Localize help message to the current platform

This reverts commit 4359dd605b.

.editorconfig

@@ -0,0 +1,8 @@
+# https://editorconfig.org/
+
+[*]
+insert_final_newline = true # ensure all files end with a single newline
+trim_trailing_whitespace = true # attempt to remove trailing whitespace on save
+
+[*.md]
+trim_trailing_whitespace = false # in markdown, "two trailing spaces" is unfortunately meaningful; it means `<br>`

.gitattributes

@@ -20,7 +20,7 @@
 #
 # Merging from the command prompt will add diff markers to the files if there
 # are conflicts (Merging from VS is not affected by the settings below, in VS
-# the diff markers are never inserted). Diff markers may cause the following 
+# the diff markers are never inserted). Diff markers may cause the following
 # file extensions to fail to load in VS. An alternative would be to treat
 # these files as binary and thus will always conflict and require user
 # intervention with every merge. To do so, just uncomment the entries below
@@ -70,9 +70,9 @@
 
 ###############################################################################
 # diff behavior for common document formats
-# 
+#
 # Convert binary document formats to text before diffing them. This feature
-# is only available from the command line. Turn it on by uncommenting the 
+# is only available from the command line. Turn it on by uncommenting the
 # entries below.
 ###############################################################################
 *.doc   diff=astextplain

.github/ISSUE_TEMPLATE/enhancement_request.md

@@ -24,4 +24,4 @@ If applicable, add a code snippet.
 **Additional information**
 Add any other context about the feature here.
 
-NOTE: if the feature request has been agreed upon then the assignee will create an ADR.   See docs/adrs/README.md
+NOTE: if the feature request has been agreed upon then the assignee will create an ADR.   See docs/adrs/README.md

.github/workflows/build.yml

@@ -7,12 +7,12 @@ on:
     - main
     - releases/*
     paths-ignore:
-    - '**.md'    
+    - '**.md'
   pull_request:
     branches:
     - '*'
     paths-ignore:
-    - '**.md'    
+    - '**.md'
 
 jobs:
   build:

.github/workflows/codeql.yml

@@ -28,7 +28,7 @@ jobs:
       #   languages: go, javascript, csharp, python, cpp, java
 
     - name: Manual build
-      run : | 
+      run : |
         ./dev.sh layout Release linux-x64
       working-directory: src
 

.github/workflows/release.yml

@@ -5,7 +5,7 @@ on:
   push:
     paths:
     - releaseVersion
-  
+
 jobs:
   check:
     if: startsWith(github.ref, 'refs/heads/releases/') || github.ref == 'refs/heads/main'
@@ -13,8 +13,8 @@ jobs:
     steps:
     - uses: actions/checkout@v2
 
-    # Make sure ./releaseVersion match ./src/runnerversion 
+    # Make sure ./releaseVersion match ./src/runnerversion
-    # Query GitHub release ensure version is not used 
+    # Query GitHub release ensure version is not used
     - name: Check version
       uses: actions/github-script@0.3.0
       with:
@@ -42,7 +42,7 @@ jobs:
               throw e
             }
           }
-  
+
   build:
     needs: check
     outputs:
@@ -152,7 +152,7 @@ jobs:
           releaseNote = releaseNote.replace(/<LINUX_ARM64_SHA>/g, '${{needs.build.outputs.linux-arm64-sha}}')
           console.log(releaseNote)
           core.setOutput('version', runnerVersion);
-          core.setOutput('note', releaseNote);  
+          core.setOutput('note', releaseNote);
     # Create GitHub release
     - uses: actions/create-release@master
       id: createRelease

docs/automate.md

@@ -21,7 +21,7 @@ export RUNNER_CFG_PAT=yourPAT
 
 :point_right: [Sample script here](../scripts/create-latest-svc.sh) :point_left:
 
-Run as a one-liner. NOTE: replace with yourorg/yourrepo (repo level) or just yourorg (org level) 
+Run as a one-liner. NOTE: replace with yourorg/yourrepo (repo level) or just yourorg (org level)
 ```bash
 curl -s https://raw.githubusercontent.com/actions/runner/main/scripts/create-latest-svc.sh | bash -s yourorg/yourrepo
 ```
@@ -47,7 +47,7 @@ curl -s https://raw.githubusercontent.com/actions/runner/main/scripts/create-lat
 
 The runner is installed as a service using `systemd` and `systemctl`. Docker does not support `systemd` for service configuration on a container.
 
-## Uninstall running as service 
+## Uninstall running as service
 
 **Scenario**: Run on a machine or VM ([not container](#why-cant-i-use-a-container)) which automates:
 
@@ -57,7 +57,7 @@ The runner is installed as a service using `systemd` and `systemctl`. Docker doe
 
 :point_right: [Sample script here](../scripts/remove-svc.sh) :point_left:
 
-Repo level one liner.  NOTE: replace with yourorg/yourrepo (repo level) or just yourorg (org level) 
+Repo level one liner.  NOTE: replace with yourorg/yourrepo (repo level) or just yourorg (org level)
 ```bash
 curl -s https://raw.githubusercontent.com/actions/runner/main/scripts/remove-svc.sh | bash -s yourorg/yourrepo
 ```

docs/checks/actions.md

@@ -18,16 +18,16 @@ Make sure the runner has access to actions service for GitHub.com or GitHub Ente
 
 - DNS lookup for api.github.com or myGHES.com using dotnet
 - Ping api.github.com or myGHES.com using dotnet
-- Make HTTP GET to https://api.github.com or https://myGHES.com/api/v3 using dotnet, check response headers contains `X-GitHub-Request-Id` 
+- Make HTTP GET to https://api.github.com or https://myGHES.com/api/v3 using dotnet, check response headers contains `X-GitHub-Request-Id`
 ---
 - DNS lookup for vstoken.actions.githubusercontent.com using dotnet
 - Ping vstoken.actions.githubusercontent.com using dotnet
-- Make HTTP GET to https://vstoken.actions.githubusercontent.com/_apis/health or https://myGHES.com/_services/vstoken/_apis/health using dotnet, check response headers contains `x-vss-e2eid` 
+- Make HTTP GET to https://vstoken.actions.githubusercontent.com/_apis/health or https://myGHES.com/_services/vstoken/_apis/health using dotnet, check response headers contains `x-vss-e2eid`
 ---
 - DNS lookup for pipelines.actions.githubusercontent.com using dotnet
 - Ping pipelines.actions.githubusercontent.com using dotnet
-- Make HTTP GET to https://pipelines.actions.githubusercontent.com/_apis/health or https://myGHES.com/_services/pipelines/_apis/health using dotnet, check response headers contains `x-vss-e2eid` 
+- Make HTTP GET to https://pipelines.actions.githubusercontent.com/_apis/health or https://myGHES.com/_services/pipelines/_apis/health using dotnet, check response headers contains `x-vss-e2eid`
-- Make HTTP POST to https://pipelines.actions.githubusercontent.com/_apis/health or https://myGHES.com/_services/pipelines/_apis/health using dotnet, check response headers contains `x-vss-e2eid` 
+- Make HTTP POST to https://pipelines.actions.githubusercontent.com/_apis/health or https://myGHES.com/_services/pipelines/_apis/health using dotnet, check response headers contains `x-vss-e2eid`
 
 ## How to fix the issue?
 
@@ -42,4 +42,4 @@ Make sure the runner has access to actions service for GitHub.com or GitHub Ente
   
 ## Still not working?
 
-Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.
+Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.

docs/checks/git.md

@@ -31,4 +31,4 @@ The test also set environment variable `GIT_TRACE=1` and `GIT_CURL_VERBOSE=1` be
   
 ## Still not working?
 
-Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.
+Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.

docs/checks/internet.md

@@ -13,7 +13,7 @@ Even the runner is configured to GitHub Enterprise Server, the runner can still
 
 - DNS lookup for api.github.com using dotnet
 - Ping api.github.com using dotnet
-- Make HTTP GET to https://api.github.com using dotnet, check response headers contains `X-GitHub-Request-Id` 
+- Make HTTP GET to https://api.github.com using dotnet, check response headers contains `X-GitHub-Request-Id`
 
 ## How to fix the issue?
 
@@ -23,4 +23,4 @@ Even the runner is configured to GitHub Enterprise Server, the runner can still
 
 ## Still not working?
 
-Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.
+Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.

docs/checks/network.md

@@ -2,17 +2,19 @@
 
 ### Common things that can cause the runner to not working properly
 
-- Bug in the runner or the dotnet framework that causes actions runner can't make Http request in a certain network environment.
+- A bug in the runner or the dotnet framework that causes the actions runner to be unable to make Http requests in a certain network environment.
 
-- Proxy/Firewall block certain HTTP method, like it block all POST and PUT calls which the runner will use to upload logs.
+- A Proxy or Firewall may block certain HTTP method, such as blocking all POST and PUT calls which the runner will use to upload logs.
 
-- Proxy/Firewall only allows requests with certain user-agent to pass through and the actions runner user-agent is not in the allow list.
+- A Proxy or Firewall may only allows requests with certain user-agent to pass through and the actions runner user-agent is not in the allow list.
 
-- Proxy try to decrypt and exam HTTPS traffic for security purpose but cause the actions-runner to fail to finish SSL handshake due to the lack of trusting proxy's CA.
+- A Proxy try to decrypt and exam HTTPS traffic for security purpose but cause the actions-runner to fail to finish SSL handshake due to the lack of trusting proxy's CA.
 
-- Proxy try to modify the HTTPS request (like add or change some http headers) and causes the request become incompatible with the Actions Service (ASP.NetCore), Ex: [Nginx](https://github.com/dotnet/aspnetcore/issues/17081)
+- The SSL handshake may fail if the client and server do not support the same TLS version, or the same cipher suites.
 
-- Firewall rules that block action runner from accessing certain hosts, ex: `*.github.com`, `*.actions.githubusercontent.com`, etc.
+- A Proxy may try to modify the HTTPS request (like add or change some http headers) and causes the request become incompatible with the Actions Service (ASP.NetCore), Ex: [Nginx](https://github.com/dotnet/aspnetcore/issues/17081)
+
+- Firewall rules that block action runner from accessing certain hosts, ex: `*.github.com`, `*.actions.githubusercontent.com`, etc
 
 
 ### Identify and solve these problems
@@ -23,10 +25,38 @@ Use a 3rd party tool to make the same requests as the runner did would be a good
 
 - Use `nslookup` to check DNS
 - Use `ping` to check Ping
-- Use `traceroute`, `tracepath`, or `tracert` to check the network route between the runner and the Actions service 
+- Use `traceroute`, `tracepath`, or `tracert` to check the network route between the runner and the Actions service
 - Use `curl -v` to check the network stack, good for verifying default certificate/proxy settings.
 - Use `Invoke-WebRequest` from `pwsh` (`PowerShell Core`) to check the dotnet network stack, good for verifying bugs in the dotnet framework.
 
 If the 3rd party tool is also experiencing the same error as the runner does, then you might want to contact your network administrator for help.
 
-Otherwise, contact GitHub customer support or log an issue at https://github.com/actions/runner
+Otherwise, contact GitHub customer support or log an issue at https://github.com/actions/runner
+
+### Troubleshooting: Why can't I configure a runner?
+
+If you are having trouble connecting, try these steps:
+
+1. Validate you can reach our endpoints from your web browser. If not, double check your local network connection
+    - For hosted Github:
+      - https://api.github.com/
+      - https://vstoken.actions.githubusercontent.com/_apis/health
+      - https://pipelines.actions.githubusercontent.com/_apis/health
+    - For GHES/GHAE
+      - https://myGHES.com/_services/vstoken/_apis/health
+      - https://myGHES.com/_services/pipelines/_apis/health
+      - https://myGHES.com/api/v3
+2. Validate you can reach those endpoints in powershell core
+    - The runner runs on .net core, lets validate the local settings for that stack
+    - Open up `pwsh`
+    - Run the command using the urls above `Invoke-WebRequest {url}`
+3. If not, get a packet trace using a tool like wireshark and start looking at the TLS handshake.
+    - If you see a Client Hello followed by a Server RST:
+      - You may need to configure your TLS settings to use the correct version
+        - You should support TLS version 1.2 or later
+      - You may need to configure your TLS settings to have up to date cipher suites, this may be solved by system updates and patches.
+        - Most notably, on windows server 2012 make sure [the tls cipher suite update](https://support.microsoft.com/en-us/topic/update-adds-new-tls-cipher-suites-and-changes-cipher-suite-priorities-in-windows-8-1-and-windows-server-2012-r2-8e395e43-c8ef-27d8-b60c-0fc57d526d94) is installed
+      - Your firewall, proxy or network configuration may be blocking the connection
+      - You will want to reach out to whoever is in charge of your network with these pcap files to further troubleshoot
+    - If you see a failure later in the handshake:
+      - Try the fix in the [SSLCert Fix](./sslcert.md)

docs/checks/nodejs.md

@@ -27,4 +27,4 @@ All javascript base Actions will get executed by the built-in `node` at `<runner
   
 ## Still not working?
 
-Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.
+Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.

docs/checks/sslcert.md

@@ -12,7 +12,7 @@ As long as your certificate is generated properly, most of the issues should be
 > !!! DO NOT SKIP SSL CERT VALIDATION !!!  
 > !!! IT IS A BAD SECURITY PRACTICE !!!  
 
-### Download SSL certificate chain 
+### Download SSL certificate chain
 
 Depends on how your SSL server certificate gets configured, you might need to download the whole certificate chain from a machine that has trusted the SSL certificate's CA.
 
@@ -28,7 +28,7 @@ The actions runner is a dotnet core application which will follow how dotnet loa
 
 You can get full details documentation at [here](https://docs.microsoft.com/en-us/dotnet/standard/security/cross-platform-cryptography#x509store)
 
-In short: 
+In short:
 - Windows: Load from Windows certificate store.
 - Linux: Load from OpenSSL CA cert bundle.
 - macOS: Load from macOS KeyChain.
@@ -43,13 +43,13 @@ To let the runner trusts your CA certificate, you will need to:
       1. RedHat: https://www.redhat.com/sysadmin/ca-certificates-cli
       2. Ubuntu: http://manpages.ubuntu.com/manpages/focal/man8/update-ca-certificates.8.html
       3. Google search: "trust ca certificate on [linux distribution]"
-      4. If all approaches failed, set environment variable `SSL_CERT_FILE` to the CA bundle `.pem` file we get. 
+      4. If all approaches failed, set environment variable `SSL_CERT_FILE` to the CA bundle `.pem` file we get.
     > To verify cert gets installed properly on Linux, you can try use `curl -v https://sitewithsslissue.com` and `pwsh -Command \"Invoke-WebRequest -Uri https://sitewithsslissue.com\"`
 
 ### Trust CA certificate for Git CLI
 
 Git uses various CA bundle file depends on your operation system.
-- Git packaged the CA bundle file within the Git installation on Windows 
+- Git packaged the CA bundle file within the Git installation on Windows
 - Git use OpenSSL certificate CA bundle file on Linux and macOS
 
 You can check where Git check CA file by running:

docs/contribute.md

@@ -12,7 +12,7 @@ Issues in this repository should be for the runner application.  Note that the V
 
 ## Enhancements and Feature Requests
 
-We ask that before significant effort is put into code changes, that we have agreement on taking the change before time is invested in code changes. 
+We ask that before significant effort is put into code changes, that we have agreement on taking the change before time is invested in code changes.
 
 1. Create a feature request.  Once agreed we will take the enhancement
 2. Create an ADR to agree on the details of the change.
@@ -46,9 +46,9 @@ Tip: Make sure your job can run on this runner. The easiest way is to set `runs-
 
 
 ## Development Life Cycle
-If you're using VS Code, you can follow [these](contribute/vscode.md) steps instead. 
+If you're using VS Code, you can follow [these](contribute/vscode.md) steps instead.
 
-### To Build, Test, Layout 
+### To Build, Test, Layout
 
 Navigate to the `src` directory and run the following command:
 

docs/contribute/vscode.md

@@ -4,7 +4,7 @@ These examples use VS Code, but the idea should be similar across all IDEs as lo
 ## Configure
 
 To successfully start the runner, you need to register it using a repository and a runner registration token.
-Run `Configure` first to build the source code and set up the runner in `_layout`. 
+Run `Configure` first to build the source code and set up the runner in `_layout`.
 Once it's done creating `_layout`, it asks for the url of your repository and your token in the terminal.
 
 Check [Quickstart](../contribute.md#quickstart-run-a-job-from-a-real-repository) if you don't know how to get this token.
@@ -34,7 +34,7 @@ All the configs below can be found in `.vscode/launch.json`.
 
 If you launch `Run` or `Run [build]`, it starts a process called `Runner.Listener`.
 This process will receive any job queued on this repository if the job runs on matching labels (e.g `runs-on: self-hosted`).
-Once a job is received, a `Runner.Listener` starts a new process of `Runner.Worker`. 
+Once a job is received, a `Runner.Listener` starts a new process of `Runner.Worker`.
 Since this is a diferent process, you can't use the same debugger session debug it.
 Instead, a parallel debugging session has to be started, using a different launch config.
 Luckily, VS Code supports multiple parallel debugging sessions.
@@ -45,7 +45,7 @@ Because the worker process is usually started by the listener instead of an IDE,
 For this reason, `Runner.Worker` can be configured to wait for a debugger to be attached before it begins any actual work.
 
 Set the environment variable `GITHUB_ACTIONS_RUNNER_ATTACH_DEBUGGER` to `true` or `1` to enable this wait.
-All worker processes now will wait 20 seconds before they start working on their task. 
+All worker processes now will wait 20 seconds before they start working on their task.
 
 This gives enough time to attach a debugger by running `Debug Worker`.
 If for some reason you have multiple workers running, run the launch config `Attach` instead.

docs/design/auth.md

@@ -58,4 +58,4 @@ Authentication in a workflow run to github.com can be accomplished by using the
 
 Hosted runner authentication differs from self-hosted authentication in that runners do not undergo a registration process, but instead, the hosted runners get the OAuth token directly by reading the `.credentials` file. The scope of this particular token is limited for a given workflow job execution, and the token is revoked as soon as the job is finished.
 
-![Hosted runner config and start](../res/hosted-config-start.png)
+![Hosted runner config and start](../res/hosted-config-start.png)

docs/start/envlinux.md

@@ -27,7 +27,7 @@ Dependencies is missing for Dotnet Core 3.0
 Execute ./bin/installdependencies.sh to install any missing Dotnet Core 3.0 dependencies.
 ```
 You can easily correct the problem by executing `./bin/installdependencies.sh`.  
-The `installdependencies.sh` script should install all required dependencies on all supported Linux versions   
+The `installdependencies.sh` script should install all required dependencies on all supported Linux versions  
 > Note: The `installdependencies.sh` script will try to use the default package management mechanism on your Linux flavor (ex. `yum`/`apt-get`/`apt`).
 
 ### Full dependencies list
@@ -35,15 +35,15 @@ The `installdependencies.sh` script should install all required dependencies on
 Debian based OS (Debian, Ubuntu, Linux Mint)
 
 - liblttng-ust0
-- libkrb5-3 
+- libkrb5-3
 - zlib1g
 - libssl1.1, libssl1.0.2 or libssl1.0.0
 - libicu63, libicu60, libicu57 or libicu55
 
 Fedora based OS (Fedora, Red Hat Enterprise Linux, CentOS, Oracle Linux 7)
 
-- lttng-ust 
+- lttng-ust
-- openssl-libs 
+- openssl-libs
 - krb5-libs
 - zlib
 - libicu

docs/start/envosx.md

@@ -5,7 +5,7 @@
 ## Supported Versions
 
   - macOS High Sierra (10.13) and later versions
- 
+
 ## Apple Silicon M1
 
 The runner is currently not supported on devices with an Apple M1 chip.  

releaseNote.md

@@ -1,12 +1,20 @@
 ## Features
 
+- Support the `--ephemeral` flag (#660)
+  - This optional flag will configure the runner to only take one job, and let the service un-configure the runner after that job finishes.
+  - Expect to see more info in the Github API documentation soon. We'll link to those docs directly as they become generally available!
+
 ## Bugs
 
-- Send Path when resolving actions so we can correctly validate Policy for Composite Actions (#1250)
+- Fix a bug in `script/delete` wherein a repo with multiple runners would be unable to find the correct runner (#1268) (#1269)
+- Mitigate a race condition when requesting an OIDC `Id_token` (#1320)
+- Make client retries more resilient in JobServer (#1316)
 
 ## Misc
 
-- Allows flags instead of parameters when configuring the runner (#1220)
+- Increase readability of colored console output (#1295) (#1319)
+- Add more network troubleshooting to the docs (#1325)
+- Bump [path-parse](https://github.com/jbgutierrez/path-parse) from 1.0.6 to 1.0.7 (#1256)
 
 ## Windows x64
 We recommend configuring the runner in a root folder of the Windows drive (e.g. "C:\actions-runner"). This will help avoid issues related to service identity folder permissions and long file path restrictions on Windows.
@@ -18,7 +26,7 @@ mkdir \actions-runner ; cd \actions-runner
 # Download the latest runner package
 Invoke-WebRequest -Uri https://github.com/actions/runner/releases/download/v<RUNNER_VERSION>/actions-runner-win-x64-<RUNNER_VERSION>.zip -OutFile actions-runner-win-x64-<RUNNER_VERSION>.zip
 # Extract the installer
-Add-Type -AssemblyName System.IO.Compression.FileSystem ; 
+Add-Type -AssemblyName System.IO.Compression.FileSystem ;
 [System.IO.Compression.ZipFile]::ExtractToDirectory("$PWD\actions-runner-win-x64-<RUNNER_VERSION>.zip", "$PWD")
 ```
 

releaseVersion

@@ -1 +1 @@
-2.280.2
+<Update to ./src/runnerversion when creating release>

scripts/README.md

@@ -1,4 +1,4 @@
 # Sample scripts for self-hosted runners
 
 Here are some examples to work from if you'd like to automate your use of self-hosted runners.
-See the docs [here](../docs/automate.md).
+See the docs [here](../docs/automate.md).

scripts/delete.sh

@@ -51,7 +51,7 @@ fi
 # Ensure offline
 #--------------------------------------
 runner_status=$(curl -s -X GET ${base_api_url}/${runner_scope}/actions/runners?per_page=100  -H "accept: application/vnd.github.everest-preview+json" -H "authorization: token ${RUNNER_CFG_PAT}" \
-        | jq -M -j ".runners | .[] | [select(.name == \"${runner_name}\")] | .[0].status")
+        | jq -M -j ".runners | .[] | select(.name == \"${runner_name}\") | .status")
 
 if [ -z "${runner_status}" ]; then 
     fatal "Could not find runner with name ${runner_name}"
@@ -67,7 +67,7 @@ fi
 # Get id of runner to remove
 #--------------------------------------
 runner_id=$(curl -s -X GET ${base_api_url}/${runner_scope}/actions/runners?per_page=100  -H "accept: application/vnd.github.everest-preview+json" -H "authorization: token ${RUNNER_CFG_PAT}" \
-        | jq -M -j ".runners | .[] | [select(.name == \"${runner_name}\")] | .[0].id")
+        | jq -M -j ".runners | .[] | select(.name == \"${runner_name}\") | .id")
 
 if [ -z "${runner_id}" ]; then 
     fatal "Could not find runner with name ${runner_name}"

src/Misc/expressionFunc/hashFiles/package-lock.json

@@ -1947,9 +1947,9 @@
       "dev": true
     },
     "path-parse": {
-      "version": "1.0.6",
+      "version": "1.0.7",
-      "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz",
+      "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz",
-      "integrity": "sha512-GSmOT2EbHrINBf9SR7CDELwlJ8AENk3Qn7OikK4nFYAu3Ote2+JYNVvkpAEQm3/TLNEJFD/xZJjzyxg3KBWOzw==",
+      "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==",
       "dev": true
     },
     "path-type": {

src/Misc/layoutbin/update.sh.template

@@ -118,6 +118,43 @@ then
     exit 1
 fi
 
+# fix upgrade issue with macOS
+currentplatform=$(uname | awk '{print tolower($0)}')
+if [[ "$currentplatform" == 'darwin' ]]; then
+    # need a short-term fix for https://github.com/actions/runner/issues/743
+    # we will recreate all the ./externals/node12/bin/node of the past 5 versions
+    # v2.280.3 v2.280.2 v2.280.1 v2.279.0 v2.278.0
+    if [[ ! -e "$rootfolder/externals.2.280.3/node12/bin/node" ]]
+    then
+        mkdir -p "$rootfolder/externals.2.280.3/node12/bin"
+        cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.280.3/node12/bin/node"
+    fi
+
+    if [[ ! -e "$rootfolder/externals.2.280.2/node12/bin/node" ]]
+    then
+        mkdir -p "$rootfolder/externals.2.280.2/node12/bin"
+        cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.280.2/node12/bin/node"
+    fi
+
+    if [[ ! -e "$rootfolder/externals.2.280.1/node12/bin/node" ]]
+    then
+        mkdir -p "$rootfolder/externals.2.280.1/node12/bin"
+        cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.280.1/node12/bin/node"
+    fi
+
+    if [[ ! -e "$rootfolder/externals.2.279.0/node12/bin/node" ]]
+    then
+        mkdir -p "$rootfolder/externals.2.279.0/node12/bin"
+        cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.279.0/node12/bin/node"
+    fi
+
+    if [[ ! -e "$rootfolder/externals.2.278.0/node12/bin/node" ]]
+    then
+        mkdir -p "$rootfolder/externals.2.278.0/node12/bin"
+        cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.278.0/node12/bin/node"
+    fi
+fi
+
 date "+[%F %T-%4N] Update succeed" >> "$logfile"
 
 # rename the update log file with %logfile%.succeed/.failed/succeedneedrestart

src/Runner.Common/ConfigurationStore.cs

@@ -33,6 +33,9 @@ namespace GitHub.Runner.Common
         [DataMember(EmitDefaultValue = false)]
         public string PoolName { get; set; }
 
+        [DataMember(EmitDefaultValue = false)]
+        public bool Ephemeral { get; set; }
+
         [DataMember(EmitDefaultValue = false)]
         public string ServerUrl { get; set; }
 

src/Runner.Common/Constants.cs

@@ -125,9 +125,10 @@ namespace GitHub.Runner.Common
                 {
                     public static readonly string Check = "check";
                     public static readonly string Commit = "commit";
+                    public static readonly string Ephemeral = "ephemeral";
                     public static readonly string Help = "help";
                     public static readonly string Replace = "replace";
-                    public static readonly string Once = "once";
+                    public static readonly string Once = "once"; // TODO: Remove in 10/2021
                     public static readonly string RunAsService = "runasservice";
                     public static readonly string Unattended = "unattended";
                     public static readonly string Version = "version";

src/Runner.Common/HostContext.cs

@@ -90,6 +90,8 @@ namespace GitHub.Runner.Common
             this.SecretMasker.AddValueEncoder(ValueEncoders.UriDataEscape);
             this.SecretMasker.AddValueEncoder(ValueEncoders.XmlDataEscape);
             this.SecretMasker.AddValueEncoder(ValueEncoders.TrimDoubleQuotes);
+            this.SecretMasker.AddValueEncoder(ValueEncoders.PowerShellPreAmpersandEscape);
+            this.SecretMasker.AddValueEncoder(ValueEncoders.PowerShellPostAmpersandEscape);
 
             // Create the trace manager.
             if (string.IsNullOrEmpty(logFile))

src/Runner.Common/JobServerQueue.cs

@@ -15,6 +15,7 @@ namespace GitHub.Runner.Common
     [ServiceLocator(Default = typeof(JobServerQueue))]
     public interface IJobServerQueue : IRunnerService, IThrottlingReporter
     {
+        TaskCompletionSource<int> JobRecordUpdated { get; }
         event EventHandler<ThrottlingEventArgs> JobServerQueueThrottling;
         Task ShutdownAsync();
         void Start(Pipelines.AgentJobRequestMessage jobRequest);
@@ -62,8 +63,11 @@ namespace GitHub.Runner.Common
         private IJobServer _jobServer;
         private Task[] _allDequeueTasks;
         private readonly TaskCompletionSource<int> _jobCompletionSource = new TaskCompletionSource<int>();
+        private readonly TaskCompletionSource<int> _jobRecordUpdated = new TaskCompletionSource<int>();
         private bool _queueInProcess = false;
 
+        public TaskCompletionSource<int> JobRecordUpdated => _jobRecordUpdated;
+
         public event EventHandler<ThrottlingEventArgs> JobServerQueueThrottling;
 
         // Web console dequeue will start with process queue every 250ms for the first 60*4 times (~60 seconds).
@@ -287,11 +291,11 @@ namespace GitHub.Runner.Common
                                 {
                                     await _jobServer.AppendTimelineRecordFeedAsync(_scopeIdentifier, _hubName, _planId, _jobTimelineId, _jobTimelineRecordId, stepRecordId, batch.Select(logLine => logLine.Line).ToList(), batch[0].LineNumber.Value, default(CancellationToken));
                                 }
-                                else 
+                                else
                                 {
                                     await _jobServer.AppendTimelineRecordFeedAsync(_scopeIdentifier, _hubName, _planId, _jobTimelineId, _jobTimelineRecordId, stepRecordId, batch.Select(logLine => logLine.Line).ToList(), default(CancellationToken));
                                 }
-                                
+
                                 if (_firstConsoleOutputs)
                                 {
                                     HostContext.WritePerfCounter($"WorkerJobServerQueueAppendFirstConsoleOutput_{_planId.ToString()}");
@@ -455,6 +459,14 @@ namespace GitHub.Runner.Common
                             {
                                 Trace.Verbose("Cleanup buffered timeline record for timeline: {0}.", update.TimelineId);
                             }
+
+                            if (!_jobRecordUpdated.Task.IsCompleted &&
+                                update.PendingRecords.Any(x => x.Id == _jobTimelineRecordId && x.State != null))
+                            {
+                                // We have changed the state of the job
+                                Trace.Info("Job timeline record has been updated for the first time.");
+                                _jobRecordUpdated.TrySetResult(0);
+                            }
                         }
                         catch (Exception ex)
                         {

src/Runner.Common/Terminal.cs

@@ -164,9 +164,8 @@ namespace GitHub.Runner.Common
             if (!Silent)
             {
                 Console.WriteLine();
-                Console.ForegroundColor = ConsoleColor.White;
-                Console.WriteLine($"# {message}");
                 Console.ResetColor();
+                Console.WriteLine($"# {message}");
                 Console.WriteLine();
             }
         }
@@ -177,9 +176,8 @@ namespace GitHub.Runner.Common
             {
                 Console.ForegroundColor = ConsoleColor.Green;
                 Console.Write("√ ");
-                Console.ForegroundColor = ConsoleColor.White;
-                Console.WriteLine(message);
                 Console.ResetColor();
+                Console.WriteLine(message);
             }
         }
 

src/Runner.Listener/CommandSettings.cs

@@ -29,10 +29,10 @@ namespace GitHub.Runner.Listener
         {
             Constants.Runner.CommandLine.Flags.Check,
             Constants.Runner.CommandLine.Flags.Commit,
+            Constants.Runner.CommandLine.Flags.Ephemeral,
             Constants.Runner.CommandLine.Flags.Help,
             Constants.Runner.CommandLine.Flags.Replace,
             Constants.Runner.CommandLine.Flags.RunAsService,
-            Constants.Runner.CommandLine.Flags.Once,
             Constants.Runner.CommandLine.Flags.Unattended,
             Constants.Runner.CommandLine.Flags.Version
         };
@@ -66,7 +66,9 @@ namespace GitHub.Runner.Listener
         public bool Help => TestFlag(Constants.Runner.CommandLine.Flags.Help);
         public bool Unattended => TestFlag(Constants.Runner.CommandLine.Flags.Unattended);
         public bool Version => TestFlag(Constants.Runner.CommandLine.Flags.Version);
+        public bool Ephemeral => TestFlag(Constants.Runner.CommandLine.Flags.Ephemeral);
 
+        // TODO: Remove in 10/2021
         public bool RunOnce => TestFlag(Constants.Runner.CommandLine.Flags.Once);
 
         // Constructor.

src/Runner.Listener/Configuration/ConfigurationManager.cs

@@ -65,18 +65,18 @@ namespace GitHub.Runner.Listener.Configuration
         public async Task ConfigureAsync(CommandSettings command)
         {
             _term.WriteLine();
-            _term.WriteLine("--------------------------------------------------------------------------------", ConsoleColor.White);
+            _term.WriteLine("--------------------------------------------------------------------------------");
-            _term.WriteLine("|        ____ _ _   _   _       _          _        _   _                      |", ConsoleColor.White);
+            _term.WriteLine("|        ____ _ _   _   _       _          _        _   _                      |");
-            _term.WriteLine("|       / ___(_) |_| | | |_   _| |__      / \\   ___| |_(_) ___  _ __  ___      |", ConsoleColor.White);
+            _term.WriteLine("|       / ___(_) |_| | | |_   _| |__      / \\   ___| |_(_) ___  _ __  ___      |");
-            _term.WriteLine("|      | |  _| | __| |_| | | | | '_ \\    / _ \\ / __| __| |/ _ \\| '_ \\/ __|     |", ConsoleColor.White);
+            _term.WriteLine("|      | |  _| | __| |_| | | | | '_ \\    / _ \\ / __| __| |/ _ \\| '_ \\/ __|     |");
-            _term.WriteLine("|      | |_| | | |_|  _  | |_| | |_) |  / ___ \\ (__| |_| | (_) | | | \\__ \\     |", ConsoleColor.White);
+            _term.WriteLine("|      | |_| | | |_|  _  | |_| | |_) |  / ___ \\ (__| |_| | (_) | | | \\__ \\     |");
-            _term.WriteLine("|       \\____|_|\\__|_| |_|\\__,_|_.__/  /_/   \\_\\___|\\__|_|\\___/|_| |_|___/     |", ConsoleColor.White);
+            _term.WriteLine("|       \\____|_|\\__|_| |_|\\__,_|_.__/  /_/   \\_\\___|\\__|_|\\___/|_| |_|___/     |");
-            _term.WriteLine("|                                                                              |", ConsoleColor.White);
+            _term.WriteLine("|                                                                              |");
-            _term.Write("|                       ", ConsoleColor.White);
+            _term.Write("|                       ");
             _term.Write("Self-hosted runner registration", ConsoleColor.Cyan);
-            _term.WriteLine("                        |", ConsoleColor.White);
+            _term.WriteLine("                        |");
-            _term.WriteLine("|                                                                              |", ConsoleColor.White);
+            _term.WriteLine("|                                                                              |");
-            _term.WriteLine("--------------------------------------------------------------------------------", ConsoleColor.White);
+            _term.WriteLine("--------------------------------------------------------------------------------");
 
             Trace.Info(nameof(ConfigureAsync));
             if (IsConfigured())
@@ -117,6 +117,7 @@ namespace GitHub.Runner.Listener.Configuration
                 try
                 {
                     // Determine the service deployment type based on connection data. (Hosted/OnPremises)
+                    // Hosted usually means github.com or localhost, while OnPremises means GHES or GHAE
                     runnerSettings.IsHostedServer = runnerSettings.GitHubUrl == null || UrlUtil.IsHostedServer(new UriBuilder(runnerSettings.GitHubUrl));
 
                     // Warn if the Actions server url and GHES server url has different Host
@@ -194,6 +195,7 @@ namespace GitHub.Runner.Listener.Configuration
             TaskAgent agent;
             while (true)
             {
+                runnerSettings.Ephemeral = command.Ephemeral;
                 runnerSettings.AgentName = command.GetRunnerName();
 
                 _term.WriteLine();
@@ -210,7 +212,7 @@ namespace GitHub.Runner.Listener.Configuration
                     if (command.GetReplace())
                     {
                         // Update existing agent with new PublicKey, agent version.
-                        agent = UpdateExistingAgent(agent, publicKey, userLabels);
+                        agent = UpdateExistingAgent(agent, publicKey, userLabels, runnerSettings.Ephemeral);
 
                         try
                         {
@@ -233,7 +235,7 @@ namespace GitHub.Runner.Listener.Configuration
                 else
                 {
                     // Create a new agent.
-                    agent = CreateNewAgent(runnerSettings.AgentName, publicKey, userLabels);
+                    agent = CreateNewAgent(runnerSettings.AgentName, publicKey, userLabels, runnerSettings.Ephemeral);
 
                     try
                     {
@@ -346,12 +348,9 @@ namespace GitHub.Runner.Listener.Configuration
 
                     _term.WriteLine();
                     _term.WriteSuccessMessage("Runner service removed");
-#elif OS_LINUX
+#else
-                    // unconfig system D service first
+                    // unconfig systemd or osx service first
-                    throw new Exception("Unconfigure service first");
+                    throw new Exception("Uninstall service first");
-#elif OS_OSX
-                    // unconfig osx service first
-                    throw new Exception("Unconfigure service first");
 #endif
                 }
 
@@ -458,7 +457,7 @@ namespace GitHub.Runner.Listener.Configuration
         }
 
 
-        private TaskAgent UpdateExistingAgent(TaskAgent agent, RSAParameters publicKey, ISet<string> userLabels)
+        private TaskAgent UpdateExistingAgent(TaskAgent agent, RSAParameters publicKey, ISet<string> userLabels, bool ephemeral)
         {
             ArgUtil.NotNull(agent, nameof(agent));
             agent.Authorization = new TaskAgentAuthorization
@@ -469,6 +468,8 @@ namespace GitHub.Runner.Listener.Configuration
             // update should replace the existing labels
             agent.Version = BuildConstants.RunnerPackage.Version;
             agent.OSDescription = RuntimeInformation.OSDescription;
+            agent.Ephemeral = ephemeral;
+            agent.MaxParallelism = 1;
 
             agent.Labels.Clear();
 
@@ -484,7 +485,7 @@ namespace GitHub.Runner.Listener.Configuration
             return agent;
         }
 
-        private TaskAgent CreateNewAgent(string agentName, RSAParameters publicKey, ISet<string> userLabels)
+        private TaskAgent CreateNewAgent(string agentName, RSAParameters publicKey, ISet<string> userLabels, bool ephemeral)
         {
             TaskAgent agent = new TaskAgent(agentName)
             {
@@ -495,6 +496,7 @@ namespace GitHub.Runner.Listener.Configuration
                 MaxParallelism = 1,
                 Version = BuildConstants.RunnerPackage.Version,
                 OSDescription = RuntimeInformation.OSDescription,
+                Ephemeral = ephemeral,
             };
 
             agent.Labels.Add(new AgentLabel("self-hosted", LabelType.System));

src/Runner.Listener/Configuration/PromptManager.cs

@@ -85,7 +85,7 @@ namespace GitHub.Runner.Listener.Configuration
             while (true)
             {
                 // Write the message prompt.
-                _terminal.Write($"{description} ", ConsoleColor.White);
+                _terminal.Write($"{description} ");
 
                 if(!string.IsNullOrEmpty(defaultValue))
                 {

src/Runner.Listener/Program.cs

@@ -95,7 +95,16 @@ namespace GitHub.Runner.Listener
                 var unknownCommandlines = command.Validate();
                 if (unknownCommandlines.Count > 0)
                 {
-                    terminal.WriteError($"Unrecognized command-line input arguments: '{string.Join(", ", unknownCommandlines)}'. For usage refer to: .\\config.cmd --help or ./config.sh --help");
+                    string separator;
+                    string ext;
+#if OS_WINDOWS
+                    separator = "\\";
+                    ext = "cmd";
+#else
+                    separator = "/";
+                    ext = "sh";
+#endif
+                    terminal.WriteError($"Unrecognized command-line input arguments: '{string.Join(", ", unknownCommandlines)}'. For usage refer to `.{separator}config.{ext} --help`");
                 }
 
                 // Defer to the Runner class to execute the command.

src/Runner.Listener/Runner.cs

@@ -234,7 +234,7 @@ namespace GitHub.Runner.Listener
                     HostContext.StartupType = startType;
 
                     // Run the runner interactively or as service
-                    return await RunAsync(settings, command.RunOnce);
+                    return await RunAsync(settings, command.RunOnce || settings.Ephemeral);  // TODO: Remove RunOnce later.
                 }
                 else
                 {
@@ -466,8 +466,16 @@ namespace GitHub.Runner.Listener
                         await jobDispatcher.ShutdownAsync();
                     }
 
-                    //TODO: make sure we don't mask more important exception
+                    try
-                    await _listener.DeleteSessionAsync();
+                    {
+                        await _listener.DeleteSessionAsync();
+                    }
+                    catch (Exception ex) when (runOnce)
+                    {
+                        // ignore exception during delete session for ephemeral runner since the runner might already be deleted from the server side
+                        // and the delete session call will ends up with 401.
+                        Trace.Info($"Ignore any exception during DeleteSession for an ephemeral runner. {ex}");
+                    }
 
                     messageQueueLoopTokenSource.Dispose();
                 }
@@ -512,7 +520,9 @@ Config Options:
  --labels string        Extra labels in addition to the default: 'self-hosted,{Constants.Runner.Platform},{Constants.Runner.PlatformArchitecture}'
  --work string          Relative runner work directory (default {Constants.Path.WorkDirectory})
  --replace              Replace any existing runner with the same name (default false)
- --pat                  GitHub personal access token used for checking network connectivity when executing `.{separator}run.{ext} --check`");
+ --pat                  GitHub personal access token used for checking network connectivity when executing `.{separator}run.{ext} --check`
+ --ephemeral            Configure the runner to only take one job and then let the service un-configure the runner after the job finishes (default false)");
+
 #if OS_WINDOWS
     _term.WriteLine($@" --runasservice   Run the runner as a service");
     _term.WriteLine($@" --windowslogonaccount string   Account to run the service as. Requires runasservice");

src/Runner.Listener/SelfUpdater.cs

@@ -74,10 +74,12 @@ namespace GitHub.Runner.Listener
                 await jobDispatcher.WaitAsync(token);
                 Trace.Info($"All running job has exited.");
 
+                // We need to keep runner backup around for macOS until we fixed https://github.com/actions/runner/issues/743
+#if !OS_OSX
                 // delete runner backup
                 DeletePreviousVersionRunnerBackup(token);
                 Trace.Info($"Delete old version runner backup.");
-
+#endif
                 // generate update script from template
                 await UpdateRunnerUpdateStateAsync("Generate and execute update script.");
 
@@ -96,7 +98,7 @@ namespace GitHub.Runner.Listener
                 invokeScript.Start();
                 Trace.Info($"Update script start running");
 
-                await UpdateRunnerUpdateStateAsync("Runner will exit shortly for update, should back online within 10 seconds.");
+                await UpdateRunnerUpdateStateAsync("Runner will exit shortly for update, should be back online within 10 seconds.");
 
                 return true;
             }

src/Runner.Worker/ContainerOperationProvider.cs

@@ -494,7 +494,8 @@ namespace GitHub.Runner.Worker
         private void UpdateRegistryAuthForGitHubToken(IExecutionContext executionContext, ContainerInfo container)
         {
             var registryIsTokenCompatible = container.RegistryServer.Equals("ghcr.io", StringComparison.OrdinalIgnoreCase) || container.RegistryServer.Equals("containers.pkg.github.com", StringComparison.OrdinalIgnoreCase);
-            if (!registryIsTokenCompatible)
+            var isFallbackTokenFromHostedGithub = HostContext.GetService<IConfigurationStore>().GetSettings().IsHostedServer;
+            if (!registryIsTokenCompatible || !isFallbackTokenFromHostedGithub)
             {
                 return;
             }

src/Runner.Worker/ExecutionContext.cs

@@ -980,18 +980,6 @@ namespace GitHub.Runner.Worker
             context.Write(null, message);
         }
 
-        public static void WriteDetails(this IExecutionContext context, string message)
-        {
-            if (context.IsEmbedded)
-            {
-                context.Debug(message);
-            }
-            else
-            {
-                context.Output(message);
-            }
-        }
-
         // Do not add a format string overload. See comment on ExecutionContext.Write().
         public static void Command(this IExecutionContext context, string message)
         {

src/Runner.Worker/GitHubContext.cs

@@ -26,6 +26,7 @@ namespace GitHub.Runner.Worker
             "repository",
             "repository_owner",
             "retention_days",
+            "run_attempt",
             "run_id",
             "run_number",
             "server_url",

src/Runner.Worker/Handlers/CompositeActionHandler.cs

@@ -295,99 +295,108 @@ namespace GitHub.Runner.Worker.Handlers
                 CancellationTokenRegistration? jobCancelRegister = null;
                 try
                 {
-                    // Register job cancellation call back only if job cancellation token not been fire before each step run
+                    // For main steps just run the action
-                    if (!ExecutionContext.Root.CancellationToken.IsCancellationRequested)
+                    if (stage == ActionRunStage.Main)
-                    {
-                        // Test the condition again. The job was canceled after the condition was originally evaluated.
-                        jobCancelRegister = ExecutionContext.Root.CancellationToken.Register(() =>
-                        {
-                            // Mark job as cancelled
-                            ExecutionContext.Root.Result = TaskResult.Canceled;
-                            ExecutionContext.Root.JobContext.Status = ExecutionContext.Root.Result?.ToActionResult();
-
-                            step.ExecutionContext.Debug($"Re-evaluate condition on job cancellation for step: '{step.DisplayName}'.");
-                            var conditionReTestTraceWriter = new ConditionTraceWriter(Trace, null); // host tracing only
-                            var conditionReTestResult = false;
-                            if (HostContext.RunnerShutdownToken.IsCancellationRequested)
-                            {
-                                step.ExecutionContext.Debug($"Skip Re-evaluate condition on runner shutdown.");
-                            }
-                            else
-                            {
-                                try
-                                {
-                                    var templateEvaluator = step.ExecutionContext.ToPipelineTemplateEvaluator(conditionReTestTraceWriter);
-                                    var condition = new BasicExpressionToken(null, null, null, step.Condition);
-                                    conditionReTestResult = templateEvaluator.EvaluateStepIf(condition, step.ExecutionContext.ExpressionValues, step.ExecutionContext.ExpressionFunctions, step.ExecutionContext.ToExpressionState());
-                                }
-                                catch (Exception ex)
-                                {
-                                    // Cancel the step since we get exception while re-evaluate step condition
-                                    Trace.Info("Caught exception from expression when re-test condition on job cancellation.");
-                                    step.ExecutionContext.Error(ex);
-                                }
-                            }
-
-                            if (!conditionReTestResult)
-                            {
-                                // Cancel the step
-                                Trace.Info("Cancel current running step.");
-                                step.ExecutionContext.CancelToken();
-                            }
-                        });
-                    }
-                    else
-                    {
-                        if (ExecutionContext.Root.Result != TaskResult.Canceled)
-                        {
-                            // Mark job as cancelled
-                            ExecutionContext.Root.Result = TaskResult.Canceled;
-                            ExecutionContext.Root.JobContext.Status = ExecutionContext.Root.Result?.ToActionResult();
-                        }
-                    }
-                    // Evaluate condition
-                    step.ExecutionContext.Debug($"Evaluating condition for step: '{step.DisplayName}'");
-                    var conditionTraceWriter = new ConditionTraceWriter(Trace, step.ExecutionContext);
-                    var conditionResult = false;
-                    var conditionEvaluateError = default(Exception);
-                    if (HostContext.RunnerShutdownToken.IsCancellationRequested)
-                    {
-                        step.ExecutionContext.Debug($"Skip evaluate condition on runner shutdown.");
-                    }
-                    else
-                    {
-                        try
-                        {
-                            var templateEvaluator = step.ExecutionContext.ToPipelineTemplateEvaluator(conditionTraceWriter);
-                            var condition = new BasicExpressionToken(null, null, null, step.Condition);
-                            conditionResult = templateEvaluator.EvaluateStepIf(condition, step.ExecutionContext.ExpressionValues, step.ExecutionContext.ExpressionFunctions, step.ExecutionContext.ToExpressionState());
-                        }
-                        catch (Exception ex)
-                        {
-                            Trace.Info("Caught exception from expression.");
-                            Trace.Error(ex);
-                            conditionEvaluateError = ex;
-                        }
-                    }
-                    if (!conditionResult && conditionEvaluateError == null)
-                    {
-                        // Condition is false
-                        Trace.Info("Skipping step due to condition evaluation.");
-                        step.ExecutionContext.Result = TaskResult.Skipped;
-                        continue;
-                    }
-                    else if (conditionEvaluateError != null)
-                    {
-                        // Condition error
-                        step.ExecutionContext.Error(conditionEvaluateError);
-                        step.ExecutionContext.Result = TaskResult.Failed;
-                        ExecutionContext.Result = TaskResult.Failed;
-                        break;
-                    }
-                    else
                     {
                         await RunStepAsync(step);
                     }
+                    // We need to evaluate conditions for pre/post steps
+                    else
+                    {
+                        // Register job cancellation call back only if job cancellation token not been fire before each step run
+                        if (!ExecutionContext.Root.CancellationToken.IsCancellationRequested)
+                        {
+                            // Test the condition again. The job was canceled after the condition was originally evaluated.
+                            jobCancelRegister = ExecutionContext.Root.CancellationToken.Register(() =>
+                            {
+                                // Mark job as cancelled
+                                ExecutionContext.Root.Result = TaskResult.Canceled;
+                                ExecutionContext.Root.JobContext.Status = ExecutionContext.Root.Result?.ToActionResult();
+
+                                step.ExecutionContext.Debug($"Re-evaluate condition on job cancellation for step: '{step.DisplayName}'.");
+                                var conditionReTestTraceWriter = new ConditionTraceWriter(Trace, null); // host tracing only
+                                var conditionReTestResult = false;
+                                if (HostContext.RunnerShutdownToken.IsCancellationRequested)
+                                {
+                                    step.ExecutionContext.Debug($"Skip Re-evaluate condition on runner shutdown.");
+                                }
+                                else
+                                {
+                                    try
+                                    {
+                                        var templateEvaluator = step.ExecutionContext.ToPipelineTemplateEvaluator(conditionReTestTraceWriter);
+                                        var condition = new BasicExpressionToken(null, null, null, step.Condition);
+                                        conditionReTestResult = templateEvaluator.EvaluateStepIf(condition, step.ExecutionContext.ExpressionValues, step.ExecutionContext.ExpressionFunctions, step.ExecutionContext.ToExpressionState());
+                                    }
+                                    catch (Exception ex)
+                                    {
+                                        // Cancel the step since we get exception while re-evaluate step condition
+                                        Trace.Info("Caught exception from expression when re-test condition on job cancellation.");
+                                        step.ExecutionContext.Error(ex);
+                                    }
+                                }
+
+                                if (!conditionReTestResult)
+                                {
+                                    // Cancel the step
+                                    Trace.Info("Cancel current running step.");
+                                    step.ExecutionContext.CancelToken();
+                                }
+                            });
+                        }
+                        else
+                        {
+                            if (ExecutionContext.Root.Result != TaskResult.Canceled)
+                            {
+                                // Mark job as cancelled
+                                ExecutionContext.Root.Result = TaskResult.Canceled;
+                                ExecutionContext.Root.JobContext.Status = ExecutionContext.Root.Result?.ToActionResult();
+                            }
+                        }
+                        // Evaluate condition
+                        step.ExecutionContext.Debug($"Evaluating condition for step: '{step.DisplayName}'");
+                        var conditionTraceWriter = new ConditionTraceWriter(Trace, step.ExecutionContext);
+                        var conditionResult = false;
+                        var conditionEvaluateError = default(Exception);
+                        if (HostContext.RunnerShutdownToken.IsCancellationRequested)
+                        {
+                            step.ExecutionContext.Debug($"Skip evaluate condition on runner shutdown.");
+                        }
+                        else
+                        {
+                            try
+                            {
+                                var templateEvaluator = step.ExecutionContext.ToPipelineTemplateEvaluator(conditionTraceWriter);
+                                var condition = new BasicExpressionToken(null, null, null, step.Condition);
+                                conditionResult = templateEvaluator.EvaluateStepIf(condition, step.ExecutionContext.ExpressionValues, step.ExecutionContext.ExpressionFunctions, step.ExecutionContext.ToExpressionState());
+                            }
+                            catch (Exception ex)
+                            {
+                                Trace.Info("Caught exception from expression.");
+                                Trace.Error(ex);
+                                conditionEvaluateError = ex;
+                            }
+                        }
+                        if (!conditionResult && conditionEvaluateError == null)
+                        {
+                            // Condition is false
+                            Trace.Info("Skipping step due to condition evaluation.");
+                            step.ExecutionContext.Result = TaskResult.Skipped;
+                            continue;
+                        }
+                        else if (conditionEvaluateError != null)
+                        {
+                            // Condition error
+                            step.ExecutionContext.Error(conditionEvaluateError);
+                            step.ExecutionContext.Result = TaskResult.Failed;
+                            ExecutionContext.Result = TaskResult.Failed;
+                            break;
+                        }
+                        else
+                        {
+                            await RunStepAsync(step);
+                        }
+                    }
                 }
                 finally
                 {

src/Runner.Worker/Handlers/ContainerActionHandler.cs

@@ -50,8 +50,8 @@ namespace GitHub.Runner.Worker.Handlers
                 var dockerFile = Path.Combine(ActionDirectory, Data.Image);
                 ArgUtil.File(dockerFile, nameof(Data.Image));
 
-                ExecutionContext.WriteDetails(ExecutionContext.IsEmbedded ? "Building docker image" : $"##[group]Building docker image");
+                ExecutionContext.Output($"##[group]Building docker image");
-                ExecutionContext.WriteDetails($"Dockerfile for action: '{dockerFile}'.");
+                ExecutionContext.Output($"Dockerfile for action: '{dockerFile}'.");
                 var imageName = $"{dockerManager.DockerInstanceLabel}:{ExecutionContext.Id.ToString("N")}";
                 var buildExitCode = await dockerManager.DockerBuild(
                     ExecutionContext,
@@ -59,7 +59,7 @@ namespace GitHub.Runner.Worker.Handlers
                     dockerFile,
                     Directory.GetParent(dockerFile).FullName,
                     imageName);
-                ExecutionContext.WriteDetails(ExecutionContext.IsEmbedded ? "" : "##[endgroup]");
+                ExecutionContext.Output("##[endgroup]");
 
                 if (buildExitCode != 0)
                 {
@@ -217,6 +217,7 @@ namespace GitHub.Runner.Worker.Handlers
             if (systemConnection.Data.TryGetValue("GenerateIdTokenUrl", out var generateIdTokenUrl) && !string.IsNullOrEmpty(generateIdTokenUrl))
             {
                 Environment["ACTIONS_ID_TOKEN_REQUEST_URL"] = generateIdTokenUrl;
+                Environment["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = systemConnection.Authorization.Parameters[EndpointAuthorizationParameters.AccessToken];
             }
 
             foreach (var variable in this.Environment)

src/Runner.Worker/Handlers/Handler.cs

@@ -82,7 +82,7 @@ namespace GitHub.Runner.Worker.Handlers
             
             if (stage == ActionRunStage.Post)
             {
-                ExecutionContext.WriteDetails($"Post job cleanup.");
+                ExecutionContext.Output($"Post job cleanup.");
                 return;
             }
 
@@ -118,30 +118,30 @@ namespace GitHub.Runner.Worker.Handlers
                 groupName = "Action details";
             }
 
-            ExecutionContext.WriteDetails(ExecutionContext.IsEmbedded ? groupName : $"##[group]{groupName}");
+            ExecutionContext.Output($"##[group]{groupName}");
 
             if (this.Inputs?.Count > 0)
             {
-                ExecutionContext.WriteDetails("with:");
+                ExecutionContext.Output("with:");
                 foreach (var input in this.Inputs)
                 {
                     if (!string.IsNullOrEmpty(input.Value))
                     {
-                        ExecutionContext.WriteDetails($"  {input.Key}: {input.Value}");
+                        ExecutionContext.Output($"  {input.Key}: {input.Value}");
                     }
                 }
             }
 
             if (this.Environment?.Count > 0)
             {
-                ExecutionContext.WriteDetails("env:");
+                ExecutionContext.Output("env:");
                 foreach (var env in this.Environment)
                 {
-                    ExecutionContext.WriteDetails($"  {env.Key}: {env.Value}");
+                    ExecutionContext.Output($"  {env.Key}: {env.Value}");
                 }
             }
 
-            ExecutionContext.WriteDetails(ExecutionContext.IsEmbedded ? "" : "##[endgroup]");
+            ExecutionContext.Output("##[endgroup]");
         }
 
         public override void Initialize(IHostContext hostContext)

src/Runner.Worker/Handlers/NodeScriptActionHandler.cs

@@ -56,6 +56,7 @@ namespace GitHub.Runner.Worker.Handlers
             if (systemConnection.Data.TryGetValue("GenerateIdTokenUrl", out var generateIdTokenUrl) && !string.IsNullOrEmpty(generateIdTokenUrl))
             {
                 Environment["ACTIONS_ID_TOKEN_REQUEST_URL"] = generateIdTokenUrl;
+                Environment["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = systemConnection.Authorization.Parameters[EndpointAuthorizationParameters.AccessToken];
             }
 
             // Resolve the target script.

src/Runner.Worker/Handlers/ScriptHandler.cs

@@ -40,7 +40,7 @@ namespace GitHub.Runner.Worker.Handlers
                     firstLine = firstLine.Substring(0, firstNewLine);
                 }
 
-                ExecutionContext.WriteDetails(ExecutionContext.IsEmbedded ? $"Run {firstLine}" : $"##[group]Run {firstLine}");
+                ExecutionContext.Output($"##[group]Run {firstLine}");
             }
             else
             {
@@ -51,7 +51,7 @@ namespace GitHub.Runner.Worker.Handlers
             foreach (var line in multiLines)
             {
                 // Bright Cyan color
-                ExecutionContext.WriteDetails($"\x1b[36;1m{line}\x1b[0m");
+                ExecutionContext.Output($"\x1b[36;1m{line}\x1b[0m");
             }
 
             string argFormat;
@@ -110,23 +110,23 @@ namespace GitHub.Runner.Worker.Handlers
 
             if (!string.IsNullOrEmpty(shellCommandPath))
             {
-                ExecutionContext.WriteDetails($"shell: {shellCommandPath} {argFormat}");
+                ExecutionContext.Output($"shell: {shellCommandPath} {argFormat}");
             }
             else
             {
-                ExecutionContext.WriteDetails($"shell: {shellCommand} {argFormat}");
+                ExecutionContext.Output($"shell: {shellCommand} {argFormat}");
             }
 
             if (this.Environment?.Count > 0)
             {
-                ExecutionContext.WriteDetails("env:");
+                ExecutionContext.Output("env:");
                 foreach (var env in this.Environment)
                 {
-                    ExecutionContext.WriteDetails($"  {env.Key}: {env.Value}");
+                    ExecutionContext.Output($"  {env.Key}: {env.Value}");
                 }
             }
 
-            ExecutionContext.WriteDetails(ExecutionContext.IsEmbedded ? "" : "##[endgroup]");
+            ExecutionContext.Output("##[endgroup]");
         }
 
         public async Task RunAsync(ActionRunStage stage)
@@ -147,7 +147,8 @@ namespace GitHub.Runner.Worker.Handlers
             // Add Telemetry to JobContext to send with JobCompleteMessage
             if (stage == ActionRunStage.Main)
             {
-                var telemetry = new ActionsStepTelemetry {
+                var telemetry = new ActionsStepTelemetry
+                {
                     IsEmbedded = ExecutionContext.IsEmbedded,
                     Type = "run",
                 };
@@ -276,6 +277,13 @@ namespace GitHub.Runner.Worker.Handlers
                 fileName = node12;
             }
 #endif
+            var systemConnection = ExecutionContext.Global.Endpoints.Single(x => string.Equals(x.Name, WellKnownServiceEndpointNames.SystemVssConnection, StringComparison.OrdinalIgnoreCase));
+            if (systemConnection.Data.TryGetValue("GenerateIdTokenUrl", out var generateIdTokenUrl) && !string.IsNullOrEmpty(generateIdTokenUrl))
+            {
+                Environment["ACTIONS_ID_TOKEN_REQUEST_URL"] = generateIdTokenUrl;
+                Environment["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = systemConnection.Authorization.Parameters[EndpointAuthorizationParameters.AccessToken];
+            }
+
             ExecutionContext.Debug($"{fileName} {arguments}");
 
             using (var stdoutManager = new OutputManager(ExecutionContext, ActionCommandManager))

src/Runner.Worker/IssueMatcher.cs

@@ -350,6 +350,7 @@ namespace GitHub.Runner.Worker
                 case "":
                 case "ERROR":
                 case "WARNING":
+                case "NOTICE":
                     break;
                 default:
                     throw new ArgumentException($"Matcher '{_owner}' contains unexpected default severity '{_severity}'");

src/Runner.Worker/JobRunner.cs

@@ -145,6 +145,16 @@ namespace GitHub.Runner.Worker
                 Trace.Verbose($"Job steps: '{string.Join(", ", jobSteps.Select(x => x.DisplayName))}'");
                 HostContext.WritePerfCounter($"WorkerJobInitialized_{message.RequestId.ToString()}");
 
+                if (systemConnection.Data.TryGetValue("GenerateIdTokenUrl", out var generateIdTokenUrl) &&
+                    !string.IsNullOrEmpty(generateIdTokenUrl))
+                {
+                    // Server won't issue ID_TOKEN for non-inprogress job.
+                    // If the job is trying to use OIDC feature, we want the job to be marked as in-progress before running any customer's steps as much as we can.
+                    // Timeline record update background process runs every 500ms, so delay 1000ms is enough for most of the cases
+                    Trace.Info($"Waiting for job to be marked as started.");
+                    await Task.WhenAny(_jobServerQueue.JobRecordUpdated.Task, Task.Delay(1000));
+                }
+
                 // Run all job steps
                 Trace.Info("Run all job steps.");
                 var stepsRunner = HostContext.GetService<IStepsRunner>();

src/Sdk/DTLogging/Logging/ValueEncoders.cs

@@ -2,6 +2,7 @@
 using System.ComponentModel;
 using System.Security;
 using System.Text;
+using System.Text.RegularExpressions;
 using Newtonsoft.Json;
 
 namespace GitHub.DistributedTask.Logging
@@ -80,6 +81,65 @@ namespace GitHub.DistributedTask.Logging
             return trimmed;
         }
 
+        public static String PowerShellPreAmpersandEscape(String value)
+        {
+            // if the secret is passed to PS as a command and it causes an error, sections of it can be surrounded by color codes
+            // or printed individually. 
+            
+            // The secret secretpart1&secretpart2&secretpart3 would be split into 2 sections:
+            // 'secretpart1&secretpart2&' and 'secretpart3'. This method masks for the first section.
+            
+            // The secret secretpart1&+secretpart2&secretpart3 would be split into 2 sections:
+            // 'secretpart1&+' and (no 's') 'ecretpart2&secretpart3'. This method masks for the first section.
+
+            var trimmed = string.Empty;
+            if (!string.IsNullOrEmpty(value) && value.Contains("&"))
+            {
+                var secretSection = string.Empty;
+                if (value.Contains("&+"))
+                {
+                    secretSection = value.Substring(0, value.IndexOf("&+") + "&+".Length);
+                }
+                else
+                {
+                    secretSection = value.Substring(0, value.LastIndexOf("&") + "&".Length);
+                }
+
+                // Don't mask short secrets
+                if (secretSection.Length >= 6)
+                {
+                    trimmed = secretSection;
+                }
+            }
+
+            return trimmed;
+        }
+
+        public static String PowerShellPostAmpersandEscape(String value)
+        {
+            var trimmed = string.Empty;
+            if (!string.IsNullOrEmpty(value) && value.Contains("&"))
+            {
+                var secretSection = string.Empty;
+                if (value.Contains("&+"))
+                {
+                    // +1 to skip the letter that got colored
+                    secretSection = value.Substring(value.IndexOf("&+") + "&+".Length + 1);
+                }
+                else
+                {
+                    secretSection = value.Substring(value.LastIndexOf("&") + "&".Length);
+                }
+
+                if (secretSection.Length >= 6)
+                {
+                    trimmed = secretSection;
+                }
+            }
+
+            return trimmed;
+        }
+
         private static string Base64StringEscapeShift(String value, int shift)
         {
             var bytes = Encoding.UTF8.GetBytes(value);

src/Sdk/DTWebApi/WebApi/TaskAgentReference.cs

@@ -24,6 +24,7 @@ namespace GitHub.DistributedTask.WebApi
             this.OSDescription = referenceToBeCloned.OSDescription;
             this.ProvisioningState = referenceToBeCloned.ProvisioningState;
             this.AccessPoint = referenceToBeCloned.AccessPoint;
+            this.Ephemeral = referenceToBeCloned.Ephemeral;
 
             if (referenceToBeCloned.m_links != null)
             {
@@ -81,6 +82,16 @@ namespace GitHub.DistributedTask.WebApi
             set;
         }
 
+        /// <summary>
+        /// Signifies that this Agent can only run one job and will be removed by the server after that one job finish.
+        /// </summary>
+        [DataMember]
+        public bool? Ephemeral
+        {
+            get;
+            set;
+        }
+
         /// <summary>
         /// Whether or not the agent is online.
         /// </summary>

src/Test/L0/HostContextL0.cs

@@ -112,6 +112,36 @@ namespace GitHub.Runner.Common.Tests
             }
         }
 
+        [Theory]
+        [InlineData("secret&secret&secret", "secret&secret&\x0033[96msecret\x0033[0m", "***\x0033[96m***\x0033[0m")]
+        [InlineData("secret&secret+secret", "secret&\x0033[96msecret+secret\x0033[0m", "***\x0033[96m***\x0033[0m")]
+        [InlineData("secret+secret&secret", "secret+secret&\x0033[96msecret\x0033[0m", "***\x0033[96m***\x0033[0m")]
+        [InlineData("secret&secret&+secretsecret", "secret&secret&+\x0033[96ms\x0033[0mecretsecret", "***\x0033[96ms\x0033[0m***")]
+        [InlineData("secret&+secret&secret", "secret&+\x0033[96ms\x0033[0mecret&secret", "***\x0033[96ms\x0033[0m***")]
+        [InlineData("secret&+secret&+secret", "secret&+\x0033[96ms\x0033[0mecret&+secret", "***\x0033[96ms\x0033[0m***")]
+        [InlineData("secret&+secret&secret&+secret", "secret&+\x0033[96ms\x0033[0mecret&secret&+secret", "***\x0033[96ms\x0033[0m***")]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Common")]
+        public void SecretSectionMasking(string secret, string rawOutput, string maskedOutput)
+        {
+            try
+            {
+                // Arrange.
+                Setup();
+
+                // Act.
+                _hc.SecretMasker.AddValue(secret);
+
+                // Assert.
+                Assert.Equal(maskedOutput, _hc.SecretMasker.MaskSecrets(rawOutput));
+            }
+            finally
+            {
+                // Cleanup.
+                Teardown();
+            }
+        }
+
         [Fact]
         [Trait("Level", "L0")]
         [Trait("Category", "Common")]

src/Test/L0/Listener/RunnerL0.cs

@@ -243,7 +243,8 @@ namespace GitHub.Runner.Common.Tests.Listener
                 runner.Initialize(hc);
                 var settings = new RunnerSettings
                 {
-                    PoolId = 43242
+                    PoolId = 43242,
+                    Ephemeral = true
                 };
 
                 var message = new TaskAgentMessage()
@@ -294,7 +295,7 @@ namespace GitHub.Runner.Common.Tests.Listener
 
                 _configStore.Setup(x => x.IsServiceConfigured()).Returns(false);
                 //Act
-                var command = new CommandSettings(hc, new string[] { "run", "--once" });
+                var command = new CommandSettings(hc, new string[] { "run" });
                 Task<int> runnerTask = runner.ExecuteCommand(command);
 
                 //Assert
@@ -332,7 +333,8 @@ namespace GitHub.Runner.Common.Tests.Listener
                 runner.Initialize(hc);
                 var settings = new RunnerSettings
                 {
-                    PoolId = 43242
+                    PoolId = 43242,
+                    Ephemeral = true
                 };
 
                 var message1 = new TaskAgentMessage()
@@ -390,7 +392,7 @@ namespace GitHub.Runner.Common.Tests.Listener
 
                 _configStore.Setup(x => x.IsServiceConfigured()).Returns(false);
                 //Act
-                var command = new CommandSettings(hc, new string[] { "run", "--once" });
+                var command = new CommandSettings(hc, new string[] { "run" });
                 Task<int> runnerTask = runner.ExecuteCommand(command);
 
                 //Assert
@@ -431,7 +433,8 @@ namespace GitHub.Runner.Common.Tests.Listener
                 var settings = new RunnerSettings
                 {
                     PoolId = 43242,
-                    AgentId = 5678
+                    AgentId = 5678,
+                    Ephemeral = true
                 };
 
                 var message1 = new TaskAgentMessage()
@@ -475,7 +478,7 @@ namespace GitHub.Runner.Common.Tests.Listener
 
                 _configStore.Setup(x => x.IsServiceConfigured()).Returns(false);
                 //Act
-                var command = new CommandSettings(hc, new string[] { "run", "--once" });
+                var command = new CommandSettings(hc, new string[] { "run" });
                 Task<int> runnerTask = runner.ExecuteCommand(command);
 
                 //Assert

src/Test/L0/Worker/IssueMatcherL0.cs

@@ -392,6 +392,35 @@ namespace GitHub.Runner.Common.Tests.Worker
             Assert.Equal("not-working", match.Message);
         }
 
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void Matcher_MultiplePatterns_DefaultSeverityNotice()
+        {
+            var config = JsonUtility.FromString<IssueMatchersConfig>(@"
+{
+  ""problemMatcher"": [
+    {
+      ""owner"": ""myMatcher"",
+      ""severity"": ""notice"",
+      ""pattern"": [
+        {
+          ""regexp"": ""^(.+)$"",
+          ""message"": 1
+        }
+      ]
+    }
+  ]
+}
+");
+            config.Validate();
+            var matcher = new IssueMatcher(config.Matchers[0], TimeSpan.FromSeconds(1));
+
+            var match = matcher.Match("just-a-notice");
+            Assert.Equal("notice", match.Severity);
+            Assert.Equal("just-a-notice", match.Message);
+        }
+
         [Fact]
         [Trait("Level", "L0")]
         [Trait("Category", "Worker")]

src/runnerversion

@@ -1 +1 @@
-2.280.2
+2.282.0