Delete docker-image.yml

Without creating a session, the service is not able to access the keychains for the user specified under `UserName`. This causes any workflow that deals with code signing to fail as the only keychain loaded with be the system one. This should fix #350

job.yml

@@ -0,0 +1,74 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pod-admin
+  namespace: default
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "pods/log", "pods/attach", "pods/exec"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: default-pod-admin
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-admin
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: default
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  namespace: default
+  name: actions-runners
+spec:
+  template:
+    spec:
+      # hostNetwork: true
+      volumes:
+        - name: runner-working
+          emptyDir: {}
+      containers:
+        - name: k8srunner
+          image: huangtingluo/kube-runner:v0
+          imagePullPolicy: Always
+          volumeMounts:
+            - mountPath: /actions-runner/_work
+              name: runner-working
+          env:
+            - name: GITHUB_PAT
+              value: ghp_
+            - name: RUNNER_CONFIG_URL
+              value: https://github.com/bbq-beets/ting-test
+            - name: K8S_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: K8S_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: K8S_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: K8S_POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: K8S_POD_SERVICE_ACCOUNT
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.serviceAccountName
+      restartPolicy: Never
+  backoffLimit: 1
+  completions: 1
+  parallelism: 1

releaseNote.md

@@ -1,14 +1,11 @@
 ## Features
 
-- Collect more telemetry
-- Make `runner.name` available as a runner context variable
-- Add attempt number (`run_attempt`) to GitHub context 
-- When using the `--ephemeral` flag, ensure that the runner cleans up local `.runner` and `.credentials` files after completion (#1337)
+## Bugs
+
+- Fixed an issue where ephemeral runners did not restart after upgrading (#1396)
 
 ## Misc
 
-- Improved network troubleshooting docs
-
 ## Windows x64
 We recommend configuring the runner in a root folder of the Windows drive (e.g. "C:\actions-runner"). This will help avoid issues related to service identity folder permissions and long file path restrictions on Windows.
 

releaseVersion

@@ -1 +1 @@
-2.283.1
+<Update to ./src/runnerversion when creating release>

src/Dockerfile

@@ -0,0 +1,78 @@
+FROM mcr.microsoft.com/dotnet/sdk:3.1 AS Build
+
+# ENV RUNNER_CONFIG_URL=""
+# ENV GITHUB_PAT=""
+# ENV RUNNER_NAME=""
+# ENV RUNNER_GROUP=""
+# ENV RUNNER_LABELS=""
+# ENV GITHUB_RUNNER_SCOPE=""
+# ENV GITHUB_SERVER_URL=""
+# ENV GITHUB_API_URL=""
+# ENV K8S_HOST_IP=""
+
+RUN apt-get update --fix-missing \
+    && apt-get install -y --no-install-recommends \
+    curl \
+    # jq \
+    # git \
+    apt-utils \
+    apt-transport-https \
+    unzip \
+    net-tools\
+    gnupg2\
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install kubectl
+# RUN curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - && \
+#     echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | tee -a /etc/apt/sources.list.d/kubernetes.list && \
+#     apt-get update && apt-get -y install --no-install-recommends kubectl
+
+# Install docker
+# RUN curl -fsSL https://get.docker.com -o get-docker.sh
+# RUN sh get-docker.sh
+
+# Allow runner to run as root
+# ENV RUNNER_ALLOW_RUNASROOT=1
+
+# Directory for runner to operate in
+RUN mkdir /actions-runner
+RUN mkdir /actions-runner/src
+WORKDIR /actions-runner/src
+
+COPY ./ /actions-runner/src
+
+RUN /actions-runner/src/dev.sh l
+
+FROM mcr.microsoft.com/dotnet/core/runtime-deps:3.1
+
+ENV RUNNER_CONFIG_URL=""
+ENV GITHUB_PAT=""
+
+RUN apt-get update --fix-missing \
+    && apt-get install -y --no-install-recommends \
+    curl \
+    # jq \
+    # git \
+    # apt-utils \
+    # apt-transport-https \
+    # unzip \
+    # net-tools\
+    gnupg2\
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install kubectl
+RUN curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - && \
+    echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | tee -a /etc/apt/sources.list.d/kubernetes.list && \
+    apt-get update && apt-get -y install --no-install-recommends kubectl
+
+
+# Allow runner to run as root
+ENV RUNNER_ALLOW_RUNASROOT=1
+
+# Directory for runner to operate in
+RUN mkdir /actions-runner
+WORKDIR /actions-runner
+COPY --from=Build /actions-runner/_layout /actions-runner
+ENTRYPOINT ["./entrypoint.sh"] 

src/Misc/containerEngineHandlers/kubeInnerHandler/.eslintignore

@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/

src/Misc/containerEngineHandlers/kubeInnerHandler/.eslintrc.json

@@ -0,0 +1,59 @@
+{
+    "plugins": ["jest", "@typescript-eslint"],
+    "extends": ["plugin:github/es6"],
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+      "ecmaVersion": 9,
+      "sourceType": "module",
+      "project": "./tsconfig.json"
+    },
+    "rules": {
+      "eslint-comments/no-use": "off",
+      "import/no-namespace": "off",
+      "no-console": "off",
+      "no-unused-vars": "off",
+      "@typescript-eslint/no-unused-vars": "error",
+      "@typescript-eslint/explicit-member-accessibility": ["error", {"accessibility": "no-public"}],
+      "@typescript-eslint/no-require-imports": "error",
+      "@typescript-eslint/array-type": "error",
+      "@typescript-eslint/await-thenable": "error",
+      "@typescript-eslint/ban-ts-ignore": "error",
+      "camelcase": "off",
+      "@typescript-eslint/camelcase": "error",
+      "@typescript-eslint/class-name-casing": "error",
+      "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
+      "@typescript-eslint/func-call-spacing": ["error", "never"],
+      "@typescript-eslint/generic-type-naming": ["error", "^[A-Z][A-Za-z]*$"],
+      "@typescript-eslint/no-array-constructor": "error",
+      "@typescript-eslint/no-empty-interface": "error",
+      "@typescript-eslint/no-explicit-any": "error",
+      "@typescript-eslint/no-extraneous-class": "error",
+      "@typescript-eslint/no-for-in-array": "error",
+      "@typescript-eslint/no-inferrable-types": "error",
+      "@typescript-eslint/no-misused-new": "error",
+      "@typescript-eslint/no-namespace": "error",
+      "@typescript-eslint/no-non-null-assertion": "warn",
+      "@typescript-eslint/no-object-literal-type-assertion": "error",
+      "@typescript-eslint/no-unnecessary-qualifier": "error",
+      "@typescript-eslint/no-unnecessary-type-assertion": "error",
+      "@typescript-eslint/no-useless-constructor": "error",
+      "@typescript-eslint/no-var-requires": "error",
+      "@typescript-eslint/prefer-for-of": "warn",
+      "@typescript-eslint/prefer-function-type": "warn",
+      "@typescript-eslint/prefer-includes": "error",
+      "@typescript-eslint/prefer-interface": "error",
+      "@typescript-eslint/prefer-string-starts-ends-with": "error",
+      "@typescript-eslint/promise-function-async": "error",
+      "@typescript-eslint/require-array-sort-compare": "error",
+      "@typescript-eslint/restrict-plus-operands": "error",
+      "semi": "off",
+      "@typescript-eslint/semi": ["error", "never"],
+      "@typescript-eslint/type-annotation-spacing": "error",
+      "@typescript-eslint/unbound-method": "error"
+    },
+    "env": {
+      "node": true,
+      "es6": true,
+      "jest/globals": true
+    }
+  }

src/Misc/containerEngineHandlers/kubeInnerHandler/.prettierignore

@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/

src/Misc/containerEngineHandlers/kubeInnerHandler/.prettierrc.json

@@ -0,0 +1,11 @@
+{
+    "printWidth": 80,
+    "tabWidth": 2,
+    "useTabs": false,
+    "semi": false,
+    "singleQuote": true,
+    "trailingComma": "none",
+    "bracketSpacing": false,
+    "arrowParens": "avoid",
+    "parser": "typescript"
+  }

src/Misc/containerEngineHandlers/kubeInnerHandler/README.md

@@ -0,0 +1 @@
+To update kubeInnerHandler under `Misc/layoutbin` run `npm install && npm run all`

src/Misc/containerEngineHandlers/kubeInnerHandler/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "kubeInnerHandler",
+  "version": "1.0.0",
+  "description": "GitHub Actions",
+  "main": "lib/kubeInnerHandler.js",
+  "scripts": {
+    "build": "tsc",
+    "format": "prettier --write **/*.ts",
+    "format-check": "prettier --check **/*.ts",
+    "lint": "eslint src/**/*.ts",
+    "pack": "ncc build -o ../../layoutbin/kubeInnerHandler",
+    "all": "npm run build && npm run format && npm run lint && npm run pack"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/actions/runner.git"
+  },
+  "keywords": [
+    "actions"
+  ],
+  "author": "GitHub Actions",
+  "license": "MIT",
+  "dependencies": {
+    "@actions/exec": "^1.1.0",
+    "@actions/core": "^1.6.0"
+  },
+  "devDependencies": {
+    "@types/node": "^12.7.12",
+    "@typescript-eslint/parser": "^2.8.0",
+    "@zeit/ncc": "^0.20.5",
+    "eslint": "^6.8.0",
+    "eslint-plugin-github": "^2.0.0",
+    "prettier": "^1.19.1",
+    "typescript": "^3.6.4"
+  }
+}

src/Misc/containerEngineHandlers/kubeInnerHandler/src/kubeInnerHandler.ts

@@ -0,0 +1,49 @@
+import * as exec from '@actions/exec'
+import * as core from '@actions/core'
+import * as events from 'events'
+import * as readline from 'readline'
+
+async function run(): Promise<void> {
+  let input = ''
+
+  const rl = readline.createInterface({
+    input: process.stdin
+  })
+
+  rl.on('line', line => {
+    core.debug(`Line from STDIN: ${line}`)
+    input = line
+  })
+
+  await events.once(rl, 'close')
+
+  core.debug(input)
+
+  const execInput = JSON.parse(input)
+  core.debug(JSON.stringify(execInput))
+
+  // podman exec -i --workdir /__w/canary/canary
+  // -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY
+  // -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER
+  // -e GITHUB_RETENTION_DAYS -e GITHUB_RUN_ATTEMPT -e GITHUB_ACTOR
+  // -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME
+  // -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL
+  // -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY
+  // -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_DEBUG
+  // -e RUNNER_OS -e RUNNER_NAME -e RUNNER_TOOL_CACHE
+  // -e RUNNER_TEMP -e RUNNER_WORKSPACE
+  //   eccdf520697a035599d6e8c8dc801f004fdd3797cdce88f590aba3669a88d9bc sh -e /__w/_temp/d3b30383-719c-4e76-a16f-8f85443352be.sh
+
+  const execArgs = []
+  const args = (<string>execInput.arguments).split(' ')
+  core.debug(JSON.stringify(args))
+  execArgs.push(...args)
+
+  core.debug(JSON.stringify(execArgs))
+
+  await exec.exec(execInput.fileName, execArgs, {
+    env: execInput.environmentVariables
+  })
+}
+
+run()

src/Misc/containerEngineHandlers/kubeInnerHandler/tsconfig.json

@@ -0,0 +1,12 @@
+{
+  "compilerOptions": {
+    "target": "es6",                          /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */
+    "module": "commonjs",                     /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */
+    "outDir": "./lib",                        /* Redirect output structure to the directory. */
+    "rootDir": "./src",                       /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */
+    "strict": true,                           /* Enable all strict type-checking options. */
+    "noImplicitAny": true,                    /* Raise error on expressions and declarations with an implied 'any' type. */
+    "esModuleInterop": true                   /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
+  },
+  "exclude": ["node_modules", "**/*.test.ts"]
+}

src/Misc/containerEngineHandlers/kubectlHandler/.eslintignore

@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/

src/Misc/containerEngineHandlers/kubectlHandler/.eslintrc.json

@@ -0,0 +1,59 @@
+{
+    "plugins": ["jest", "@typescript-eslint"],
+    "extends": ["plugin:github/es6"],
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+      "ecmaVersion": 9,
+      "sourceType": "module",
+      "project": "./tsconfig.json"
+    },
+    "rules": {
+      "eslint-comments/no-use": "off",
+      "import/no-namespace": "off",
+      "no-console": "off",
+      "no-unused-vars": "off",
+      "@typescript-eslint/no-unused-vars": "error",
+      "@typescript-eslint/explicit-member-accessibility": ["error", {"accessibility": "no-public"}],
+      "@typescript-eslint/no-require-imports": "error",
+      "@typescript-eslint/array-type": "error",
+      "@typescript-eslint/await-thenable": "error",
+      "@typescript-eslint/ban-ts-ignore": "error",
+      "camelcase": "off",
+      "@typescript-eslint/camelcase": "error",
+      "@typescript-eslint/class-name-casing": "error",
+      "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
+      "@typescript-eslint/func-call-spacing": ["error", "never"],
+      "@typescript-eslint/generic-type-naming": ["error", "^[A-Z][A-Za-z]*$"],
+      "@typescript-eslint/no-array-constructor": "error",
+      "@typescript-eslint/no-empty-interface": "error",
+      "@typescript-eslint/no-explicit-any": "error",
+      "@typescript-eslint/no-extraneous-class": "error",
+      "@typescript-eslint/no-for-in-array": "error",
+      "@typescript-eslint/no-inferrable-types": "error",
+      "@typescript-eslint/no-misused-new": "error",
+      "@typescript-eslint/no-namespace": "error",
+      "@typescript-eslint/no-non-null-assertion": "warn",
+      "@typescript-eslint/no-object-literal-type-assertion": "error",
+      "@typescript-eslint/no-unnecessary-qualifier": "error",
+      "@typescript-eslint/no-unnecessary-type-assertion": "error",
+      "@typescript-eslint/no-useless-constructor": "error",
+      "@typescript-eslint/no-var-requires": "error",
+      "@typescript-eslint/prefer-for-of": "warn",
+      "@typescript-eslint/prefer-function-type": "warn",
+      "@typescript-eslint/prefer-includes": "error",
+      "@typescript-eslint/prefer-interface": "error",
+      "@typescript-eslint/prefer-string-starts-ends-with": "error",
+      "@typescript-eslint/promise-function-async": "error",
+      "@typescript-eslint/require-array-sort-compare": "error",
+      "@typescript-eslint/restrict-plus-operands": "error",
+      "semi": "off",
+      "@typescript-eslint/semi": ["error", "never"],
+      "@typescript-eslint/type-annotation-spacing": "error",
+      "@typescript-eslint/unbound-method": "error"
+    },
+    "env": {
+      "node": true,
+      "es6": true,
+      "jest/globals": true
+    }
+  }

src/Misc/containerEngineHandlers/kubectlHandler/.prettierignore

@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/

src/Misc/containerEngineHandlers/kubectlHandler/.prettierrc.json

@@ -0,0 +1,11 @@
+{
+    "printWidth": 80,
+    "tabWidth": 2,
+    "useTabs": false,
+    "semi": false,
+    "singleQuote": true,
+    "trailingComma": "none",
+    "bracketSpacing": false,
+    "arrowParens": "avoid",
+    "parser": "typescript"
+  }

src/Misc/containerEngineHandlers/kubectlHandler/README.md

@@ -0,0 +1 @@
+To update kubectlHandler under `Misc/layoutbin` run `npm install && npm run all`

src/Misc/containerEngineHandlers/kubectlHandler/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "kubectlHandler",
+  "version": "1.0.0",
+  "description": "GitHub Actions",
+  "main": "lib/kubectlHandler.js",
+  "scripts": {
+    "build": "tsc",
+    "format": "prettier --write **/*.ts",
+    "format-check": "prettier --check **/*.ts",
+    "lint": "eslint src/**/*.ts",
+    "pack": "ncc build -o ../../layoutbin/kubectlHandler",
+    "all": "npm run build && npm run format && npm run lint && npm run pack"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/actions/runner.git"
+  },
+  "keywords": [
+    "actions"
+  ],
+  "author": "GitHub Actions",
+  "license": "MIT",
+  "dependencies": {
+    "@actions/exec": "^1.1.0",
+    "@actions/core": "^1.6.0"
+  },
+  "devDependencies": {
+    "@types/node": "^12.7.12",
+    "@typescript-eslint/parser": "^2.8.0",
+    "@zeit/ncc": "^0.20.5",
+    "eslint": "^6.8.0",
+    "eslint-plugin-github": "^2.0.0",
+    "prettier": "^1.19.1",
+    "typescript": "^3.6.4"
+  }
+}

src/Misc/containerEngineHandlers/kubectlHandler/src/kubectlHandler.ts

@@ -0,0 +1,156 @@
+import * as exec from '@actions/exec'
+import * as core from '@actions/core'
+import * as events from 'events'
+import * as readline from 'readline'
+
+async function run(): Promise<void> {
+  let input = ''
+
+  const rl = readline.createInterface({
+    input: process.stdin
+  })
+
+  rl.on('line', line => {
+    core.debug(`Line from STDIN: ${line}`)
+    input = line
+  })
+
+  await events.once(rl, 'close')
+
+  core.debug(input)
+
+  const inputJson = JSON.parse(input)
+  core.debug(JSON.stringify(inputJson))
+
+  const command = inputJson.command
+  if (command === 'Create') {
+    const creationInput = inputJson.creationInput
+    core.debug(JSON.stringify(creationInput))
+    const containers = creationInput.containers
+    const jobContainer = containers[0]
+
+    // const networkName = 'actions_podman_network'
+    // // podman network create {network}  -> track and return `network` for ${{job.container.network}}
+    // await exec.exec('podman', ['network', 'create', networkName])
+
+    const containerImage = `${jobContainer.containerImage}`
+    // podman pull docker.io/library/{image}
+    // await exec.exec('podman', ['pull', containerImage])
+
+    // kubectl run e088c842be1f46b394212618408aaba0_node1016jessie_6196c9
+    //      --image=node:10.16-jessie
+    //      -- tail -f /dev/null
+    const runArgs = ['run', 'job-container']
+    // runArgs.push(`--workdir=${jobContainer.containerWorkDirectory}`)
+    // runArgs.push(`--network=${networkName}`)
+
+    // for (const mountVolume of jobContainer.mountVolumes) {
+    //   runArgs.push(
+    //     `-v=${mountVolume.sourceVolumePath}:${mountVolume.targetVolumePath}`
+    //   )
+    // }
+    runArgs.push(`--image=${containerImage}`)
+    runArgs.push(`--`)
+    runArgs.push(`tail`)
+    runArgs.push(`-f`)
+    runArgs.push(`/dev/null`)
+
+    core.debug(JSON.stringify(runArgs))
+
+    // const containerId = await exec.getExecOutput('podman', [
+    //   'create',
+    //   // `--workdir ${jobContainer.containerWorkDirectory}`,
+    //   `--network=${networkName}`,
+    //   // `-v=/Users/ting/Desktop/runner/_layout/_work:/__w`,
+    //   `--entrypoint=${jobContainer.containerEntryPoint}`,
+    //   `${containerImage}`,
+    //   `${jobContainer.containerEntryPointArgs}`
+    // ])
+
+    await exec.exec('kubectl', runArgs)
+
+    // get PATH inside the container
+
+    const waitArgs = ['wait', '--for=condition=Ready', 'pod/job-container']
+    await exec.exec('kubectl', waitArgs)
+
+    // output containerId for ${{job.container.id}}
+
+    // copy over node.js
+    const cpNodeArgs = [
+      'cp',
+      '/actions-runner/externals/node12/bin',
+      'job-container:/__runner_util/'
+    ]
+    await exec.exec('kubectl', cpNodeArgs)
+
+    // copy over innerhandler
+    const cpKubeInnerArgs = [
+      'cp',
+      '/actions-runner/bin/kubeInnerHandler',
+      'job-container:/__runner_util/kubeInnerHandler'
+    ]
+    await exec.exec('kubectl', cpKubeInnerArgs)
+
+    // copy over _work
+    const cpWorkArgs = ['cp', '/actions-runner/_work', 'job-container:/__w/']
+    await exec.exec('kubectl', cpWorkArgs)
+
+    const creationOutput = {
+      JobContainerId: 'job-container',
+      Network: 'job-container'
+    }
+
+    const output = JSON.stringify({CreationOutput: creationOutput})
+    core.debug(output)
+
+    process.stderr.write(
+      `___CONTAINER_ENGINE_HANDLER_OUTPUT___${output}___CONTAINER_ENGINE_HANDLER_OUTPUT___`
+    )
+  } else if (command === 'Remove') {
+    const removeInput = inputJson.removeInput
+    core.debug(JSON.stringify(removeInput))
+    // const jobContainerId = removeInput.jobContainerId
+
+    // await exec.exec('kubectl', ['delete', 'pod', jobContainerId, '--force'])
+    // await exec.exec('podman', ['network', 'rm', '-f', network])
+  } else if (command === 'Exec') {
+    const execInput = inputJson.execInput
+    core.debug(JSON.stringify(execInput))
+
+    // podman exec -i --workdir /__w/canary/canary
+    // -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY
+    // -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER
+    // -e GITHUB_RETENTION_DAYS -e GITHUB_RUN_ATTEMPT -e GITHUB_ACTOR
+    // -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME
+    // -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL
+    // -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY
+    // -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_DEBUG
+    // -e RUNNER_OS -e RUNNER_NAME -e RUNNER_TOOL_CACHE
+    // -e RUNNER_TEMP -e RUNNER_WORKSPACE
+    //   eccdf520697a035599d6e8c8dc801f004fdd3797cdce88f590aba3669a88d9bc sh -e /__w/_temp/d3b30383-719c-4e76-a16f-8f85443352be.sh
+
+    const cpTempArgs = [
+      'cp',
+      '/actions-runner/_work/_temp',
+      'job-container:/__w/'
+    ]
+    await exec.exec('kubectl', cpTempArgs)
+
+    const execArgs = ['exec']
+    execArgs.push(execInput.jobContainer.containerId)
+    execArgs.push('-i')
+    execArgs.push('-t')
+    execArgs.push('--')
+    execArgs.push('/__runner_util/node')
+    execArgs.push('/__runner_util/kubeInnerHandler')
+
+    core.debug(JSON.stringify(execArgs))
+
+    await exec.exec('kubectl', execArgs, {
+      input: Buffer.from(JSON.stringify(execInput))
+    })
+  }
+}
+
+run()

src/Misc/containerEngineHandlers/kubectlHandler/tsconfig.json

@@ -0,0 +1,12 @@
+{
+  "compilerOptions": {
+    "target": "es6",                          /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */
+    "module": "commonjs",                     /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */
+    "outDir": "./lib",                        /* Redirect output structure to the directory. */
+    "rootDir": "./src",                       /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */
+    "strict": true,                           /* Enable all strict type-checking options. */
+    "noImplicitAny": true,                    /* Raise error on expressions and declarations with an implied 'any' type. */
+    "esModuleInterop": true                   /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
+  },
+  "exclude": ["node_modules", "**/*.test.ts"]
+}

src/Misc/containerEngineHandlers/podmanHandler/.eslintignore

@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/

src/Misc/containerEngineHandlers/podmanHandler/.eslintrc.json

@@ -0,0 +1,59 @@
+{
+    "plugins": ["jest", "@typescript-eslint"],
+    "extends": ["plugin:github/es6"],
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+      "ecmaVersion": 9,
+      "sourceType": "module",
+      "project": "./tsconfig.json"
+    },
+    "rules": {
+      "eslint-comments/no-use": "off",
+      "import/no-namespace": "off",
+      "no-console": "off",
+      "no-unused-vars": "off",
+      "@typescript-eslint/no-unused-vars": "error",
+      "@typescript-eslint/explicit-member-accessibility": ["error", {"accessibility": "no-public"}],
+      "@typescript-eslint/no-require-imports": "error",
+      "@typescript-eslint/array-type": "error",
+      "@typescript-eslint/await-thenable": "error",
+      "@typescript-eslint/ban-ts-ignore": "error",
+      "camelcase": "off",
+      "@typescript-eslint/camelcase": "error",
+      "@typescript-eslint/class-name-casing": "error",
+      "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
+      "@typescript-eslint/func-call-spacing": ["error", "never"],
+      "@typescript-eslint/generic-type-naming": ["error", "^[A-Z][A-Za-z]*$"],
+      "@typescript-eslint/no-array-constructor": "error",
+      "@typescript-eslint/no-empty-interface": "error",
+      "@typescript-eslint/no-explicit-any": "error",
+      "@typescript-eslint/no-extraneous-class": "error",
+      "@typescript-eslint/no-for-in-array": "error",
+      "@typescript-eslint/no-inferrable-types": "error",
+      "@typescript-eslint/no-misused-new": "error",
+      "@typescript-eslint/no-namespace": "error",
+      "@typescript-eslint/no-non-null-assertion": "warn",
+      "@typescript-eslint/no-object-literal-type-assertion": "error",
+      "@typescript-eslint/no-unnecessary-qualifier": "error",
+      "@typescript-eslint/no-unnecessary-type-assertion": "error",
+      "@typescript-eslint/no-useless-constructor": "error",
+      "@typescript-eslint/no-var-requires": "error",
+      "@typescript-eslint/prefer-for-of": "warn",
+      "@typescript-eslint/prefer-function-type": "warn",
+      "@typescript-eslint/prefer-includes": "error",
+      "@typescript-eslint/prefer-interface": "error",
+      "@typescript-eslint/prefer-string-starts-ends-with": "error",
+      "@typescript-eslint/promise-function-async": "error",
+      "@typescript-eslint/require-array-sort-compare": "error",
+      "@typescript-eslint/restrict-plus-operands": "error",
+      "semi": "off",
+      "@typescript-eslint/semi": ["error", "never"],
+      "@typescript-eslint/type-annotation-spacing": "error",
+      "@typescript-eslint/unbound-method": "error"
+    },
+    "env": {
+      "node": true,
+      "es6": true,
+      "jest/globals": true
+    }
+  }

src/Misc/containerEngineHandlers/podmanHandler/.prettierignore

@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/

src/Misc/containerEngineHandlers/podmanHandler/.prettierrc.json

@@ -0,0 +1,11 @@
+{
+    "printWidth": 80,
+    "tabWidth": 2,
+    "useTabs": false,
+    "semi": false,
+    "singleQuote": true,
+    "trailingComma": "none",
+    "bracketSpacing": false,
+    "arrowParens": "avoid",
+    "parser": "typescript"
+  }

src/Misc/containerEngineHandlers/podmanHandler/README.md

@@ -0,0 +1 @@
+To update podmanHandler under `Misc/layoutbin` run `npm install && npm run all`

src/Misc/containerEngineHandlers/podmanHandler/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "podmanHandler",
+  "version": "1.0.0",
+  "description": "GitHub Actions",
+  "main": "lib/podmanHandler.js",
+  "scripts": {
+    "build": "tsc",
+    "format": "prettier --write **/*.ts",
+    "format-check": "prettier --check **/*.ts",
+    "lint": "eslint src/**/*.ts",
+    "pack": "ncc build -o ../../layoutbin/podmanHandler",
+    "all": "npm run build && npm run format && npm run lint && npm run pack"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/actions/runner.git"
+  },
+  "keywords": [
+    "actions"
+  ],
+  "author": "GitHub Actions",
+  "license": "MIT",
+  "dependencies": {
+    "@actions/exec": "^1.1.0",
+    "@actions/core": "^1.6.0"
+  },
+  "devDependencies": {
+    "@types/node": "^12.7.12",
+    "@typescript-eslint/parser": "^2.8.0",
+    "@zeit/ncc": "^0.20.5",
+    "eslint": "^6.8.0",
+    "eslint-plugin-github": "^2.0.0",
+    "prettier": "^1.19.1",
+    "typescript": "^3.6.4"
+  }
+}

src/Misc/containerEngineHandlers/podmanHandler/src/podmanHandler.ts

@@ -0,0 +1,150 @@
+import * as exec from '@actions/exec'
+import * as core from '@actions/core'
+import * as events from 'events'
+import * as readline from 'readline'
+
+async function run(): Promise<void> {
+  let input = ''
+
+  const rl = readline.createInterface({
+    input: process.stdin
+  })
+
+  rl.on('line', line => {
+    core.debug(`Line from STDIN: ${line}`)
+    input = line
+  })
+
+  await events.once(rl, 'close')
+
+  core.debug(input)
+
+  const inputJson = JSON.parse(input)
+  core.debug(JSON.stringify(inputJson))
+
+  const command = inputJson.command
+  if (command === 'Create') {
+    const creationInput = inputJson.creationInput
+    core.debug(JSON.stringify(creationInput))
+    const containers = creationInput.containers
+    const jobContainer = containers[0]
+
+    const networkName = 'actions_podman_network'
+    // podman network create {network}  -> track and return `network` for ${{job.container.network}}
+    await exec.exec('podman', ['network', 'create', networkName])
+
+    const containerImage = `docker.io/library/${jobContainer.containerImage}`
+    // podman pull docker.io/library/{image}
+    await exec.exec('podman', ['pull', containerImage])
+
+    // podman create --name e088c842be1f46b394212618408aaba0_node1016jessie_6196c9
+    //      --label fa4e14
+    //      --workdir /__w/canary/canary
+    //      --network github_network_f98a6e1e96e74d919d814c165641cba3
+    //      -e "HOME=/github/home" -e GITHUB_ACTIONS=true -e CI=true
+    //      -v "/var/run/docker.sock":"/var/run/docker.sock"
+    //      -v "/home/runner/work":"/__w"
+    //      -v "/home/runner/runners/2.283.2/externals":"/__e":ro
+    //      -v "/home/runner/work/_temp":"/__w/_temp"
+    //      -v "/home/runner/work/_actions":"/__w/_actions"
+    //      -v "/opt/hostedtoolcache":"/__t"
+    //      -v "/home/runner/work/_temp/_github_home":"/github/home"
+    //      -v "/home/runner/work/_temp/_github_workflow":"/github/workflow"
+    //      --entrypoint "tail" node:10.16-jessie "-f" "/dev/null"
+    const creatArgs = ['create']
+    creatArgs.push(`--workdir=${jobContainer.containerWorkDirectory}`)
+    creatArgs.push(`--network=${networkName}`)
+
+    for (const mountVolume of jobContainer.mountVolumes) {
+      creatArgs.push(
+        `-v=${mountVolume.sourceVolumePath}:${mountVolume.targetVolumePath}`
+      )
+    }
+
+    creatArgs.push(`--entrypoint=tail`)
+    creatArgs.push(containerImage)
+    creatArgs.push(`-f`)
+    creatArgs.push(`/dev/null`)
+
+    core.debug(JSON.stringify(creatArgs))
+
+    // const containerId = await exec.getExecOutput('podman', [
+    //   'create',
+    //   // `--workdir ${jobContainer.containerWorkDirectory}`,
+    //   `--network=${networkName}`,
+    //   // `-v=/Users/ting/Desktop/runner/_layout/_work:/__w`,
+    //   `--entrypoint=${jobContainer.containerEntryPoint}`,
+    //   `${containerImage}`,
+    //   `${jobContainer.containerEntryPointArgs}`
+    // ])
+
+    const containerId = await exec.getExecOutput('podman', creatArgs)
+
+    core.debug(JSON.stringify(containerId))
+
+    // podman start {containerId}
+    await exec.exec('podman', ['start', containerId.stdout.trim()])
+
+    // get PATH inside the container
+
+    // output containerId for ${{job.container.id}}
+
+    const creationOutput = {
+      JobContainerId: containerId.stdout.trim(),
+      Network: networkName
+    }
+
+    const output = JSON.stringify({CreationOutput: creationOutput})
+    core.debug(output)
+
+    process.stderr.write(
+      `___CONTAINER_ENGINE_HANDLER_OUTPUT___${output}___CONTAINER_ENGINE_HANDLER_OUTPUT___`
+    )
+  } else if (command === 'Remove') {
+    const removeInput = inputJson.removeInput
+    core.debug(JSON.stringify(removeInput))
+    const jobContainerId = removeInput.jobContainerId
+    const network = removeInput.network
+
+    await exec.exec('podman', ['rm', '-f', jobContainerId])
+    await exec.exec('podman', ['network', 'rm', '-f', network])
+  } else if (command === 'Exec') {
+    const execInput = inputJson.execInput
+    core.debug(JSON.stringify(execInput))
+
+    // podman exec -i --workdir /__w/canary/canary
+    // -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY
+    // -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER
+    // -e GITHUB_RETENTION_DAYS -e GITHUB_RUN_ATTEMPT -e GITHUB_ACTOR
+    // -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME
+    // -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL
+    // -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY
+    // -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_DEBUG
+    // -e RUNNER_OS -e RUNNER_NAME -e RUNNER_TOOL_CACHE
+    // -e RUNNER_TEMP -e RUNNER_WORKSPACE
+    //   eccdf520697a035599d6e8c8dc801f004fdd3797cdce88f590aba3669a88d9bc sh -e /__w/_temp/d3b30383-719c-4e76-a16f-8f85443352be.sh
+
+    const execArgs = ['exec']
+    execArgs.push('-i')
+    execArgs.push(`--workdir=${execInput.workingDirectory}`)
+    for (const envKey of execInput.environmentKeys) {
+      execArgs.push(`-e=${envKey}`)
+    }
+    execArgs.push(execInput.jobContainer.containerId)
+    execArgs.push(execInput.fileName)
+
+    const args = (<string>execInput.arguments).split(' ')
+    core.debug(JSON.stringify(args))
+
+    execArgs.push(...args)
+
+    core.debug(JSON.stringify(execArgs))
+
+    await exec.exec('podman', execArgs)
+  }
+
+  await exec.exec('podman', ['network', 'ls'])
+  await exec.exec('podman', ['ps', '-a'])
+}
+
+run()

src/Misc/containerEngineHandlers/podmanHandler/tsconfig.json

@@ -0,0 +1,12 @@
+{
+  "compilerOptions": {
+    "target": "es6",                          /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */
+    "module": "commonjs",                     /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */
+    "outDir": "./lib",                        /* Redirect output structure to the directory. */
+    "rootDir": "./src",                       /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */
+    "strict": true,                           /* Enable all strict type-checking options. */
+    "noImplicitAny": true,                    /* Raise error on expressions and declarations with an implied 'any' type. */
+    "esModuleInterop": true                   /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
+  },
+  "exclude": ["node_modules", "**/*.test.ts"]
+}

src/Misc/layoutbin/actions.runner.plist.template

@@ -25,5 +25,7 @@
     </dict>
     <key>ProcessType</key>
     <string>Interactive</string>
+    <key>SessionCreate</key>
+    <true/>
   </dict>
 </plist>

src/Misc/layoutbin/podman-handler.js

@@ -0,0 +1,49 @@
+// Job container creation
+
+// podman network create {network}  -> track and return `network` for ${{job.container.network}}
+
+// podman pull docker.io/library/{image}
+
+// podman create --name e088c842be1f46b394212618408aaba0_node1016jessie_6196c9 
+//      --label fa4e14 
+//      --workdir /__w/canary/canary 
+//      --network github_network_f98a6e1e96e74d919d814c165641cba3  
+//      -e "HOME=/github/home" -e GITHUB_ACTIONS=true -e CI=true 
+//      -v "/var/run/docker.sock":"/var/run/docker.sock" 
+//      -v "/home/runner/work":"/__w" 
+//      -v "/home/runner/runners/2.283.2/externals":"/__e":ro 
+//      -v "/home/runner/work/_temp":"/__w/_temp" 
+//      -v "/home/runner/work/_actions":"/__w/_actions" 
+//      -v "/opt/hostedtoolcache":"/__t" 
+//      -v "/home/runner/work/_temp/_github_home":"/github/home" 
+//      -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" 
+//      --entrypoint "tail" node:10.16-jessie "-f" "/dev/null"
+
+// podman start {containerId}
+
+// get PATH inside the container
+
+// output containerId for ${{job.container.id}}
+
+
+
+// Job container stop
+
+// podman rm --force {containerId}
+
+// podman network rm {network}
+
+
+// Run step
+
+// podman exec -i --workdir /__w/canary/canary 
+// -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY 
+// -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER 
+// -e GITHUB_RETENTION_DAYS -e GITHUB_RUN_ATTEMPT -e GITHUB_ACTOR 
+// -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME 
+// -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL 
+// -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY 
+// -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_DEBUG 
+// -e RUNNER_OS -e RUNNER_NAME -e RUNNER_TOOL_CACHE 
+// -e RUNNER_TEMP -e RUNNER_WORKSPACE 
+//   eccdf520697a035599d6e8c8dc801f004fdd3797cdce88f590aba3669a88d9bc sh -e /__w/_temp/d3b30383-719c-4e76-a16f-8f85443352be.sh

src/Misc/layoutbin/update.sh.template

@@ -18,6 +18,8 @@ downloadrunnerversion=_DOWNLOAD_RUNNER_VERSION_
 logfile="_UPDATE_LOG_"
 restartinteractiverunner=_RESTART_INTERACTIVE_RUNNER_
 
+telemetryfile="$rootfolder/_diag/.telemetry"
+
 # log user who run the script
 date "+[%F %T-%4N] --------whoami--------" >> "$logfile" 2>&1
 whoami >> "$logfile" 2>&1
@@ -118,40 +120,101 @@ then
     exit 1
 fi
 
-# fix upgrade issue with macOS
+# fix upgrade issue with macOS when running as a service
+attemptedtargetedfix=0
 currentplatform=$(uname | awk '{print tolower($0)}')
-if [[ "$currentplatform" == 'darwin' ]]; then
-    # need a short-term fix for https://github.com/actions/runner/issues/743
-    # we will recreate all the ./externals/node12/bin/node of the past 5 versions
-    # v2.280.3 v2.280.2 v2.280.1 v2.279.0 v2.278.0
-    if [[ ! -e "$rootfolder/externals.2.280.3/node12/bin/node" ]]
+if [[ "$currentplatform" == 'darwin'  && restartinteractiverunner -eq 0 ]]; then
+    # We needed a fix for https://github.com/actions/runner/issues/743
+    # We will recreate the ./externals/node12/bin/node of the past runner version that launched the runnerlistener service
+    # Otherwise mac gatekeeper kills the processes we spawn on creation as we are running a process with no backing file
+
+    # We need the pid for the nodejs loop, get that here, its the parent of the runner C# pid
+    # assumption here is only one process is invoking rootfolder/runsvc.sh
+    procgroup=$(ps x -o pgid,command | grep "$rootfolder/runsvc.sh" | grep -v grep | awk '{print $1}')
+    if [[ $? -eq 0 && -n "$procgroup" ]]
     then
-        mkdir -p "$rootfolder/externals.2.280.3/node12/bin"
-        cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.280.3/node12/bin/node"
+        # inspect the open file handles to find the node process
+        # we can't actually inspect the process using ps because it uses relative paths and doesn't follow symlinks
+        path=$(lsof -a -g "$procgroup" -F n | grep node12/bin/node | grep externals | tail -1 | cut -c2-)
+        if [[ $? -eq 0 && -n "$path" ]]
+        then
+            # trim the last 5 characters of the path '/node'
+            trimmedpath=$(dirname "$path")
+            if [[ $? -eq 0 && -n "$trimmedpath" ]]
+            then
+                attemptedtargetedfix=1
+                # Create the path if it does not exist
+                if [[ ! -e "$path" ]]
+                then
+                    date "+[%F %T-%4N] Creating fallback node at path $path" >> "$logfile" 2>&1
+                    mkdir -p "$trimmedpath"
+                    cp "$rootfolder/externals/node12/bin/node" "$path"
+                else
+                    date "+[%F %T-%4N] Path for fallback node exists, skipping creating $path" >> "$logfile" 2>&1
+                fi
+            else
+                date "+[%F %T-%4N] DarwinRunnerUpgrade: Failed to trim runner path. TrimmedPath: $trimmedpath, path: $path, pgid: $procgroup, root: $rootfolder" >> "$logfile" 2>&1
+                date "+[%F %T-%4N] DarwinRunnerUpgrade: Failed to trim runner path. TrimmedPath: $trimmedpath, path: $path, pgid: $procgroup, root: $rootfolder" >> "$telemetryfile" 2>&1
+            fi
+        else
+            date "+[%F %T-%4N] DarwinRunnerUpgrade: Failed to find runner path. Path: $path, pgid: $procgroup, root: $rootfolder" >> "$logfile" 2>&1
+            date "+[%F %T-%4N] DarwinRunnerUpgrade: Failed to find runner path. Path: $path, pgid: $procgroup, root: $rootfolder" >> "$telemetryfile" 2>&1
+        fi
+    else
+            date "+[%F %T-%4N] DarwinRunnerUpgrade: Failed to find runner pgid. pgid: $procgroup, root: $rootfolder" >> "$logfile" 2>&1
+            date "+[%F %T-%4N] DarwinRunnerUpgrade: Failed to find runner pgid. pgid: $procgroup, root: $rootfolder" >> "$telemetryfile" 2>&1
     fi
 
-    if [[ ! -e "$rootfolder/externals.2.280.2/node12/bin/node" ]]
+    if [ $attemptedtargetedfix -eq 0 ]
     then
-        mkdir -p "$rootfolder/externals.2.280.2/node12/bin"
-        cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.280.2/node12/bin/node"
-    fi
 
-    if [[ ! -e "$rootfolder/externals.2.280.1/node12/bin/node" ]]
-    then
-        mkdir -p "$rootfolder/externals.2.280.1/node12/bin"
-        cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.280.1/node12/bin/node"
-    fi
+        date "+[%F %T-%4N] DarwinRunnerUpgrade: Defaulting to old macOS service fix" >> "$logfile" 2>&1
+        date "+[%F %T-%4N] DarwinRunnerUpgrade: Defaulting to old macOS service fix" >> "$telemetryfile" 2>&1
+        if [[ ! -e "$rootfolder/externals.2.280.3/node12/bin/node" ]]
+        then
+            mkdir -p "$rootfolder/externals.2.280.3/node12/bin"
+            cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.280.3/node12/bin/node"
+        fi
 
-    if [[ ! -e "$rootfolder/externals.2.279.0/node12/bin/node" ]]
-    then
-        mkdir -p "$rootfolder/externals.2.279.0/node12/bin"
-        cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.279.0/node12/bin/node"
-    fi
+        if [[ ! -e "$rootfolder/externals.2.280.2/node12/bin/node" ]]
+        then
+            mkdir -p "$rootfolder/externals.2.280.2/node12/bin"
+            cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.280.2/node12/bin/node"
+        fi
 
-    if [[ ! -e "$rootfolder/externals.2.278.0/node12/bin/node" ]]
-    then
-        mkdir -p "$rootfolder/externals.2.278.0/node12/bin"
-        cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.278.0/node12/bin/node"
+        if [[ ! -e "$rootfolder/externals.2.280.1/node12/bin/node" ]]
+        then
+            mkdir -p "$rootfolder/externals.2.280.1/node12/bin"
+            cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.280.1/node12/bin/node"
+        fi
+
+        # GHES 3.2
+        if [[ ! -e "$rootfolder/externals.2.279.0/node12/bin/node" ]]
+        then
+            mkdir -p "$rootfolder/externals.2.279.0/node12/bin"
+            cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.279.0/node12/bin/node"
+        fi
+
+        # GHES 3.1.2 or later
+        if [[ ! -e "$rootfolder/externals.2.278.0/node12/bin/node" ]]
+        then
+            mkdir -p "$rootfolder/externals.2.278.0/node12/bin"
+            cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.278.0/node12/bin/node"
+        fi
+
+        # GHES 3.1.0
+        if [[ ! -e "$rootfolder/externals.2.276.1/node12/bin/node" ]]
+        then
+            mkdir -p "$rootfolder/externals.2.276.1/node12/bin"
+            cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.276.1/node12/bin/node"
+        fi
+
+        # GHES 3.0
+        if [[ ! -e "$rootfolder/externals.2.273.5/node12/bin/node" ]]
+        then
+            mkdir -p "$rootfolder/externals.2.273.5/node12/bin"
+            cp "$rootfolder/externals/node12/bin/node" "$rootfolder/externals.2.273.5/node12/bin/node"
+        fi
     fi
 fi
 

src/Misc/layoutroot/entrypoint.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+set -euo pipefail
+
+function fatal() {
+   echo "error: $1" >&2
+   exit 1
+}
+
+[ -n "${GITHUB_PAT:-""}" ] || fatal "GITHUB_PAT variable must be set"
+[ -n "${RUNNER_CONFIG_URL:-""}" ] || fatal "RUNNER_CONFIG_URL variable must be set"
+# [ -n "${RUNNER_NAME:-""}" ] || fatal "RUNNER_NAME variable must be set"
+
+# if [ -n "${RUNNER_NAME}" ]; then
+#     # Use container id to gen unique runner name if name not provide
+#     CONTAINER_ID=$(cat /proc/self/cgroup | head -n 1 | tr '/' '\n' | tail -1 | cut -c1-12)
+#     RUNNER_NAME="actions-runner-${CONTAINER_ID}"
+# fi
+
+# if the scope has a slash, it's a repo runner
+# orgs_or_repos="orgs"
+# if [[ "$GITHUB_RUNNER_SCOPE" == *\/* ]]; then
+#     orgs_or_repos="repos"
+# fi
+
+# RUNNER_REG_URL="${GITHUB_SERVER_URL:=https://github.com}/${GITHUB_RUNNER_SCOPE}"
+
+# echo "Runner Name      : ${RUNNER_NAME}"
+echo "Registration URL : ${RUNNER_CONFIG_URL}"
+# echo "GitHub API URL   : ${GITHUB_API_URL:=https://api.github.com}"
+# echo "Runner Labels    : ${RUNNER_LABELS:=""}"
+
+# TODO: if api url is not default, validate it ends in /api/v3
+
+# RUNNER_LABELS_ARG=""
+# if [ -n "${RUNNER_LABELS}" ]; then
+#     RUNNER_LABELS_ARG="--labels ${RUNNER_LABELS}"
+# fi
+
+# RUNNER_GROUP_ARG=""
+# if [ -n "${RUNNER_GROUP}" ]; then
+#     RUNNER_GROUP_ARG="--runnergroup ${RUNNER_GROUP}"
+# fi
+
+# if [ -n "${K8S_HOST_IP}" ]; then
+#     export http_proxy=http://$K8S_HOST_IP:9090
+# fi
+
+# curl -v -s -X POST ${GITHUB_API_URL}/${orgs_or_repos}/${GITHUB_RUNNER_SCOPE}/actions/runners/registration-token -H "authorization: token $GITHUB_PAT" -H "accept: application/vnd.github.everest-preview+json"
+
+# Generate registration token
+# RUNNER_REG_TOKEN=$(curl -s -X POST ${GITHUB_API_URL}/${orgs_or_repos}/${GITHUB_RUNNER_SCOPE}/actions/runners/registration-token -H "authorization: token $GITHUB_PAT" -H "accept: application/vnd.github.everest-preview+json" | jq -r '.token')
+
+# Create the runner and configure it
+./config.sh --unattended --url $RUNNER_CONFIG_URL --pat $GITHUB_PAT --replace --ephemeral
+
+# while (! docker version ); do
+#   # Docker takes a few seconds to initialize
+#   echo "Waiting for Docker to launch..."
+#   sleep 1
+# done
+
+# unset env
+unset RUNNER_CONFIG_URL
+unset GITHUB_PAT
+
+# Run it
+./run.sh

src/Misc/layoutroot/run.sh

@@ -43,6 +43,21 @@ else
         else
             sleep 5
         fi
+    elif [[ $returnCode == 4 ]]; then
+        if [ ! -x "$(command -v sleep)" ]; then
+            if [ ! -x "$(command -v ping)" ]; then
+                COUNT="0"
+                while [[ $COUNT != 5000 ]]; do
+                    echo "SLEEP" > /dev/null
+                    COUNT=$[$COUNT+1]
+                done
+            else
+                ping -c 5 127.0.0.1 > /dev/null
+            fi
+        else
+            sleep 5
+        fi
+        "$DIR"/bin/Runner.Listener run $*
     else
         exit $returnCode
     fi

src/Runner.Common/Constants.cs

@@ -26,6 +26,7 @@ namespace GitHub.Runner.Common
         Certificates,
         Options,
         SetupInfo,
+        Telemetry
     }
 
     public static class Constants
@@ -128,7 +129,7 @@ namespace GitHub.Runner.Common
                     public static readonly string Ephemeral = "ephemeral";
                     public static readonly string Help = "help";
                     public static readonly string Replace = "replace";
-                    public static readonly string Once = "once"; // TODO: Remove in 10/2021
+                    public static readonly string Once = "once"; // Keep this around since customers still relies on it
                     public static readonly string RunAsService = "runasservice";
                     public static readonly string Unattended = "unattended";
                     public static readonly string Version = "version";
@@ -154,6 +155,7 @@ namespace GitHub.Runner.Common
             public static readonly string LowDiskSpace = "LOW_DISK_SPACE";
             public static readonly string UnsupportedCommand = "UNSUPPORTED_COMMAND";
             public static readonly string UnsupportedCommandMessageDisabled = "The `{0}` command is disabled. Please upgrade to using Environment Files or opt into unsecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/";
+            public static readonly string UnsupportedStopCommandTokenDisabled = "You cannot use a endToken that is an empty string, the string 'pause-logging', or another workflow command. For more information see:  https://docs.github.com/en/actions/learn-github-actions/workflow-commands-for-github-actions#example-stopping-and-starting-workflow-commands or opt into insecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_STOPCOMMAND_TOKENS` environment variable to `true`.";
         }
 
         public static class RunnerEvent
@@ -213,6 +215,7 @@ namespace GitHub.Runner.Common
                 // Keep alphabetical
                 //
                 public static readonly string AllowUnsupportedCommands = "ACTIONS_ALLOW_UNSECURE_COMMANDS";
+                public static readonly string AllowUnsupportedStopCommandTokens = "ACTIONS_ALLOW_UNSECURE_STOPCOMMAND_TOKENS";
                 public static readonly string RunnerDebug = "ACTIONS_RUNNER_DEBUG";
                 public static readonly string StepDebug = "ACTIONS_STEP_DEBUG";
             }

src/Runner.Common/HostContext.cs

@@ -342,6 +342,12 @@ namespace GitHub.Runner.Common
                         GetDirectory(WellKnownDirectory.Root),
                         ".setup_info");
                     break;
+                
+                case WellKnownConfigFile.Telemetry:
+                    path = Path.Combine(
+                        GetDirectory(WellKnownDirectory.Diag),
+                        ".telemetry");
+                    break;
 
                 default:
                     throw new NotSupportedException($"Unexpected well known config file: '{configFile}'");

src/Runner.Common/JobServer.cs

@@ -2,8 +2,11 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Net.Http;
 using System.Threading;
 using System.Threading.Tasks;
+using GitHub.Runner.Sdk;
+using GitHub.Services.Common;
 using GitHub.Services.WebApi;
 
 namespace GitHub.Runner.Common
@@ -36,6 +39,9 @@ namespace GitHub.Runner.Common
         {
             _connection = jobConnection;
             int attemptCount = 5;
+            var configurationStore = HostContext.GetService<IConfigurationStore>();
+            var runnerSettings = configurationStore.GetSettings();
+ 
             while (!_connection.HasAuthenticated && attemptCount-- > 0)
             {
                 try
@@ -45,8 +51,13 @@ namespace GitHub.Runner.Common
                 }
                 catch (Exception ex) when (attemptCount > 0)
                 {
-                    Trace.Info($"Catch exception during connect. {attemptCount} attemp left.");
+                    Trace.Info($"Catch exception during connect. {attemptCount} attempts left.");
                     Trace.Error(ex);
+
+                    if (runnerSettings.IsHostedServer)
+                    {
+                        await CheckNetworkEndpointsAsync();
+                    }
                 }
 
                 await Task.Delay(100);
@@ -56,6 +67,52 @@ namespace GitHub.Runner.Common
             _hasConnection = true;
         }
 
+        private async Task CheckNetworkEndpointsAsync()
+        {
+            try
+            {
+                Trace.Info("Requesting Actions Service health endpoint status");
+                using (var httpClientHandler = HostContext.CreateHttpClientHandler())
+                using (var actionsClient = new HttpClient(httpClientHandler))
+                {
+                    var baseUri = new Uri(_connection.Uri.GetLeftPart(UriPartial.Authority));
+
+                    actionsClient.DefaultRequestHeaders.UserAgent.AddRange(HostContext.UserAgents);
+
+                    // Call the _apis/health endpoint
+                    var response = await actionsClient.GetAsync(new Uri(baseUri, "_apis/health"));
+                    Trace.Info($"Actions health status code: {response.StatusCode}");
+                }
+            }
+            catch (Exception ex)
+            {
+                // Log error, but continue as this call is best-effort
+                Trace.Info($"Actions Service health endpoint failed due to {ex.GetType().Name}");
+                Trace.Error(ex);
+            }
+
+            try
+            {
+                Trace.Info("Requesting Github API endpoint status");
+                // This is a dotcom public API... just call it directly
+                using (var httpClientHandler = HostContext.CreateHttpClientHandler())
+                using (var gitHubClient = new HttpClient(httpClientHandler))
+                {
+                    gitHubClient.DefaultRequestHeaders.UserAgent.AddRange(HostContext.UserAgents);
+
+                    // Call the api.github.com endpoint
+                    var response = await gitHubClient.GetAsync("https://api.github.com");
+                    Trace.Info($"api.github.com status code: {response.StatusCode}");
+                }
+            }
+            catch (Exception ex)
+            {
+                // Log error, but continue as this call is best-effort
+                Trace.Info($"Github API endpoint failed due to {ex.GetType().Name}");
+                Trace.Error(ex);
+            }
+        }
+
         private void CheckConnection()
         {
             if (!_hasConnection)

src/Runner.Common/RunnerServer.cs

@@ -29,8 +29,10 @@ namespace GitHub.Runner.Common
         // Configuration
         Task<TaskAgent> AddAgentAsync(Int32 agentPoolId, TaskAgent agent);
         Task DeleteAgentAsync(int agentPoolId, int agentId);
+        Task DeleteAgentAsync(int agentId);
         Task<List<TaskAgentPool>> GetAgentPoolsAsync(string agentPoolName = null, TaskAgentPoolType poolType = TaskAgentPoolType.Automation);
         Task<List<TaskAgent>> GetAgentsAsync(int agentPoolId, string agentName = null);
+        Task<List<TaskAgent>> GetAgentsAsync(string agentName);
         Task<TaskAgent> ReplaceAgentAsync(int agentPoolId, TaskAgent agent);
 
         // messagequeue
@@ -252,6 +254,11 @@ namespace GitHub.Runner.Common
             return _genericTaskAgentClient.GetAgentsAsync(agentPoolId, agentName, false);
         }
 
+        public Task<List<TaskAgent>> GetAgentsAsync(string agentName)
+        {
+            return GetAgentsAsync(0, agentName); // search in all all agentPools
+        }
+
         public Task<TaskAgent> ReplaceAgentAsync(int agentPoolId, TaskAgent agent)
         {
             CheckConnection(RunnerConnectionType.Generic);
@@ -264,6 +271,11 @@ namespace GitHub.Runner.Common
             return _genericTaskAgentClient.DeleteAgentAsync(agentPoolId, agentId);
         }
 
+        public Task DeleteAgentAsync(int agentId)
+        {
+            return DeleteAgentAsync(0, agentId); // agentPool is ignored server side
+        }
+
         //-----------------------------------------------------------------
         // MessageQueue
         //-----------------------------------------------------------------

src/Runner.Listener/CommandSettings.cs

@@ -31,6 +31,7 @@ namespace GitHub.Runner.Listener
             Constants.Runner.CommandLine.Flags.Commit,
             Constants.Runner.CommandLine.Flags.Ephemeral,
             Constants.Runner.CommandLine.Flags.Help,
+            Constants.Runner.CommandLine.Flags.Once,
             Constants.Runner.CommandLine.Flags.Replace,
             Constants.Runner.CommandLine.Flags.RunAsService,
             Constants.Runner.CommandLine.Flags.Unattended,
@@ -68,7 +69,7 @@ namespace GitHub.Runner.Listener
         public bool Version => TestFlag(Constants.Runner.CommandLine.Flags.Version);
         public bool Ephemeral => TestFlag(Constants.Runner.CommandLine.Flags.Ephemeral);
 
-        // TODO: Remove in 10/2021
+        // Keep this around since customers still relies on it
         public bool RunOnce => TestFlag(Constants.Runner.CommandLine.Flags.Once);
 
         // Constructor.

src/Runner.Listener/Configuration/ConfigurationManager.cs

@@ -415,7 +415,7 @@ namespace GitHub.Runner.Listener.Configuration
                     // Determine the service deployment type based on connection data. (Hosted/OnPremises)
                     await _runnerServer.ConnectAsync(new Uri(settings.ServerUrl), creds);
 
-                    var agents = await _runnerServer.GetAgentsAsync(settings.PoolId, settings.AgentName);
+                    var agents = await _runnerServer.GetAgentsAsync(settings.AgentName);
                     Trace.Verbose("Returns {0} agents", agents.Count);
                     TaskAgent agent = agents.FirstOrDefault();
                     if (agent == null)
@@ -424,7 +424,7 @@ namespace GitHub.Runner.Listener.Configuration
                     }
                     else
                     {
-                        await _runnerServer.DeleteAgentAsync(settings.PoolId, settings.AgentId);
+                        await _runnerServer.DeleteAgentAsync(settings.AgentId);
 
                         _term.WriteLine();
                         _term.WriteSuccessMessage("Runner removed successfully");

src/Runner.Listener/Runner.cs

@@ -233,8 +233,14 @@ namespace GitHub.Runner.Listener
                     Trace.Info($"Set runner startup type - {startType}");
                     HostContext.StartupType = startType;
 
+                    if (command.RunOnce)
+                    {
+                        _term.WriteLine("Warning: '--once' is going to be deprecated in the future, please consider using '--ephemeral' during runner registration.", ConsoleColor.Yellow);
+                        _term.WriteLine("https://docs.github.com/en/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling", ConsoleColor.Yellow);
+                    }
+
                     // Run the runner interactively or as service
-                    return await RunAsync(settings, command.RunOnce || settings.Ephemeral);  // TODO: Remove RunOnce later.
+                    return await RunAsync(settings, command.RunOnce || settings.Ephemeral);
                 }
                 else
                 {
@@ -310,6 +316,9 @@ namespace GitHub.Runner.Listener
 
                 IJobDispatcher jobDispatcher = null;
                 CancellationTokenSource messageQueueLoopTokenSource = CancellationTokenSource.CreateLinkedTokenSource(HostContext.RunnerShutdownToken);
+                
+                // Should we try to cleanup ephemeral runners
+                bool runOnceJobCompleted = false;
                 try
                 {
                     var notification = HostContext.GetService<IJobNotification>();
@@ -371,6 +380,7 @@ namespace GitHub.Runner.Listener
                                 Task completeTask = await Task.WhenAny(getNextMessage, jobDispatcher.RunOnceJobCompleted.Task);
                                 if (completeTask == jobDispatcher.RunOnceJobCompleted.Task)
                                 {
+                                    runOnceJobCompleted = true;
                                     Trace.Info("Job has finished at backend, the runner will exit since it is running under onetime use mode.");
                                     Trace.Info("Stop message queue looping.");
                                     messageQueueLoopTokenSource.Cancel();
@@ -479,7 +489,7 @@ namespace GitHub.Runner.Listener
 
                     messageQueueLoopTokenSource.Dispose();
 
-                    if (settings.Ephemeral)
+                    if (settings.Ephemeral && runOnceJobCompleted)
                     {
                         var configManager = HostContext.GetService<IConfigurationManager>();
                         configManager.DeleteLocalRunnerConfig();

src/Runner.Worker/ActionCommandManager.cs

@@ -108,22 +108,18 @@ namespace GitHub.Runner.Worker
                     // Stop command
                     if (string.Equals(actionCommand.Command, _stopCommand, StringComparison.OrdinalIgnoreCase))
                     {
-                        context.Output(input);
-                        context.Debug("Paused processing commands until '##[{actionCommand.Data}]' is received");
+                        ValidateStopToken(context, actionCommand.Data);
+
                         _stopToken = actionCommand.Data;
-                        if (_registeredCommands.Contains(actionCommand.Data)
-                            || string.IsNullOrEmpty(actionCommand.Data)
-                            || string.Equals(actionCommand.Data, "pause-logging", StringComparison.OrdinalIgnoreCase))
-                        {
-                            var telemetry = new JobTelemetry
-                            {
-                                Message = $"Invoked ::stopCommand:: with token: [{actionCommand.Data}]",
-                                Type = JobTelemetryType.ActionCommand
-                            };
-                            context.JobTelemetry.Add(telemetry);
-                        }
                         _stopProcessCommand = true;
                         _registeredCommands.Add(_stopToken);
+                        if (_stopToken.Length > 6)
+                        {
+                            HostContext.SecretMasker.AddValue(_stopToken);
+                        }
+
+                        context.Output(input);
+                        context.Debug("Paused processing commands until the token you called ::stopCommands:: with is received");
                         return true;
                     }
                     // Found command
@@ -157,6 +153,40 @@ namespace GitHub.Runner.Worker
             return true;
         }
 
+        private void ValidateStopToken(IExecutionContext context, string stopToken)
+        {
+#if OS_WINDOWS
+            var envContext = context.ExpressionValues["env"] as DictionaryContextData;
+#else
+            var envContext = context.ExpressionValues["env"] as CaseSensitiveDictionaryContextData;
+#endif
+            var allowUnsecureStopCommandTokens = false;
+            allowUnsecureStopCommandTokens = StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable(Constants.Variables.Actions.AllowUnsupportedStopCommandTokens));
+            if (!allowUnsecureStopCommandTokens && envContext.ContainsKey(Constants.Variables.Actions.AllowUnsupportedStopCommandTokens))
+            {
+                allowUnsecureStopCommandTokens = StringUtil.ConvertToBoolean(envContext[Constants.Variables.Actions.AllowUnsupportedStopCommandTokens].ToString());
+            }
+
+            bool isTokenInvalid = _registeredCommands.Contains(stopToken)
+                || string.IsNullOrEmpty(stopToken)
+                || string.Equals(stopToken, "pause-logging", StringComparison.OrdinalIgnoreCase);
+
+            if (isTokenInvalid)
+            {
+                var telemetry = new JobTelemetry
+                {
+                    Message = $"Invoked ::stopCommand:: with token: [{stopToken}]",
+                    Type = JobTelemetryType.ActionCommand
+                };
+                context.JobTelemetry.Add(telemetry);
+            }
+
+            if (isTokenInvalid && !allowUnsecureStopCommandTokens)
+            {
+                throw new Exception(Constants.Runner.UnsupportedStopCommandTokenDisabled);
+            }
+        }
+
         internal static bool EnhancedAnnotationsEnabled(IExecutionContext context)
         {
             return context.Global.Variables.GetBoolean("DistributedTask.EnhancedAnnotations") ?? false;

src/Runner.Worker/ActionManager.cs

@@ -633,7 +633,12 @@ namespace GitHub.Runner.Worker
                 }
                 catch (Exception ex) when (!executionContext.CancellationToken.IsCancellationRequested) // Do not retry if the run is canceled.
                 {
-                    if (attempt < 3)
+                    // UnresolvableActionDownloadInfoException is a 422 client error, don't retry
+                    // Some possible cases are:
+                    // * Repo is rate limited
+                    // * Repo or tag doesn't exist, or isn't public
+                    // * Policy validation failed
+                    if (attempt < 3 && !(ex is WebApi.UnresolvableActionDownloadInfoException))
                     {
                         executionContext.Output($"Failed to resolve action download info. Error: {ex.Message}");
                         executionContext.Debug(ex.ToString());
@@ -649,6 +654,7 @@ namespace GitHub.Runner.Worker
                         // Some possible cases are:
                         // * Repo is rate limited
                         // * Repo or tag doesn't exist, or isn't public
+                        // * Policy validation failed
                         if (ex is WebApi.UnresolvableActionDownloadInfoException)
                         {
                             throw;

src/Runner.Worker/Container/ContainerInfo.cs

@@ -54,7 +54,7 @@ namespace GitHub.Runner.Worker.Container
             _pathMappings.Add(new PathMapping(hostContext.GetDirectory(WellKnownDirectory.Externals), "/__e"));
             if (this.IsJobContainer)
             {
-                this.MountVolumes.Add(new MountVolume("/var/run/docker.sock", "/var/run/docker.sock"));
+                // this.MountVolumes.Add(new MountVolume("/var/run/docker.sock", "/var/run/docker.sock"));
             }
 #endif
             if (container.Ports?.Count > 0)

src/Runner.Worker/ContainerOperationProvider.cs

@@ -12,9 +12,88 @@ using GitHub.Runner.Sdk;
 using GitHub.DistributedTask.Pipelines.ContextData;
 using Microsoft.Win32;
 using GitHub.DistributedTask.Pipelines.ObjectTemplating;
+using System.Threading.Channels;
+using GitHub.Services.WebApi;
+using System.Text;
+using System.Runtime.Serialization;
 
 namespace GitHub.Runner.Worker
 {
+    [DataContract]
+    public class ContainerEngineHandlerInput
+    {
+        [DataMember]
+        public string Command { get; set; }
+
+        [DataMember]
+        public ContainersCreationInput CreationInput { get; set; }
+
+        [DataMember]
+        public JobContainerExecInput ExecInput { get; set; }
+
+        [DataMember]
+        public ContainersRemoveInput RemoveInput { get; set; }
+    }
+
+    [DataContract]
+    public class ContainersCreationInput
+    {
+        [DataMember]
+        public List<ContainerInfo> Containers { get; set; }
+    }
+
+    [DataContract]
+    public class JobContainerExecInput
+    {
+        [DataMember]
+        public ContainerInfo JobContainer { get; set; }
+
+        [DataMember]
+        public string WorkingDirectory { get; set; }
+
+
+        [DataMember]
+        public string FileName { get; set; }
+
+
+        [DataMember]
+        public string Arguments { get; set; }
+
+
+        [DataMember]
+        public List<string> EnvironmentKeys { get; set; }
+
+        [DataMember]
+        public Dictionary<string, string> EnvironmentVariables { get; set; }
+    }
+
+
+
+    [DataContract]
+    public class ContainersRemoveInput
+    {
+        [DataMember]
+        public string Network { get; set; }
+        [DataMember]
+        public string JobContainerId { get; set; }
+    }
+
+    [DataContract]
+    public class ContainersCreationOutput
+    {
+        [DataMember]
+        public string Network { get; set; }
+        [DataMember]
+        public string JobContainerId { get; set; }
+    }
+
+    [DataContract]
+    public class ContainerEngineHandlerOutput
+    {
+        [DataMember]
+        public ContainersCreationOutput CreationOutput { get; set; }
+    }
+
     [ServiceLocator(Default = typeof(ContainerOperationProvider))]
     public interface IContainerOperationProvider : IRunnerService
     {
@@ -24,25 +103,57 @@ namespace GitHub.Runner.Worker
 
     public class ContainerOperationProvider : RunnerService, IContainerOperationProvider
     {
-        private IDockerCommandManager _dockerManager;
+        private IDockerCommandManager _dockerManager = null;
 
         public override void Initialize(IHostContext hostContext)
         {
             base.Initialize(hostContext);
-            _dockerManager = HostContext.GetService<IDockerCommandManager>();
+            // _dockerManager = HostContext.GetService<IDockerCommandManager>();
         }
 
         public async Task StartContainersAsync(IExecutionContext executionContext, object data)
         {
             Trace.Entering();
-            if (!Constants.Runner.Platform.Equals(Constants.OSPlatform.Linux))
-            {
-                throw new NotSupportedException("Container operations are only supported on Linux runners");
-            }
+            // if (!Constants.Runner.Platform.Equals(Constants.OSPlatform.Linux))
+            // {
+            //     throw new NotSupportedException("Container operations are only supported on Linux runners");
+            // }
             ArgUtil.NotNull(executionContext, nameof(executionContext));
             List<ContainerInfo> containers = data as List<ContainerInfo>;
             ArgUtil.NotNull(containers, nameof(containers));
 
+            foreach (var container in containers)
+            {
+                if (container.IsJobContainer)
+                {
+                    // Configure job container - Mount workspace and tools, set up environment, and start long running process
+                    var githubContext = executionContext.ExpressionValues["github"] as GitHubContext;
+                    ArgUtil.NotNull(githubContext, nameof(githubContext));
+                    var workingDirectory = githubContext["workspace"] as StringContextData;
+                    ArgUtil.NotNullOrEmpty(workingDirectory, nameof(workingDirectory));
+                    container.MountVolumes.Add(new MountVolume(HostContext.GetDirectory(WellKnownDirectory.Work), container.TranslateToContainerPath(HostContext.GetDirectory(WellKnownDirectory.Work))));
+                    container.MountVolumes.Add(new MountVolume(HostContext.GetDirectory(WellKnownDirectory.Externals), container.TranslateToContainerPath(HostContext.GetDirectory(WellKnownDirectory.Externals)), true));
+                    container.MountVolumes.Add(new MountVolume(HostContext.GetDirectory(WellKnownDirectory.Temp), container.TranslateToContainerPath(HostContext.GetDirectory(WellKnownDirectory.Temp))));
+                    // container.MountVolumes.Add(new MountVolume(HostContext.GetDirectory(WellKnownDirectory.Actions), container.TranslateToContainerPath(HostContext.GetDirectory(WellKnownDirectory.Actions))));
+                    container.MountVolumes.Add(new MountVolume(HostContext.GetDirectory(WellKnownDirectory.Tools), container.TranslateToContainerPath(HostContext.GetDirectory(WellKnownDirectory.Tools))));
+
+                    var tempHomeDirectory = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Temp), "_github_home");
+                    Directory.CreateDirectory(tempHomeDirectory);
+                    container.MountVolumes.Add(new MountVolume(tempHomeDirectory, "/github/home"));
+                    container.AddPathTranslateMapping(tempHomeDirectory, "/github/home");
+                    container.ContainerEnvironmentVariables["HOME"] = container.TranslateToContainerPath(tempHomeDirectory);
+
+                    var tempWorkflowDirectory = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Temp), "_github_workflow");
+                    Directory.CreateDirectory(tempWorkflowDirectory);
+                    container.MountVolumes.Add(new MountVolume(tempWorkflowDirectory, "/github/workflow"));
+                    container.AddPathTranslateMapping(tempWorkflowDirectory, "/github/workflow");
+
+                    container.ContainerWorkDirectory = container.TranslateToContainerPath(workingDirectory);
+                    container.ContainerEntryPoint = "tail";
+                    container.ContainerEntryPointArgs = "-f /dev/null";
+                }
+            }
+
             var postJobStep = new JobExtensionRunner(runAsync: this.StopContainersAsync,
                                                 condition: $"{PipelineTemplateConstants.Always}()",
                                                 displayName: "Stop containers",
@@ -51,9 +162,71 @@ namespace GitHub.Runner.Worker
             executionContext.Debug($"Register post job cleanup for stopping/deleting containers.");
             executionContext.RegisterPostJobStep(postJobStep);
 
-            // Check whether we are inside a container.
-            // Our container feature requires to map working directory from host to the container.
-            // If we are already inside a container, we will not able to find out the real working direcotry path on the host.
+            var podManHandler = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Bin), "kubectlHandler", "index.js");
+            if (File.Exists(podManHandler))
+            {
+                var podmanInput = new ContainerEngineHandlerInput()
+                {
+                    Command = "Create",
+                    CreationInput = new ContainersCreationInput()
+                    {
+                        Containers = containers
+                    }
+                };
+
+                ContainerEngineHandlerOutput podmanOutput = null;
+                using (var processInvoker = HostContext.CreateService<IProcessInvoker>())
+                {
+                    var redirectStandardIn = Channel.CreateUnbounded<string>(new UnboundedChannelOptions() { SingleReader = true, SingleWriter = true });
+                    redirectStandardIn.Writer.TryWrite(JsonUtility.ToString(podmanInput));
+
+                    processInvoker.OutputDataReceived += delegate (object sender, ProcessDataReceivedEventArgs message)
+                    {
+                        executionContext.Output(message.Data);
+                    };
+
+                    processInvoker.ErrorDataReceived += delegate (object sender, ProcessDataReceivedEventArgs message)
+                    {
+                        executionContext.Output(message.Data);
+                        if (podmanOutput == null && message.Data.IndexOf("___CONTAINER_ENGINE_HANDLER_OUTPUT___") >= 0)
+                        {
+                            try
+                            {
+                                podmanOutput = JsonUtility.FromString<ContainerEngineHandlerOutput>(message.Data.Replace("___CONTAINER_ENGINE_HANDLER_OUTPUT___", ""));
+                            }
+                            catch (Exception ex)
+                            {
+                                executionContext.Error(ex);
+                            }
+                        }
+                    };
+
+                    // Execute the process. Exit code 0 should always be returned.
+                    // A non-zero exit code indicates infrastructural failure.
+                    // Task failure should be communicated over STDOUT using ## commands.
+                    await processInvoker.ExecuteAsync(workingDirectory: HostContext.GetDirectory(WellKnownDirectory.Bin),
+                                                      fileName: Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Externals), "node12", "bin", $"node{IOUtil.ExeExtension}"),
+                                                      arguments: podManHandler,
+                                                      environment: null,
+                                                      requireExitCodeZero: false,
+                                                      outputEncoding: Encoding.UTF8,
+                                                      killProcessOnCancel: false,
+                                                      redirectStandardIn: redirectStandardIn,
+                                                      cancellationToken: executionContext.CancellationToken);
+                }
+
+                if (podmanOutput != null)
+                {
+                    executionContext.JobContext.Container["network"] = new StringContextData(podmanOutput.CreationOutput.Network);
+                    executionContext.JobContext.Container["id"] = new StringContextData(podmanOutput.CreationOutput.JobContainerId);
+                    executionContext.Global.Container.ContainerId = podmanOutput.CreationOutput.JobContainerId;
+                }
+            }
+            else
+            {
+                // Check whether we are inside a container.
+                // Our container feature requires to map working directory from host to the container.
+                // If we are already inside a container, we will not able to find out the real working direcotry path on the host.
 #if OS_WINDOWS
             // service CExecSvc is Container Execution Agent.
             ServiceController[] scServices = ServiceController.GetServices();
@@ -62,11 +235,11 @@ namespace GitHub.Runner.Worker
                 throw new NotSupportedException("Container feature is not supported when runner is already running inside container.");
             }
 #else
-            var initProcessCgroup = File.ReadLines("/proc/1/cgroup");
-            if (initProcessCgroup.Any(x => x.IndexOf(":/docker/", StringComparison.OrdinalIgnoreCase) >= 0))
-            {
-                throw new NotSupportedException("Container feature is not supported when runner is already running inside container.");
-            }
+                var initProcessCgroup = File.ReadLines("/proc/1/cgroup");
+                if (initProcessCgroup.Any(x => x.IndexOf(":/docker/", StringComparison.OrdinalIgnoreCase) >= 0))
+                {
+                    throw new NotSupportedException("Container feature is not supported when runner is already running inside container.");
+                }
 #endif
 
 #if OS_WINDOWS
@@ -90,68 +263,69 @@ namespace GitHub.Runner.Worker
             }
 #endif
 
-            // Check docker client/server version
-            executionContext.Output("##[group]Checking docker version");
-            DockerVersion dockerVersion = await _dockerManager.DockerVersion(executionContext);
-            executionContext.Output("##[endgroup]");
+                // Check docker client/server version
+                executionContext.Output("##[group]Checking docker version");
+                DockerVersion dockerVersion = await _dockerManager.DockerVersion(executionContext);
+                executionContext.Output("##[endgroup]");
 
-            ArgUtil.NotNull(dockerVersion.ServerVersion, nameof(dockerVersion.ServerVersion));
-            ArgUtil.NotNull(dockerVersion.ClientVersion, nameof(dockerVersion.ClientVersion));
+                ArgUtil.NotNull(dockerVersion.ServerVersion, nameof(dockerVersion.ServerVersion));
+                ArgUtil.NotNull(dockerVersion.ClientVersion, nameof(dockerVersion.ClientVersion));
 
 #if OS_WINDOWS
             Version requiredDockerEngineAPIVersion = new Version(1, 30);  // Docker-EE version 17.6
 #else
-            Version requiredDockerEngineAPIVersion = new Version(1, 35); // Docker-CE version 17.12
+                Version requiredDockerEngineAPIVersion = new Version(1, 35); // Docker-CE version 17.12
 #endif
 
-            if (dockerVersion.ServerVersion < requiredDockerEngineAPIVersion)
-            {
-                throw new NotSupportedException($"Min required docker engine API server version is '{requiredDockerEngineAPIVersion}', your docker ('{_dockerManager.DockerPath}') server version is '{dockerVersion.ServerVersion}'");
-            }
-            if (dockerVersion.ClientVersion < requiredDockerEngineAPIVersion)
-            {
-                throw new NotSupportedException($"Min required docker engine API client version is '{requiredDockerEngineAPIVersion}', your docker ('{_dockerManager.DockerPath}') client version is '{dockerVersion.ClientVersion}'");
-            }
-
-            // Clean up containers left by previous runs
-            executionContext.Output("##[group]Clean up resources from previous jobs");
-            var staleContainers = await _dockerManager.DockerPS(executionContext, $"--all --quiet --no-trunc --filter \"label={_dockerManager.DockerInstanceLabel}\"");
-            foreach (var staleContainer in staleContainers)
-            {
-                int containerRemoveExitCode = await _dockerManager.DockerRemove(executionContext, staleContainer);
-                if (containerRemoveExitCode != 0)
+                if (dockerVersion.ServerVersion < requiredDockerEngineAPIVersion)
                 {
-                    executionContext.Warning($"Delete stale containers failed, docker rm fail with exit code {containerRemoveExitCode} for container {staleContainer}");
+                    throw new NotSupportedException($"Min required docker engine API server version is '{requiredDockerEngineAPIVersion}', your docker ('{_dockerManager.DockerPath}') server version is '{dockerVersion.ServerVersion}'");
+                }
+                if (dockerVersion.ClientVersion < requiredDockerEngineAPIVersion)
+                {
+                    throw new NotSupportedException($"Min required docker engine API client version is '{requiredDockerEngineAPIVersion}', your docker ('{_dockerManager.DockerPath}') client version is '{dockerVersion.ClientVersion}'");
                 }
-            }
 
-            int networkPruneExitCode = await _dockerManager.DockerNetworkPrune(executionContext);
-            if (networkPruneExitCode != 0)
-            {
-                executionContext.Warning($"Delete stale container networks failed, docker network prune fail with exit code {networkPruneExitCode}");
-            }
-            executionContext.Output("##[endgroup]");
+                // Clean up containers left by previous runs
+                executionContext.Output("##[group]Clean up resources from previous jobs");
+                var staleContainers = await _dockerManager.DockerPS(executionContext, $"--all --quiet --no-trunc --filter \"label={_dockerManager.DockerInstanceLabel}\"");
+                foreach (var staleContainer in staleContainers)
+                {
+                    int containerRemoveExitCode = await _dockerManager.DockerRemove(executionContext, staleContainer);
+                    if (containerRemoveExitCode != 0)
+                    {
+                        executionContext.Warning($"Delete stale containers failed, docker rm fail with exit code {containerRemoveExitCode} for container {staleContainer}");
+                    }
+                }
 
-            // Create local docker network for this job to avoid port conflict when multiple runners run on same machine.
-            // All containers within a job join the same network
-            executionContext.Output("##[group]Create local container network");
-            var containerNetwork = $"github_network_{Guid.NewGuid().ToString("N")}";
-            await CreateContainerNetworkAsync(executionContext, containerNetwork);
-            executionContext.JobContext.Container["network"] = new StringContextData(containerNetwork);
-            executionContext.Output("##[endgroup]");
+                int networkPruneExitCode = await _dockerManager.DockerNetworkPrune(executionContext);
+                if (networkPruneExitCode != 0)
+                {
+                    executionContext.Warning($"Delete stale container networks failed, docker network prune fail with exit code {networkPruneExitCode}");
+                }
+                executionContext.Output("##[endgroup]");
 
-            foreach (var container in containers)
-            {
-                container.ContainerNetwork = containerNetwork;
-                await StartContainerAsync(executionContext, container);
-            }
+                // Create local docker network for this job to avoid port conflict when multiple runners run on same machine.
+                // All containers within a job join the same network
+                executionContext.Output("##[group]Create local container network");
+                var containerNetwork = $"github_network_{Guid.NewGuid().ToString("N")}";
+                await CreateContainerNetworkAsync(executionContext, containerNetwork);
+                executionContext.JobContext.Container["network"] = new StringContextData(containerNetwork);
+                executionContext.Output("##[endgroup]");
 
-            executionContext.Output("##[group]Waiting for all services to be ready");
-            foreach (var container in containers.Where(c => !c.IsJobContainer))
-            {
-                await ContainerHealthcheck(executionContext, container);
+                foreach (var container in containers)
+                {
+                    container.ContainerNetwork = containerNetwork;
+                    await StartContainerAsync(executionContext, container);
+                }
+
+                executionContext.Output("##[group]Waiting for all services to be ready");
+                foreach (var container in containers.Where(c => !c.IsJobContainer))
+                {
+                    await ContainerHealthcheck(executionContext, container);
+                }
+                executionContext.Output("##[endgroup]");
             }
-            executionContext.Output("##[endgroup]");
         }
 
         public async Task StopContainersAsync(IExecutionContext executionContext, object data)
@@ -162,12 +336,69 @@ namespace GitHub.Runner.Worker
             List<ContainerInfo> containers = data as List<ContainerInfo>;
             ArgUtil.NotNull(containers, nameof(containers));
 
-            foreach (var container in containers)
+            var podManHandler = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Bin), "kubectlHandler", "index.js");
+            if (File.Exists(podManHandler))
             {
-                await StopContainerAsync(executionContext, container);
+                var podmanInput = new ContainerEngineHandlerInput()
+                {
+                    Command = "Remove",
+                    RemoveInput = new ContainersRemoveInput()
+                    {
+                        Network = executionContext.JobContext.Container["network"].ToString(),
+                        JobContainerId = executionContext.JobContext.Container["id"].ToString()
+                    }
+                };
+
+                ContainerEngineHandlerOutput podmanOutput = null;
+                using (var processInvoker = HostContext.CreateService<IProcessInvoker>())
+                {
+                    var redirectStandardIn = Channel.CreateUnbounded<string>(new UnboundedChannelOptions() { SingleReader = true, SingleWriter = true });
+                    redirectStandardIn.Writer.TryWrite(JsonUtility.ToString(podmanInput));
+
+                    processInvoker.OutputDataReceived += delegate (object sender, ProcessDataReceivedEventArgs message)
+                    {
+                        executionContext.Output(message.Data);
+                    };
+
+                    processInvoker.ErrorDataReceived += delegate (object sender, ProcessDataReceivedEventArgs message)
+                    {
+                        executionContext.Output(message.Data);
+                        if (podmanOutput == null && message.Data.IndexOf("___CONTAINER_ENGINE_HANDLER_OUTPUT___") >= 0)
+                        {
+                            try
+                            {
+                                podmanOutput = JsonUtility.FromString<ContainerEngineHandlerOutput>(message.Data.Replace("___CONTAINER_ENGINE_HANDLER_OUTPUT___", ""));
+                            }
+                            catch (Exception ex)
+                            {
+                                executionContext.Error(ex);
+                            }
+                        }
+                    };
+
+                    // Execute the process. Exit code 0 should always be returned.
+                    // A non-zero exit code indicates infrastructural failure.
+                    // Task failure should be communicated over STDOUT using ## commands.
+                    await processInvoker.ExecuteAsync(workingDirectory: HostContext.GetDirectory(WellKnownDirectory.Work),
+                                                      fileName: Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Externals), "node12", "bin", $"node{IOUtil.ExeExtension}"),
+                                                      arguments: podManHandler,
+                                                      environment: null,
+                                                      requireExitCodeZero: false,
+                                                      outputEncoding: Encoding.UTF8,
+                                                      killProcessOnCancel: false,
+                                                      redirectStandardIn: redirectStandardIn,
+                                                      cancellationToken: executionContext.CancellationToken);
+                }
+            }
+            else
+            {
+                foreach (var container in containers)
+                {
+                    await StopContainerAsync(executionContext, container);
+                }
+                // Remove the container network
+                await RemoveContainerNetworkAsync(executionContext, containers.First().ContainerNetwork);
             }
-            // Remove the container network
-            await RemoveContainerNetworkAsync(executionContext, containers.First().ContainerNetwork);
         }
 
         private async Task StartContainerAsync(IExecutionContext executionContext, ContainerInfo container)

src/Runner.Worker/GitHubContext.cs

@@ -23,6 +23,9 @@ namespace GitHub.Runner.Worker
             "job",
             "path",
             "ref",
+            "ref_name",
+            "ref_protected",
+            "ref_type",
             "repository",
             "repository_owner",
             "retention_days",
@@ -39,9 +42,16 @@ namespace GitHub.Runner.Worker
         {
             foreach (var data in this)
             {
-                if (_contextEnvAllowlist.Contains(data.Key) && data.Value is StringContextData value)
+                if (_contextEnvAllowlist.Contains(data.Key))
                 {
-                    yield return new KeyValuePair<string, string>($"GITHUB_{data.Key.ToUpperInvariant()}", value);
+                    if (data.Value is StringContextData value)
+                    {
+                        yield return new KeyValuePair<string, string>($"GITHUB_{data.Key.ToUpperInvariant()}", value);
+                    }
+                    else if (data.Value is BooleanContextData booleanValue)
+                    {
+                        yield return new KeyValuePair<string, string>($"GITHUB_{data.Key.ToUpperInvariant()}", booleanValue.ToString());
+                    }
                 }
             }
         }

src/Runner.Worker/Handlers/StepHost.cs

@@ -21,6 +21,8 @@ namespace GitHub.Runner.Worker.Handlers
         event EventHandler<ProcessDataReceivedEventArgs> OutputDataReceived;
         event EventHandler<ProcessDataReceivedEventArgs> ErrorDataReceived;
 
+        IExecutionContext ExecutionContext { get; set; }
+
         string ResolvePathForStepHost(string path);
 
         Task<string> DetermineNodeRuntimeVersion(IExecutionContext executionContext);
@@ -53,6 +55,8 @@ namespace GitHub.Runner.Worker.Handlers
         public event EventHandler<ProcessDataReceivedEventArgs> OutputDataReceived;
         public event EventHandler<ProcessDataReceivedEventArgs> ErrorDataReceived;
 
+        public IExecutionContext ExecutionContext { get; set; }
+
         public string ResolvePathForStepHost(string path)
         {
             return path;
@@ -99,6 +103,8 @@ namespace GitHub.Runner.Worker.Handlers
         public event EventHandler<ProcessDataReceivedEventArgs> OutputDataReceived;
         public event EventHandler<ProcessDataReceivedEventArgs> ErrorDataReceived;
 
+        public IExecutionContext ExecutionContext { get; set; }
+
         public string ResolvePathForStepHost(string path)
         {
             // make sure container exist.
@@ -174,69 +180,138 @@ namespace GitHub.Runner.Worker.Handlers
             ArgUtil.NotNull(Container, nameof(Container));
             ArgUtil.NotNullOrEmpty(Container.ContainerId, nameof(Container.ContainerId));
 
-            var dockerManager = HostContext.GetService<IDockerCommandManager>();
-            string dockerClientPath = dockerManager.DockerPath;
-
-            // Usage:  docker exec [OPTIONS] CONTAINER COMMAND [ARG...]
-            IList<string> dockerCommandArgs = new List<string>();
-            dockerCommandArgs.Add($"exec");
-
-            // [OPTIONS]
-            dockerCommandArgs.Add($"-i");
-            dockerCommandArgs.Add($"--workdir {workingDirectory}");
-            foreach (var env in environment)
+            var podManHandler = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Bin), "kubectlHandler", "index.js");
+            if (File.Exists(podManHandler))
             {
-                // e.g. -e MY_SECRET maps the value into the exec'ed process without exposing
-                // the value directly in the command
-                dockerCommandArgs.Add($"-e {env.Key}");
+                var podmanInput = new ContainerEngineHandlerInput()
+                {
+                    Command = "Exec",
+                    ExecInput = new JobContainerExecInput()
+                    {
+                        JobContainer = this.Container,
+                        WorkingDirectory = workingDirectory,
+                        FileName = fileName,
+                        Arguments = arguments,
+                        EnvironmentKeys = environment.Keys.ToList(),
+                        EnvironmentVariables = environment.ToDictionary(x => x.Key, y => y.Value)
+                    }
+                };
+
+                // make sure all env are using container path
+                foreach (var envKey in environment.Keys.ToList())
+                {
+                    environment[envKey] = this.Container.TranslateToContainerPath(environment[envKey]);
+                }
+
+                // ContainerEngineHandlerOutput podmanOutput = null;
+                using (var processInvoker = HostContext.CreateService<IProcessInvoker>())
+                {
+                    var redirectStandardIn = Channel.CreateUnbounded<string>(new UnboundedChannelOptions() { SingleReader = true, SingleWriter = true });
+                    redirectStandardIn.Writer.TryWrite(JsonUtility.ToString(podmanInput));
+
+                    // processInvoker.OutputDataReceived += delegate (object sender, ProcessDataReceivedEventArgs message)
+                    // {
+                    //     ExecutionContext.Output(message.Data);
+                    // };
+
+                    // processInvoker.ErrorDataReceived += delegate (object sender, ProcessDataReceivedEventArgs message)
+                    // {
+                    //     executionContext.Output(message.Data);
+                    //     if (podmanOutput == null && message.Data.IndexOf("___CONTAINER_ENGINE_HANDLER_OUTPUT___") >= 0)
+                    //     {
+                    //         try
+                    //         {
+                    //             podmanOutput = JsonUtility.FromString<ContainerEngineHandlerOutput>(message.Data.Replace("___CONTAINER_ENGINE_HANDLER_OUTPUT___", ""));
+                    //         }
+                    //         catch (Exception ex)
+                    //         {
+                    //             executionContext.Error(ex);
+                    //         }
+                    //     }
+                    // };
+                    processInvoker.OutputDataReceived += OutputDataReceived;
+                    processInvoker.ErrorDataReceived += ErrorDataReceived;
+
+                    // Execute the process. Exit code 0 should always be returned.
+                    // A non-zero exit code indicates infrastructural failure.
+                    // Task failure should be communicated over STDOUT using ## commands.
+                    return await processInvoker.ExecuteAsync(workingDirectory: HostContext.GetDirectory(WellKnownDirectory.Work),
+                                                      fileName: Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Externals), "node12", "bin", $"node{IOUtil.ExeExtension}"),
+                                                      arguments: podManHandler,
+                                                      environment: environment,
+                                                      requireExitCodeZero: requireExitCodeZero,
+                                                      outputEncoding: Encoding.UTF8,
+                                                      killProcessOnCancel: killProcessOnCancel,
+                                                      redirectStandardIn: redirectStandardIn,
+                                                      cancellationToken: cancellationToken);
+                }
             }
-            if (!string.IsNullOrEmpty(PrependPath))
+            else
             {
-                // Prepend tool paths to container's PATH
-                var fullPath = !string.IsNullOrEmpty(Container.ContainerRuntimePath) ? $"{PrependPath}:{Container.ContainerRuntimePath}" : PrependPath;
-                dockerCommandArgs.Add($"-e PATH=\"{fullPath}\"");
-            }
+                var dockerManager = HostContext.GetService<IDockerCommandManager>();
+                string dockerClientPath = dockerManager.DockerPath;
 
-            // CONTAINER
-            dockerCommandArgs.Add($"{Container.ContainerId}");
+                // Usage:  docker exec [OPTIONS] CONTAINER COMMAND [ARG...]
+                IList<string> dockerCommandArgs = new List<string>();
+                dockerCommandArgs.Add($"exec");
 
-            // COMMAND
-            dockerCommandArgs.Add(fileName);
+                // [OPTIONS]
+                dockerCommandArgs.Add($"-i");
+                dockerCommandArgs.Add($"--workdir {workingDirectory}");
+                foreach (var env in environment)
+                {
+                    // e.g. -e MY_SECRET maps the value into the exec'ed process without exposing
+                    // the value directly in the command
+                    dockerCommandArgs.Add($"-e {env.Key}");
+                }
+                if (!string.IsNullOrEmpty(PrependPath))
+                {
+                    // Prepend tool paths to container's PATH
+                    var fullPath = !string.IsNullOrEmpty(Container.ContainerRuntimePath) ? $"{PrependPath}:{Container.ContainerRuntimePath}" : PrependPath;
+                    dockerCommandArgs.Add($"-e PATH=\"{fullPath}\"");
+                }
 
-            // [ARG...]
-            dockerCommandArgs.Add(arguments);
+                // CONTAINER
+                dockerCommandArgs.Add($"{Container.ContainerId}");
 
-            string dockerCommandArgstring = string.Join(" ", dockerCommandArgs);
+                // COMMAND
+                dockerCommandArgs.Add(fileName);
 
-            // make sure all env are using container path
-            foreach (var envKey in environment.Keys.ToList())
-            {
-                environment[envKey] = this.Container.TranslateToContainerPath(environment[envKey]);
-            }
+                // [ARG...]
+                dockerCommandArgs.Add(arguments);
 
-            using (var processInvoker = HostContext.CreateService<IProcessInvoker>())
-            {
-                processInvoker.OutputDataReceived += OutputDataReceived;
-                processInvoker.ErrorDataReceived += ErrorDataReceived;
+                string dockerCommandArgstring = string.Join(" ", dockerCommandArgs);
+
+                // make sure all env are using container path
+                foreach (var envKey in environment.Keys.ToList())
+                {
+                    environment[envKey] = this.Container.TranslateToContainerPath(environment[envKey]);
+                }
+
+                using (var processInvoker = HostContext.CreateService<IProcessInvoker>())
+                {
+                    processInvoker.OutputDataReceived += OutputDataReceived;
+                    processInvoker.ErrorDataReceived += ErrorDataReceived;
 
 #if OS_WINDOWS
                 // It appears that node.exe outputs UTF8 when not in TTY mode.
                 outputEncoding = Encoding.UTF8;
 #else
-                // Let .NET choose the default.
-                outputEncoding = null;
+                    // Let .NET choose the default.
+                    outputEncoding = null;
 #endif
 
-                return await processInvoker.ExecuteAsync(workingDirectory: HostContext.GetDirectory(WellKnownDirectory.Work),
-                                                         fileName: dockerClientPath,
-                                                         arguments: dockerCommandArgstring,
-                                                         environment: environment,
-                                                         requireExitCodeZero: requireExitCodeZero,
-                                                         outputEncoding: outputEncoding,
-                                                         killProcessOnCancel: killProcessOnCancel,
-                                                         redirectStandardIn: null,
-                                                         inheritConsoleHandler: inheritConsoleHandler,
-                                                         cancellationToken: cancellationToken);
+                    return await processInvoker.ExecuteAsync(workingDirectory: HostContext.GetDirectory(WellKnownDirectory.Work),
+                                                             fileName: dockerClientPath,
+                                                             arguments: dockerCommandArgstring,
+                                                             environment: environment,
+                                                             requireExitCodeZero: requireExitCodeZero,
+                                                             outputEncoding: outputEncoding,
+                                                             killProcessOnCancel: killProcessOnCancel,
+                                                             redirectStandardIn: null,
+                                                             inheritConsoleHandler: inheritConsoleHandler,
+                                                             cancellationToken: cancellationToken);
+                }
             }
         }
     }

src/Runner.Worker/JobRunner.cs

@@ -7,6 +7,7 @@ using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using System.Net.Http;
@@ -228,6 +229,9 @@ namespace GitHub.Runner.Worker
                 return result;
             }
 
+            // Load any upgrade telemetry
+            LoadFromTelemetryFile(jobContext.JobTelemetry);
+
             // Make sure we don't submit secrets as telemetry
             MaskTelemetrySecrets(jobContext.JobTelemetry);
 
@@ -285,6 +289,30 @@ namespace GitHub.Runner.Worker
             }
         }
 
+        private void LoadFromTelemetryFile(List<JobTelemetry> jobTelemetry)
+        {
+            try
+            {
+                var telemetryFilePath = HostContext.GetConfigFile(WellKnownConfigFile.Telemetry);
+                if (File.Exists(telemetryFilePath))
+                {
+                    var telemetryData = File.ReadAllText(telemetryFilePath, Encoding.UTF8);
+                    var telemetry = new JobTelemetry
+                    {
+                        Message = $"Runner File Telemetry:\n{telemetryData}",
+                        Type = JobTelemetryType.General
+                    };
+                    jobTelemetry.Add(telemetry);
+                    IOUtil.DeleteFile(telemetryFilePath);
+                }
+            }
+            catch (Exception e)
+            {
+                Trace.Error("Error when trying to load telemetry from telemetry file");
+                Trace.Error(e);
+            }
+        }
+
         private async Task ShutdownQueue(bool throwOnFailure)
         {
             if (_jobServerQueue != null)

src/Test/L0/Worker/ActionCommandManagerL0.cs

@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.IO;
 using System.Runtime.CompilerServices;
+using GitHub.DistributedTask.Pipelines.ContextData;
 using GitHub.DistributedTask.WebApi;
 using GitHub.Runner.Worker;
 using GitHub.Runner.Worker.Container;
@@ -83,6 +84,7 @@ namespace GitHub.Runner.Common.Tests.Worker
         {
             using (TestHostContext hc = CreateTestContext())
             {
+                _ec.Setup(x => x.ExpressionValues).Returns(GetExpressionValues());
                 _ec.Setup(x => x.Write(It.IsAny<string>(), It.IsAny<string>()))
                    .Returns((string tag, string line) =>
                             {
@@ -105,6 +107,88 @@ namespace GitHub.Runner.Common.Tests.Worker
             }
         }
 
+        [Theory]
+        [InlineData("stop-commands", "1")]
+        [InlineData("", "1")]
+        [InlineData("set-env", "1")]
+        [InlineData("stop-commands", "true")]
+        [InlineData("", "true")]
+        [InlineData("set-env", "true")]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void StopProcessCommand__AllowsInvalidStopTokens__IfEnvVarIsSet(string invalidToken, string allowUnsupportedStopCommandTokens)
+        {
+            using (TestHostContext hc = CreateTestContext())
+            {
+                _ec.Object.Global.EnvironmentVariables = new Dictionary<string, string>();
+                var expressionValues = new DictionaryContextData
+            {
+                ["env"] =
+#if OS_WINDOWS
+                        new DictionaryContextData{ { Constants.Variables.Actions.AllowUnsupportedStopCommandTokens, new StringContextData(allowUnsupportedStopCommandTokens) }}
+#else
+                        new CaseSensitiveDictionaryContextData{ { Constants.Variables.Actions.AllowUnsupportedStopCommandTokens, new StringContextData(allowUnsupportedStopCommandTokens) }}
+#endif
+            };
+                _ec.Setup(x => x.ExpressionValues).Returns(expressionValues);
+                _ec.Setup(x => x.JobTelemetry).Returns(new List<JobTelemetry>());
+
+                Assert.True(_commandManager.TryProcessCommand(_ec.Object, $"::stop-commands::{invalidToken}", null));
+            }
+        }
+
+        [Theory]
+        [InlineData("stop-commands")]
+        [InlineData("")]
+        [InlineData("set-env")]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void StopProcessCommand__FailOnInvalidStopTokens(string invalidToken)
+        {
+            using (TestHostContext hc = CreateTestContext())
+            {
+                _ec.Object.Global.EnvironmentVariables = new Dictionary<string, string>();
+                _ec.Setup(x => x.ExpressionValues).Returns(GetExpressionValues());
+                _ec.Setup(x => x.JobTelemetry).Returns(new List<JobTelemetry>());
+                Assert.Throws<Exception>(() => _commandManager.TryProcessCommand(_ec.Object, $"::stop-commands::{invalidToken}", null));
+            }
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void StopProcessCommandAcceptsValidToken()
+        {
+            var validToken = "randomToken";
+            using (TestHostContext hc = CreateTestContext())
+            {
+                _ec.Setup(x => x.ExpressionValues).Returns(GetExpressionValues());
+                Assert.True(_commandManager.TryProcessCommand(_ec.Object, $"::stop-commands::{validToken}", null));
+                Assert.False(_commandManager.TryProcessCommand(_ec.Object, "##[set-env name=foo]bar", null));
+                Assert.True(_commandManager.TryProcessCommand(_ec.Object, $"::{validToken}::", null));
+                Assert.True(_commandManager.TryProcessCommand(_ec.Object, "##[set-env name=foo]bar", null));
+            }
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void StopProcessCommandMasksValidTokenForEntireRun()
+        {
+            var validToken = "randomToken";
+            using (TestHostContext hc = CreateTestContext())
+            {
+                _ec.Setup(x => x.ExpressionValues).Returns(GetExpressionValues());
+                Assert.True(_commandManager.TryProcessCommand(_ec.Object, $"::stop-commands::{validToken}", null));
+                Assert.False(_commandManager.TryProcessCommand(_ec.Object, "##[set-env name=foo]bar", null));
+                Assert.Equal("***", hc.SecretMasker.MaskSecrets(validToken));
+
+                Assert.True(_commandManager.TryProcessCommand(_ec.Object, $"::{validToken}::", null));
+                Assert.True(_commandManager.TryProcessCommand(_ec.Object, "##[set-env name=foo]bar", null));
+                Assert.Equal("***", hc.SecretMasker.MaskSecrets(validToken));
+            }
+        }
+
         [Fact]
         [Trait("Level", "L0")]
         [Trait("Category", "Worker")]
@@ -202,15 +286,15 @@ namespace GitHub.Runner.Common.Tests.Worker
                                 return 1;
                             });
 
-                var registeredCommands = new HashSet<string>(new string[1]{ "warning" });
+                var registeredCommands = new HashSet<string>(new string[1] { "warning" });
                 ActionCommand command;
-                
+
                 // Columns when lines are different
                 ActionCommand.TryParseV2("::warning line=1,endLine=2,col=1,endColumn=2::this is a warning", registeredCommands, out command);
                 Assert.Equal("1", command.Properties["col"]);
                 IssueCommandExtension.ValidateLinesAndColumns(command, _ec.Object);
                 Assert.False(command.Properties.ContainsKey("col"));
-            
+
                 // No lines with columns
                 ActionCommand.TryParseV2("::warning col=1,endColumn=2::this is a warning", registeredCommands, out command);
                 Assert.Equal("1", command.Properties["col"]);
@@ -375,5 +459,19 @@ namespace GitHub.Runner.Common.Tests.Worker
 
             return hostContext;
         }
+
+        private DictionaryContextData GetExpressionValues()
+        {
+            return new DictionaryContextData
+            {
+                ["env"] =
+#if OS_WINDOWS
+                        new DictionaryContextData()
+#else
+                        new CaseSensitiveDictionaryContextData()
+#endif
+            };
+        }
+
     }
 }

src/dir.proj

@@ -2,10 +2,10 @@
 <Project ToolsVersion="14.0" DefaultTargets="Build" 
     xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
     <Target Name="GenerateConstant">
-        <Exec Command="git rev-parse HEAD" ConsoleToMSBuild="true">
+        <!-- <Exec Command="git rev-parse HEAD" ConsoleToMSBuild="true">
             <Output TaskParameter="ConsoleOutput" PropertyName="GitInfoCommitHash" />
-        </Exec>
-        <Message Text="Building $(Product): $(GitInfoCommitHash) --- $(PackageRuntime)" Importance="high"/>
+        </Exec> -->
+        <Message Text="Building $(Product): --- $(PackageRuntime)" Importance="high"/>
 
         <ItemGroup>
             <BuildConstants Include="namespace GitHub.Runner.Sdk"/>
@@ -14,7 +14,7 @@
             <BuildConstants Include="%20%20%20%20{"/>
             <BuildConstants Include="%20%20%20%20%20%20%20%20public static class Source"/>
             <BuildConstants Include="%20%20%20%20%20%20%20%20{"/>
-            <BuildConstants Include="%20%20%20%20%20%20%20%20%20%20%20%20public static readonly string CommitHash = %22$(GitInfoCommitHash)%22%3B"/>
+            <BuildConstants Include="%20%20%20%20%20%20%20%20%20%20%20%20public static readonly string CommitHash = %22dfcfae49e59b6dc3c2bb5295c649b33c4b49c964%22%3B"/>
             <BuildConstants Include="%20%20%20%20%20%20%20%20}%0A"/>
             <BuildConstants Include="%20%20%20%20%20%20%20%20public static class RunnerPackage"/>
             <BuildConstants Include="%20%20%20%20%20%20%20%20{"/>
@@ -27,7 +27,6 @@
 
         <WriteLinesToFile File="Runner.Sdk/BuildConstants.cs" Lines="@(BuildConstants)" Overwrite="true" />
 
-        <Exec Command="git update-index --assume-unchanged ./Runner.Sdk/BuildConstants.cs" ConsoleToMSBuild="true" />
     </Target>
 
     <ItemGroup>

src/runnerversion

@@ -1 +1 @@
-2.283.1
+2.283.3