Update releaseVersion

Runner 2.281.0 (#1298 )
* Add generateIdTokenUrl as an env var * Add generateIdTokenUrl to env vars * Update runnerversion * Remove old relese notes * Update releaseNote.md
2025-12-10 20:36:49 +00:00 · 2021-08-30 19:27:28 +02:00 · 2021-08-30 18:57:24 +02:00 · 2021-08-30 11:52:12 +02:00 · 2021-08-26 13:29:02 -04:00 · 2021-08-25 23:07:19 +02:00
11 changed files with 109 additions and 5 deletions
--- a/releaseNote.md
+++ b/releaseNote.md
@@ -2,7 +2,7 @@

 ## Bugs

- Fixed an issue where composite steps would not run on `failure()` or `always()` when the job failed (#1273)
+- Fixed an issue where GHES runners fail to download public docker images (#1199)

 ## Misc

--- a/2
+++ b/2
@@ -1 +1 @@
-2.280.3
+2.281.0
--- a/src/Runner.Common/HostContext.cs
+++ b/src/Runner.Common/HostContext.cs
@@ -90,6 +90,8 @@ namespace GitHub.Runner.Common
            this.SecretMasker.AddValueEncoder(ValueEncoders.UriDataEscape);
            this.SecretMasker.AddValueEncoder(ValueEncoders.XmlDataEscape);
            this.SecretMasker.AddValueEncoder(ValueEncoders.TrimDoubleQuotes);
+            this.SecretMasker.AddValueEncoder(ValueEncoders.PowerShellPreAmpersandEscape);
+            this.SecretMasker.AddValueEncoder(ValueEncoders.PowerShellPostAmpersandEscape);

            // Create the trace manager.
            if (string.IsNullOrEmpty(logFile))
--- a/src/Runner.Listener/Configuration/ConfigurationManager.cs
+++ b/src/Runner.Listener/Configuration/ConfigurationManager.cs
@@ -117,6 +117,7 @@ namespace GitHub.Runner.Listener.Configuration
                try
                {
                    // Determine the service deployment type based on connection data. (Hosted/OnPremises)
+                    // Hosted usually means github.com or localhost, while OnPremises means GHES or GHAE
                    runnerSettings.IsHostedServer = runnerSettings.GitHubUrl == null || UrlUtil.IsHostedServer(new UriBuilder(runnerSettings.GitHubUrl));

                    // Warn if the Actions server url and GHES server url has different Host
--- a/src/Runner.Worker/ContainerOperationProvider.cs
+++ b/src/Runner.Worker/ContainerOperationProvider.cs
@@ -494,7 +494,8 @@ namespace GitHub.Runner.Worker
        private void UpdateRegistryAuthForGitHubToken(IExecutionContext executionContext, ContainerInfo container)
        {
            var registryIsTokenCompatible = container.RegistryServer.Equals("ghcr.io", StringComparison.OrdinalIgnoreCase) || container.RegistryServer.Equals("containers.pkg.github.com", StringComparison.OrdinalIgnoreCase);
-            if (!registryIsTokenCompatible)
+            var isFallbackTokenFromHostedGithub = HostContext.GetService<IConfigurationStore>().GetSettings().IsHostedServer;
+            if (!registryIsTokenCompatible || !isFallbackTokenFromHostedGithub)
            {
                return;
            }
--- a/src/Runner.Worker/Handlers/ContainerActionHandler.cs
+++ b/src/Runner.Worker/Handlers/ContainerActionHandler.cs
@@ -217,6 +217,7 @@ namespace GitHub.Runner.Worker.Handlers
            if (systemConnection.Data.TryGetValue("GenerateIdTokenUrl", out var generateIdTokenUrl) && !string.IsNullOrEmpty(generateIdTokenUrl))
            {
                Environment["ACTIONS_ID_TOKEN_REQUEST_URL"] = generateIdTokenUrl;
+                Environment["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = systemConnection.Authorization.Parameters[EndpointAuthorizationParameters.AccessToken];
            }

            foreach (var variable in this.Environment)
--- a/src/Runner.Worker/Handlers/NodeScriptActionHandler.cs
+++ b/src/Runner.Worker/Handlers/NodeScriptActionHandler.cs
@@ -56,6 +56,7 @@ namespace GitHub.Runner.Worker.Handlers
            if (systemConnection.Data.TryGetValue("GenerateIdTokenUrl", out var generateIdTokenUrl) && !string.IsNullOrEmpty(generateIdTokenUrl))
            {
                Environment["ACTIONS_ID_TOKEN_REQUEST_URL"] = generateIdTokenUrl;
+                Environment["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = systemConnection.Authorization.Parameters[EndpointAuthorizationParameters.AccessToken];
            }

            // Resolve the target script.
--- a/src/Runner.Worker/Handlers/ScriptHandler.cs
+++ b/src/Runner.Worker/Handlers/ScriptHandler.cs
@@ -147,7 +147,8 @@ namespace GitHub.Runner.Worker.Handlers
            // Add Telemetry to JobContext to send with JobCompleteMessage
            if (stage == ActionRunStage.Main)
            {
-                var telemetry = new ActionsStepTelemetry {
+                var telemetry = new ActionsStepTelemetry
+                {
                    IsEmbedded = ExecutionContext.IsEmbedded,
                    Type = "run",
                };
@@ -276,6 +277,13 @@ namespace GitHub.Runner.Worker.Handlers
                fileName = node12;
            }
 #endif
+            var systemConnection = ExecutionContext.Global.Endpoints.Single(x => string.Equals(x.Name, WellKnownServiceEndpointNames.SystemVssConnection, StringComparison.OrdinalIgnoreCase));
+            if (systemConnection.Data.TryGetValue("GenerateIdTokenUrl", out var generateIdTokenUrl) && !string.IsNullOrEmpty(generateIdTokenUrl))
+            {
+                Environment["ACTIONS_ID_TOKEN_REQUEST_URL"] = generateIdTokenUrl;
+                Environment["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = systemConnection.Authorization.Parameters[EndpointAuthorizationParameters.AccessToken];
+            }
+
            ExecutionContext.Debug($"{fileName} {arguments}");

            using (var stdoutManager = new OutputManager(ExecutionContext, ActionCommandManager))
--- a/src/Sdk/DTLogging/Logging/ValueEncoders.cs
+++ b/src/Sdk/DTLogging/Logging/ValueEncoders.cs
@@ -2,6 +2,7 @@
 using System.ComponentModel;
 using System.Security;
 using System.Text;
+using System.Text.RegularExpressions;
 using Newtonsoft.Json;

 namespace GitHub.DistributedTask.Logging
@@ -80,6 +81,65 @@ namespace GitHub.DistributedTask.Logging
            return trimmed;
        }

+        public static String PowerShellPreAmpersandEscape(String value)
+        {
+            // if the secret is passed to PS as a command and it causes an error, sections of it can be surrounded by color codes
+            // or printed individually. 
+            
+            // The secret secretpart1&secretpart2&secretpart3 would be split into 2 sections:
+            // 'secretpart1&secretpart2&' and 'secretpart3'. This method masks for the first section.
+            
+            // The secret secretpart1&+secretpart2&secretpart3 would be split into 2 sections:
+            // 'secretpart1&+' and (no 's') 'ecretpart2&secretpart3'. This method masks for the first section.
+
+            var trimmed = string.Empty;
+            if (!string.IsNullOrEmpty(value) && value.Contains("&"))
+            {
+                var secretSection = string.Empty;
+                if (value.Contains("&+"))
+                {
+                    secretSection = value.Substring(0, value.IndexOf("&+") + "&+".Length);
+                }
+                else
+                {
+                    secretSection = value.Substring(0, value.LastIndexOf("&") + "&".Length);
+                }
+
+                // Don't mask short secrets
+                if (secretSection.Length >= 6)
+                {
+                    trimmed = secretSection;
+                }
+            }
+
+            return trimmed;
+        }
+
+        public static String PowerShellPostAmpersandEscape(String value)
+        {
+            var trimmed = string.Empty;
+            if (!string.IsNullOrEmpty(value) && value.Contains("&"))
+            {
+                var secretSection = string.Empty;
+                if (value.Contains("&+"))
+                {
+                    // +1 to skip the letter that got colored
+                    secretSection = value.Substring(value.IndexOf("&+") + "&+".Length + 1);
+                }
+                else
+                {
+                    secretSection = value.Substring(value.LastIndexOf("&") + "&".Length);
+                }
+
+                if (secretSection.Length >= 6)
+                {
+                    trimmed = secretSection;
+                }
+            }
+
+            return trimmed;
+        }
+
        private static string Base64StringEscapeShift(String value, int shift)
        {
            var bytes = Encoding.UTF8.GetBytes(value);
--- a/src/Test/L0/HostContextL0.cs
+++ b/src/Test/L0/HostContextL0.cs
@@ -112,6 +112,36 @@ namespace GitHub.Runner.Common.Tests
            }
        }

+        [Theory]
+        [InlineData("secret&secret&secret", "secret&secret&\x0033[96msecret\x0033[0m", "***\x0033[96m***\x0033[0m")]
+        [InlineData("secret&secret+secret", "secret&\x0033[96msecret+secret\x0033[0m", "***\x0033[96m***\x0033[0m")]
+        [InlineData("secret+secret&secret", "secret+secret&\x0033[96msecret\x0033[0m", "***\x0033[96m***\x0033[0m")]
+        [InlineData("secret&secret&+secretsecret", "secret&secret&+\x0033[96ms\x0033[0mecretsecret", "***\x0033[96ms\x0033[0m***")]
+        [InlineData("secret&+secret&secret", "secret&+\x0033[96ms\x0033[0mecret&secret", "***\x0033[96ms\x0033[0m***")]
+        [InlineData("secret&+secret&+secret", "secret&+\x0033[96ms\x0033[0mecret&+secret", "***\x0033[96ms\x0033[0m***")]
+        [InlineData("secret&+secret&secret&+secret", "secret&+\x0033[96ms\x0033[0mecret&secret&+secret", "***\x0033[96ms\x0033[0m***")]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Common")]
+        public void SecretSectionMasking(string secret, string rawOutput, string maskedOutput)
+        {
+            try
+            {
+                // Arrange.
+                Setup();
+
+                // Act.
+                _hc.SecretMasker.AddValue(secret);
+
+                // Assert.
+                Assert.Equal(maskedOutput, _hc.SecretMasker.MaskSecrets(rawOutput));
+            }
+            finally
+            {
+                // Cleanup.
+                Teardown();
+            }
+        }
+
        [Fact]
        [Trait("Level", "L0")]
        [Trait("Category", "Common")]
--- a/src/runnerversion
+++ b/src/runnerversion
@@ -1 +1 @@
-2.280.3
+2.281.0
Author	SHA1	Message	Date
Ferenc Hammerl	b6aa01fabc	Update releaseVersion	2021-08-30 19:27:28 +02:00
Ferenc Hammerl	3615fb6923	Runner 2.281.0 (#1298 ) * Add generateIdTokenUrl as an env var * Add generateIdTokenUrl to env vars * Update runnerversion * Remove old relese notes * Update releaseNote.md	2021-08-30 18:57:24 +02:00
Ferenc Hammerl	f61dcad5bb	Don't try to login to ghcr.io with GHES tokens (#1291 ) * Don't try GHXX tokens for ghcr.io login * Explain hosted / onpremise in comment * Nitfix variable name	2021-08-30 11:52:12 +02:00
Tingluo Huang	62d568674c	Add `ACTIONS_ID_TOKEN_REQUEST_URL/Token` to script as well. (#1287 )	2021-08-26 13:29:02 -04:00
Ferenc Hammerl	07c00f6a8a	PowerShell secret masking (#1258 ) * Trim pwsh special chars when masking secrets * Add pwsh valueEncoder * Explain regex * Update ValueEncoders.cs * Add tests for pwsh color codes in secrets * Formatting * Group tests into theories * Split secret on PS chars and mask for them * Clean up comments * Remove unused unittest * Rename escape methods	2021-08-25 23:07:19 +02:00
Tingluo Huang	05b84297b7	Add extra env for the Token log-in action is going to use to request ID_TOKEN. (#1270 )	2021-08-23 14:50:35 -04:00
Thomas Boop	04679b56a9	Runner 2.280.3 Release (#1276 )	2021-08-19 08:40:11 -04:00
Thomas Boop	d2ca24fa43	For Main Steps, just run the step, don't check condition (#1273 ) * For Main Steps, just run the step, don't check condition * fix whitespace * pr feedback	2021-08-18 16:40:25 -04:00
Thomas Boop	abdaacfa6e	Runner release 2.280.2 (#1259 ) * Runner release 2.280.2 * update * update	2021-08-12 12:55:45 -04:00
Thomas Boop	53fd7161e2	send path when resolving actions (#1250 )	2021-08-11 09:48:32 -04:00
Ferenc Hammerl	ce68f3b167	Allow the use of flags in scripts/create-latest-svc.sh in a backwards compatible way (#1220 ) * Use flags in svc creation script * Refactor regex and add comments * Fix indentation and typo in user matching * Consistency use flags in automation scripts * Update documentation to reflect new usage * Make example more readable * Remove test echos from script * Remove test echo * Format scripts and remove test script * Remove tar * Use getopts and single letter flags * Update docs to show flag usage * Update usage of create svc * Revert svc to not use flags * Revert delete script * Update docs * Readd deleted comments	2021-08-09 10:22:19 +02:00
Thomas Boop	e2c7329292	Release notes for 2.280.1 runner (#1244 )	2021-08-04 13:28:32 -04:00
Thomas Boop	22a9d89772	Correctly set post step step context (#1243 )	2021-08-04 11:39:22 -04:00
Thomas Boop	3851acd0cf	fix continue on error (#1238 )	2021-08-03 17:44:58 -04:00
Tingluo Huang	aab4aca8f7	Finish job when worker crashed with IOException. (#1239 )	2021-08-03 16:21:39 -04:00
@@ -1 +1 @@
 .280.3
 .281.0