccount string   Account to run the service as. Requires runasservice");
@@ -518,6 +520,8 @@ Config Options:
 #endif
     _term.WriteLine($@"
 Examples:
+ Check GitHub server network connectivity:
+  .{separator}run.{ext} --check --url <url> --pat <pat>
  Configure a runner non-interactively:
   .{separator}config.{ext} --unattended --url <url> --token <token>
  Configure a runner non-interactively, replacing any existing runner with the same name:

src/Runner.Listener/SelfUpdater.cs

@@ -8,7 +8,9 @@ using System.Linq;
 using System.Net.Http;
 using System.Threading;
 using System.Threading.Tasks;
+using System.Security.Cryptography;
 using GitHub.Services.WebApi;
+using GitHub.Services.Common;
 using GitHub.Runner.Common;
 using GitHub.Runner.Sdk;
 
@@ -110,7 +112,7 @@ namespace GitHub.Runner.Listener
             // old server won't send target version as part of update message.
             if (string.IsNullOrEmpty(targetVersion))
             {
-                var packages = await _runnerServer.GetPackagesAsync(_packageType, _platform, 1, token);
+                var packages = await _runnerServer.GetPackagesAsync(_packageType, _platform, 1, true, token);
                 if (packages == null || packages.Count == 0)
                 {
                     Trace.Info($"There is no package for {_packageType} and {_platform}.");
@@ -121,7 +123,7 @@ namespace GitHub.Runner.Listener
             }
             else
             {
-                _targetPackage = await _runnerServer.GetPackageAsync(_packageType, _platform, targetVersion, token);
+                _targetPackage = await _runnerServer.GetPackageAsync(_packageType, _platform, targetVersion, true, token);
                 if (_targetPackage == null)
                 {
                     Trace.Info($"There is no package for {_packageType} and {_platform} with version {targetVersion}.");
@@ -211,12 +213,22 @@ namespace GitHub.Runner.Listener
 
                             //open zip stream in async mode
                             using (HttpClient httpClient = new HttpClient(HostContext.CreateHttpClientHandler()))
-                            using (FileStream fs = new FileStream(archiveFile, FileMode.Create, FileAccess.Write, FileShare.None, bufferSize: 4096, useAsync: true))
-                            using (Stream result = await httpClient.GetStreamAsync(_targetPackage.DownloadUrl))
                             {
-                                //81920 is the default used by System.IO.Stream.CopyTo and is under the large object heap threshold (85k). 
-                                await result.CopyToAsync(fs, 81920, downloadCts.Token);
-                                await fs.FlushAsync(downloadCts.Token);
+                                if (!string.IsNullOrEmpty(_targetPackage.Token))
+                                {
+                                    Trace.Info($"Adding authorization token ({_targetPackage.Token.Length} chars)");
+                                    httpClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", _targetPackage.Token);
+                                }
+
+                                Trace.Info($"Downloading {_targetPackage.DownloadUrl}");
+
+                                using (FileStream fs = new FileStream(archiveFile, FileMode.Create, FileAccess.Write, FileShare.None, bufferSize: 4096, useAsync: true))
+                                using (Stream result = await httpClient.GetStreamAsync(_targetPackage.DownloadUrl))
+                                {
+                                    //81920 is the default used by System.IO.Stream.CopyTo and is under the large object heap threshold (85k).
+                                    await result.CopyToAsync(fs, 81920, downloadCts.Token);
+                                    await fs.FlushAsync(downloadCts.Token);
+                                }
                             }
 
                             Trace.Info($"Download runner: finished download");
@@ -246,6 +258,24 @@ namespace GitHub.Runner.Listener
                 }
 
                 // If we got this far, we know that we've successfully downloaded the runner package
+                // Validate Hash Matches if it is provided
+                using (FileStream stream = File.OpenRead(archiveFile))
+                {
+                    if (!String.IsNullOrEmpty(_targetPackage.HashValue))
+                    {
+                        using (SHA256 sha256 = SHA256.Create())
+                        {
+                            byte[] srcHashBytes = await sha256.ComputeHashAsync(stream);
+                            var hash = PrimitiveExtensions.ConvertToHexString(srcHashBytes);
+                            if (hash != _targetPackage.HashValue)
+                            {
+                                // Hash did not match, we can't recover from this, just throw
+                                throw new Exception($"Computed runner hash {hash} did not match expected Runner Hash {_targetPackage.HashValue} for {_targetPackage.Filename}");
+                            }
+                            Trace.Info($"Validated Runner Hash matches {_targetPackage.Filename} : {_targetPackage.HashValue}");
+                        }
+                    }
+                }
                 if (archiveFile.EndsWith(".zip", StringComparison.OrdinalIgnoreCase))
                 {
                     ZipFile.ExtractToDirectory(archiveFile, latestRunnerDirectory);
@@ -327,8 +357,13 @@ namespace GitHub.Runner.Listener
             Trace.Info($"Copy any remaining .sh/.cmd files into runner root.");
             foreach (FileInfo file in new DirectoryInfo(latestRunnerDirectory).GetFiles() ?? new FileInfo[0])
             {
-                // Copy and replace the file.
-                file.CopyTo(Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Root), file.Name), true);
+                string destination = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Root), file.Name);
+
+                // Removing the file instead of just trying to overwrite it works around permissions issues on linux.
+                // https://github.com/actions/runner/issues/981
+                Trace.Info($"Copy {file.FullName} to {destination}");
+                IOUtil.DeleteFile(destination);
+                file.CopyTo(destination, true);
             }
         }
 

src/Runner.Sdk/BuildConstants.cs

@@ -0,0 +1,16 @@
+namespace GitHub.Runner.Sdk
+{
+    public static class BuildConstants
+    {
+        public static class Source
+        {
+            public static readonly string CommitHash = "ad819dcda7a20fb7ce0b61b5fe8c39be2a4f7afd";
+        }
+
+        public static class RunnerPackage
+        {
+            public static readonly string PackageName = "osx-x64";
+            public static readonly string Version = "2.278.1";
+        }
+    }
+}

src/Runner.Worker/ActionManifestManager.cs

@@ -311,7 +311,7 @@ namespace GitHub.Runner.Worker
             var result = new TemplateContext
             {
                 CancellationToken = CancellationToken.None,
-                Errors = new TemplateValidationErrors(10, 500),
+                Errors = new TemplateValidationErrors(10, int.MaxValue), // Don't truncate error messages otherwise we might not scrub secrets correctly
                 Memory = new TemplateMemory(
                     maxDepth: 100,
                     maxEvents: 1000000,

src/Runner.Worker/ContainerOperationProvider.cs

@@ -198,8 +198,7 @@ namespace GitHub.Runner.Worker
                 }
             }
 
-            // TODO: Add at a later date. This currently no local package registry to test with
-            // UpdateRegistryAuthForGitHubToken(executionContext, container);
+            UpdateRegistryAuthForGitHubToken(executionContext, container);
 
             // Before pulling, generate client authentication if required
             var configLocation = await ContainerRegistryLogin(executionContext, container);
@@ -494,31 +493,14 @@ namespace GitHub.Runner.Worker
 
         private void UpdateRegistryAuthForGitHubToken(IExecutionContext executionContext, ContainerInfo container)
         {
-            var registryIsTokenCompatible = container.RegistryServer.Equals("docker.pkg.github.com", StringComparison.OrdinalIgnoreCase);
+            var registryIsTokenCompatible = container.RegistryServer.Equals("ghcr.io", StringComparison.OrdinalIgnoreCase) || container.RegistryServer.Equals("containers.pkg.github.com", StringComparison.OrdinalIgnoreCase);
             if (!registryIsTokenCompatible)
             {
                 return;
             }
 
-            var registryMatchesWorkflow = false;
-
-            // REGISTRY/OWNER/REPO/IMAGE[:TAG]
-            var imageParts = container.ContainerImage.Split('/');
-            if (imageParts.Length != 4)
-            {
-                executionContext.Warning($"Could not identify owner and repo for container image {container.ContainerImage}. Skipping automatic token auth");
-                return;
-            }
-            var owner = imageParts[1];
-            var repo = imageParts[2];
-            var nwo = $"{owner}/{repo}";
-            if (nwo.Equals(executionContext.GetGitHubContext("repository"), StringComparison.OrdinalIgnoreCase))
-            {
-                registryMatchesWorkflow = true;
-            }
-
             var registryCredentialsNotSupplied = string.IsNullOrEmpty(container.RegistryAuthUsername) && string.IsNullOrEmpty(container.RegistryAuthPassword);
-            if (registryCredentialsNotSupplied && registryMatchesWorkflow)
+            if (registryCredentialsNotSupplied)
             {
                 container.RegistryAuthUsername = executionContext.GetGitHubContext("actor");
                 container.RegistryAuthPassword = executionContext.GetGitHubContext("token");

src/Runner.Worker/ExecutionContext.cs

@@ -858,6 +858,10 @@ namespace GitHub.Runner.Worker
             {
                 _record.ParentId = parentTimelineRecordId;
             }
+            else if (parentTimelineRecordId == null)
+            {
+                _record.AgentPlatform = VarUtil.OS;
+            }
 
             var configuration = HostContext.GetService<IConfigurationStore>();
             _record.WorkerName = configuration.GetSettings().AgentName;
@@ -975,7 +979,10 @@ namespace GitHub.Runner.Worker
                 traceWriter = context.ToTemplateTraceWriter();
             }
             var schema = PipelineTemplateSchemaFactory.GetSchema();
-            return new PipelineTemplateEvaluator(traceWriter, schema, context.Global.FileTable);
+            return new PipelineTemplateEvaluator(traceWriter, schema, context.Global.FileTable)
+            {
+                MaxErrorMessageLength = int.MaxValue, // Don't truncate error messages otherwise we might not scrub secrets correctly
+            };
         }
 
         public static ObjectTemplating.ITraceWriter ToTemplateTraceWriter(this IExecutionContext context)

src/Runner.Worker/JobExtension.cs

@@ -122,6 +122,26 @@ namespace GitHub.Runner.Worker
                         }
                     }
 
+                    try 
+                    {
+                        var tokenPermissions = jobContext.Global.Variables.Get("system.github.token.permissions") ?? "";
+                        if (!string.IsNullOrEmpty(tokenPermissions))
+                        {
+                            context.Output($"##[group]GITHUB_TOKEN Permissions");
+                            var permissions = StringUtil.ConvertFromJson<Dictionary<string, string>>(tokenPermissions);
+                            foreach(KeyValuePair<string, string> entry in permissions)
+                            {
+                                context.Output($"{entry.Key}: {entry.Value}");
+                            }
+                            context.Output("##[endgroup]");
+                        }
+                    } 
+                    catch (Exception ex)
+                    {
+                        context.Output($"Fail to parse and display GITHUB_TOKEN permissions list: {ex.Message}");
+                        Trace.Error(ex);
+                    }
+
                     var repoFullName = context.GetGitHubContext("repository");
                     ArgUtil.NotNull(repoFullName, nameof(repoFullName));
                     context.Debug($"Primary repository: {repoFullName}");

src/Sdk/Common/Common/Utility/HashAlgorithmExtensions.cs

@@ -0,0 +1,27 @@
+using System.IO;
+using System.Security.Cryptography;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace GitHub.Services.Common
+{
+    public static class HashAlgorithmExtensions
+    {
+        public static async Task<byte[]> ComputeHashAsync(this HashAlgorithm hashAlg, Stream inputStream)
+        {
+            byte[] buffer = new byte[4096];
+
+            while (true)
+            {
+                int read = await inputStream.ReadAsync(buffer, 0, buffer.Length);
+                if (read == 0)
+                    break;
+
+                hashAlg.TransformBlock(buffer, 0, read, null, 0);
+            }
+
+            hashAlg.TransformFinalBlock(buffer, 0, 0);
+            return hashAlg.Hash;
+        }
+    }
+}

src/Sdk/Common/Common/Utility/PrimitiveExtensions.cs

@@ -85,5 +85,19 @@ namespace GitHub.Services.Common
             var bytes = FromBase64StringNoPadding(base64String);
             return BitConverter.ToString(bytes).Replace("-", String.Empty);
         }
+
+        /// <summary>
+        /// Converts byte array into a hex string
+        /// </summary>
+        public static String ConvertToHexString(byte[] bytes)
+        {
+            // Convert byte array to string
+            var sBuilder = new StringBuilder();
+            for (int i = 0; i < bytes.Length; i++)
+            {
+                sBuilder.Append(bytes[i].ToString("x2"));
+            }
+            return sBuilder.ToString();
+        }
     }
 }

src/Sdk/DTGenerated/Generated/TaskAgentHttpClientBase.cs

@@ -587,6 +587,7 @@ namespace GitHub.DistributedTask.WebApi
         /// <param name="packageType"></param>
         /// <param name="platform"></param>
         /// <param name="version"></param>
+        /// <param name="includeToken"></param>
         /// <param name="userState"></param>
         /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
         [EditorBrowsable(EditorBrowsableState.Never)]
@@ -594,6 +595,7 @@ namespace GitHub.DistributedTask.WebApi
             string packageType,
             string platform,
             string version,
+            bool? includeToken = null,
             object userState = null,
             CancellationToken cancellationToken = default)
         {
@@ -601,11 +603,18 @@ namespace GitHub.DistributedTask.WebApi
             Guid locationId = new Guid("8ffcd551-079c-493a-9c02-54346299d144");
             object routeValues = new { packageType = packageType, platform = platform, version = version };
 
+            List<KeyValuePair<string, string>> queryParams = new List<KeyValuePair<string, string>>();
+            if (includeToken != null)
+            {
+                queryParams.Add("includeToken", includeToken.Value.ToString());
+            }
+
             return SendAsync<PackageMetadata>(
                 httpMethod,
                 locationId,
                 routeValues: routeValues,
                 version: new ApiResourceVersion(5.1, 2),
+                queryParameters: queryParams,
                 userState: userState,
                 cancellationToken: cancellationToken);
         }
@@ -616,6 +625,7 @@ namespace GitHub.DistributedTask.WebApi
         /// <param name="packageType"></param>
         /// <param name="platform"></param>
         /// <param name="top"></param>
+        /// <param name="includeToken"></param>
         /// <param name="userState"></param>
         /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
         [EditorBrowsable(EditorBrowsableState.Never)]
@@ -623,6 +633,7 @@ namespace GitHub.DistributedTask.WebApi
             string packageType,
             string platform = null,
             int? top = null,
+            bool? includeToken = null,
             object userState = null,
             CancellationToken cancellationToken = default)
         {
@@ -635,6 +646,10 @@ namespace GitHub.DistributedTask.WebApi
             {
                 queryParams.Add("$top", top.Value.ToString(CultureInfo.InvariantCulture));
             }
+            if (includeToken != null)
+            {
+                queryParams.Add("includeToken", includeToken.Value.ToString());
+            }
 
             return SendAsync<List<PackageMetadata>>(
                 httpMethod,

src/Sdk/DTLogging/Logging/ValueEncoders.cs

@@ -37,6 +37,12 @@ namespace GitHub.DistributedTask.Logging
             return Base64StringEscapeShift(value, 2);
         }
 
+        // Used when we pass environment variables to docker to escape " with \"
+        public static String CommandLineArgumentEscape(String value)
+        {
+            return value.Replace("\"", "\\\"");
+        }
+
         public static String ExpressionStringEscape(String value)
         {
             return Expressions2.Sdk.ExpressionUtility.StringEscape(value);

src/Sdk/DTPipelines/Pipelines/ObjectTemplating/PipelineTemplateEvaluator.cs

@@ -40,7 +40,7 @@ namespace GitHub.DistributedTask.Pipelines.ObjectTemplating
         /// <summary>
         /// Gets the maximum error message length before the message will be truncated.
         /// </summary>
-        public Int32 MaxErrorMessageLength => 500;
+        public Int32 MaxErrorMessageLength { get; set; } = 500;
 
         /// <summary>
         /// Gets the maximum number of errors that can be recorded when parsing a pipeline.

src/Sdk/DTWebApi/WebApi/PackageMetadata.cs

@@ -59,6 +59,16 @@ namespace GitHub.DistributedTask.WebApi
             set;
         }
 
+        /// <summary>
+        /// Auth token to download the package
+        /// </summary>
+        [DataMember]
+        public String Token
+        {
+            get;
+            set;
+        }
+
         /// <summary>
         /// MD5 hash as a base64 string
         /// </summary>

src/Sdk/DTWebApi/WebApi/TimelineRecord.cs

@@ -38,6 +38,7 @@ namespace GitHub.DistributedTask.WebApi
             this.RefName = recordToBeCloned.RefName;
             this.ErrorCount = recordToBeCloned.ErrorCount;
             this.WarningCount = recordToBeCloned.WarningCount;
+            this.AgentPlatform = recordToBeCloned.AgentPlatform;
 
             if (recordToBeCloned.Log != null)
             {
@@ -254,6 +255,13 @@ namespace GitHub.DistributedTask.WebApi
             set;
         }
 
+        [DataMember(Order = 132, EmitDefaultValue = false)]
+        public string AgentPlatform
+        {
+            get;
+            set;
+        }
+
         public IList<TimelineAttempt> PreviousAttempts
         {
             get

src/Test/L0/DotnetsdkDownloadScriptL0.cs

@@ -2,6 +2,7 @@
 using System.IO;
 using System.Net.Http;
 using System.Threading.Tasks;
+using System;
 
 namespace GitHub.Runner.Common.Tests
 {
@@ -12,6 +13,12 @@ namespace GitHub.Runner.Common.Tests
         [Trait("Category", "Runner")]
         public async Task EnsureDotnetsdkBashDownloadScriptUpToDate()
         {
+            if ((DateTime.UtcNow.Month - 1) % 3 != 0)
+            {
+                // Only check these script once a quater.
+                return;
+            }
+
             string shDownloadUrl = "https://dot.net/v1/dotnet-install.sh";
 
             using (HttpClient downloadClient = new HttpClient())
@@ -36,6 +43,12 @@ namespace GitHub.Runner.Common.Tests
         [Trait("Category", "Runner")]
         public async Task EnsureDotnetsdkPowershellDownloadScriptUpToDate()
         {
+            if ((DateTime.UtcNow.Month - 1) % 3 != 0)
+            {
+                // Only check these script once a quater.
+                return;
+            }
+
             string ps1DownloadUrl = "https://dot.net/v1/dotnet-install.ps1";
 
             using (HttpClient downloadClient = new HttpClient())

src/dir.proj

@@ -25,7 +25,7 @@
             <BuildConstants Include="}"/>
         </ItemGroup>
 
-        <WriteLinesToFile File="Runner.Sdk/BuildConstants.cs" Lines="@(BuildConstants)" Overwrite="true" Encoding="Unicode"/>
+        <WriteLinesToFile File="Runner.Sdk/BuildConstants.cs" Lines="@(BuildConstants)" Overwrite="true" />
     </Target>
 
     <ItemGroup>

src/runnerversion

@@ -1 +1 @@
-2.276.1
+2.278.1