Release 2.283.0

* Update releaseNote.md

* Update runnerversion

* Update releaseNote.md

Co-authored-by: Patrick Ellis <319655+pje@users.noreply.github.com>

Co-authored-by: Patrick Ellis <319655+pje@users.noreply.github.com>

.editorconfig

@@ -0,0 +1,8 @@
+# https://editorconfig.org/
+
+[*]
+insert_final_newline = true # ensure all files end with a single newline
+trim_trailing_whitespace = true # attempt to remove trailing whitespace on save
+
+[*.md]
+trim_trailing_whitespace = false # in markdown, "two trailing spaces" is unfortunately meaningful; it means `<br>`

.gitattributes

@@ -20,7 +20,7 @@
 #
 # Merging from the command prompt will add diff markers to the files if there
 # are conflicts (Merging from VS is not affected by the settings below, in VS
-# the diff markers are never inserted). Diff markers may cause the following 
+# the diff markers are never inserted). Diff markers may cause the following
 # file extensions to fail to load in VS. An alternative would be to treat
 # these files as binary and thus will always conflict and require user
 # intervention with every merge. To do so, just uncomment the entries below
@@ -70,9 +70,9 @@
 
 ###############################################################################
 # diff behavior for common document formats
-# 
+#
 # Convert binary document formats to text before diffing them. This feature
-# is only available from the command line. Turn it on by uncommenting the 
+# is only available from the command line. Turn it on by uncommenting the
 # entries below.
 ###############################################################################
 *.doc   diff=astextplain

.github/ISSUE_TEMPLATE/enhancement_request.md

@@ -24,4 +24,4 @@ If applicable, add a code snippet.
 **Additional information**
 Add any other context about the feature here.
 
-NOTE: if the feature request has been agreed upon then the assignee will create an ADR.   See docs/adrs/README.md
+NOTE: if the feature request has been agreed upon then the assignee will create an ADR.   See docs/adrs/README.md

.github/workflows/build.yml

@@ -7,12 +7,12 @@ on:
     - main
     - releases/*
     paths-ignore:
-    - '**.md'    
+    - '**.md'
   pull_request:
     branches:
     - '*'
     paths-ignore:
-    - '**.md'    
+    - '**.md'
 
 jobs:
   build:

.github/workflows/codeql.yml

@@ -28,7 +28,7 @@ jobs:
       #   languages: go, javascript, csharp, python, cpp, java
 
     - name: Manual build
-      run : | 
+      run : |
         ./dev.sh layout Release linux-x64
       working-directory: src
 

.github/workflows/release.yml

@@ -5,7 +5,7 @@ on:
   push:
     paths:
     - releaseVersion
-  
+
 jobs:
   check:
     if: startsWith(github.ref, 'refs/heads/releases/') || github.ref == 'refs/heads/main'
@@ -13,8 +13,8 @@ jobs:
     steps:
     - uses: actions/checkout@v2
 
-    # Make sure ./releaseVersion match ./src/runnerversion 
-    # Query GitHub release ensure version is not used 
+    # Make sure ./releaseVersion match ./src/runnerversion
+    # Query GitHub release ensure version is not used
     - name: Check version
       uses: actions/github-script@0.3.0
       with:
@@ -42,7 +42,7 @@ jobs:
               throw e
             }
           }
-  
+
   build:
     needs: check
     outputs:
@@ -152,7 +152,7 @@ jobs:
           releaseNote = releaseNote.replace(/<LINUX_ARM64_SHA>/g, '${{needs.build.outputs.linux-arm64-sha}}')
           console.log(releaseNote)
           core.setOutput('version', runnerVersion);
-          core.setOutput('note', releaseNote);  
+          core.setOutput('note', releaseNote);
     # Create GitHub release
     - uses: actions/create-release@master
       id: createRelease

.vscode/launch.json

@@ -54,4 +54,4 @@
             "requireExactSource": false,
         },
     ],
-}
+}

docs/automate.md

@@ -21,7 +21,7 @@ export RUNNER_CFG_PAT=yourPAT
 
 :point_right: [Sample script here](../scripts/create-latest-svc.sh) :point_left:
 
-Run as a one-liner. NOTE: replace with yourorg/yourrepo (repo level) or just yourorg (org level) 
+Run as a one-liner. NOTE: replace with yourorg/yourrepo (repo level) or just yourorg (org level)
 ```bash
 curl -s https://raw.githubusercontent.com/actions/runner/main/scripts/create-latest-svc.sh | bash -s yourorg/yourrepo
 ```
@@ -47,7 +47,7 @@ curl -s https://raw.githubusercontent.com/actions/runner/main/scripts/create-lat
 
 The runner is installed as a service using `systemd` and `systemctl`. Docker does not support `systemd` for service configuration on a container.
 
-## Uninstall running as service 
+## Uninstall running as service
 
 **Scenario**: Run on a machine or VM ([not container](#why-cant-i-use-a-container)) which automates:
 
@@ -57,7 +57,7 @@ The runner is installed as a service using `systemd` and `systemctl`. Docker doe
 
 :point_right: [Sample script here](../scripts/remove-svc.sh) :point_left:
 
-Repo level one liner.  NOTE: replace with yourorg/yourrepo (repo level) or just yourorg (org level) 
+Repo level one liner.  NOTE: replace with yourorg/yourrepo (repo level) or just yourorg (org level)
 ```bash
 curl -s https://raw.githubusercontent.com/actions/runner/main/scripts/remove-svc.sh | bash -s yourorg/yourrepo
 ```

docs/checks/actions.md

@@ -18,16 +18,16 @@ Make sure the runner has access to actions service for GitHub.com or GitHub Ente
 
 - DNS lookup for api.github.com or myGHES.com using dotnet
 - Ping api.github.com or myGHES.com using dotnet
-- Make HTTP GET to https://api.github.com or https://myGHES.com/api/v3 using dotnet, check response headers contains `X-GitHub-Request-Id` 
+- Make HTTP GET to https://api.github.com or https://myGHES.com/api/v3 using dotnet, check response headers contains `X-GitHub-Request-Id`
 ---
 - DNS lookup for vstoken.actions.githubusercontent.com using dotnet
 - Ping vstoken.actions.githubusercontent.com using dotnet
-- Make HTTP GET to https://vstoken.actions.githubusercontent.com/_apis/health or https://myGHES.com/_services/vstoken/_apis/health using dotnet, check response headers contains `x-vss-e2eid` 
+- Make HTTP GET to https://vstoken.actions.githubusercontent.com/_apis/health or https://myGHES.com/_services/vstoken/_apis/health using dotnet, check response headers contains `x-vss-e2eid`
 ---
 - DNS lookup for pipelines.actions.githubusercontent.com using dotnet
 - Ping pipelines.actions.githubusercontent.com using dotnet
-- Make HTTP GET to https://pipelines.actions.githubusercontent.com/_apis/health or https://myGHES.com/_services/pipelines/_apis/health using dotnet, check response headers contains `x-vss-e2eid` 
-- Make HTTP POST to https://pipelines.actions.githubusercontent.com/_apis/health or https://myGHES.com/_services/pipelines/_apis/health using dotnet, check response headers contains `x-vss-e2eid` 
+- Make HTTP GET to https://pipelines.actions.githubusercontent.com/_apis/health or https://myGHES.com/_services/pipelines/_apis/health using dotnet, check response headers contains `x-vss-e2eid`
+- Make HTTP POST to https://pipelines.actions.githubusercontent.com/_apis/health or https://myGHES.com/_services/pipelines/_apis/health using dotnet, check response headers contains `x-vss-e2eid`
 
 ## How to fix the issue?
 
@@ -42,4 +42,4 @@ Make sure the runner has access to actions service for GitHub.com or GitHub Ente
   
 ## Still not working?
 
-Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.
+Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.

docs/checks/git.md

@@ -31,4 +31,4 @@ The test also set environment variable `GIT_TRACE=1` and `GIT_CURL_VERBOSE=1` be
   
 ## Still not working?
 
-Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.
+Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.

docs/checks/internet.md

@@ -13,7 +13,7 @@ Even the runner is configured to GitHub Enterprise Server, the runner can still
 
 - DNS lookup for api.github.com using dotnet
 - Ping api.github.com using dotnet
-- Make HTTP GET to https://api.github.com using dotnet, check response headers contains `X-GitHub-Request-Id` 
+- Make HTTP GET to https://api.github.com using dotnet, check response headers contains `X-GitHub-Request-Id`
 
 ## How to fix the issue?
 
@@ -23,4 +23,4 @@ Even the runner is configured to GitHub Enterprise Server, the runner can still
 
 ## Still not working?
 
-Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.
+Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.

docs/checks/network.md

@@ -25,7 +25,7 @@ Use a 3rd party tool to make the same requests as the runner did would be a good
 
 - Use `nslookup` to check DNS
 - Use `ping` to check Ping
-- Use `traceroute`, `tracepath`, or `tracert` to check the network route between the runner and the Actions service 
+- Use `traceroute`, `tracepath`, or `tracert` to check the network route between the runner and the Actions service
 - Use `curl -v` to check the network stack, good for verifying default certificate/proxy settings.
 - Use `Invoke-WebRequest` from `pwsh` (`PowerShell Core`) to check the dotnet network stack, good for verifying bugs in the dotnet framework.
 
@@ -50,11 +50,12 @@ If you are having trouble connecting, try these steps:
     - The runner runs on .net core, lets validate the local settings for that stack
     - Open up `pwsh`
     - Run the command using the urls above `Invoke-WebRequest {url}`
-3. If not, get a packet trace using a tool like wireshark and start looking at the TLS handshake. 
+3. If not, get a packet trace using a tool like wireshark and start looking at the TLS handshake.
     - If you see a Client Hello followed by a Server RST:
       - You may need to configure your TLS settings to use the correct version
         - You should support TLS version 1.2 or later
       - You may need to configure your TLS settings to have up to date cipher suites, this may be solved by system updates and patches.
+        - Most notably, on windows server 2012 make sure [the tls cipher suite update](https://support.microsoft.com/en-us/topic/update-adds-new-tls-cipher-suites-and-changes-cipher-suite-priorities-in-windows-8-1-and-windows-server-2012-r2-8e395e43-c8ef-27d8-b60c-0fc57d526d94) is installed
       - Your firewall, proxy or network configuration may be blocking the connection
       - You will want to reach out to whoever is in charge of your network with these pcap files to further troubleshoot
     - If you see a failure later in the handshake:

docs/checks/nodejs.md

@@ -27,4 +27,4 @@ All javascript base Actions will get executed by the built-in `node` at `<runner
   
 ## Still not working?
 
-Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.
+Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.

docs/checks/sslcert.md

@@ -12,7 +12,7 @@ As long as your certificate is generated properly, most of the issues should be
 > !!! DO NOT SKIP SSL CERT VALIDATION !!!  
 > !!! IT IS A BAD SECURITY PRACTICE !!!  
 
-### Download SSL certificate chain 
+### Download SSL certificate chain
 
 Depends on how your SSL server certificate gets configured, you might need to download the whole certificate chain from a machine that has trusted the SSL certificate's CA.
 
@@ -28,7 +28,7 @@ The actions runner is a dotnet core application which will follow how dotnet loa
 
 You can get full details documentation at [here](https://docs.microsoft.com/en-us/dotnet/standard/security/cross-platform-cryptography#x509store)
 
-In short: 
+In short:
 - Windows: Load from Windows certificate store.
 - Linux: Load from OpenSSL CA cert bundle.
 - macOS: Load from macOS KeyChain.
@@ -43,13 +43,13 @@ To let the runner trusts your CA certificate, you will need to:
       1. RedHat: https://www.redhat.com/sysadmin/ca-certificates-cli
       2. Ubuntu: http://manpages.ubuntu.com/manpages/focal/man8/update-ca-certificates.8.html
       3. Google search: "trust ca certificate on [linux distribution]"
-      4. If all approaches failed, set environment variable `SSL_CERT_FILE` to the CA bundle `.pem` file we get. 
+      4. If all approaches failed, set environment variable `SSL_CERT_FILE` to the CA bundle `.pem` file we get.
     > To verify cert gets installed properly on Linux, you can try use `curl -v https://sitewithsslissue.com` and `pwsh -Command \"Invoke-WebRequest -Uri https://sitewithsslissue.com\"`
 
 ### Trust CA certificate for Git CLI
 
 Git uses various CA bundle file depends on your operation system.
-- Git packaged the CA bundle file within the Git installation on Windows 
+- Git packaged the CA bundle file within the Git installation on Windows
 - Git use OpenSSL certificate CA bundle file on Linux and macOS
 
 You can check where Git check CA file by running:

docs/contribute.md

@@ -12,7 +12,7 @@ Issues in this repository should be for the runner application.  Note that the V
 
 ## Enhancements and Feature Requests
 
-We ask that before significant effort is put into code changes, that we have agreement on taking the change before time is invested in code changes. 
+We ask that before significant effort is put into code changes, that we have agreement on taking the change before time is invested in code changes.
 
 1. Create a feature request.  Once agreed we will take the enhancement
 2. Create an ADR to agree on the details of the change.
@@ -46,9 +46,9 @@ Tip: Make sure your job can run on this runner. The easiest way is to set `runs-
 
 
 ## Development Life Cycle
-If you're using VS Code, you can follow [these](contribute/vscode.md) steps instead. 
+If you're using VS Code, you can follow [these](contribute/vscode.md) steps instead.
 
-### To Build, Test, Layout 
+### To Build, Test, Layout
 
 Navigate to the `src` directory and run the following command:
 

docs/contribute/vscode.md

@@ -4,7 +4,7 @@ These examples use VS Code, but the idea should be similar across all IDEs as lo
 ## Configure
 
 To successfully start the runner, you need to register it using a repository and a runner registration token.
-Run `Configure` first to build the source code and set up the runner in `_layout`. 
+Run `Configure` first to build the source code and set up the runner in `_layout`.
 Once it's done creating `_layout`, it asks for the url of your repository and your token in the terminal.
 
 Check [Quickstart](../contribute.md#quickstart-run-a-job-from-a-real-repository) if you don't know how to get this token.
@@ -34,7 +34,7 @@ All the configs below can be found in `.vscode/launch.json`.
 
 If you launch `Run` or `Run [build]`, it starts a process called `Runner.Listener`.
 This process will receive any job queued on this repository if the job runs on matching labels (e.g `runs-on: self-hosted`).
-Once a job is received, a `Runner.Listener` starts a new process of `Runner.Worker`. 
+Once a job is received, a `Runner.Listener` starts a new process of `Runner.Worker`.
 Since this is a diferent process, you can't use the same debugger session debug it.
 Instead, a parallel debugging session has to be started, using a different launch config.
 Luckily, VS Code supports multiple parallel debugging sessions.
@@ -45,7 +45,7 @@ Because the worker process is usually started by the listener instead of an IDE,
 For this reason, `Runner.Worker` can be configured to wait for a debugger to be attached before it begins any actual work.
 
 Set the environment variable `GITHUB_ACTIONS_RUNNER_ATTACH_DEBUGGER` to `true` or `1` to enable this wait.
-All worker processes now will wait 20 seconds before they start working on their task. 
+All worker processes now will wait 20 seconds before they start working on their task.
 
 This gives enough time to attach a debugger by running `Debug Worker`.
 If for some reason you have multiple workers running, run the launch config `Attach` instead.

docs/design/auth.md

@@ -58,4 +58,4 @@ Authentication in a workflow run to github.com can be accomplished by using the
 
 Hosted runner authentication differs from self-hosted authentication in that runners do not undergo a registration process, but instead, the hosted runners get the OAuth token directly by reading the `.credentials` file. The scope of this particular token is limited for a given workflow job execution, and the token is revoked as soon as the job is finished.
 
-![Hosted runner config and start](../res/hosted-config-start.png)
+![Hosted runner config and start](../res/hosted-config-start.png)

docs/start/envlinux.md

@@ -27,7 +27,7 @@ Dependencies is missing for Dotnet Core 3.0
 Execute ./bin/installdependencies.sh to install any missing Dotnet Core 3.0 dependencies.
 ```
 You can easily correct the problem by executing `./bin/installdependencies.sh`.  
-The `installdependencies.sh` script should install all required dependencies on all supported Linux versions   
+The `installdependencies.sh` script should install all required dependencies on all supported Linux versions  
 > Note: The `installdependencies.sh` script will try to use the default package management mechanism on your Linux flavor (ex. `yum`/`apt-get`/`apt`).
 
 ### Full dependencies list
@@ -35,15 +35,15 @@ The `installdependencies.sh` script should install all required dependencies on
 Debian based OS (Debian, Ubuntu, Linux Mint)
 
 - liblttng-ust0
-- libkrb5-3 
+- libkrb5-3
 - zlib1g
 - libssl1.1, libssl1.0.2 or libssl1.0.0
 - libicu63, libicu60, libicu57 or libicu55
 
 Fedora based OS (Fedora, Red Hat Enterprise Linux, CentOS, Oracle Linux 7)
 
-- lttng-ust 
-- openssl-libs 
+- lttng-ust
+- openssl-libs
 - krb5-libs
 - zlib
 - libicu

docs/start/envosx.md

@@ -5,7 +5,7 @@
 ## Supported Versions
 
   - macOS High Sierra (10.13) and later versions
- 
+
 ## Apple Silicon M1
 
 The runner is currently not supported on devices with an Apple M1 chip.  

releaseNote.md

@@ -1,20 +1,13 @@
 ## Features
 
-- Support the `--ephemeral` flag (#660)
-  - This optional flag will configure the runner to only take one job, and let the service un-configure the runner after that job finishes.
-  - Expect to see more info in the Github API documentation soon. We'll link to those docs directly as they become generally available!
-
-## Bugs
-
-- Fix a bug in `script/delete` wherein a repo with multiple runners would be unable to find the correct runner (#1268) (#1269)
-- Mitigate a race condition when requesting an OIDC `Id_token` (#1320)
-- Make client retries more resilient in JobServer (#1316)
+- Collect more telemetry
+- Make `runner.name` available as a runner context variable
+- Add attempt number (`run_attempt`) to GitHub context 
+- When using the `--ephemeral` flag, ensure that the runner cleans up local `.runner` and `.credentials` files after completion (#1337)
 
 ## Misc
 
-- Increase readability of colored console output (#1295) (#1319)
-- Add more network troubleshooting to the docs (#1325)
-- Bump [path-parse](https://github.com/jbgutierrez/path-parse) from 1.0.6 to 1.0.7 (#1256)
+- Improved network troubleshooting docs
 
 ## Windows x64
 We recommend configuring the runner in a root folder of the Windows drive (e.g. "C:\actions-runner"). This will help avoid issues related to service identity folder permissions and long file path restrictions on Windows.
@@ -26,7 +19,7 @@ mkdir \actions-runner ; cd \actions-runner
 # Download the latest runner package
 Invoke-WebRequest -Uri https://github.com/actions/runner/releases/download/v<RUNNER_VERSION>/actions-runner-win-x64-<RUNNER_VERSION>.zip -OutFile actions-runner-win-x64-<RUNNER_VERSION>.zip
 # Extract the installer
-Add-Type -AssemblyName System.IO.Compression.FileSystem ; 
+Add-Type -AssemblyName System.IO.Compression.FileSystem ;
 [System.IO.Compression.ZipFile]::ExtractToDirectory("$PWD\actions-runner-win-x64-<RUNNER_VERSION>.zip", "$PWD")
 ```
 

releaseVersion

@@ -1 +1 @@
-<Update to ./src/runnerversion when creating release>
+2.283.0

scripts/README.md

@@ -1,4 +1,4 @@
 # Sample scripts for self-hosted runners
 
 Here are some examples to work from if you'd like to automate your use of self-hosted runners.
-See the docs [here](../docs/automate.md).
+See the docs [here](../docs/automate.md).

src/Runner.Common/JobServer.cs

@@ -2,19 +2,16 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
-using System.Net.Http;
 using System.Threading;
 using System.Threading.Tasks;
-using GitHub.Runner.Sdk;
 using GitHub.Services.WebApi;
-using GitHub.Services.Common;
 
 namespace GitHub.Runner.Common
 {
     [ServiceLocator(Default = typeof(JobServer))]
     public interface IJobServer : IRunnerService
     {
-        Task ConnectAsync(Uri jobServerUrl, VssCredentials jobServerCredential, DelegatingHandler[] delegatingHandler = null);
+        Task ConnectAsync(VssConnection jobConnection);
 
         // logging and console
         Task<TaskLog> AppendLogContentAsync(Guid scopeIdentifier, string hubName, Guid planId, int logId, Stream uploadStream, CancellationToken cancellationToken);
@@ -35,21 +32,20 @@ namespace GitHub.Runner.Common
         private VssConnection _connection;
         private TaskHttpClient _taskClient;
 
-        public async Task ConnectAsync(Uri jobServerUrl, VssCredentials jobServerCredential, DelegatingHandler[] delegatingHandler = null)
+        public async Task ConnectAsync(VssConnection jobConnection)
         {
-            Trace.Info($"Establishing connection for JobServer");
+            _connection = jobConnection;
             int attemptCount = 5;
-
-            while (attemptCount-- > 0)
+            while (!_connection.HasAuthenticated && attemptCount-- > 0)
             {
                 try
                 {
-                    await RefreshConnectionAsync(jobServerUrl, jobServerCredential, delegatingHandler);
+                    await _connection.ConnectAsync();
                     break;
                 }
                 catch (Exception ex) when (attemptCount > 0)
                 {
-                    Trace.Info($"Catch exception during connect. {attemptCount} attempts left.");
+                    Trace.Info($"Catch exception during connect. {attemptCount} attemp left.");
                     Trace.Error(ex);
                 }
 
@@ -57,15 +53,6 @@ namespace GitHub.Runner.Common
             }
 
             _taskClient = _connection.GetClient<TaskHttpClient>();
-        }
-
-        private async Task RefreshConnectionAsync(Uri jobServerUrl, VssCredentials jobServerCredential, DelegatingHandler[] delegatingHandler)
-        {
-            Trace.Info($"Refresh JobServer VssConnection to get on a different AFD node.");
-            _hasConnection = false;
-            _connection?.Dispose();
-            _connection = VssUtil.CreateConnection(jobServerUrl, jobServerCredential, delegatingHandler);
-            await _connection.ConnectAsync();
             _hasConnection = true;
         }
 

src/Runner.Listener/Configuration/ConfigurationManager.cs

@@ -22,6 +22,7 @@ namespace GitHub.Runner.Listener.Configuration
         bool IsConfigured();
         Task ConfigureAsync(CommandSettings command);
         Task UnconfigureAsync(CommandSettings command);
+        void DeleteLocalRunnerConfig();
         RunnerSettings LoadSettings();
     }
 
@@ -329,6 +330,38 @@ namespace GitHub.Runner.Listener.Configuration
 #endif
         }
 
+        // Delete .runner and .credentials files
+        public void DeleteLocalRunnerConfig()
+        {
+            bool isConfigured = _store.IsConfigured();
+            bool hasCredentials = _store.HasCredentials();
+            //delete credential config files
+            var currentAction = "Removing .credentials";
+            if (hasCredentials)
+            {
+                _store.DeleteCredential();
+                var keyManager = HostContext.GetService<IRSAKeyManager>();
+                keyManager.DeleteKey();
+                _term.WriteSuccessMessage("Removed .credentials");
+            }
+            else
+            {
+                _term.WriteLine("Does not exist. Skipping " + currentAction);
+            }
+
+            //delete settings config file
+            currentAction = "Removing .runner";
+            if (isConfigured)
+            {
+                _store.DeleteSettings();
+                _term.WriteSuccessMessage("Removed .runner");
+            }
+            else
+            {
+                _term.WriteLine("Does not exist. Skipping " + currentAction);
+            }
+        }
+
         public async Task UnconfigureAsync(CommandSettings command)
         {
             string currentAction = string.Empty;
@@ -402,31 +435,7 @@ namespace GitHub.Runner.Listener.Configuration
                     _term.WriteLine("Cannot connect to server, because config files are missing. Skipping removing runner from the server.");
                 }
 
-                //delete credential config files
-                currentAction = "Removing .credentials";
-                if (hasCredentials)
-                {
-                    _store.DeleteCredential();
-                    var keyManager = HostContext.GetService<IRSAKeyManager>();
-                    keyManager.DeleteKey();
-                    _term.WriteSuccessMessage("Removed .credentials");
-                }
-                else
-                {
-                    _term.WriteLine("Does not exist. Skipping " + currentAction);
-                }
-
-                //delete settings config file
-                currentAction = "Removing .runner";
-                if (isConfigured)
-                {
-                    _store.DeleteSettings();
-                    _term.WriteSuccessMessage("Removed .runner");
-                }
-                else
-                {
-                    _term.WriteLine("Does not exist. Skipping " + currentAction);
-                }
+                DeleteLocalRunnerConfig();
             }
             catch (Exception)
             {

src/Runner.Listener/JobDispatcher.cs

@@ -36,7 +36,10 @@ namespace GitHub.Runner.Listener
     {
         private readonly Lazy<Dictionary<long, TaskResult>> _localRunJobResult = new Lazy<Dictionary<long, TaskResult>>();
         private int _poolId;
-        RunnerSettings _runnerSetting;
+
+        IConfigurationStore _configurationStore;
+
+        RunnerSettings _runnerSettings;
         private static readonly string _workerProcessName = $"Runner.Worker{IOUtil.ExeExtension}";
 
         // this is not thread-safe
@@ -54,9 +57,9 @@ namespace GitHub.Runner.Listener
             base.Initialize(hostContext);
 
             // get pool id from config
-            var configurationStore = hostContext.GetService<IConfigurationStore>();
-            _runnerSetting = configurationStore.GetSettings();
-            _poolId = _runnerSetting.PoolId;
+            _configurationStore = hostContext.GetService<IConfigurationStore>();
+            _runnerSettings = _configurationStore.GetSettings();
+            _poolId = _runnerSettings.PoolId;
 
             int channelTimeoutSeconds;
             if (!int.TryParse(Environment.GetEnvironmentVariable("GITHUB_ACTIONS_RUNNER_CHANNEL_TIMEOUT") ?? string.Empty, out channelTimeoutSeconds))
@@ -510,8 +513,9 @@ namespace GitHub.Runner.Listener
 
                                     var jobServer = HostContext.GetService<IJobServer>();
                                     VssCredentials jobServerCredential = VssUtil.GetVssCredential(systemConnection);
+                                    VssConnection jobConnection = VssUtil.CreateConnection(systemConnection.Url, jobServerCredential);
+                                    await jobServer.ConnectAsync(jobConnection);
 
-                                    await jobServer.ConnectAsync(systemConnection.Url, jobServerCredential);
                                     await LogWorkerProcessUnhandledException(jobServer, message, detailInfo);
 
                                     // Go ahead to finish the job with result 'Failed' if the STDERR from worker is System.IO.IOException, since it typically means we are running out of disk space.
@@ -660,13 +664,15 @@ namespace GitHub.Runner.Listener
                 try
                 {
                     request = await runnerServer.RenewAgentRequestAsync(poolId, requestId, lockToken, orchestrationId, token);
-
                     Trace.Info($"Successfully renew job request {requestId}, job is valid till {request.LockedUntil.Value}");
 
                     if (!firstJobRequestRenewed.Task.IsCompleted)
                     {
                         // fire first renew succeed event.
                         firstJobRequestRenewed.TrySetResult(0);
+
+                        // Update settings if the runner name has been changed server-side
+                        UpdateAgentNameIfNeeded(request.ReservedAgent?.Name);
                     }
 
                     if (encounteringError > 0)
@@ -766,6 +772,27 @@ namespace GitHub.Runner.Listener
             }
         }
 
+        private void UpdateAgentNameIfNeeded(string agentName)
+        {
+            var isNewAgentName = !string.Equals(_runnerSettings.AgentName, agentName, StringComparison.Ordinal);
+            if (!isNewAgentName || string.IsNullOrEmpty(agentName))
+            {
+                return;
+            }
+
+            _runnerSettings.AgentName = agentName;
+            try
+            {
+                _configurationStore.SaveSettings(_runnerSettings);
+            }
+            catch (Exception ex)
+            {
+                Trace.Error("Cannot update the settings file:");
+                Trace.Error(ex);
+            }
+
+        }
+
         // Best effort upload any logs for this job.
         private async Task TryUploadUnfinishedLogs(Pipelines.AgentJobRequestMessage message)
         {
@@ -790,8 +817,9 @@ namespace GitHub.Runner.Listener
 
                 var jobServer = HostContext.GetService<IJobServer>();
                 VssCredentials jobServerCredential = VssUtil.GetVssCredential(systemConnection);
+                VssConnection jobConnection = VssUtil.CreateConnection(systemConnection.Url, jobServerCredential);
 
-                await jobServer.ConnectAsync(systemConnection.Url, jobServerCredential);
+                await jobServer.ConnectAsync(jobConnection);
 
                 var timeline = await jobServer.GetTimelineAsync(message.Plan.ScopeIdentifier, message.Plan.PlanType, message.Plan.PlanId, message.Timeline.Id, CancellationToken.None);
 

src/Runner.Listener/Runner.cs

@@ -214,7 +214,7 @@ namespace GitHub.Runner.Listener
                     var startupTypeAsString = command.GetStartupType();
                     if (string.IsNullOrEmpty(startupTypeAsString) && configuredAsService)
                     {
-                        // We need try our best to make the startup type accurate 
+                        // We need try our best to make the startup type accurate
                         // The problem is coming from runner autoupgrade, which result an old version service host binary but a newer version runner binary
                         // At that time the servicehost won't pass --startuptype to Runner.Listener while the runner is actually running as service.
                         // We will guess the startup type only when the runner is configured as service and the guess will based on whether STDOUT/STDERR/STDIN been redirect or not
@@ -478,6 +478,12 @@ namespace GitHub.Runner.Listener
                     }
 
                     messageQueueLoopTokenSource.Dispose();
+
+                    if (settings.Ephemeral)
+                    {
+                        var configManager = HostContext.GetService<IConfigurationManager>();
+                        configManager.DeleteLocalRunnerConfig();
+                    }
                 }
             }
             catch (TaskAgentAccessTokenExpiredException)

src/Runner.Worker/ActionCommandManager.cs

@@ -1,7 +1,5 @@
-using GitHub.DistributedTask.Pipelines;
-using GitHub.DistributedTask.Pipelines.ContextData;
+using GitHub.DistributedTask.Pipelines.ContextData;
 using GitHub.DistributedTask.WebApi;
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Worker.Container;
 using System;
 using System.Collections.Generic;
@@ -113,6 +111,15 @@ namespace GitHub.Runner.Worker
                         context.Output(input);
                         context.Debug("Paused processing commands until '##[{actionCommand.Data}]' is received");
                         _stopToken = actionCommand.Data;
+                        if (_registeredCommands.Contains(actionCommand.Data) || string.IsNullOrEmpty(actionCommand.Data))
+                        {
+                            var telemetry = new JobTelemetry
+                            {
+                                Message = $"Invoked ::stopCommand:: with token: [{actionCommand.Data}]",
+                                Type = JobTelemetryType.ActionCommand
+                            };
+                            context.JobTelemetry.Add(telemetry);
+                        }
                         _stopProcessCommand = true;
                         _registeredCommands.Add(_stopToken);
                         return true;

src/Runner.Worker/ExecutionContext.cs

@@ -52,6 +52,7 @@ namespace GitHub.Runner.Worker
         Dictionary<string, VariableValue> JobOutputs { get; }
         ActionsEnvironmentReference ActionsEnvironment { get; }
         List<ActionsStepTelemetry> ActionsStepsTelemetry { get; }
+        List<JobTelemetry> JobTelemetry { get; }
         DictionaryContextData ExpressionValues { get; }
         IList<IFunctionInfo> ExpressionFunctions { get; }
         JobContext JobContext { get; }
@@ -150,6 +151,7 @@ namespace GitHub.Runner.Worker
 
         public ActionsEnvironmentReference ActionsEnvironment { get; private set; }
         public List<ActionsStepTelemetry> ActionsStepsTelemetry { get; private set; }
+        public List<JobTelemetry> JobTelemetry { get; private set; }
         public DictionaryContextData ExpressionValues { get; } = new DictionaryContextData();
         public IList<IFunctionInfo> ExpressionFunctions { get; } = new List<IFunctionInfo>();
 
@@ -294,6 +296,7 @@ namespace GitHub.Runner.Worker
             child.ContextName = contextName;
             child.EmbeddedId = embeddedId;
             child.SiblingScopeName = siblingScopeName;
+            child.JobTelemetry = JobTelemetry;
             if (intraActionState == null)
             {
                 child.IntraActionState = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
@@ -650,6 +653,8 @@ namespace GitHub.Runner.Worker
             // ActionsStepTelemetry
             ActionsStepsTelemetry = new List<ActionsStepTelemetry>();
 
+            JobTelemetry = new List<JobTelemetry>();
+
             // Service container info
             Global.ServiceContainers = new List<ContainerInfo>();
 

src/Runner.Worker/GitHubContext.cs

@@ -26,6 +26,7 @@ namespace GitHub.Runner.Worker
             "repository",
             "repository_owner",
             "retention_days",
+            "run_attempt",
             "run_id",
             "run_number",
             "server_url",

src/Runner.Worker/JobRunner.cs

@@ -48,8 +48,8 @@ namespace GitHub.Runner.Worker
             Trace.Info($"Creating job server with URL: {jobServerUrl}");
             // jobServerQueue is the throttling reporter.
             _jobServerQueue = HostContext.GetService<IJobServerQueue>();
-            
-            await jobServer.ConnectAsync(jobServerUrl, jobServerCredential, new DelegatingHandler[] { new ThrottlingReportHandler(_jobServerQueue) });
+            VssConnection jobConnection = VssUtil.CreateConnection(jobServerUrl, jobServerCredential, new DelegatingHandler[] { new ThrottlingReportHandler(_jobServerQueue) });
+            await jobServer.ConnectAsync(jobConnection);
 
             _jobServerQueue.Start(message);
             HostContext.WritePerfCounter($"WorkerJobServerQueueStarted_{message.RequestId.ToString()}");
@@ -106,6 +106,9 @@ namespace GitHub.Runner.Worker
 
                 jobContext.SetRunnerContext("os", VarUtil.OS);
 
+                var runnerSettings = HostContext.GetService<IConfigurationStore>().GetSettings();
+                jobContext.SetRunnerContext("name", runnerSettings.AgentName);
+
                 string toolsDirectory = HostContext.GetDirectory(WellKnownDirectory.Tools);
                 Directory.CreateDirectory(toolsDirectory);
                 jobContext.SetRunnerContext("tool_cache", toolsDirectory);
@@ -225,8 +228,12 @@ namespace GitHub.Runner.Worker
                 return result;
             }
 
+            // Make sure we don't submit secrets as telemetry
+            MaskTelemetrySecrets(jobContext.JobTelemetry);
+
             Trace.Info("Raising job completed event.");
-            var jobCompletedEvent = new JobCompletedEvent(message.RequestId, message.JobId, result, jobContext.JobOutputs, jobContext.ActionsEnvironment, jobContext.ActionsStepsTelemetry);
+            var jobCompletedEvent = new JobCompletedEvent(message.RequestId, message.JobId, result, jobContext.JobOutputs, jobContext.ActionsEnvironment, jobContext.ActionsStepsTelemetry, jobContext.JobTelemetry);
+
 
             var completeJobRetryLimit = 5;
             var exceptions = new List<Exception>();
@@ -270,6 +277,14 @@ namespace GitHub.Runner.Worker
             throw new AggregateException(exceptions);
         }
 
+        private void MaskTelemetrySecrets(List<JobTelemetry> jobTelemetry)
+        {
+            foreach (var telemetryItem in jobTelemetry)
+            {
+                telemetryItem.Message = HostContext.SecretMasker.MaskSecrets(telemetryItem.Message);
+            }
+        }
+
         private async Task ShutdownQueue(bool throwOnFailure)
         {
             if (_jobServerQueue != null)

src/Sdk/DTWebApi/WebApi/JobEvent.cs

@@ -153,6 +153,19 @@ namespace GitHub.DistributedTask.WebApi
         {
             this.ActionsEnvironment = actionsEnvironment;
             this.ActionsStepsTelemetry = actionsStepsTelemetry;
+        }        
+        
+        public JobCompletedEvent(
+            Int64 requestId,
+            Guid jobId,
+            TaskResult result,
+            Dictionary<String, VariableValue> outputs,
+            ActionsEnvironmentReference actionsEnvironment,
+            List<ActionsStepTelemetry> actionsStepsTelemetry,
+            List<JobTelemetry> jobTelemetry)
+            : this(requestId, jobId, result, outputs, actionsEnvironment, actionsStepsTelemetry)
+        {
+            this.JobTelemetry = jobTelemetry;
         }
 
         [DataMember(EmitDefaultValue = false)]
@@ -189,6 +202,13 @@ namespace GitHub.DistributedTask.WebApi
             get;
             set;
         }
+
+        [DataMember(EmitDefaultValue = false)]
+        public List<JobTelemetry> JobTelemetry
+        {
+            get;
+            set;
+        }
     }
 
     [DataContract]

src/Sdk/DTWebApi/WebApi/JobTelemetry.cs

@@ -0,0 +1,17 @@
+using System.Runtime.Serialization;
+
+namespace GitHub.DistributedTask.WebApi
+{
+    /// <summary>
+    /// Information about a job run on the runner
+    /// </summary>
+    [DataContract]
+    public class JobTelemetry
+    {
+        [DataMember(EmitDefaultValue = false)]
+        public string Message { get; set; }
+
+        [DataMember(EmitDefaultValue = false)]
+        public JobTelemetryType Type { get; set; }
+    }
+}

src/Sdk/DTWebApi/WebApi/JobTelemetryType.cs

@@ -0,0 +1,13 @@
+using System.Runtime.Serialization;
+
+namespace GitHub.DistributedTask.WebApi
+{
+    public enum JobTelemetryType
+    {
+        [EnumMember]
+        General = 0,
+
+        [EnumMember]
+        ActionCommand = 1,
+    }
+}

src/Test/L0/Listener/Configuration/ConfigurationManagerL0.cs

@@ -161,7 +161,8 @@ namespace GitHub.Runner.Common.Tests.Listener.Configuration
                        "--work", _expectedWorkFolder,
                        "--auth", _expectedAuthType,
                        "--token", _expectedToken,
-                       "--labels", userLabels
+                       "--labels", userLabels,
+                       "--ephemeral",
                     });
                 trace.Info("Constructed.");
                 _store.Setup(x => x.IsConfigured()).Returns(false);
@@ -179,6 +180,7 @@ namespace GitHub.Runner.Common.Tests.Listener.Configuration
                 Assert.True(s.AgentName.Equals(_expectedAgentName));
                 Assert.True(s.PoolId.Equals(_secondRunnerGroupId));
                 Assert.True(s.WorkFolder.Equals(_expectedWorkFolder));
+                Assert.True(s.Ephemeral.Equals(true));
 
                 // validate GetAgentPoolsAsync gets called twice with automation pool type
                 _runnerServer.Verify(x => x.GetAgentPoolsAsync(It.IsAny<string>(), It.Is<TaskAgentPoolType>(p => p == TaskAgentPoolType.Automation)), Times.Exactly(2));

src/Test/L0/Listener/JobDispatcherL0.cs

@@ -264,6 +264,170 @@ namespace GitHub.Runner.Common.Tests.Listener
             }
         }
 
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Runner")]
+        public async void RenewJobRequestNewAgentNameUpdatesSettings()
+        {
+            //Arrange
+            using (var hc = new TestHostContext(this))
+            {
+                var count = 0;
+                var oldName = "OldName";
+                var newName = "NewName";
+                var oldSettings = new RunnerSettings { AgentName = oldName };
+                var reservedAgent = new TaskAgentReference { Name = newName };
+
+                var trace = hc.GetTrace(nameof(DispatcherRenewJobRequestStopOnJobTokenExpiredExceptions));
+                TaskCompletionSource<int> firstJobRequestRenewed = new TaskCompletionSource<int>();
+                CancellationTokenSource cancellationTokenSource = new CancellationTokenSource();
+
+                var request = new Mock<TaskAgentJobRequest>();
+                request.Object.ReservedAgent = reservedAgent;
+                PropertyInfo lockUntilProperty = request.Object.GetType().GetProperty("LockedUntil", BindingFlags.Instance | BindingFlags.NonPublic | BindingFlags.Public);
+                Assert.NotNull(lockUntilProperty);
+                lockUntilProperty.SetValue(request.Object, DateTime.UtcNow.AddMinutes(5));
+                hc.SetSingleton<IRunnerServer>(_runnerServer.Object);
+                hc.SetSingleton<IConfigurationStore>(_configurationStore.Object);
+                _configurationStore.Setup(x => x.GetSettings()).Returns(oldSettings);
+                _runnerServer.Setup(x => x.RenewAgentRequestAsync(It.IsAny<int>(), It.IsAny<long>(), It.IsAny<Guid>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
+                            .Returns(() =>
+                            {
+                                count++;
+                                if (count < 5)
+                                {
+                                    return Task.FromResult<TaskAgentJobRequest>(request.Object);
+                                }
+                                else if (count == 5 || count == 6 || count == 7)
+                                {
+                                    throw new TimeoutException("");
+                                }
+                                else
+                                {
+                                    cancellationTokenSource.Cancel();
+                                    return Task.FromResult<TaskAgentJobRequest>(request.Object);
+                                }
+                            });
+
+                var jobDispatcher = new JobDispatcher();
+                jobDispatcher.Initialize(hc);
+
+                // Act
+                await jobDispatcher.RenewJobRequestAsync(0, 0, Guid.Empty, Guid.NewGuid().ToString(), firstJobRequestRenewed, cancellationTokenSource.Token);
+
+                // Assert
+                _configurationStore.Verify(x => x.SaveSettings(It.Is<RunnerSettings>(settings => settings.AgentName == newName)), Times.Once);
+            }
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Runner")]
+        public async void RenewJobRequestSameAgentNameIgnored()
+        {
+            //Arrange
+            using (var hc = new TestHostContext(this))
+            {
+                var count = 0;
+                var oldName = "OldName";
+                var newName = "OldName";
+                var oldSettings = new RunnerSettings { AgentName = oldName };
+                var reservedAgent = new TaskAgentReference { Name = newName };
+
+                var trace = hc.GetTrace(nameof(DispatcherRenewJobRequestStopOnJobTokenExpiredExceptions));
+                TaskCompletionSource<int> firstJobRequestRenewed = new TaskCompletionSource<int>();
+                CancellationTokenSource cancellationTokenSource = new CancellationTokenSource();
+
+                var request = new Mock<TaskAgentJobRequest>();
+                request.Object.ReservedAgent = reservedAgent;
+                PropertyInfo lockUntilProperty = request.Object.GetType().GetProperty("LockedUntil", BindingFlags.Instance | BindingFlags.NonPublic | BindingFlags.Public);
+                Assert.NotNull(lockUntilProperty);
+                lockUntilProperty.SetValue(request.Object, DateTime.UtcNow.AddMinutes(5));
+                hc.SetSingleton<IRunnerServer>(_runnerServer.Object);
+                hc.SetSingleton<IConfigurationStore>(_configurationStore.Object);
+                _configurationStore.Setup(x => x.GetSettings()).Returns(oldSettings);
+                _runnerServer.Setup(x => x.RenewAgentRequestAsync(It.IsAny<int>(), It.IsAny<long>(), It.IsAny<Guid>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
+                            .Returns(() =>
+                            {
+                                count++;
+                                if (count < 5)
+                                {
+                                    return Task.FromResult<TaskAgentJobRequest>(request.Object);
+                                }
+                                else if (count == 5 || count == 6 || count == 7)
+                                {
+                                    throw new TimeoutException("");
+                                }
+                                else
+                                {
+                                    cancellationTokenSource.Cancel();
+                                    return Task.FromResult<TaskAgentJobRequest>(request.Object);
+                                }
+                            });
+                var jobDispatcher = new JobDispatcher();
+                jobDispatcher.Initialize(hc);
+
+                // Act
+                await jobDispatcher.RenewJobRequestAsync(0, 0, Guid.Empty, Guid.NewGuid().ToString(), firstJobRequestRenewed, cancellationTokenSource.Token);
+
+                // Assert
+                _configurationStore.Verify(x => x.SaveSettings(It.IsAny<RunnerSettings>()), Times.Never);
+            }
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Runner")]
+        public async void RenewJobRequestNullAgentNameIgnored()
+        {
+            //Arrange
+            using (var hc = new TestHostContext(this))
+            {
+                var count = 0;
+                var oldName = "OldName";
+                var oldSettings = new RunnerSettings { AgentName = oldName };
+
+                var trace = hc.GetTrace(nameof(DispatcherRenewJobRequestStopOnJobTokenExpiredExceptions));
+                TaskCompletionSource<int> firstJobRequestRenewed = new TaskCompletionSource<int>();
+                CancellationTokenSource cancellationTokenSource = new CancellationTokenSource();
+
+                var request = new Mock<TaskAgentJobRequest>();
+                PropertyInfo lockUntilProperty = request.Object.GetType().GetProperty("LockedUntil", BindingFlags.Instance | BindingFlags.NonPublic | BindingFlags.Public);
+                Assert.NotNull(lockUntilProperty);
+                lockUntilProperty.SetValue(request.Object, DateTime.UtcNow.AddMinutes(5));
+                hc.SetSingleton<IRunnerServer>(_runnerServer.Object);
+                hc.SetSingleton<IConfigurationStore>(_configurationStore.Object);
+                _configurationStore.Setup(x => x.GetSettings()).Returns(oldSettings);
+                _runnerServer.Setup(x => x.RenewAgentRequestAsync(It.IsAny<int>(), It.IsAny<long>(), It.IsAny<Guid>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
+                            .Returns(() =>
+                            {
+                                count++;
+                                if (count < 5)
+                                {
+                                    return Task.FromResult<TaskAgentJobRequest>(request.Object);
+                                }
+                                else if (count == 5 || count == 6 || count == 7)
+                                {
+                                    throw new TimeoutException("");
+                                }
+                                else
+                                {
+                                    cancellationTokenSource.Cancel();
+                                    return Task.FromResult<TaskAgentJobRequest>(request.Object);
+                                }
+                            });
+
+                var jobDispatcher = new JobDispatcher();
+                jobDispatcher.Initialize(hc);
+
+                // Act
+                await jobDispatcher.RenewJobRequestAsync(0, 0, Guid.Empty, Guid.NewGuid().ToString(), firstJobRequestRenewed, cancellationTokenSource.Token);
+
+                // Assert
+                _configurationStore.Verify(x => x.SaveSettings(It.IsAny<RunnerSettings>()), Times.Never);
+            }
+        }
+
         [Fact]
         [Trait("Level", "L0")]
         [Trait("Category", "Runner")]

src/Test/L0/Listener/RunnerL0.cs

@@ -149,6 +149,9 @@ namespace GitHub.Runner.Common.Tests.Listener
                     _messageListener.Verify(x => x.CreateSessionAsync(It.IsAny<CancellationToken>()), Times.Once());
                     _messageListener.Verify(x => x.DeleteSessionAsync(), Times.Once());
                     _messageListener.Verify(x => x.DeleteMessageAsync(It.IsAny<TaskAgentMessage>()), Times.AtLeastOnce());
+
+                    // verify that we didn't try to delete local settings file (since we're not ephemeral)
+                    _configurationManager.Verify(x => x.DeleteLocalRunnerConfig(), Times.Never());
                 }
             }
         }
@@ -312,6 +315,9 @@ namespace GitHub.Runner.Common.Tests.Listener
                 _messageListener.Verify(x => x.CreateSessionAsync(It.IsAny<CancellationToken>()), Times.Once());
                 _messageListener.Verify(x => x.DeleteSessionAsync(), Times.Once());
                 _messageListener.Verify(x => x.DeleteMessageAsync(It.IsAny<TaskAgentMessage>()), Times.AtLeastOnce());
+
+                // verify that we did try to delete local settings file (since we're ephemeral)
+                _configurationManager.Verify(x => x.DeleteLocalRunnerConfig(), Times.Once());
             }
         }
 

src/runnerversion

@@ -1 +1 @@
-2.282.0
+2.283.0