Update releaseVersion

* set env in ProcessInvoker sanitized (#2280)

* set env in ProcessInvoker sanitized

* Update runnerversion and rel notes and make it prerelase

---------

Co-authored-by: Stefan Ruvceski <96768603+ruvceskistefan@users.noreply.github.com>

.devcontainer/devcontainer.json

@@ -0,0 +1,24 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
+{
+	"name": "Actions Runner Devcontainer",
+	"image": "mcr.microsoft.com/devcontainers/base:focal",
+	"features": {
+		"ghcr.io/devcontainers/features/docker-in-docker:1": {},
+		"ghcr.io/devcontainers/features/dotnet": {
+			"version": "6.0.300"
+		}
+	},
+	"customizations": {
+		"vscode": {
+			"extensions": [
+				"ms-azuretools.vscode-docker",
+				"ms-dotnettools.csharp",
+				"eamodio.gitlens"
+			]
+		}
+	},
+	// dotnet restore to install dependencies so OmniSharp works out of the box
+	// src/Test restores all other projects it references, src/Runner.PluginHost is not one of them
+	"postCreateCommand": "dotnet restore src/Test && dotnet restore src/Runner.PluginHost",
+	"remoteUser": "vscode"
+}

.editorconfig

@@ -1,6 +1,7 @@
 # https://editorconfig.org/
 
 [*]
+charset = utf-8 # Set default charset to utf-8
 insert_final_newline = true # ensure all files end with a single newline
 trim_trailing_whitespace = true # attempt to remove trailing whitespace on save
 

.github/workflows/build.yml

@@ -10,7 +10,7 @@ on:
     - '**.md'
   pull_request:
     branches:
-    - '*'
+    - '**'
     paths-ignore:
     - '**.md'
 
@@ -18,7 +18,7 @@ jobs:
   build:
     strategy:
       matrix:
-        runtime: [ linux-x64, linux-arm64, linux-arm, win-x64, osx-x64 ]
+        runtime: [ linux-x64, linux-arm64, linux-arm, win-x64, win-arm64, osx-x64, osx-arm64 ]
         include:
         - runtime: linux-x64
           os: ubuntu-latest
@@ -36,13 +36,21 @@ jobs:
           os: macOS-latest
           devScript: ./dev.sh
 
+        - runtime: osx-arm64
+          os: macOS-latest
+          devScript: ./dev.sh
+
         - runtime: win-x64
           os: windows-2019
           devScript: ./dev
 
+        - runtime: win-arm64
+          os: windows-latest
+          devScript: ./dev
+
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     # Build runner layout
     - name: Build & Layout Release
@@ -50,13 +58,6 @@ jobs:
         ${{ matrix.devScript }} layout Release ${{ matrix.runtime }}
       working-directory: src
 
-    # Run tests
-    - name: L0
-      run: |
-        ${{ matrix.devScript }} test
-      working-directory: src
-      if: matrix.runtime != 'linux-arm64' && matrix.runtime != 'linux-arm'
-
     # Check runtime/externals hash
     - name: Compute/Compare runtime and externals Hash
       shell: bash
@@ -80,6 +81,13 @@ jobs:
         DOTNET_RUNTIME_HASH: ${{hashFiles('**/_layout_trims/runtime/**/*')}}
         EXTERNALS_HASH: ${{hashFiles('**/_layout_trims/externals/**/*')}}
 
+    # Run tests
+    - name: L0
+      run: |
+        ${{ matrix.devScript }} test
+      working-directory: src
+      if: matrix.runtime != 'linux-arm64' && matrix.runtime != 'linux-arm' && matrix.runtime != 'osx-arm64' && matrix.runtime != 'win-arm64'
+
     # Create runner package tar.gz/zip
     - name: Package Release
       if: github.event_name != 'pull_request'
@@ -93,7 +101,7 @@ jobs:
       uses: actions/upload-artifact@v2
       with:
         name: runner-package-${{ matrix.runtime }}
-        path: | 
+        path: |
           _package
           _package_trims/trim_externals
           _package_trims/trim_runtime

.github/workflows/codeql.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/lint.yml

@@ -0,0 +1,25 @@
+name: Lint
+
+on:
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  build:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          # Ensure full list of changed files within `super-linter`
+          fetch-depth: 0
+      - name: Run linters
+        uses: github/super-linter@v4
+        env:
+          DEFAULT_BRANCH: ${{ github.base_ref }}
+          DISABLE_ERRORS: true
+          EDITORCONFIG_FILE_NAME: .editorconfig
+          LINTER_RULES_PATH: /src/
+          VALIDATE_ALL_CODEBASE: false
+          VALIDATE_CSHARP: true

.github/workflows/release.yml

@@ -11,7 +11,7 @@ jobs:
     if: startsWith(github.ref, 'refs/heads/releases/') || github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     # Make sure ./releaseVersion match ./src/runnerversion
     # Query GitHub release ensure version is not used
@@ -50,25 +50,33 @@ jobs:
       linux-arm64-sha: ${{ steps.sha.outputs.linux-arm64-sha256 }}
       linux-arm-sha: ${{ steps.sha.outputs.linux-arm-sha256 }}
       win-x64-sha: ${{ steps.sha.outputs.win-x64-sha256 }}
+      win-arm64-sha: ${{ steps.sha.outputs.win-arm64-sha256 }}
       osx-x64-sha: ${{ steps.sha.outputs.osx-x64-sha256 }}
+      osx-arm64-sha: ${{ steps.sha.outputs.osx-arm64-sha256 }}
       linux-x64-sha-noexternals: ${{ steps.sha_noexternals.outputs.linux-x64-sha256 }}
       linux-arm64-sha-noexternals: ${{ steps.sha_noexternals.outputs.linux-arm64-sha256 }}
       linux-arm-sha-noexternals: ${{ steps.sha_noexternals.outputs.linux-arm-sha256 }}
       win-x64-sha-noexternals: ${{ steps.sha_noexternals.outputs.win-x64-sha256 }}
+      win-arm64-sha-noexternals: ${{ steps.sha_noexternals.outputs.win-arm64-sha256 }}
       osx-x64-sha-noexternals: ${{ steps.sha_noexternals.outputs.osx-x64-sha256 }}
+      osx-arm64-sha-noexternals: ${{ steps.sha_noexternals.outputs.osx-arm64-sha256 }}
       linux-x64-sha-noruntime: ${{ steps.sha_noruntime.outputs.linux-x64-sha256 }}
       linux-arm64-sha-noruntime: ${{ steps.sha_noruntime.outputs.linux-arm64-sha256 }}
       linux-arm-sha-noruntime: ${{ steps.sha_noruntime.outputs.linux-arm-sha256 }}
       win-x64-sha-noruntime: ${{ steps.sha_noruntime.outputs.win-x64-sha256 }}
+      win-arm64-sha-noruntime: ${{ steps.sha_noruntime.outputs.win-arm64-sha256 }}
       osx-x64-sha-noruntime: ${{ steps.sha_noruntime.outputs.osx-x64-sha256 }}
+      osx-arm64-sha-noruntime: ${{ steps.sha_noruntime.outputs.osx-arm64-sha256 }}
       linux-x64-sha-noruntime-noexternals: ${{ steps.sha_noruntime_noexternals.outputs.linux-x64-sha256 }}
       linux-arm64-sha-noruntime-noexternals: ${{ steps.sha_noruntime_noexternals.outputs.linux-arm64-sha256 }}
       linux-arm-sha-noruntime-noexternals: ${{ steps.sha_noruntime_noexternals.outputs.linux-arm-sha256 }}
       win-x64-sha-noruntime-noexternals: ${{ steps.sha_noruntime_noexternals.outputs.win-x64-sha256 }}
+      win-arm64-sha-noruntime-noexternals: ${{ steps.sha_noruntime_noexternals.outputs.win-arm64-sha256 }}
       osx-x64-sha-noruntime-noexternals: ${{ steps.sha_noruntime_noexternals.outputs.osx-x64-sha256 }}
+      osx-arm64-sha-noruntime-noexternals: ${{ steps.sha_noruntime_noexternals.outputs.osx-arm64-sha256 }}
     strategy:
       matrix:
-        runtime: [ linux-x64, linux-arm64, linux-arm, win-x64, osx-x64 ]
+        runtime: [ linux-x64, linux-arm64, linux-arm, win-x64, osx-x64, osx-arm64, win-arm64 ]
         include:
         - runtime: linux-x64
           os: ubuntu-latest
@@ -86,13 +94,21 @@ jobs:
           os: macOS-latest
           devScript: ./dev.sh
 
+        - runtime: osx-arm64
+          os: macOS-latest
+          devScript: ./dev.sh
+
         - runtime: win-x64
           os: windows-2019
           devScript: ./dev
 
+        - runtime: win-arm64
+          os: windows-latest
+          devScript: ./dev
+
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     # Build runner layout
     - name: Build & Layout Release
@@ -100,13 +116,6 @@ jobs:
         ${{ matrix.devScript }} layout Release ${{ matrix.runtime }}
       working-directory: src
 
-    # Run tests
-    - name: L0
-      run: |
-        ${{ matrix.devScript }} test
-      working-directory: src
-      if: matrix.runtime != 'linux-arm64' && matrix.runtime != 'linux-arm'
-
     # Create runner package tar.gz/zip
     - name: Package Release
       if: github.event_name != 'pull_request'
@@ -157,9 +166,9 @@ jobs:
       id: sha_noruntime_noexternals
       name: Compute SHA256
       working-directory: _package_trims/trim_runtime_externals
-    
+
     - name: Create trimmedpackages.json for ${{ matrix.runtime }}
-      if: matrix.runtime == 'win-x64'
+      if: matrix.runtime == 'win-x64' || matrix.runtime == 'win-arm64'
       uses: actions/github-script@0.3.0
       with:
         github-token: ${{secrets.GITHUB_TOKEN}}
@@ -179,7 +188,7 @@ jobs:
           fs.writeFileSync('${{ matrix.runtime }}-trimmedpackages.json', trimmedPackages)
 
     - name: Create trimmedpackages.json for ${{ matrix.runtime }}
-      if: matrix.runtime != 'win-x64'
+      if: matrix.runtime != 'win-x64' && matrix.runtime != 'win-arm64'
       uses: actions/github-script@0.3.0
       with:
         github-token: ${{secrets.GITHUB_TOKEN}}
@@ -217,7 +226,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     # Download runner package tar.gz/zip produced by 'build' job
     - name: Download Artifact
@@ -238,28 +247,49 @@ jobs:
           const runnerVersion = fs.readFileSync('${{ github.workspace }}/src/runnerversion', 'utf8').replace(/\n$/g, '')
           var releaseNote = fs.readFileSync('${{ github.workspace }}/releaseNote.md', 'utf8').replace(/<RUNNER_VERSION>/g, runnerVersion)
           releaseNote = releaseNote.replace(/<WIN_X64_SHA>/g, '${{needs.build.outputs.win-x64-sha}}')
+          releaseNote = releaseNote.replace(/<WIN_ARM64_SHA>/g, '${{needs.build.outputs.win-arm64-sha}}')
           releaseNote = releaseNote.replace(/<OSX_X64_SHA>/g, '${{needs.build.outputs.osx-x64-sha}}')
+          releaseNote = releaseNote.replace(/<OSX_ARM64_SHA>/g, '${{needs.build.outputs.osx-arm64-sha}}')
           releaseNote = releaseNote.replace(/<LINUX_X64_SHA>/g, '${{needs.build.outputs.linux-x64-sha}}')
           releaseNote = releaseNote.replace(/<LINUX_ARM_SHA>/g, '${{needs.build.outputs.linux-arm-sha}}')
           releaseNote = releaseNote.replace(/<LINUX_ARM64_SHA>/g, '${{needs.build.outputs.linux-arm64-sha}}')
           releaseNote = releaseNote.replace(/<WIN_X64_SHA_NOEXTERNALS>/g, '${{needs.build.outputs.win-x64-sha-noexternals}}')
+          releaseNote = releaseNote.replace(/<WIN_ARM64_SHA_NOEXTERNALS>/g, '${{needs.build.outputs.win-arm64-sha-noexternals}}')
           releaseNote = releaseNote.replace(/<OSX_X64_SHA_NOEXTERNALS>/g, '${{needs.build.outputs.osx-x64-sha-noexternals}}')
+          releaseNote = releaseNote.replace(/<OSX_ARM64_SHA_NOEXTERNALS>/g, '${{needs.build.outputs.osx-arm64-sha-noexternals}}')
           releaseNote = releaseNote.replace(/<LINUX_X64_SHA_NOEXTERNALS>/g, '${{needs.build.outputs.linux-x64-sha-noexternals}}')
           releaseNote = releaseNote.replace(/<LINUX_ARM_SHA_NOEXTERNALS>/g, '${{needs.build.outputs.linux-arm-sha-noexternals}}')
           releaseNote = releaseNote.replace(/<LINUX_ARM64_SHA_NOEXTERNALS>/g, '${{needs.build.outputs.linux-arm64-sha-noexternals}}')
           releaseNote = releaseNote.replace(/<WIN_X64_SHA_NORUNTIME>/g, '${{needs.build.outputs.win-x64-sha-noruntime}}')
+          releaseNote = releaseNote.replace(/<WIN_ARM64_SHA_NORUNTIME>/g, '${{needs.build.outputs.win-arm64-sha-noruntime}}')
           releaseNote = releaseNote.replace(/<OSX_X64_SHA_NORUNTIME>/g, '${{needs.build.outputs.osx-x64-sha-noruntime}}')
+          releaseNote = releaseNote.replace(/<OSX_ARM64_SHA_NORUNTIME>/g, '${{needs.build.outputs.osx-arm64-sha-noruntime}}')
           releaseNote = releaseNote.replace(/<LINUX_X64_SHA_NORUNTIME>/g, '${{needs.build.outputs.linux-x64-sha-noruntime}}')
           releaseNote = releaseNote.replace(/<LINUX_ARM_SHA_NORUNTIME>/g, '${{needs.build.outputs.linux-arm-sha-noruntime}}')
           releaseNote = releaseNote.replace(/<LINUX_ARM64_SHA_NORUNTIME>/g, '${{needs.build.outputs.linux-arm64-sha-noruntime}}')
           releaseNote = releaseNote.replace(/<WIN_X64_SHA_NORUNTIME_NOEXTERNALS>/g, '${{needs.build.outputs.win-x64-sha-noruntime-noexternals}}')
+          releaseNote = releaseNote.replace(/<WIN_ARM64_SHA_NORUNTIME_NOEXTERNALS>/g, '${{needs.build.outputs.win-arm64-sha-noruntime-noexternals}}')
           releaseNote = releaseNote.replace(/<OSX_X64_SHA_NORUNTIME_NOEXTERNALS>/g, '${{needs.build.outputs.osx-x64-sha-noruntime-noexternals}}')
+          releaseNote = releaseNote.replace(/<OSX_ARM64_SHA_NORUNTIME_NOEXTERNALS>/g, '${{needs.build.outputs.osx-arm64-sha-noruntime-noexternals}}')
           releaseNote = releaseNote.replace(/<LINUX_X64_SHA_NORUNTIME_NOEXTERNALS>/g, '${{needs.build.outputs.linux-x64-sha-noruntime-noexternals}}')
           releaseNote = releaseNote.replace(/<LINUX_ARM_SHA_NORUNTIME_NOEXTERNALS>/g, '${{needs.build.outputs.linux-arm-sha-noruntime-noexternals}}')
           releaseNote = releaseNote.replace(/<LINUX_ARM64_SHA_NORUNTIME_NOEXTERNALS>/g, '${{needs.build.outputs.linux-arm64-sha-noruntime-noexternals}}')
           console.log(releaseNote)
           core.setOutput('version', runnerVersion);
           core.setOutput('note', releaseNote);
+
+    - name: Validate Packages HASH
+      working-directory: _package
+      run: |
+        ls -l
+        echo "${{needs.build.outputs.win-x64-sha}}  actions-runner-win-x64-${{ steps.releaseNote.outputs.version }}.zip" | shasum -a 256 -c
+        echo "${{needs.build.outputs.win-arm64-sha}}  actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}.zip" | shasum -a 256 -c
+        echo "${{needs.build.outputs.osx-x64-sha}}  actions-runner-osx-x64-${{ steps.releaseNote.outputs.version }}.tar.gz" | shasum -a 256 -c
+        echo "${{needs.build.outputs.osx-arm64-sha}}  actions-runner-osx-arm64-${{ steps.releaseNote.outputs.version }}.tar.gz" | shasum -a 256 -c
+        echo "${{needs.build.outputs.linux-x64-sha}}  actions-runner-linux-x64-${{ steps.releaseNote.outputs.version }}.tar.gz" | shasum -a 256 -c
+        echo "${{needs.build.outputs.linux-arm-sha}}  actions-runner-linux-arm-${{ steps.releaseNote.outputs.version }}.tar.gz" | shasum -a 256 -c
+        echo "${{needs.build.outputs.linux-arm64-sha}}  actions-runner-linux-arm64-${{ steps.releaseNote.outputs.version }}.tar.gz" | shasum -a 256 -c
+
     # Create GitHub release
     - uses: actions/create-release@master
       id: createRelease
@@ -271,6 +301,7 @@ jobs:
         release_name: "v${{ steps.releaseNote.outputs.version }}"
         body: |
           ${{ steps.releaseNote.outputs.note }}
+        prerelease: true
 
     # Upload release assets (full runner packages)
     - name: Upload Release Asset (win-x64)
@@ -283,6 +314,16 @@ jobs:
         asset_name: actions-runner-win-x64-${{ steps.releaseNote.outputs.version }}.zip
         asset_content_type: application/octet-stream
 
+    - name: Upload Release Asset (win-arm64)
+      uses: actions/upload-release-asset@v1.0.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.createRelease.outputs.upload_url }}
+        asset_path: ${{ github.workspace }}/_package/actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}.zip
+        asset_name: actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}.zip
+        asset_content_type: application/octet-stream
+
     - name: Upload Release Asset (linux-x64)
       uses: actions/upload-release-asset@v1.0.1
       env:
@@ -303,6 +344,16 @@ jobs:
         asset_name: actions-runner-osx-x64-${{ steps.releaseNote.outputs.version }}.tar.gz
         asset_content_type: application/octet-stream
 
+    - name: Upload Release Asset (osx-arm64)
+      uses: actions/upload-release-asset@v1.0.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.createRelease.outputs.upload_url }}
+        asset_path: ${{ github.workspace }}/_package/actions-runner-osx-arm64-${{ steps.releaseNote.outputs.version }}.tar.gz
+        asset_name: actions-runner-osx-arm64-${{ steps.releaseNote.outputs.version }}.tar.gz
+        asset_content_type: application/octet-stream
+
     - name: Upload Release Asset (linux-arm)
       uses: actions/upload-release-asset@v1.0.1
       env:
@@ -334,6 +385,17 @@ jobs:
         asset_name: actions-runner-win-x64-${{ steps.releaseNote.outputs.version }}-noexternals.zip
         asset_content_type: application/octet-stream
 
+    # Upload release assets (trim externals)
+    - name: Upload Release Asset (win-arm64-noexternals)
+      uses: actions/upload-release-asset@v1.0.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.createRelease.outputs.upload_url }}
+        asset_path: ${{ github.workspace }}/_package_trims/trim_externals/actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}-noexternals.zip
+        asset_name: actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}-noexternals.zip
+        asset_content_type: application/octet-stream
+
     - name: Upload Release Asset (linux-x64-noexternals)
       uses: actions/upload-release-asset@v1.0.1
       env:
@@ -354,6 +416,16 @@ jobs:
         asset_name: actions-runner-osx-x64-${{ steps.releaseNote.outputs.version }}-noexternals.tar.gz
         asset_content_type: application/octet-stream
 
+    - name: Upload Release Asset (osx-arm64-noexternals)
+      uses: actions/upload-release-asset@v1.0.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.createRelease.outputs.upload_url }}
+        asset_path: ${{ github.workspace }}/_package_trims/trim_externals/actions-runner-osx-arm64-${{ steps.releaseNote.outputs.version }}-noexternals.tar.gz
+        asset_name: actions-runner-osx-arm64-${{ steps.releaseNote.outputs.version }}-noexternals.tar.gz
+        asset_content_type: application/octet-stream
+
     - name: Upload Release Asset (linux-arm-noexternals)
       uses: actions/upload-release-asset@v1.0.1
       env:
@@ -385,6 +457,17 @@ jobs:
         asset_name: actions-runner-win-x64-${{ steps.releaseNote.outputs.version }}-noruntime.zip
         asset_content_type: application/octet-stream
 
+    # Upload release assets (trim runtime)
+    - name: Upload Release Asset (win-arm64-noruntime)
+      uses: actions/upload-release-asset@v1.0.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.createRelease.outputs.upload_url }}
+        asset_path: ${{ github.workspace }}/_package_trims/trim_runtime/actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}-noruntime.zip
+        asset_name: actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}-noruntime.zip
+        asset_content_type: application/octet-stream
+
     - name: Upload Release Asset (linux-x64-noruntime)
       uses: actions/upload-release-asset@v1.0.1
       env:
@@ -405,6 +488,16 @@ jobs:
         asset_name: actions-runner-osx-x64-${{ steps.releaseNote.outputs.version }}-noruntime.tar.gz
         asset_content_type: application/octet-stream
 
+    - name: Upload Release Asset (osx-arm64-noruntime)
+      uses: actions/upload-release-asset@v1.0.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.createRelease.outputs.upload_url }}
+        asset_path: ${{ github.workspace }}/_package_trims/trim_runtime/actions-runner-osx-arm64-${{ steps.releaseNote.outputs.version }}-noruntime.tar.gz
+        asset_name: actions-runner-osx-arm64-${{ steps.releaseNote.outputs.version }}-noruntime.tar.gz
+        asset_content_type: application/octet-stream
+
     - name: Upload Release Asset (linux-arm-noruntime)
       uses: actions/upload-release-asset@v1.0.1
       env:
@@ -436,6 +529,17 @@ jobs:
         asset_name: actions-runner-win-x64-${{ steps.releaseNote.outputs.version }}-noruntime-noexternals.zip
         asset_content_type: application/octet-stream
 
+    # Upload release assets (trim runtime and externals)
+    - name: Upload Release Asset (win-arm64-noruntime-noexternals)
+      uses: actions/upload-release-asset@v1.0.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.createRelease.outputs.upload_url }}
+        asset_path: ${{ github.workspace }}/_package_trims/trim_runtime_externals/actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}-noruntime-noexternals.zip
+        asset_name: actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}-noruntime-noexternals.zip
+        asset_content_type: application/octet-stream
+
     - name: Upload Release Asset (linux-x64-noruntime-noexternals)
       uses: actions/upload-release-asset@v1.0.1
       env:
@@ -456,6 +560,16 @@ jobs:
         asset_name: actions-runner-osx-x64-${{ steps.releaseNote.outputs.version }}-noruntime-noexternals.tar.gz
         asset_content_type: application/octet-stream
 
+    - name: Upload Release Asset (osx-arm64-noruntime-noexternals)
+      uses: actions/upload-release-asset@v1.0.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.createRelease.outputs.upload_url }}
+        asset_path: ${{ github.workspace }}/_package_trims/trim_runtime_externals/actions-runner-osx-arm64-${{ steps.releaseNote.outputs.version }}-noruntime-noexternals.tar.gz
+        asset_name: actions-runner-osx-arm64-${{ steps.releaseNote.outputs.version }}-noruntime-noexternals.tar.gz
+        asset_content_type: application/octet-stream
+
     - name: Upload Release Asset (linux-arm-noruntime-noexternals)
       uses: actions/upload-release-asset@v1.0.1
       env:
@@ -487,6 +601,17 @@ jobs:
         asset_name: actions-runner-win-x64-${{ steps.releaseNote.outputs.version }}-trimmedpackages.json
         asset_content_type: application/octet-stream
 
+    # Upload release assets (trimmedpackages.json)
+    - name: Upload Release Asset (win-arm64-trimmedpackages.json)
+      uses: actions/upload-release-asset@v1.0.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.createRelease.outputs.upload_url }}
+        asset_path: ${{ github.workspace }}/win-arm64-trimmedpackages.json
+        asset_name: actions-runner-win-arm64-${{ steps.releaseNote.outputs.version }}-trimmedpackages.json
+        asset_content_type: application/octet-stream
+
     - name: Upload Release Asset (linux-x64-trimmedpackages.json)
       uses: actions/upload-release-asset@v1.0.1
       env:
@@ -507,6 +632,16 @@ jobs:
         asset_name: actions-runner-osx-x64-${{ steps.releaseNote.outputs.version }}-trimmedpackages.json
         asset_content_type: application/octet-stream
 
+    - name: Upload Release Asset (osx-arm64-trimmedpackages.json)
+      uses: actions/upload-release-asset@v1.0.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.createRelease.outputs.upload_url }}
+        asset_path: ${{ github.workspace }}/osx-arm64-trimmedpackages.json
+        asset_name: actions-runner-osx-arm64-${{ steps.releaseNote.outputs.version }}-trimmedpackages.json
+        asset_content_type: application/octet-stream
+
     - name: Upload Release Asset (linux-arm-trimmedpackages.json)
       uses: actions/upload-release-asset@v1.0.1
       env:

.vscode/launch.json

@@ -12,7 +12,7 @@
             ],
             "cwd": "${workspaceFolder}/src",
             "console": "integratedTerminal",
-            "requireExactSource": false,
+            "requireExactSource": false
         },
         {
             "name": "Run",
@@ -24,7 +24,7 @@
             ],
             "cwd": "${workspaceFolder}/src",
             "console": "integratedTerminal",
-            "requireExactSource": false,
+            "requireExactSource": false
         },
         {
             "name": "Configure",
@@ -37,21 +37,22 @@
             ],
             "cwd": "${workspaceFolder}/src",
             "console": "integratedTerminal",
-            "requireExactSource": false,
+            "requireExactSource": false
         },
         {
             "name": "Debug Worker",
             "type": "coreclr",
             "request": "attach",
             "processName": "Runner.Worker",
-            "requireExactSource": false,
+            "requireExactSource": false
         },
         {
             "name": "Attach Debugger",
             "type": "coreclr",
             "request": "attach",
             "processId": "${command:pickProcess}",
-            "requireExactSource": false,
+            "requireExactSource": false
         },
     ],
 }
+

docs/adrs/1751-runner-job-hooks.md

@@ -0,0 +1,83 @@
+# ADR: Notification Hooks for Runners
+
+## Context
+
+This ADR details the design changes for supporting custom configurable hooks for on various runner events. This has been a long requested user feature [here](https://github.com/actions/runner/issues/1543), [here](https://github.com/actions/runner/issues/699) and [here](https://github.com/actions/runner/issues/1116) for users to have more information on runner observability, and for the ability to run cleanup and teardown jobs. 
+
+This feature is mainly intended for self hosted runner administrators.
+
+**What we hope to solve with this feature**
+1. A runner admininstrator is able to add custom scripts to cleanup their runner environment at the start or end of a job
+2. A runner admininstrator is able to add custom scripts to help setup their runner environment at the beginning of a job, for reasons like [caching](https://github.com/actions/runner/issues/1543#issuecomment-1050346279)
+3. A runner administrator is able to grab custom telemetry of jobs running on their self hosted runner
+
+**What we don't think this will solve**
+- Policy features that require certain steps run at the beginning or end of all jobs
+  - This would be better solved to in a central place in settings, rather then decentralized on each runner. 
+  - The Proposed `Notification Hooks for Runners` is limited to self hosted runners, we don't beileve Policy features should be
+- Reuse scenarios between jobs are covered by [composite actions](https://docs.github.com/en/actions/creating-actions/creating-a-composite-action) and [resuable workflows](https://docs.github.com/en/actions/using-workflows/reusing-workflows)
+- Security applications, security should be handled on the policy side on the server, not decentralized on each runner
+
+## Hooks
+- We will expose 2 variables that users can set to enable hooks  
+  - `ACTIONS_RUNNER_HOOK_JOB_STARTED`
+  - `ACTIONS_RUNNER_HOOK_JOB_COMPLETED`
+
+You can set these variables to the **absolute** path of a a `.sh` or `.ps1` file.
+
+We will execute `pwsh` (fallback to `powershell`) or `bash` (fallback to `sh`) as appropriate.
+- `.sh` files will execute with the args `-e {pathtofile}`
+- `.ps1` files will execute with the args `-command \". '{pathtofile}'\"`
+
+We will **not** set the [standard flags we typically set](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell) for `runs` commands. So, if you want to set `pipefail` on `bash` for example, you will need to do that in your script.
+
+### UI
+We want to ensure the experience for users invoking workflows is good, if hooks take too long, you may feel your job is delayed or broken. So, much like `Set Up Job`, we will generate two new steps automatically in your job, one for each configured hook: 
+- `Set up runner`  
+- `Complete runner` 
+
+These steps will contain all of the output from invoking your hook, so you will have visibility into the runtime. We will also provide information on the path to the hook, and what shell we are invoking it as, much like we do for `run: ` steps.
+
+### Contexts
+When running your hooks, some context on your job may be helpful.
+- The scripts will have access to the standard [default environment variables](https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables)
+  - Some of these variables are step specific like `GITHUB_ACTION`, in which case they will not be set
+- You can pull the full webhook event payload from `GITHUB_EVENT_PATH`
+
+### Commands
+Should we expose [Commands](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions) and [Environment Files](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#environment-files)
+
+**Yes**. Imagine a scenario where a runner administrator is deprecating a runner pool, and they need to [warn users](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-a-warning-message) to swap to a different pool, we should support them in doing this. However, there are some limitations:
+- [save-state](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions) will **not** be supported, these are not traditional steps with pre and post actions
+- [set-output](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#using-workflow-commands-to-access-toolkit-functions) will **not** be supported, there is no `id` as this is not a traditional step
+
+
+### Environment Files
+We will also enable [Environment Files](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#environment-files) to support setup scenarios for the runner environment.
+
+While a self hosted runner admin can [set env variables](https://docs.github.com/en/actions/hosting-your-own-runners/using-a-proxy-server-with-self-hosted-runners#using-a-env-file-to-set-the-proxy-configuration), these apply to all jobs. By enabling the ability to `add a path` and `set an env` we give runner admins the ability to do this dynamically based on the [workflows environment variables](https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables) to empower setup scenarios.
+
+
+### Exit codes
+These are **synchronous** hooks, so they will block job execution while they are being run. Exit code 0 will indicate a successful run of the hook and we will proceed with the job, any other exit code will fail the job with an appropriate annotation.
+- There will be no support for `continue-on-error`
+
+## Key Decisions
+- We will expose 2 variables that users can set to enable hooks  
+  - `ACTIONS_RUNNER_HOOK_JOB_STARTED`
+  - `ACTIONS_RUNNER_HOOK_JOB_COMPLETED`
+- Users can set these variables to the path of a `.sh` or `.ps1` file, which we will execute when Jobs are started or completed.
+  - Output from these will be added to a new step at the start/end of a job named `Set up runner` or `Complete runner`. 
+    - These steps will only be generated on runs with these hooks
+- These hooks `always()` execute if the env variable is set
+- These files will execute as the Runner user, outside of any container specification on the job
+- These are **synchronous** hooks
+  - Runner admins can execute a background process for async hooks if they want
+  - We will fail the job and halt execution on any exit code that is not 0. The Runner admin is responsible for returning the correct exit code and ensuring resilency. 
+    - This includes that the runner user needs access to the file in the env and the file must exist
+    - There will be no `continue-on-error` type option on launch
+    - There will be no `timeout` option on launch
+
+## Consequences
+- Runner admins have the ability to tie into the runner job execution to publish their own telemetry or perform their own cleanup or setup
+- New steps will be added to the UI showcasing the output of these hooks

docs/adrs/1891-container-hooks.md

@@ -0,0 +1,596 @@
+# ADR 0000: Container Hooks
+
+**Date**: 2022-05-12
+
+**Status**: Accepted
+
+# Background
+
+[Job Hooks](https://github.com/actions/runner/blob/main/docs/adrs/1751-runner-job-hooks.md) have given users the ability to customize how their self hosted runners run a job.
+Users also want the ability to customize how they run containers during the scope of the job, rather then being locked into the docker implementation we have in the runner. They may want to use podman, kubernetes, or even change the docker commands we run. 
+We should give them that option, and publish examples how how they can create their own hooks.
+
+# Guiding Principles
+- **Extensibility** is the focus, we need to make sure we are flexible enough to cover current and future scenarios, even at the cost of making it harder to utilize these hooks
+- Args should map **directly** to yaml values provided by the user. 
+  - For example, the current runner overrides `HOME`, we can do that in the hook, but we shouldn't pass that hook as an ENV with the other env's the user has set, as that is not user input, it is how the runner invokes containers
+
+## Interface
+- You will set the variable `ACTIONS_RUNNER_CONTAINER_HOOKS=/Users/foo/runner/hooks.js` which is the entrypoint to your hook handler.
+  - There is no partial opt in, you must handle every hook 
+- We will pass a command and some args via `stdin`
+- An exit code of 0 is a success, every other exit code is a failure
+- We will support the same runner commands we support in [Job Hooks](https://github.com/actions/runner/blob/main/docs/adrs/1751-runner-job-hooks.md)
+- On timeout, we will send a sigint to your process. If you fail to terminate within a reasonable amount of time, we will send a sigkill, and eventually kill the process tree.
+
+An example input looks like
+```json
+{
+  "command": "job_cleanup",
+  "responseFile": "/users/thboop/runner/_work/{guid}.json",
+  "args": {},
+  "state": 
+  {
+      "id": "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480"
+  }
+}
+```
+
+`command` is the command we expect you to invoke
+`responseFile` is the file you need to write your output to, if the command has output
+`args` are the specific arguments the command needs
+`state` is a json blog you can pass around to maintain your state, this is covered in more details below.
+
+### Writing responses to a file
+All text written to stdout or stderr should appear in the job or step logs. With that in mind, we support a few ways to actually return data:
+1. Wrapping the json in some unique tag and processing it like we do commands
+2. Writing to a file
+
+For 1, users typically view logging information as a safe action, so we worry someone accidentialy logging unsantized information and causing unexpected or un-secure behavior. We eventually plan to move off of stdout/stderr style commands in favor of a runner cli. 
+Investing in this area doesn't make a lot of sense at this time.
+
+While writing to a file to communicate isn't the most ideal pattern, its an existing pattern in the runner and serves us well, so lets reuse it.
+
+### Output
+Your output must be correctly formatted json. An example output looks like:
+
+```
+{
+  "state": {},
+  "context"
+  {
+    "container" : 
+    {
+      "id": "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480"
+      "network": "github_network_53269bd575974817b43f4733536b200c"
+    }
+    "services": {
+      "redis": {
+        "id": "60972d9aa486605e66b0dad4abb638dc3d9116f566579e418166eedb8abb9105",
+        "ports": {
+          "8080": "8080"
+        },
+      "network": "github_network_53269bd575974817b43f4733536b200c"
+    }
+  }
+  "alpine: true,
+}
+```
+
+`state` is a unique field any command can return. If it is not empty, we will store the state for you and pass it into all future commands. You can overwrite it by having the next hook invoked return a unique state.
+
+Other fields are dependent upon the command being run.
+
+### Versioning
+We will not version these hooks at launch. If needed, we can always major version split these hooks in the future. We will ship in Beta to allow for breaking changes for a few months.
+
+### The Job Context
+The [job context](https://docs.github.com/en/actions/learn-github-actions/contexts#example-contents-of-the-job-context) currently has a variety of fields that correspond to containers. We should consider allowing hooks to populate new fields in the job context. That is out of scope for this original release however.
+
+## Hooks
+Hooks are to be implemented at a very high level, and map to actions the runner does, rather then specific docker actions like `docker build` or `docker create`. By mapping to runner actions, we create a very extensible framework that is flexible enough to solve any user concerns in the future. By providing first party implementations, we give users easy starting points to customize specific hooks (like `docker build`) without having to write full blown solutions.
+
+The other would be to provide hooks that mirror every docker call we make, and expose more hooks to help support k8s users, with the expectation that users may have to no-op on multiple hooks if they don't correspond to our use case.
+
+Why we don't want to go that way
+- It feels clunky, users need to understand which hooks they need to implement and which they can ignore, which isn't a great UX
+- It doesn't scale well, I don't want to build a solution where we may need to add more hooks, by mapping to runner actions, updating hooks is a painful experience for users
+- Its overwhelming, its easier to tell users to build 4 hooks and track data themselves, rather then 16 hooks where the runner needs certain information and then needs to provide that information back into each hook. If we expose `Container Create`, you need to return the container you created, then we do `container run` which uses that container. If we just give you an image and say create and run this container, you don't need to store the container id in the runner, and it maps better to k8s scenarios where we don't really have container ids.
+
+### Prepare_job hook
+The `prepare_job` hook is called when a job is started. We pass in any job or service containers the job has. We expect that you:
+- Prune anything from previous jobs if needed
+- Create a network if needed
+- Pull the job and service containers
+- Start the job container
+- Start the service containers
+- Write to the response file some information we need
+  - Required: if the container is alpine, otherwise x64
+  - Optional: any context fields you want to set on the job context, otherwise they will be unavailable for users to use
+- Return 0 when the health checks have succeeded and the job/service containers are started
+
+This hook will **always** be called if you have container hooks enabled, even if no service or job containers exist in the job. This allows you to fail the job or implement a default job container if you want to and no job container has been provided.
+
+
+<details>
+<summary>Example Input</summary>
+<br>
+  
+```
+{
+  "command": "prepare_job",
+  "responseFile": "/users/thboop/runner/_work/{guid}.json",
+  "state": {},
+  "args": 
+  {
+    "jobContainer": {
+      "image": "node:14.16",
+      "workingDirectory": "/__w/thboop-test2/thboop-test2",
+      "createOptions": "--cpus 1",
+      "environmentVariables": {
+        "NODE_ENV": "development"
+      },
+      "userMountVolumes:[
+        {
+          "sourceVolumePath": "my_docker_volume",
+          "targetVolumePath": "/volume_mount",
+          "readOnly": false
+        },
+      ],
+      "mountVolumes": [
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work",
+          "targetVolumePath": "/__w",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/externals",
+          "targetVolumePath": "/__e",
+          "readOnly": true
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp",
+          "targetVolumePath": "/__w/_temp",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_actions",
+          "targetVolumePath": "/__w/_actions",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_tool",
+          "targetVolumePath": "/__w/_tool",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp/_github_home",
+          "targetVolumePath": "/github/home",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp/_github_workflow",
+          "targetVolumePath": "/github/workflow",
+          "readOnly": false
+        }
+      ],
+      "registry": {
+        "username": "foo",
+        "password": "bar",
+        "serverUrl": "https://index.docker.io/v1"
+      },
+      "portMappings": [ "8080:80/tcp", "8080:80/udp" ]
+    },
+    "services": [
+      {
+        "contextName": "redis",
+        "image": "redis",
+        "createOptions": "--cpus 1",
+        "environmentVariables": {},
+        "mountVolumes": [],
+        "portMappings": [ "8080:80/tcp", "8080:80/udp" ]
+        "registry": {
+          "username": "foo",
+          "password": "bar",
+          "serverUrl": "https://index.docker.io/v1"
+        }
+      }
+    ]
+  }
+}
+```
+
+</details>
+
+<details>
+<summary>Field Descriptions</summary>
+<br>
+
+```
+Arg Fields:
+
+jobContainer: **Optional** An Object containing information about the specified job container
+  "image": **Required** A string containing the docker image
+  "workingDirectory": **Required** A string containing the absolute path of the working directory
+  "createOptions": **Optional** The optional create options specified in the [YAML](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container)
+  "environmentVariables": **Optional** A map of key value env's to set
+  "userMountVolumes: ** Optional** an array of user mount volumes set in the [YAML](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container)
+    "sourceVolumePath": **Required** The source path to the volume to be mounted into the docker container
+    "targetVolumePath": **Required** The target path to the volume to be mounted into the docker container
+    "readOnly": false **Required** whether or not the mount should be read only
+  "mountVolumes": **Required** an array of mounts to mount into the container, same fields as above
+    "sourceVolumePath": **Required** The source path to the volume to be mounted into the docker container
+    "targetVolumePath": **Required** The target path to the volume to be mounted into the docker container
+    "readOnly": false **Required** whether or not the mount should be read only
+  "registry" **Optional** docker registry credentials to use when using a private container registry
+    "username": **Optional** the username
+    "password": **Optional** the password
+    "serverUrl": **Optional** the registry url
+  "portMappings": **Optional** an array of source:target ports to map into the container
+ 
+"services": an array of service containers to spin up
+  "contextName": **Required** the name of the service in the Job context
+  "image": **Required** A string containing the docker image
+  "createOptions": **Optional** The optional create options specified in the [YAML](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container)
+  "environmentVariables": **Optional** A map of key value env's to set
+  "mountVolumes": **Required** an array of mounts to mount into the container, same fields as above
+    "sourceVolumePath": **Required** The source path to the volume to be mounted into the docker container
+    "targetVolumePath": **Required** The target path to the volume to be mounted into the docker container
+    "readOnly": false **Required** whether or not the mount should be read only
+  "registry" **Optional** docker registry credentials to use when using a private container registry
+    "username": **Optional** the username
+    "password": **Optional** the password
+    "serverUrl": **Optional** the registry url
+  "portMappings": **Optional** an array of source:target ports to map into the container
+```
+
+</details>
+
+<details>
+<summary>Example Output</summary>
+<br>
+
+```
+{
+  "state": 
+  {
+    "network": "github_network_53269bd575974817b43f4733536b200c",
+    "jobContainer" : "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480",
+    "serviceContainers": 
+    {
+      "redis": "60972d9aa486605e66b0dad4abb638dc3d9116f566579e418166eedb8abb9105"
+    }
+  },
+  "context"
+  {
+    "container" : 
+    {
+      "id": "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480"
+      "network": "github_network_53269bd575974817b43f4733536b200c"
+    }
+    "services": {
+      "redis": {
+        "id": "60972d9aa486605e66b0dad4abb638dc3d9116f566579e418166eedb8abb9105",
+        "ports": {
+          "8080": "8080"
+        },
+      "network": "github_network_53269bd575974817b43f4733536b200c"
+    }
+  }
+  "alpine: true,
+}
+```
+
+</details>
+
+
+### Cleanup Job
+The `cleanup_job` hook is called at the end of a job and expects you to:
+- Stop any running service or job containers (or the equiavalent pod)
+- Stop the network (if one exists)
+- Delete any job or service containers (or the equiavalent pod)
+- Delete the network (if one exists)
+- Cleanup anything else that was created for the run
+
+Its input looks like
+
+<details>
+<summary>Example Input</summary>
+<br>
+
+```
+  "command": "cleanup_job",
+  "responseFile": null,
+  "state":
+  {
+    "network": "github_network_53269bd575974817b43f4733536b200c",
+    "jobContainer" : "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480",
+    "serviceContainers": 
+    {
+      "redis": "60972d9aa486605e66b0dad4abb638dc3d9116f566579e418166eedb8abb9105"
+    }
+  }
+  "args": {}
+```
+  
+</details>
+
+No args are provided.
+  
+No output is expected.
+
+
+### Run Container Step
+The `run_container_step` is called once per container action in your job and expects you to:
+- Pull or build the required container (or fail if you cannot)
+- Run the container action and return the exit code of the container
+- Stream any step logs output to stdout and stderr
+- Cleanup the container after it executes
+
+<details>
+<summary>Example Input for Image</summary>
+<br>
+
+```
+  "command": "run_container_step",
+  "responseFile": null,
+  "state":
+  {
+    "network": "github_network_53269bd575974817b43f4733536b200c",
+    "jobContainer" : "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480",
+    "serviceContainers": 
+    {
+      "redis": "60972d9aa486605e66b0dad4abb638dc3d9116f566579e418166eedb8abb9105"
+    }
+  }
+  "args":      
+  {
+      "image": "node:14.16",
+      "dockerfile": null,
+      "entryPointArgs": ["-f", "/dev/null"],
+      "entryPoint": "tail",
+      "workingDirectory": "/__w/thboop-test2/thboop-test2",
+      "createOptions": "--cpus 1",
+      "environmentVariables": {
+        "NODE_ENV": "development"
+      },
+      "prependPath":["/foo/bar", "bar/foo"]
+      "userMountVolumes:[
+        {
+          "sourceVolumePath": "my_docker_volume",
+          "targetVolumePath": "/volume_mount",
+          "readOnly": false
+        },
+      ],
+      "mountVolumes": [
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work",
+          "targetVolumePath": "/__w",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/externals",
+          "targetVolumePath": "/__e",
+          "readOnly": true
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp",
+          "targetVolumePath": "/__w/_temp",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_actions",
+          "targetVolumePath": "/__w/_actions",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_tool",
+          "targetVolumePath": "/__w/_tool",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp/_github_home",
+          "targetVolumePath": "/github/home",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp/_github_workflow",
+          "targetVolumePath": "/github/workflow",
+          "readOnly": false
+        }
+      ],
+      "registry": null,
+      "portMappings": { "80": "801" }
+    },
+```
+  
+</details>
+
+
+<details>
+<summary>Example Input for dockerfile</summary>
+<br>
+
+```
+  "command": "run_container_step",
+  "responseFile": null,
+  "state":
+  {
+    "network": "github_network_53269bd575974817b43f4733536b200c",
+    "jobContainer" : "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480",
+    "services": 
+    {
+      "redis": "60972d9aa486605e66b0dad4abb638dc3d9116f566579e418166eedb8abb9105"
+    }
+  }
+  "args":      
+  {
+      "image": null,
+      "dockerfile": /__w/_actions/foo/dockerfile,
+      "entryPointArgs": ["hello world"],
+      "entryPoint": "echo",
+      "workingDirectory": "/__w/thboop-test2/thboop-test2",
+      "createOptions": "--cpus 1",
+      "environmentVariables": {
+        "NODE_ENV": "development"
+      },
+      "prependPath":["/foo/bar", "bar/foo"]
+      "userMountVolumes:[
+        {
+          "sourceVolumePath": "my_docker_volume",
+          "targetVolumePath": "/volume_mount",
+          "readOnly": false
+        },
+      ],      
+      "mountVolumes": [
+        {
+          "sourceVolumePath": "my_docker_volume",
+          "targetVolumePath": "/volume_mount",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work",
+          "targetVolumePath": "/__w",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/externals",
+          "targetVolumePath": "/__e",
+          "readOnly": true
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp",
+          "targetVolumePath": "/__w/_temp",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_actions",
+          "targetVolumePath": "/__w/_actions",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_tool",
+          "targetVolumePath": "/__w/_tool",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp/_github_home",
+          "targetVolumePath": "/github/home",
+          "readOnly": false
+        },
+        {
+          "sourceVolumePath": "/home/thomas/git/runner/_layout/_work/_temp/_github_workflow",
+          "targetVolumePath": "/github/workflow",
+          "readOnly": false
+        }
+      ],
+      "registry": null,
+      "portMappings": [ "8080:80/tcp", "8080:80/udp" ]
+    },
+  }
+```
+  
+</details>
+
+
+<details>
+<summary>Field Descriptions</summary>
+<br>
+
+```
+Arg Fields:
+
+
+"image": **Optional** A string containing the docker image. Otherwise a dockerfile must be provided
+"dockerfile": **Optional** A string containing the path to the dockerfile, otherwise an image must be provided
+"entryPointArgs": **Optional** A list containing the entry point args
+"entryPoint": **Optional** The container entry point to use if the default image entrypoint should be overwritten
+"workingDirectory": **Required** A string containing the absolute path of the working directory
+"createOptions": **Optional** The optional create options specified in the [YAML](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container)
+"environmentVariables": **Optional** A map of key value env's to set
+"prependPath": **Optional** an array of additional paths to prepend to the $PATH variable
+"userMountVolumes: ** Optional** an array of user mount volumes set in the [YAML](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container)
+  "sourceVolumePath": **Required** The source path to the volume to be mounted into the docker container
+  "targetVolumePath": **Required** The target path to the volume to be mounted into the docker container
+  "readOnly": false **Required** whether or not the mount should be read only
+"mountVolumes": **Required** an array of mounts to mount into the container, same fields as above
+  "sourceVolumePath": **Required** The source path to the volume to be mounted into the docker container
+  "targetVolumePath": **Required** The target path to the volume to be mounted into the docker container
+  "readOnly": false **Required** whether or not the mount should be read only
+"registry" **Optional** docker registry credentials to use when using a private container registry
+  "username": **Optional** the username
+  "password": **Optional** the password
+  "serverUrl": **Optional** the registry url
+"portMappings": **Optional** an array of source:target ports to map into the container
+```
+  
+</details>
+
+No output is expected
+
+Currently we build all container actions at the start of the job. By doing it during the hook, we move this to just in time building for hooks. We could expose a hook to build/pull a container action, and have those called at the start of a job, but doing so would require hook authors to track the build containers in the state, which could be painful.
+
+### Run Script Step
+The `run_script_step` expects you to:
+- Invoke the provided script inside the job container and return the exit code
+- Stream any step log output to stdout and stderr
+
+<details>
+<summary>Example Input</summary>
+<br>
+
+
+```
+  "command": "run_script_step",
+  "responseFile": null,
+  "state":
+  {
+    "network": "github_network_53269bd575974817b43f4733536b200c",
+    "jobContainer" : "82e8219701fe096a35941d869cf8d71af1d943b5d3bdd718850fb87ac3042480",
+    "serviceContainers": 
+    {
+      "redis": "60972d9aa486605e66b0dad4abb638dc3d9116f566579e418166eedb8abb9105"
+    }
+  }
+  "args": 
+  {
+    "entryPointArgs": ["-e", "/runner/temp/abc123.sh"],
+    "entryPoint": "bash",
+    "environmentVariables": {
+      "NODE_ENV": "development"
+    },
+    "prependPath": ["/foo/bar", "bar/foo"],
+    "workingDirectory": "/__w/thboop-test2/thboop-test2"
+  }
+```
+  
+</details>
+
+<details>
+<summary>Field Descriptions</summary>
+<br>
+
+```
+Arg Fields:
+
+  
+"entryPointArgs": **Optional** A list containing the entry point args
+"entryPoint": **Optional** The container entry point to use if the default image entrypoint should be overwritten
+"prependPath": **Optional** an array of additional paths to prepend to the $PATH variable
+"workingDirectory": **Required** A string containing the absolute path of the working directory
+"environmentVariables": **Optional** A map of key value env's to set
+```
+
+</details>
+
+No output is expected
+
+
+## Limitations
+- We will only support linux on launch
+- Hooks are set by the runner admin, and thus are only supported on self hosted runners 
+
+## Consequences
+- We support non docker scenarios for self hosted runners and allow customers to customize their docker invocations
+- We ship/maintain docs on docker hooks and an open source repo with examples
+- We support these hooks and add enough telemetry to be able to troubleshoot support issues as they come in.

docs/checks/actions.md

@@ -6,13 +6,35 @@
 Make sure the runner has access to actions service for GitHub.com or GitHub Enterprise Server
 
 - For GitHub.com
-  - The runner needs to access https://api.github.com for downloading actions.
-  - The runner needs to access https://vstoken.actions.githubusercontent.com/_apis/.../ for requesting an access token.
-  - The runner needs to access https://pipelines.actions.githubusercontent.com/_apis/.../ for receiving workflow jobs.
+  - The runner needs to access `https://api.github.com` for downloading actions.
+  - The runner needs to access `https://vstoken.actions.githubusercontent.com/_apis/.../` for requesting an access token.
+  - The runner needs to access `https://pipelines.actions.githubusercontent.com/_apis/.../` for receiving workflow jobs.
+
+  These can by tested by running the following `curl` commands from your self-hosted runner machine:
+
+    ```
+    curl -v https://api.github.com/api/v3/zen
+    curl -v https://vstoken.actions.githubusercontent.com/_apis/health
+    curl -v https://pipelines.actions.githubusercontent.com/_apis/health
+    ```
+
 - For GitHub Enterprise Server
-  - The runner needs to access https://myGHES.com/api/v3 for downloading actions.
-  - The runner needs to access https://myGHES.com/_services/vstoken/_apis/.../ for requesting an access token.
-  - The runner needs to access https://myGHES.com/_services/pipelines/_apis/.../ for receiving workflow jobs.
+  - The runner needs to access `https://[hostname]/api/v3` for downloading actions.
+  - The runner needs to access `https://[hostname]/_services/vstoken/_apis/.../` for requesting an access token.
+  - The runner needs to access `https://[hostname]/_services/pipelines/_apis/.../` for receiving workflow jobs.
+  
+  These can by tested by running the following `curl` commands from your self-hosted runner machine, replacing `[hostname]` with the hostname of your appliance, for instance `github.example.com`:
+
+    ```
+    curl -v https://[hostname]/api/v3/zen
+    curl -v https://[hostname]/_services/vstoken/_apis/health
+    curl -v https://[hostname]/_services/pipelines/_apis/health
+    ```
+
+    A common cause of this these connectivity issues is if your to GitHub Enterprise Server appliance is using [the self-signed certificate that is enabled the first time](https://docs.github.com/en/enterprise-server/admin/configuration/configuring-network-settings/configuring-tls) your appliance is started. As self-signed certificates are not trusted by web browsers and Git clients, these clients (including the GitHub Actions runner) will report certificate warnings.
+    
+    We recommend [upload a certificate signed by a trusted authority](https://docs.github.com/en/enterprise-server/admin/configuration/configuring-network-settings/configuring-tls) to GitHub Enterprise Server, or enabling the built-in ][Let's Encrypt support](https://docs.github.com/en/enterprise-server/admin/configuration/configuring-network-settings/configuring-tls).
+
 
 ## What is checked?
 
@@ -42,4 +64,4 @@ Make sure the runner has access to actions service for GitHub.com or GitHub Ente
   
 ## Still not working?
 
-Contact GitHub customer service or log an issue at https://github.com/actions/runner if you think it's a runner issue.
+Contact [GitHub Support](https://support.github.com) if you have further questuons, or log an issue at https://github.com/actions/runner if you think it's a runner issue.

docs/checks/git.md

@@ -20,11 +20,30 @@ The test also set environment variable `GIT_TRACE=1` and `GIT_CURL_VERBOSE=1` be
 
 ## How to fix the issue?
 
-### 1. Check the common network issue
+### 1. Check global and system git config
+
+If you are having issues connecting to the server, check your global and system git config for any unexpected authentication headers. You might be seeing an error like:
+
+```
+fatal: unable to access 'https://github.com/actions/checkout/': The requested URL returned error: 400
+```
+
+The following commands can be used to check for unexpected authentication headers:
+
+```
+$ git config --global --list | grep extraheader
+http.extraheader=AUTHORIZATION: unexpected_auth_header
+
+$ git config --system --list | grep extraheader
+```
+
+The following command can be used to remove the above value: `git config --global --unset http.extraheader`
+
+### 2. Check the common network issue
   
   > Please check the [network doc](./network.md)
 
-### 2. SSL certificate related issue
+### 3. SSL certificate related issue
 
   If you are seeing `SSL Certificate problem:` in the log, it means the `git` can't connect to the GitHub server due to SSL handshake failure.
   > Please check the [SSL cert doc](./sslcert.md)

docs/checks/nodejs.md

@@ -4,9 +4,9 @@
 
 Make sure the built-in node.js has access to GitHub.com or GitHub Enterprise Server.
 
-The runner carries it's own copy of node.js executable under `<runner_root>/externals/node12/`.
+The runner carries its own copy of node.js executable under `<runner_root>/externals/node16/`.
 
-All javascript base Actions will get executed by the built-in `node` at `<runner_root>/externals/node12/`.
+All javascript base Actions will get executed by the built-in `node` at `<runner_root>/externals/node16/`.
 
 > Not the `node` from `$PATH`
 

docs/contribute.md

@@ -27,6 +27,8 @@ An ADR is an Architectural Decision Record.  This allows consensus on the direct
 
 ![Win](res/win_sm.png) Visual Studio 2017 or newer [Install here](https://visualstudio.microsoft.com) (needed for dev sh script)
 
+![Win-arm](res/win_sm.png) Visual Studio 2022 17.3 Preview or later. [Install here](https://docs.microsoft.com/en-us/visualstudio/releases/2022/release-notes-preview)
+
 ## Quickstart: Run a job from a real repository
 
 If you just want to get from building the sourcecode to using it to execute an action, you will need:

docs/start/envlinux.md

@@ -34,7 +34,7 @@ The `installdependencies.sh` script should install all required dependencies on
 
 Debian based OS (Debian, Ubuntu, Linux Mint)
 
-- liblttng-ust0
+- liblttng-ust1 or liblttng-ust0
 - libkrb5-3
 - zlib1g
 - libssl1.1, libssl1.0.2 or libssl1.0.0

docs/start/envosx.md

@@ -5,12 +5,6 @@
 ## Supported Versions
 
   - macOS High Sierra (10.13) and later versions
-
-## Apple Silicon M1
-
-The runner is currently not supported on devices with an Apple M1 chip.  
-We are waiting for official .NET support. You can read more here about the [current state of support here](https://github.com/orgs/dotnet/projects/18#card-56812463).
-Current .NET project board about M1 support:
-https://github.com/orgs/dotnet/projects/18#card-56812463
+  - x64 and arm64 (Apple Silicon)
 
 ## [More .Net Core Prerequisites Information](https://docs.microsoft.com/en-us/dotnet/core/macos-prerequisites?tabs=netcore30)

releaseNote.md

@@ -1,20 +1,19 @@
 ## Features
+- Displays the error logs in dedicated sub-sections of the Initialize containers section (#2182)
+- Add generateServiceConfig option for configure command (#2226)
+- Setting debug using GitHub Action variables (#2234)
+- run.sh installs SIGINT and SIGTERM traps to gracefully stop runner (#2233, 2240)
 
-- Add Runner Configuration option to disable auto update `--disableupdate` (#1558)
-- Introduce `GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY` env variable to skip SSL Cert Verification on the Runner (#1616)
-- Adds support for downloading trimmed versions of the runner when the entire package does not need to be upgraded (#1568)
 
 ## Bugs
-- Set Outcome/Conclusion for composite action steps (#1600)
+- Use Global.Variables instead of JobContext and include action path/ref in the message. (#2214)
+- Sanitize Windows ENVs (#2280)
 
 ## Misc
-
-- Update `run.sh` to more gracefully handle updates (#1494)
-- Use 8Mb default chunking for File Container Uploads (#1626)
-- Performance improvements in handling large amounts of live logs (#1592)
-- Allow `./svc.sh stop` to exit as soon as runner process exits (#1580)
-- Add additional tracing to help troubleshoot job message corruption (#1587)
-
+- Allow '--disableupdate' in create-latest-svc.sh (#2201)
+- Fix markup for support link (#2114)
+- Add runner devcontainer (#2187)
+- Setup linter for Runner (#2211, #2213, #2216)
 
 ## Windows x64
 We recommend configuring the runner in a root folder of the Windows drive (e.g. "C:\actions-runner"). This will help avoid issues related to service identity folder permissions and long file path restrictions on Windows.
@@ -30,7 +29,23 @@ Add-Type -AssemblyName System.IO.Compression.FileSystem ;
 [System.IO.Compression.ZipFile]::ExtractToDirectory("$PWD\actions-runner-win-x64-<RUNNER_VERSION>.zip", "$PWD")
 ```
 
-## OSX
+## [Pre-release] Windows arm64
+**Warning:** Windows arm64 runners are currently in preview status and use [unofficial versions of nodejs](https://unofficial-builds.nodejs.org/). They are not intended for production workflows.
+
+We recommend configuring the runner in a root folder of the Windows drive (e.g. "C:\actions-runner"). This will help avoid issues related to service identity folder permissions and long file path restrictions on Windows.
+
+The following snipped needs to be run on `powershell`:
+``` powershell
+# Create a folder under the drive root
+mkdir \actions-runner ; cd \actions-runner
+# Download the latest runner package
+Invoke-WebRequest -Uri https://github.com/actions/runner/releases/download/v<RUNNER_VERSION>/actions-runner-win-arm64-<RUNNER_VERSION>.zip -OutFile actions-runner-win-arm64-<RUNNER_VERSION>.zip
+# Extract the installer
+Add-Type -AssemblyName System.IO.Compression.FileSystem ;
+[System.IO.Compression.ZipFile]::ExtractToDirectory("$PWD\actions-runner-win-arm64-<RUNNER_VERSION>.zip", "$PWD")
+```
+
+## OSX x64
 
 ``` bash
 # Create a folder
@@ -41,6 +56,17 @@ curl -O -L https://github.com/actions/runner/releases/download/v<RUNNER_VERSION>
 tar xzf ./actions-runner-osx-x64-<RUNNER_VERSION>.tar.gz
 ```
 
+## OSX arm64 (Apple silicon)
+
+``` bash
+# Create a folder
+mkdir actions-runner && cd actions-runner
+# Download the latest runner package
+curl -O -L https://github.com/actions/runner/releases/download/v<RUNNER_VERSION>/actions-runner-osx-arm64-<RUNNER_VERSION>.tar.gz
+# Extract the installer
+tar xzf ./actions-runner-osx-arm64-<RUNNER_VERSION>.tar.gz
+```
+
 ## Linux x64
 
 ``` bash
@@ -82,25 +108,33 @@ For additional details about configuring, running, or shutting down the runner p
 The SHA-256 checksums for the packages included in this build are shown below:
 
 - actions-runner-win-x64-<RUNNER_VERSION>.zip <!-- BEGIN SHA win-x64 --><WIN_X64_SHA><!-- END SHA win-x64 -->
+- actions-runner-win-arm64-<RUNNER_VERSION>.zip <!-- BEGIN SHA win-arm64 --><WIN_ARM64_SHA><!-- END SHA win-arm64 -->
 - actions-runner-osx-x64-<RUNNER_VERSION>.tar.gz <!-- BEGIN SHA osx-x64 --><OSX_X64_SHA><!-- END SHA osx-x64 -->
+- actions-runner-osx-arm64-<RUNNER_VERSION>.tar.gz <!-- BEGIN SHA osx-arm64 --><OSX_ARM64_SHA><!-- END SHA osx-arm64 -->
 - actions-runner-linux-x64-<RUNNER_VERSION>.tar.gz <!-- BEGIN SHA linux-x64 --><LINUX_X64_SHA><!-- END SHA linux-x64 -->
 - actions-runner-linux-arm64-<RUNNER_VERSION>.tar.gz <!-- BEGIN SHA linux-arm64 --><LINUX_ARM64_SHA><!-- END SHA linux-arm64 -->
 - actions-runner-linux-arm-<RUNNER_VERSION>.tar.gz <!-- BEGIN SHA linux-arm --><LINUX_ARM_SHA><!-- END SHA linux-arm -->
 
 - actions-runner-win-x64-<RUNNER_VERSION>-noexternals.zip <!-- BEGIN SHA win-x64_noexternals --><WIN_X64_SHA_NOEXTERNALS><!-- END SHA win-x64_noexternals -->
+- actions-runner-win-arm64-<RUNNER_VERSION>-noexternals.zip <!-- BEGIN SHA win-arm64_noexternals --><WIN_ARM64_SHA_NOEXTERNALS><!-- END SHA win-arm64_noexternals -->
 - actions-runner-osx-x64-<RUNNER_VERSION>-noexternals.tar.gz <!-- BEGIN SHA osx-x64_noexternals --><OSX_X64_SHA_NOEXTERNALS><!-- END SHA osx-x64_noexternals -->
+- actions-runner-osx-arm64-<RUNNER_VERSION>-noexternals.tar.gz <!-- BEGIN SHA osx-arm64_noexternals --><OSX_ARM64_SHA_NOEXTERNALS><!-- END SHA osx-arm64_noexternals -->
 - actions-runner-linux-x64-<RUNNER_VERSION>-noexternals.tar.gz <!-- BEGIN SHA linux-x64_noexternals --><LINUX_X64_SHA_NOEXTERNALS><!-- END SHA linux-x64_noexternals -->
 - actions-runner-linux-arm64-<RUNNER_VERSION>-noexternals.tar.gz <!-- BEGIN SHA linux-arm64_noexternals --><LINUX_ARM64_SHA_NOEXTERNALS><!-- END SHA linux-arm64_noexternals -->
 - actions-runner-linux-arm-<RUNNER_VERSION>-noexternals.tar.gz <!-- BEGIN SHA linux-arm_noexternals --><LINUX_ARM_SHA_NOEXTERNALS><!-- END SHA linux-arm_noexternals -->
 
 - actions-runner-win-x64-<RUNNER_VERSION>-noruntime.zip <!-- BEGIN SHA win-x64_noruntime --><WIN_X64_SHA_NORUNTIME><!-- END SHA win-x64_noruntime -->
+- actions-runner-win-arm64-<RUNNER_VERSION>-noruntime.zip <!-- BEGIN SHA win-arm64_noruntime --><WIN_ARM64_SHA_NORUNTIME><!-- END SHA win-arm64_noruntime -->
 - actions-runner-osx-x64-<RUNNER_VERSION>-noruntime.tar.gz <!-- BEGIN SHA osx-x64_noruntime --><OSX_X64_SHA_NORUNTIME><!-- END SHA osx-x64_noruntime -->
+- actions-runner-osx-arm64-<RUNNER_VERSION>-noruntime.tar.gz <!-- BEGIN SHA osx-arm64_noruntime --><OSX_ARM64_SHA_NORUNTIME><!-- END SHA osx-arm64_noruntime -->
 - actions-runner-linux-x64-<RUNNER_VERSION>-noruntime.tar.gz <!-- BEGIN SHA linux-x64_noruntime --><LINUX_X64_SHA_NORUNTIME><!-- END SHA linux-x64_noruntime -->
 - actions-runner-linux-arm64-<RUNNER_VERSION>-noruntime.tar.gz <!-- BEGIN SHA linux-arm64_noruntime --><LINUX_ARM64_SHA_NORUNTIME><!-- END SHA linux-arm64_noruntime -->
 - actions-runner-linux-arm-<RUNNER_VERSION>-noruntime.tar.gz <!-- BEGIN SHA linux-arm_noruntime --><LINUX_ARM_SHA_NORUNTIME><!-- END SHA linux-arm_noruntime -->
 
 - actions-runner-win-x64-<RUNNER_VERSION>-noruntime-noexternals.zip <!-- BEGIN SHA win-x64_noruntime_noexternals --><WIN_X64_SHA_NORUNTIME_NOEXTERNALS><!-- END SHA win-x64_noruntime_noexternals -->
+- actions-runner-win-arm64-<RUNNER_VERSION>-noruntime-noexternals.zip <!-- BEGIN SHA win-arm64_noruntime_noexternals --><WIN_ARM64_SHA_NORUNTIME_NOEXTERNALS><!-- END SHA win-arm64_noruntime_noexternals -->
 - actions-runner-osx-x64-<RUNNER_VERSION>-noruntime-noexternals.tar.gz <!-- BEGIN SHA osx-x64_noruntime_noexternals --><OSX_X64_SHA_NORUNTIME_NOEXTERNALS><!-- END SHA osx-x64_noruntime_noexternals -->
+- actions-runner-osx-arm64-<RUNNER_VERSION>-noruntime-noexternals.tar.gz <!-- BEGIN SHA osx-arm64_noruntime_noexternals --><OSX_ARM64_SHA_NORUNTIME_NOEXTERNALS><!-- END SHA osx-arm64_noruntime_noexternals -->
 - actions-runner-linux-x64-<RUNNER_VERSION>-noruntime-noexternals.tar.gz <!-- BEGIN SHA linux-x64_noruntime_noexternals --><LINUX_X64_SHA_NORUNTIME_NOEXTERNALS><!-- END SHA linux-x64_noruntime_noexternals -->
 - actions-runner-linux-arm64-<RUNNER_VERSION>-noruntime-noexternals.tar.gz <!-- BEGIN SHA linux-arm64_noruntime_noexternals --><LINUX_ARM64_SHA_NORUNTIME_NOEXTERNALS><!-- END SHA linux-arm64_noruntime_noexternals -->
 - actions-runner-linux-arm-<RUNNER_VERSION>-noruntime-noexternals.tar.gz <!-- BEGIN SHA linux-arm_noruntime_noexternals --><LINUX_ARM_SHA_NORUNTIME_NOEXTERNALS><!-- END SHA linux-arm_noruntime_noexternals -->

releaseVersion

@@ -1 +1 @@
-2.287.0
+2.299.2

scripts/create-latest-svc.sh

@@ -13,7 +13,7 @@ set -e
 
 flags_found=false
 
-while getopts 's:g:n:u:l:' opt; do
+while getopts 's:g:n:r:u:l:d' opt; do
     flags_found=true
 
     case $opt in
@@ -26,12 +26,18 @@ while getopts 's:g:n:u:l:' opt; do
     n)
         runner_name=$OPTARG
         ;;
+    r)
+        runner_group=$OPTARG
+        ;;
     u)
         svc_user=$OPTARG
         ;;
     l)
         labels=$OPTARG
         ;;
+    d)
+        disableupdate='true'
+        ;;
     *)
         echo "
 Runner Service Installer
@@ -44,8 +50,10 @@ Usage:
     -s          required  scope: repo (:owner/:repo) or org (:organization)
     -g          optional  ghe_hostname: the fully qualified domain name of your GitHub Enterprise Server deployment
     -n          optional  name of the runner, defaults to hostname
+    -r          optional  name of the runner group to add the runner to, defaults to the Default group
     -u          optional  user svc will run as, defaults to current
-    -l          optional  list of labels (split by comma) applied on the runner"
+    -l          optional  list of labels (split by comma) applied on the runner
+    -d          optional  allow runner to remain on the current version for one month after the release of a newer version"
         exit 0
         ;;
     esac
@@ -59,6 +67,7 @@ if ! "$flags_found"; then
     runner_name=${3:-$(hostname)}
     svc_user=${4:-$USER}
     labels=${5}
+    runner_group=${6}
 fi
 
 # apply defaults
@@ -164,8 +173,8 @@ fi
 
 echo
 echo "Configuring ${runner_name} @ $runner_url"
-echo "./config.sh --unattended --url $runner_url --token *** --name $runner_name --labels $labels"
-sudo -E -u ${svc_user} ./config.sh --unattended --url $runner_url --token $RUNNER_TOKEN --name $runner_name --labels $labels
+echo "./config.sh --unattended --url $runner_url --token *** --name $runner_name ${labels:+--labels $labels} ${runner_group:+--runnergroup \"$runner_group\"} ${disableupdate:+--disableupdate}"
+sudo -E -u ${svc_user} ./config.sh --unattended --url $runner_url --token $RUNNER_TOKEN --name $runner_name ${labels:+--labels $labels} ${runner_group:+--runnergroup "$runner_group"} ${disableupdate:+--disableupdate}
 
 #---------------------------------------
 # Configuring as a service

src/Directory.Build.props

@@ -24,10 +24,16 @@
   <PropertyGroup Condition="'$(BUILD_OS)' == 'Windows' AND '$(PackageRuntime)' == 'win-x86'">
     <DefineConstants>$(DefineConstants);X86</DefineConstants>
   </PropertyGroup>
+  <PropertyGroup Condition="'$(BUILD_OS)' == 'Windows' AND '$(PackageRuntime)' == 'win-arm64'">
+    <DefineConstants>$(DefineConstants);ARM64</DefineConstants>
+  </PropertyGroup>
 
-  <PropertyGroup Condition="'$(BUILD_OS)' == 'OSX'">
+  <PropertyGroup Condition="'$(BUILD_OS)' == 'OSX' AND '$(PackageRuntime)' == 'osx-x64'">
     <DefineConstants>$(DefineConstants);X64</DefineConstants>
   </PropertyGroup>
+  <PropertyGroup Condition="'$(BUILD_OS)' == 'OSX' AND '$(PackageRuntime)' == 'osx-arm64'">
+    <DefineConstants>$(DefineConstants);ARM64</DefineConstants>
+  </PropertyGroup>
 
   <PropertyGroup Condition="'$(BUILD_OS)' == 'Linux' AND ('$(PackageRuntime)' == 'linux-x64' OR '$(PackageRuntime)' == '')">
     <DefineConstants>$(DefineConstants);X64</DefineConstants>

src/Misc/contentHash/dotnetRuntime/linux-arm

@@ -1 +1 @@
-de62d296708908cfd1236e58869aebbc2bae8a8c3d629276968542626c508e37
+1d709d93e5d3c6c6c656a61aa6c1781050224788a05b0e6ecc4c3c0408bdf89c

src/Misc/contentHash/dotnetRuntime/linux-arm64

@@ -1 +1 @@
-44fcd0422dd98ed17d2c8e9057ff2260c50165f20674236a4ae7d2645a07df25
+b92a47cfeaad02255b1f7a377060651b73ae5e5db22a188dbbcb4183ab03a03d

src/Misc/contentHash/dotnetRuntime/linux-x64

@@ -1 +1 @@
-e57652cf322ee16ce3af4f9e58f80858746b9e1e60279e991a3b3d9a6baf8d79
+68a9a8ef0843a8bb74241894f6f63fd76241a82295c5337d3cc7a940a314c78e

src/Misc/contentHash/dotnetRuntime/osx-arm64

@@ -0,0 +1 @@
+02c7126ff4d63ee2a0ae390c81434c125630522aadf35903bbeebb1a99d8af99

src/Misc/contentHash/dotnetRuntime/osx-x64

@@ -1 +1 @@
-bdd247b2ff3f51095524412e2ac588e7a87af805e114d6caf2368366ee7be1ea
+c9d5a542f8d765168855a89e83ae0a8970d00869041c4f9a766651c04c72b212

src/Misc/contentHash/dotnetRuntime/win-arm64

@@ -0,0 +1 @@
+39d0683f0f115a211cb10c473e9574c16549a19d4e9a6c637ded3d7022bf809f

src/Misc/contentHash/dotnetRuntime/win-x64

@@ -1 +1 @@
-d23a0cb9f20c0aa1cddb7a39567cd097020cdeb06a1e952940601d1a405c53b8
+d94f2fbaf210297162bc9f3add819d73682c3aa6899e321c3872412b924d5504

src/Misc/contentHash/externals/linux-arm

@@ -1 +1 @@
-6ca4a0e1c50b7079ead05321dcf5835c1c25f23dc632add8c1c4667d416d103e
+6ed30a2c1ee403a610d63e82bb230b9ba846a9c25cec9e4ea8672fb6ed4e1a51

src/Misc/contentHash/externals/linux-arm64

@@ -1 +1 @@
-b5951dc607d782d9c7571a7224e940eb0975bb23c54ff25c7afdbf959a417081
+711c30c51ec52c9b7a9a2eb399d6ab2ab5ee1dc72de11879f2f36f919f163d78

src/Misc/contentHash/externals/linux-x64

@@ -1 +1 @@
-af819e92011cc9cbca90e8299f9f7651f2cf6bf45b42920f9a4ca22795486147
+a49479ca4b4988a06c097e8d22c51fd08a11c13f40807366236213d0e008cf6a

src/Misc/contentHash/externals/osx-arm64

@@ -0,0 +1 @@
+cc4708962a80325de0baa5ae8484e0cb9ae976ac6a4178c1c0d448b8c52bd7f7

src/Misc/contentHash/externals/osx-x64

@@ -1 +1 @@
-aa0e6bf4bfaabf48c962ea3b262dca042629ab332005f73d282faec908847036
+8e97df75230b843462a9b4c578ccec604ee4b4a1066120c85b04374317fa372b

src/Misc/contentHash/externals/win-arm64

@@ -0,0 +1 @@
+e5dace2d41cc0682d096dcce4970079ad48ec7107e46195970eecfdb3df2acef

src/Misc/contentHash/externals/win-x64

@@ -1 +1 @@
-40328cff2b8229f9b578f32739183bd8f6aab481c21dadc052b09f1c7e8e4665
+f75a671e5a188c76680739689aa75331a2c09d483dce9c80023518c48fd67a18

src/Misc/expressionFunc/hashFiles/.eslintrc.json

@@ -1,6 +1,6 @@
 {
-    "plugins": ["jest", "@typescript-eslint"],
-    "extends": ["plugin:github/es6"],
+    "plugins": ["@typescript-eslint"],
+    "extends": ["plugin:github/recommended"],
     "parser": "@typescript-eslint/parser",
     "parserOptions": {
       "ecmaVersion": 9,
@@ -17,13 +17,16 @@
       "@typescript-eslint/no-require-imports": "error",
       "@typescript-eslint/array-type": "error",
       "@typescript-eslint/await-thenable": "error",
-      "@typescript-eslint/ban-ts-ignore": "error",
+      "@typescript-eslint/naming-convention": [
+        "error",
+        {
+          "selector": "default",
+          "format": ["camelCase"]
+        }
+      ],
       "camelcase": "off",
-      "@typescript-eslint/camelcase": "error",
-      "@typescript-eslint/class-name-casing": "error",
       "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
       "@typescript-eslint/func-call-spacing": ["error", "never"],
-      "@typescript-eslint/generic-type-naming": ["error", "^[A-Z][A-Za-z]*$"],
       "@typescript-eslint/no-array-constructor": "error",
       "@typescript-eslint/no-empty-interface": "error",
       "@typescript-eslint/no-explicit-any": "error",
@@ -33,7 +36,6 @@
       "@typescript-eslint/no-misused-new": "error",
       "@typescript-eslint/no-namespace": "error",
       "@typescript-eslint/no-non-null-assertion": "warn",
-      "@typescript-eslint/no-object-literal-type-assertion": "error",
       "@typescript-eslint/no-unnecessary-qualifier": "error",
       "@typescript-eslint/no-unnecessary-type-assertion": "error",
       "@typescript-eslint/no-useless-constructor": "error",
@@ -41,19 +43,19 @@
       "@typescript-eslint/prefer-for-of": "warn",
       "@typescript-eslint/prefer-function-type": "warn",
       "@typescript-eslint/prefer-includes": "error",
-      "@typescript-eslint/prefer-interface": "error",
       "@typescript-eslint/prefer-string-starts-ends-with": "error",
       "@typescript-eslint/promise-function-async": "error",
       "@typescript-eslint/require-array-sort-compare": "error",
       "@typescript-eslint/restrict-plus-operands": "error",
-      "semi": "off",
       "@typescript-eslint/semi": ["error", "never"],
       "@typescript-eslint/type-annotation-spacing": "error",
-      "@typescript-eslint/unbound-method": "error"
+      "@typescript-eslint/unbound-method": "error",
+      "filenames/match-regex" : "off",
+      "github/no-then" : 1, // warning
+      "semi": "off"
     },
     "env": {
       "node": true,
-      "es6": true,
-      "jest/globals": true
+      "es6": true
     }
   }

src/Misc/expressionFunc/hashFiles/README.md

@@ -1 +1,4 @@
-To update hashFiles under `Misc/layoutbin` run `npm install && npm run all`
+To compile this package (output will be stored in `Misc/layoutbin`) run `npm install && npm run all`.
+
+> Note: this package also needs to be recompiled for dependabot PRs updating one of
+> its dependencies.

src/Misc/expressionFunc/hashFiles/package.json

@@ -25,10 +25,10 @@
   },
   "devDependencies": {
     "@types/node": "^12.7.12",
-    "@typescript-eslint/parser": "^2.8.0",
+    "@typescript-eslint/parser": "^5.15.0",
     "@zeit/ncc": "^0.20.5",
-    "eslint": "^6.8.0",
-    "eslint-plugin-github": "^2.0.0",
+    "eslint": "^8.11.0",
+    "eslint-plugin-github": "^4.3.5",
     "prettier": "^1.19.1",
     "typescript": "^3.6.4"
   }

src/Misc/expressionFunc/hashFiles/src/hashFiles.ts

@@ -1,9 +1,9 @@
-import * as glob from '@actions/glob'
 import * as crypto from 'crypto'
 import * as fs from 'fs'
+import * as glob from '@actions/glob'
+import * as path from 'path'
 import * as stream from 'stream'
 import * as util from 'util'
-import * as path from 'path'
 
 async function run(): Promise<void> {
   // arg0 -> node
@@ -45,7 +45,7 @@ async function run(): Promise<void> {
   result.end()
 
   if (hasMatch) {
-    console.log(`Find ${count} files to hash.`)
+    console.log(`Found ${count} files to hash.`)
     console.error(`__OUTPUT__${result.digest('hex')}__OUTPUT__`)
   } else {
     console.error(`__OUTPUT____OUTPUT__`)
@@ -53,3 +53,11 @@ async function run(): Promise<void> {
 }
 
 run()
+  .then(out => {
+    console.log(out)
+    process.exit(0)
+  })
+  .catch(err => {
+    console.error(err)
+    process.exit(1)
+  })

src/Misc/externals.sh

@@ -3,7 +3,8 @@ PACKAGERUNTIME=$1
 PRECACHE=$2
 
 NODE_URL=https://nodejs.org/dist
-NODE12_VERSION="12.13.1"
+UNOFFICIAL_NODE_URL=https://unofficial-builds.nodejs.org/download/release
+NODE12_VERSION="12.22.7"
 NODE16_VERSION="16.13.0"
 
 get_abs_path() {
@@ -134,16 +135,31 @@ if [[ "$PACKAGERUNTIME" == "win-x64" || "$PACKAGERUNTIME" == "win-x86" ]]; then
     fi
 fi
 
+# Download the external tools only for Windows.
+if [[ "$PACKAGERUNTIME" == "win-arm64" ]]; then
+    # todo: replace these with official release when available
+    acquireExternalTool "$UNOFFICIAL_NODE_URL/v${NODE16_VERSION}/$PACKAGERUNTIME/node.exe" node16/bin
+    acquireExternalTool "$UNOFFICIAL_NODE_URL/v${NODE16_VERSION}/$PACKAGERUNTIME/node.lib" node16/bin
+    if [[ "$PRECACHE" != "" ]]; then
+        acquireExternalTool "https://github.com/microsoft/vswhere/releases/download/2.6.7/vswhere.exe" vswhere
+    fi
+fi
+
 # Download the external tools only for OSX.
 if [[ "$PACKAGERUNTIME" == "osx-x64" ]]; then
     acquireExternalTool "$NODE_URL/v${NODE12_VERSION}/node-v${NODE12_VERSION}-darwin-x64.tar.gz" node12 fix_nested_dir
     acquireExternalTool "$NODE_URL/v${NODE16_VERSION}/node-v${NODE16_VERSION}-darwin-x64.tar.gz" node16 fix_nested_dir
 fi
 
+if [[ "$PACKAGERUNTIME" == "osx-arm64" ]]; then
+    # node.js v12 doesn't support macOS on arm64.
+    acquireExternalTool "$NODE_URL/v${NODE16_VERSION}/node-v${NODE16_VERSION}-darwin-arm64.tar.gz" node16 fix_nested_dir
+fi
+
 # Download the external tools for Linux PACKAGERUNTIMEs.
 if [[ "$PACKAGERUNTIME" == "linux-x64" ]]; then
     acquireExternalTool "$NODE_URL/v${NODE12_VERSION}/node-v${NODE12_VERSION}-linux-x64.tar.gz" node12 fix_nested_dir
-    acquireExternalTool "https://vstsagenttools.blob.core.windows.net/tools/nodejs/${NODE12_VERSION}/alpine/x64/node-${NODE12_VERSION}-alpine-x64.tar.gz" node12_alpine
+    acquireExternalTool "https://vstsagenttools.blob.core.windows.net/tools/nodejs/${NODE12_VERSION}/alpine/x64/node-v${NODE12_VERSION}-alpine-x64.tar.gz" node12_alpine
     acquireExternalTool "$NODE_URL/v${NODE16_VERSION}/node-v${NODE16_VERSION}-linux-x64.tar.gz" node16 fix_nested_dir
     acquireExternalTool "https://vstsagenttools.blob.core.windows.net/tools/nodejs/${NODE16_VERSION}/alpine/x64/node-v${NODE16_VERSION}-alpine-x64.tar.gz" node16_alpine
 fi

src/Misc/layoutbin/RunnerService.js

@@ -3,94 +3,135 @@
 // Licensed under the MIT license. See LICENSE file in the project root for full license information.
 
 var childProcess = require("child_process");
-var path = require("path")
+var path = require("path");
 
-var supported = ['linux', 'darwin']
+var supported = ["linux", "darwin"];
 
 if (supported.indexOf(process.platform) == -1) {
-    console.log('Unsupported platform: ' + process.platform);
-    console.log('Supported platforms are: ' + supported.toString());
-    process.exit(1);
+  console.log("Unsupported platform: " + process.platform);
+  console.log("Supported platforms are: " + supported.toString());
+  process.exit(1);
 }
 
 var stopping = false;
 var listener = null;
 
-var runService = function () {
-    var listenerExePath = path.join(__dirname, '../bin/Runner.Listener');
-    var interactive = process.argv[2] === "interactive";
+var exitServiceAfterNFailures = Number(
+  process.env.GITHUB_ACTIONS_SERVICE_EXIT_AFTER_N_FAILURES
+);
 
-    if (!stopping) {
-        try {
-            if (interactive) {
-                console.log('Starting Runner listener interactively');
-                listener = childProcess.spawn(listenerExePath, ['run'], { env: process.env });
-            } else {
-                console.log('Starting Runner listener with startup type: service');
-                listener = childProcess.spawn(listenerExePath, ['run', '--startuptype', 'service'], { env: process.env });
-            }
-
-            console.log(`Started listener process, pid: ${listener.pid}`);
-
-            listener.stdout.on('data', (data) => {
-                process.stdout.write(data.toString('utf8'));
-            });
-
-            listener.stderr.on('data', (data) => {
-                process.stdout.write(data.toString('utf8'));
-            });
-
-            listener.on("error", (err) => {
-                console.log(`Runner listener fail to start with error ${err.message}`);
-            });
-
-            listener.on('close', (code) => {
-                console.log(`Runner listener exited with error code ${code}`);
-
-                if (code === 0) {
-                    console.log('Runner listener exit with 0 return code, stop the service, no retry needed.');
-                    stopping = true;
-                } else if (code === 1) {
-                    console.log('Runner listener exit with terminated error, stop the service, no retry needed.');
-                    stopping = true;
-                } else if (code === 2) {
-                    console.log('Runner listener exit with retryable error, re-launch runner in 5 seconds.');
-                } else if (code === 3) {
-                    console.log('Runner listener exit because of updating, re-launch runner in 5 seconds.');
-                } else {
-                    console.log('Runner listener exit with undefined return code, re-launch runner in 5 seconds.');
-                }
-
-                if (!stopping) {
-                    setTimeout(runService, 5000);
-                }
-            });
-
-        } catch (ex) {
-            console.log(ex);
-        }
-    }
+if (exitServiceAfterNFailures <= 0) {
+  exitServiceAfterNFailures = NaN;
 }
 
+var consecutiveFailureCount = 0;
+
+var gracefulShutdown = function () {
+  console.log("Shutting down runner listener");
+  stopping = true;
+  if (listener) {
+    console.log("Sending SIGINT to runner listener to stop");
+    listener.kill("SIGINT");
+
+    console.log("Sending SIGKILL to runner listener");
+    setTimeout(() => listener.kill("SIGKILL"), 30000).unref();
+  }
+};
+
+var runService = function () {
+  var listenerExePath = path.join(__dirname, "../bin/Runner.Listener");
+  var interactive = process.argv[2] === "interactive";
+
+  if (!stopping) {
+    try {
+      if (interactive) {
+        console.log("Starting Runner listener interactively");
+        listener = childProcess.spawn(listenerExePath, ["run"], {
+          env: process.env,
+        });
+      } else {
+        console.log("Starting Runner listener with startup type: service");
+        listener = childProcess.spawn(
+          listenerExePath,
+          ["run", "--startuptype", "service"],
+          { env: process.env }
+        );
+      }
+
+      console.log(`Started listener process, pid: ${listener.pid}`);
+
+      listener.stdout.on("data", (data) => {
+        if (data.toString("utf8").includes("Listening for Jobs")) {
+          consecutiveFailureCount = 0;
+        }
+        process.stdout.write(data.toString("utf8"));
+      });
+
+      listener.stderr.on("data", (data) => {
+        process.stdout.write(data.toString("utf8"));
+      });
+
+      listener.on("error", (err) => {
+        console.log(`Runner listener fail to start with error ${err.message}`);
+      });
+
+      listener.on("close", (code) => {
+        console.log(`Runner listener exited with error code ${code}`);
+
+        if (code === 0) {
+          console.log(
+            "Runner listener exit with 0 return code, stop the service, no retry needed."
+          );
+          stopping = true;
+        } else if (code === 1) {
+          console.log(
+            "Runner listener exit with terminated error, stop the service, no retry needed."
+          );
+          stopping = true;
+        } else if (code === 2) {
+          console.log(
+            "Runner listener exit with retryable error, re-launch runner in 5 seconds."
+          );
+          consecutiveFailureCount = 0;
+        } else if (code === 3 || code === 4) {
+          console.log(
+            "Runner listener exit because of updating, re-launch runner in 5 seconds."
+          );
+          consecutiveFailureCount = 0;
+        } else {
+          var messagePrefix = "Runner listener exit with undefined return code";
+          consecutiveFailureCount++;
+          if (
+            !isNaN(exitServiceAfterNFailures) &&
+            consecutiveFailureCount >= exitServiceAfterNFailures
+          ) {
+            console.error(
+              `${messagePrefix}, exiting service after ${consecutiveFailureCount} consecutive failures`
+            );
+            gracefulShutdown();
+            return;
+          } else {
+            console.log(`${messagePrefix}, re-launch runner in 5 seconds.`);
+          }
+        }
+
+        if (!stopping) {
+          setTimeout(runService, 5000);
+        }
+      });
+    } catch (ex) {
+      console.log(ex);
+    }
+  }
+};
+
 runService();
-console.log('Started running service');
+console.log("Started running service");
 
-var gracefulShutdown = function (code) {
-    console.log('Shutting down runner listener');
-    stopping = true;
-    if (listener) {
-        console.log('Sending SIGINT to runner listener to stop');
-        listener.kill('SIGINT');
-
-        console.log('Sending SIGKILL to runner listener');
-        setTimeout(() => listener.kill('SIGKILL'), 30000).unref();
-    }
-}
-
-process.on('SIGINT', () => {
-    gracefulShutdown(0);
+process.on("SIGINT", () => {
+  gracefulShutdown();
 });
 
-process.on('SIGTERM', () => {
-    gracefulShutdown(0);
+process.on("SIGTERM", () => {
+  gracefulShutdown();
 });

src/Misc/layoutbin/darwin.svc.sh.template

@@ -17,7 +17,13 @@ RUNNER_ROOT=`pwd`
 
 LAUNCH_PATH="${HOME}/Library/LaunchAgents"
 PLIST_PATH="${LAUNCH_PATH}/${SVC_NAME}.plist"
-TEMPLATE_PATH=./bin/actions.runner.plist.template
+TEMPLATE_PATH=$GITHUB_ACTIONS_RUNNER_SERVICE_TEMPLATE
+IS_CUSTOM_TEMPLATE=0
+if [[ -z $TEMPLATE_PATH ]]; then
+    TEMPLATE_PATH=./bin/actions.runner.plist.template
+else
+    IS_CUSTOM_TEMPLATE=1
+fi
 TEMP_PATH=./bin/actions.runner.plist.temp
 CONFIG_PATH=.service
 
@@ -29,7 +35,11 @@ function failed()
 }
 
 if [ ! -f "${TEMPLATE_PATH}" ]; then
-    failed "Must run from runner root or install is corrupt"
+    if [[ $IS_CUSTOM_TEMPLATE = 0 ]]; then
+        failed "Must run from runner root or install is corrupt"
+    else
+        failed "Service file at '$GITHUB_ACTIONS_RUNNER_SERVICE_TEMPLATE' using GITHUB_ACTIONS_RUNNER_SERVICE_TEMPLATE env variable is not found"
+    fi
 fi
 
 function install()
@@ -53,7 +63,7 @@ function install()
     mkdir -p "${log_path}" || failed "failed to create ${log_path}"
 
     echo Creating ${PLIST_PATH}
-    sed "s/{{User}}/${SUDO_USER:-$USER}/g; s/{{SvcName}}/$SVC_NAME/g; s@{{RunnerRoot}}@${RUNNER_ROOT}@g; s@{{UserHome}}@$HOME@g;" "${TEMPLATE_PATH}" > "${TEMP_PATH}" || failed "failed to create replacement temp file"
+    sed "s/{{User}}/${USER:-$SUDO_USER}/g; s/{{SvcName}}/$SVC_NAME/g; s@{{RunnerRoot}}@${RUNNER_ROOT}@g; s@{{UserHome}}@$HOME@g;" "${TEMPLATE_PATH}" > "${TEMP_PATH}" || failed "failed to create replacement temp file"
     mv "${TEMP_PATH}" "${PLIST_PATH}" || failed "failed to copy plist"
 
     # Since we started with sudo, runsvc.sh will be owned by root. Change this to current login user.

src/Misc/layoutbin/installdependencies.sh

@@ -66,7 +66,7 @@ then
             fi
         fi
 
-        $apt_get update && $apt_get install -y liblttng-ust0 libkrb5-3 zlib1g
+        $apt_get update && $apt_get install -y libkrb5-3 zlib1g
         if [ $? -ne 0 ]
         then
             echo "'$apt_get' failed with exit code '$?'"
@@ -94,6 +94,14 @@ then
             fi
         }
 
+        apt_get_with_fallbacks liblttng-ust1 liblttng-ust0
+        if [ $? -ne 0 ]
+        then
+            echo "'$apt_get' failed with exit code '$?'"
+            print_errormessage
+            exit 1
+        fi
+
         apt_get_with_fallbacks libssl1.1$ libssl1.0.2$ libssl1.0.0$
         if [ $? -ne 0 ]
         then

src/Misc/layoutbin/runsvc.sh

@@ -10,10 +10,11 @@ if [ -f ".path" ]; then
     echo ".path=${PATH}"
 fi
 
-# insert anything to setup env when running as a service
+nodever=${GITHUB_ACTIONS_RUNNER_FORCED_NODE_VERSION:-node16}
 
+# insert anything to setup env when running as a service
 # run the host process which keep the listener alive
-./externals/node12/bin/node ./bin/RunnerService.js &
+./externals/$nodever/bin/node ./bin/RunnerService.js &
 PID=$!
 wait $PID
 trap - TERM INT

src/Misc/layoutbin/systemd.svc.sh.template

@@ -10,7 +10,13 @@ arg_2=${2}
 RUNNER_ROOT=`pwd`
 
 UNIT_PATH=/etc/systemd/system/${SVC_NAME}
-TEMPLATE_PATH=./bin/actions.runner.service.template
+TEMPLATE_PATH=$GITHUB_ACTIONS_RUNNER_SERVICE_TEMPLATE
+IS_CUSTOM_TEMPLATE=0
+if [[ -z $TEMPLATE_PATH ]]; then
+    TEMPLATE_PATH=./bin/actions.runner.service.template
+else
+    IS_CUSTOM_TEMPLATE=1
+fi
 TEMP_PATH=./bin/actions.runner.service.temp
 CONFIG_PATH=.service
 
@@ -31,7 +37,11 @@ function failed()
 }
 
 if [ ! -f "${TEMPLATE_PATH}" ]; then
-    failed "Must run from runner root or install is corrupt"
+    if [[ $IS_CUSTOM_TEMPLATE = 0 ]]; then
+        failed "Must run from runner root or install is corrupt"
+    else
+        failed "Service file at '$GITHUB_ACTIONS_RUNNER_SERVICE_TEMPLATE' using GITHUB_ACTIONS_RUNNER_SERVICE_TEMPLATE env variable is not found"
+    fi
 fi
 
 #check if we run as root

src/Misc/layoutbin/update.cmd.template

@@ -120,6 +120,9 @@ if ERRORLEVEL 1 (
 
 echo [%date% %time%] Update succeed >> "%logfile%" 2>&1
 
+type nul > update.finished
+echo [%date% %time%] update.finished file creation succeed >> "%logfile%" 2>&1
+
 rem rename the update log file with %logfile%.succeed/.failed/succeedneedrestart
 rem runner service host can base on the log file name determin the result of the runner update
 echo [%date% %time%] Rename "%logfile%" to be "%logfile%.succeed" >> "%logfile%" 2>&1

src/Misc/layoutbin/update.sh.template

@@ -30,13 +30,13 @@ date "+[%F %T-%4N] Waiting for $runnerprocessname ($runnerpid) to complete" >> "
 while [ -e /proc/$runnerpid ]
 do
     date "+[%F %T-%4N] Process $runnerpid still running" >> "$logfile" 2>&1
-    sleep 2
+    "$rootfolder"/safe_sleep.sh 2
 done
 date "+[%F %T-%4N] Process $runnerpid finished running" >> "$logfile" 2>&1
 
 # start re-organize folders
 date "+[%F %T-%4N] Sleep 1 more second to make sure process exited" >> "$logfile" 2>&1
-sleep 1
+"$rootfolder"/safe_sleep.sh 1
 
 # the folder structure under runner root will be
 # ./bin -> bin.2.100.0 (junction folder)
@@ -125,7 +125,7 @@ attemptedtargetedfix=0
 currentplatform=$(uname | awk '{print tolower($0)}')
 if [[ "$currentplatform" == 'darwin'  && restartinteractiverunner -eq 0 ]]; then
     # We needed a fix for https://github.com/actions/runner/issues/743
-    # We will recreate the ./externals/node12/bin/node of the past runner version that launched the runnerlistener service
+    # We will recreate the ./externals/nodeXY/bin/node of the past runner version that launched the runnerlistener service
     # Otherwise mac gatekeeper kills the processes we spawn on creation as we are running a process with no backing file
 
     # We need the pid for the nodejs loop, get that here, its the parent of the runner C# pid
@@ -135,7 +135,13 @@ if [[ "$currentplatform" == 'darwin'  && restartinteractiverunner -eq 0 ]]; then
     then
         # inspect the open file handles to find the node process
         # we can't actually inspect the process using ps because it uses relative paths and doesn't follow symlinks
-        path=$(lsof -a -g "$procgroup" -F n | grep node12/bin/node | grep externals | tail -1 | cut -c2-)
+        nodever="node16"
+        path=$(lsof -a -g "$procgroup" -F n | grep $nodever/bin/node | grep externals | tail -1 | cut -c2-)
+        if [[ $? -ne 0 || -z "$path" ]] # Fallback if RunnerService.js was started with node12
+        then
+            nodever="node12"
+            path=$(lsof -a -g "$procgroup" -F n | grep $nodever/bin/node | grep externals | tail -1 | cut -c2-)
+        fi
         if [[ $? -eq 0 && -n "$path" ]]
         then
             # trim the last 5 characters of the path '/node'
@@ -148,7 +154,7 @@ if [[ "$currentplatform" == 'darwin'  && restartinteractiverunner -eq 0 ]]; then
                 then
                     date "+[%F %T-%4N] Creating fallback node at path $path" >> "$logfile" 2>&1
                     mkdir -p "$trimmedpath"
-                    cp "$rootfolder/externals/node12/bin/node" "$path"
+                    cp "$rootfolder/externals/$nodever/bin/node" "$path"
                 else
                     date "+[%F %T-%4N] Path for fallback node exists, skipping creating $path" >> "$logfile" 2>&1
                 fi
@@ -174,6 +180,9 @@ fi
 
 date "+[%F %T-%4N] Update succeed" >> "$logfile"
 
+touch update.finished
+date "+[%F %T-%4N] update.finished file creation succeed" >> "$logfile"
+
 # rename the update log file with %logfile%.succeed/.failed/succeedneedrestart
 # runner service host can base on the log file name determin the result of the runner update
 date "+[%F %T-%4N] Rename $logfile to be $logfile.succeed" >> "$logfile" 2>&1

src/Misc/layoutroot/run-helper.cmd.template

@@ -1,5 +1,5 @@
 @echo off
-
+SET UPDATEFILE=update.finished
 "%~dp0\bin\Runner.Listener.exe" run %*
 
 rem using `if %ERRORLEVEL% EQU N` insterad of `if ERRORLEVEL N`
@@ -22,16 +22,30 @@ if %ERRORLEVEL% EQU 2 (
 )
 
 if %ERRORLEVEL% EQU 3 (
-  rem Sleep 5 seconds to wait for the runner update process finish
-  echo "Runner listener exit because of updating, re-launch runner in 5 seconds"
-  ping 127.0.0.1 -n 6 -w 1000 >NUL
+  rem Wait for 30 seconds or for flag file to exists for the ephemeral runner update process finish
+  echo "Runner listener exit because of updating, re-launch runner after successful update"
+  FOR /L %%G IN (1,1,30) DO (
+    IF EXIST %UPDATEFILE% (
+      echo "Update finished successfully."
+      del %FILE%
+      exit /b 1
+    )
+    ping 127.0.0.1 -n 2 -w 1000 >NUL
+  )
   exit /b 1
 )
 
 if %ERRORLEVEL% EQU 4 (
-  rem Sleep 5 seconds to wait for the ephemeral runner update process finish
-  echo "Runner listener exit because of updating, re-launch ephemeral runner in 5 seconds"
-  ping 127.0.0.1 -n 6 -w 1000 >NUL
+  rem Wait for 30 seconds or for flag file to exists for the runner update process finish
+  echo "Runner listener exit because of updating, re-launch runner after successful update"
+  FOR /L %%G IN (1,1,30) DO (
+    IF EXIST %UPDATEFILE% (
+      echo "Update finished successfully."
+      del %FILE%
+      exit /b 1
+    )
+    ping 127.0.0.1 -n 2 -w 1000 >NUL
+  )
   exit /b 1
 )
 

src/Misc/layoutroot/run-helper.sh.template

@@ -10,23 +10,17 @@ fi
 # Run
 shopt -s nocasematch
 
-safe_sleep() {
-    if [ ! -x "$(command -v sleep)" ]; then
-        if [ ! -x "$(command -v ping)" ]; then
-            COUNT="0"
-            while [[ $COUNT != 5000 ]]; do
-                echo "SLEEP" > /dev/null
-                COUNT=$[$COUNT+1]
-            done
-        else
-            ping -c 5 127.0.0.1 > /dev/null
-        fi
-    else
-        sleep 5
-    fi
-}
+SOURCE="${BASH_SOURCE[0]}"
+while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
+    DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
+    SOURCE="$(readlink "$SOURCE")"
+    [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+done
+DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
+
+updateFile="update.finished"
+"$DIR"/bin/Runner.Listener run $*
 
-bin/Runner.Listener run $*
 returnCode=$?
 if [[ $returnCode == 0 ]]; then
     echo "Runner listener exit with 0 return code, stop the service, no retry needed."
@@ -36,18 +30,32 @@ elif [[ $returnCode == 1 ]]; then
     exit 0
 elif [[ $returnCode == 2 ]]; then
     echo "Runner listener exit with retryable error, re-launch runner in 5 seconds."
-    safe_sleep
-    exit 1
+    "$DIR"/safe_sleep.sh 5
+    exit 2
 elif [[ $returnCode == 3 ]]; then
-    # Sleep 5 seconds to wait for the runner update process finish
-    echo "Runner listener exit because of updating, re-launch runner in 5 seconds"
-    safe_sleep
-    exit 1
+    # Wait for 30 seconds or for flag file to exists for the runner update process finish
+    echo "Runner listener exit because of updating, re-launch runner after successful update"
+    for i in {0..30}; do
+        if test -f "$updateFile"; then
+            echo "Update finished successfully."
+            rm "$updateFile"
+            break
+        fi
+        "$DIR"/safe_sleep.sh 1
+    done
+    exit 2
 elif [[ $returnCode == 4 ]]; then
-    # Sleep 5 seconds to wait for the ephemeral runner update process finish
-    echo "Runner listener exit because of updating, re-launch ephemeral runner in 5 seconds"
-    safe_sleep
-    exit 1
+    # Wait for 30 seconds or for flag file to exists for the ephemeral runner update process finish
+    echo "Runner listener exit because of updating, re-launch runner after successful update"
+    for i in {0..30}; do
+        if test -f "$updateFile"; then
+            echo "Update finished successfully."
+            rm "$updateFile"
+            break
+        fi
+        "$DIR"/safe_sleep.sh 1
+    done
+    exit 2
 else
     echo "Exiting with unknown error code: ${returnCode}"
     exit 0

src/Misc/layoutroot/run.cmd

@@ -19,7 +19,7 @@ rem Run.
 rem ********************************************************************************
 
 :launch_helper
-copy run-helper.cmd.template run-helper.cmd /Y
+copy "%~dp0run-helper.cmd.template" "%~dp0run-helper.cmd" /Y
 call "%~dp0run-helper.cmd" %*
   
 if %ERRORLEVEL% EQU 1 (
@@ -27,5 +27,5 @@ if %ERRORLEVEL% EQU 1 (
   goto :launch_helper
 ) else (  
   echo "Exiting runner..."
-  exit 0
+  exit /b 0
 )

src/Misc/layoutroot/run.sh

@@ -9,16 +9,52 @@ while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symli
     [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
 done
 DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
-cp -f run-helper.sh.template run-helper.sh
-# run the helper process which keep the listener alive
-while :;
-do
-    "$DIR"/run-helper.sh $*
-    returnCode=$?
-    if [[ $returnCode == 1 ]]; then
-        echo "Restarting runner..."
-    else
-        echo "Exiting runner..."
-        exit 0
-    fi
-done
+
+run() {
+    # run the helper process which keep the listener alive
+    while :;
+    do
+        cp -f "$DIR"/run-helper.sh.template "$DIR"/run-helper.sh
+        "$DIR"/run-helper.sh $*
+        returnCode=$?
+        if [[ $returnCode -eq 2 ]]; then
+            echo "Restarting runner..."
+        else
+            echo "Exiting runner..."
+            exit 0
+        fi
+    done
+}
+
+runWithManualTrap() {
+    # Set job control
+    set -m
+
+    trap 'kill -INT -$PID' INT TERM
+
+    # run the helper process which keep the listener alive
+    while :;
+    do
+        cp -f "$DIR"/run-helper.sh.template "$DIR"/run-helper.sh
+        "$DIR"/run-helper.sh $* &
+        PID=$!
+        wait -f $PID
+        returnCode=$?
+        if [[ $returnCode -eq 2 ]]; then
+            echo "Restarting runner..."
+        else
+            echo "Exiting runner..."
+            # Unregister signal handling before exit
+            trap - INT TERM
+            # wait for last parts to be logged
+            wait $PID
+            exit 0
+        fi
+    done
+}
+
+if [[ -z "$RUNNER_MANUALLY_TRAP_SIG" ]]; then
+    run $*
+else
+    runWithManualTrap $*
+fi

src/Misc/layoutroot/safe_sleep.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+SECONDS=0
+while [[ $SECONDS != $1 ]]; do
+    :
+done

src/Misc/runnerdotnetruntimeassets

@@ -3,6 +3,7 @@ api-ms-win-core-console-l1-2-0.dll
 api-ms-win-core-datetime-l1-1-0.dll
 api-ms-win-core-debug-l1-1-0.dll
 api-ms-win-core-errorhandling-l1-1-0.dll
+api-ms-win-core-fibers-l1-1-0.dll
 api-ms-win-core-file-l1-1-0.dll
 api-ms-win-core-file-l1-2-0.dll
 api-ms-win-core-file-l2-1-0.dll
@@ -65,12 +66,14 @@ libmscordbi.dylib
 libmscordbi.so
 Microsoft.CSharp.dll
 Microsoft.DiaSymReader.Native.amd64.dll
+Microsoft.DiaSymReader.Native.arm64.dll
 Microsoft.VisualBasic.Core.dll
 Microsoft.VisualBasic.dll
 Microsoft.Win32.Primitives.dll
 Microsoft.Win32.Registry.dll
 mscordaccore.dll
-mscordaccore_amd64_amd64_6.0.21.52210.dll
+mscordaccore_amd64_amd64_6.0.522.21309.dll
+mscordaccore_arm64_arm64_6.0.522.21309.dll
 mscordbi.dll
 mscorlib.dll
 mscorrc.debug.dll
@@ -260,4 +263,4 @@ System.Xml.XmlSerializer.dll
 System.Xml.XPath.dll
 System.Xml.XPath.XDocument.dll
 ucrtbase.dll
-WindowsBase.dll
+WindowsBase.dll

src/Runner.Common/ActionCommand.cs

@@ -1,4 +1,3 @@
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using System;
 using System.Collections.Generic;
@@ -32,7 +31,7 @@ namespace GitHub.Runner.Common
             new EscapeMapping(token: "%", replacement: "%25"),
         };
 
-        private readonly Dictionary<string, string> _properties = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
+        private readonly Dictionary<string, string> _properties = new(StringComparer.OrdinalIgnoreCase);
         public const string Prefix = "##[";
         public const string _commandKey = "::";
 

src/Runner.Common/ActionResult.cs

@@ -1,5 +1,3 @@
-using System;
-
 namespace GitHub.Runner.Common
 {
     public enum ActionResult

src/Runner.Common/ActionsRunServer.cs

@@ -0,0 +1,51 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using GitHub.DistributedTask.Pipelines;
+using GitHub.DistributedTask.WebApi;
+using GitHub.Services.Common;
+using GitHub.Services.WebApi;
+
+namespace GitHub.Runner.Common
+{
+    [ServiceLocator(Default = typeof(ActionsRunServer))]
+    public interface IActionsRunServer : IRunnerService
+    {
+        Task ConnectAsync(Uri serverUrl, VssCredentials credentials);
+
+        Task<AgentJobRequestMessage> GetJobMessageAsync(string id, CancellationToken token);
+    }
+
+    public sealed class ActionsRunServer : RunnerService, IActionsRunServer
+    {
+        private bool _hasConnection;
+        private VssConnection _connection;
+        private TaskAgentHttpClient _taskAgentClient;
+
+        public async Task ConnectAsync(Uri serverUrl, VssCredentials credentials)
+        {
+            _connection = await EstablishVssConnection(serverUrl, credentials, TimeSpan.FromSeconds(100));
+            _taskAgentClient = _connection.GetClient<TaskAgentHttpClient>();
+            _hasConnection = true;
+        }
+
+        private void CheckConnection()
+        {
+            if (!_hasConnection)
+            {
+                throw new InvalidOperationException($"SetConnection");
+            }
+        }
+
+        public Task<AgentJobRequestMessage> GetJobMessageAsync(string id, CancellationToken cancellationToken)
+        {
+            CheckConnection();
+            var jobMessage = RetryRequest<AgentJobRequestMessage>(async () =>
+                                                    {
+                                                        return await _taskAgentClient.GetJobMessageAsync(id, cancellationToken);
+                                                    }, cancellationToken);
+
+            return jobMessage;
+        }
+    }
+}

src/Runner.Common/CommandLineParser.cs

@@ -1,4 +1,3 @@
-using GitHub.Runner.Common.Util;
 using System;
 using System.Collections.Generic;
 using GitHub.DistributedTask.Logging;

src/Runner.Common/ConfigurationStore.cs

@@ -1,4 +1,3 @@
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using System;
 using System.IO;
@@ -75,17 +74,18 @@ namespace GitHub.Runner.Common
         {
             get
             {
-                Uri accountUri = new Uri(this.ServerUrl);
+                Uri accountUri = new(this.ServerUrl);
                 string repoOrOrgName = string.Empty;
 
-                if (accountUri.Host.EndsWith(".githubusercontent.com", StringComparison.OrdinalIgnoreCase))
+                if (accountUri.Host.EndsWith(".githubusercontent.com", StringComparison.OrdinalIgnoreCase) && !string.IsNullOrEmpty(this.GitHubUrl))
                 {
-                    Uri gitHubUrl = new Uri(this.GitHubUrl);
+                    Uri gitHubUrl = new(this.GitHubUrl);
 
                     // Use the "NWO part" from the GitHub URL path
                     repoOrOrgName = gitHubUrl.AbsolutePath.Trim('/');
                 }
-                else
+
+                if (string.IsNullOrEmpty(repoOrOrgName))
                 {
                     repoOrOrgName = accountUri.AbsolutePath.Split('/', StringSplitOptions.RemoveEmptyEntries).FirstOrDefault();
                 }

src/Runner.Common/Constants.cs

@@ -77,7 +77,7 @@ namespace GitHub.Runner.Common
             public static readonly Architecture PlatformArchitecture = Architecture.X64;
 #elif ARM
             public static readonly Architecture PlatformArchitecture = Architecture.Arm;
-#elif ARM64            
+#elif ARM64
             public static readonly Architecture PlatformArchitecture = Architecture.Arm64;
 #endif
 
@@ -86,10 +86,11 @@ namespace GitHub.Runner.Common
             public static class CommandLine
             {
                 //if you are adding a new arg, please make sure you update the
-                //validArgs array as well present in the CommandSettings.cs
+                //validOptions dictionary as well present in the CommandSettings.cs
                 public static class Args
                 {
                     public static readonly string Auth = "auth";
+                    public static readonly string JitConfig = "jitconfig";
                     public static readonly string Labels = "labels";
                     public static readonly string MonitorSocketAddress = "monitorsocketaddress";
                     public static readonly string Name = "name";
@@ -121,12 +122,13 @@ namespace GitHub.Runner.Common
                 }
 
                 //if you are adding a new flag, please make sure you update the
-                //validFlags array as well present in the CommandSettings.cs
+                //validOptions dictionary as well present in the CommandSettings.cs
                 public static class Flags
                 {
                     public static readonly string Check = "check";
                     public static readonly string Commit = "commit";
                     public static readonly string Ephemeral = "ephemeral";
+                    public static readonly string GenerateServiceConfig = "generateServiceConfig";
                     public static readonly string Help = "help";
                     public static readonly string Replace = "replace";
                     public static readonly string DisableUpdate = "disableupdate";
@@ -149,14 +151,20 @@ namespace GitHub.Runner.Common
             public static class Features
             {
                 public static readonly string DiskSpaceWarning = "runner.diskspace.warning";
+                public static readonly string Node12Warning = "DistributedTask.AddWarningToNode12Action";
+                public static readonly string UseContainerPathForTemplate = "DistributedTask.UseContainerPathForTemplate";
+                public static readonly string AllowRunnerContainerHooks = "DistributedTask.AllowRunnerContainerHooks";
             }
 
             public static readonly string InternalTelemetryIssueDataKey = "_internal_telemetry";
             public static readonly string WorkerCrash = "WORKER_CRASH";
             public static readonly string LowDiskSpace = "LOW_DISK_SPACE";
             public static readonly string UnsupportedCommand = "UNSUPPORTED_COMMAND";
+            public static readonly string UnsupportedCommandMessage = "The `{0}` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/";
             public static readonly string UnsupportedCommandMessageDisabled = "The `{0}` command is disabled. Please upgrade to using Environment Files or opt into unsecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/";
-            public static readonly string UnsupportedStopCommandTokenDisabled = "You cannot use a endToken that is an empty string, the string 'pause-logging', or another workflow command. For more information see:  https://docs.github.com/en/actions/learn-github-actions/workflow-commands-for-github-actions#example-stopping-and-starting-workflow-commands or opt into insecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_STOPCOMMAND_TOKENS` environment variable to `true`.";
+            public static readonly string UnsupportedStopCommandTokenDisabled = "You cannot use a endToken that is an empty string, the string 'pause-logging', or another workflow command. For more information see: https://docs.github.com/actions/learn-github-actions/workflow-commands-for-github-actions#example-stopping-and-starting-workflow-commands or opt into insecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_STOPCOMMAND_TOKENS` environment variable to `true`.";
+            public static readonly string UnsupportedSummarySize = "$GITHUB_STEP_SUMMARY upload aborted, supports content up to a size of {0}k, got {1}k. For more information see: https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions#adding-a-markdown-summary";
+            public static readonly string Node12DetectedAfterEndOfLife = "Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/. Please update the following actions to use Node.js 16: {0}";
         }
 
         public static class RunnerEvent
@@ -188,6 +196,13 @@ namespace GitHub.Runner.Common
             public static readonly string Success = "success";
         }
 
+        public static class Hooks
+        {
+            public static readonly string JobStartedStepName = "Set up runner";
+            public static readonly string JobCompletedStepName = "Complete runner";
+            public static readonly string ContainerHooksPath = "ACTIONS_RUNNER_CONTAINER_HOOKS";
+        }
+
         public static class Path
         {
             public static readonly string ActionsDirectory = "_actions";
@@ -217,13 +232,19 @@ namespace GitHub.Runner.Common
                 //
                 public static readonly string AllowUnsupportedCommands = "ACTIONS_ALLOW_UNSECURE_COMMANDS";
                 public static readonly string AllowUnsupportedStopCommandTokens = "ACTIONS_ALLOW_UNSECURE_STOPCOMMAND_TOKENS";
+                public static readonly string RequireJobContainer = "ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER";
                 public static readonly string RunnerDebug = "ACTIONS_RUNNER_DEBUG";
                 public static readonly string StepDebug = "ACTIONS_STEP_DEBUG";
+                public static readonly string AllowActionsUseUnsecureNodeVersion = "ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION";
             }
 
             public static class Agent
             {
                 public static readonly string ToolsDirectory = "agent.ToolsDirectory";
+
+                // Set this env var to "node12" to downgrade the node version for internal functions (e.g hashfiles). This does NOT affect the version of node actions.
+                public static readonly string ForcedInternalNodeVersion = "ACTIONS_RUNNER_FORCED_INTERNAL_NODE_VERSION";
+                public static readonly string ForcedActionsNodeVersion = "ACTIONS_RUNNER_FORCE_ACTIONS_NODE_VERSION";
             }
 
             public static class System
@@ -236,5 +257,12 @@ namespace GitHub.Runner.Common
                 public static readonly string PhaseDisplayName = "system.phaseDisplayName";
             }
         }
+
+        public static class OperatingSystem
+        {
+            public static readonly int Windows11BuildVersion = 22000;
+            // Both windows 10 and windows 11 share the same Major Version 10, need to use the build version to differentiate
+            public static readonly int Windows11MajorVersion = 10;
+        }
     }
 }

src/Runner.Common/ExtensionManager.cs

@@ -1,4 +1,3 @@
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using System;
 using System.Collections.Concurrent;
@@ -15,7 +14,7 @@ namespace GitHub.Runner.Common
 
     public sealed class ExtensionManager : RunnerService, IExtensionManager
     {
-        private readonly ConcurrentDictionary<Type, List<IExtension>> _cache = new ConcurrentDictionary<Type, List<IExtension>>();
+        private readonly ConcurrentDictionary<Type, List<IExtension>> _cache = new();
 
         public List<T> GetExtensions<T>() where T : class, IExtension
         {
@@ -60,6 +59,9 @@ namespace GitHub.Runner.Common
                 case "GitHub.Runner.Worker.IFileCommandExtension":
                     Add<T>(extensions, "GitHub.Runner.Worker.AddPathFileCommand, Runner.Worker");
                     Add<T>(extensions, "GitHub.Runner.Worker.SetEnvFileCommand, Runner.Worker");
+                    Add<T>(extensions, "GitHub.Runner.Worker.CreateStepSummaryCommand, Runner.Worker");
+                    Add<T>(extensions, "GitHub.Runner.Worker.SaveStateFileCommand, Runner.Worker");
+                    Add<T>(extensions, "GitHub.Runner.Worker.SetOutputFileCommand, Runner.Worker");
                     break;
                 case "GitHub.Runner.Listener.Check.ICheckExtension":
                     Add<T>(extensions, "GitHub.Runner.Listener.Check.InternetCheck, Runner.Listener");

src/Runner.Common/HostContext.cs

@@ -13,6 +13,7 @@ using System.Runtime.Loader;
 using System.Threading;
 using System.Threading.Tasks;
 using GitHub.DistributedTask.Logging;
+using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 
 namespace GitHub.Runner.Common
@@ -50,12 +51,12 @@ namespace GitHub.Runner.Common
         private static int _defaultLogRetentionDays = 30;
         private static int[] _vssHttpMethodEventIds = new int[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 24 };
         private static int[] _vssHttpCredentialEventIds = new int[] { 11, 13, 14, 15, 16, 17, 18, 20, 21, 22, 27, 29 };
-        private readonly ConcurrentDictionary<Type, object> _serviceInstances = new ConcurrentDictionary<Type, object>();
-        private readonly ConcurrentDictionary<Type, Type> _serviceTypes = new ConcurrentDictionary<Type, Type>();
+        private readonly ConcurrentDictionary<Type, object> _serviceInstances = new();
+        private readonly ConcurrentDictionary<Type, Type> _serviceTypes = new();
         private readonly ISecretMasker _secretMasker = new SecretMasker();
-        private readonly List<ProductInfoHeaderValue> _userAgents = new List<ProductInfoHeaderValue>() { new ProductInfoHeaderValue($"GitHubActionsRunner-{BuildConstants.RunnerPackage.PackageName}", BuildConstants.RunnerPackage.Version) };
-        private CancellationTokenSource _runnerShutdownTokenSource = new CancellationTokenSource();
-        private object _perfLock = new object();
+        private readonly List<ProductInfoHeaderValue> _userAgents = new() { new ProductInfoHeaderValue($"GitHubActionsRunner-{BuildConstants.RunnerPackage.PackageName}", BuildConstants.RunnerPackage.Version) };
+        private CancellationTokenSource _runnerShutdownTokenSource = new();
+        private object _perfLock = new();
         private Tracing _trace;
         private Tracing _actionsHttpTrace;
         private Tracing _netcoreHttpTrace;
@@ -65,7 +66,7 @@ namespace GitHub.Runner.Common
         private IDisposable _diagListenerSubscription;
         private StartupType _startupType;
         private string _perfFile;
-        private RunnerWebProxy _webProxy = new RunnerWebProxy();
+        private RunnerWebProxy _webProxy = new();
 
         public event EventHandler Unloading;
         public CancellationToken RunnerShutdownToken => _runnerShutdownTokenSource.Token;
@@ -216,6 +217,8 @@ namespace GitHub.Runner.Common
                 _userAgents.Add(new ProductInfoHeaderValue("RunnerId", runnerSettings.AgentId.ToString(CultureInfo.InvariantCulture)));
                 _userAgents.Add(new ProductInfoHeaderValue("GroupId", runnerSettings.PoolId.ToString(CultureInfo.InvariantCulture)));
             }
+
+            _userAgents.Add(new ProductInfoHeaderValue("CommitSHA", BuildConstants.Source.CommitHash));
         }
 
         public string GetDirectory(WellKnownDirectory directory)
@@ -639,6 +642,31 @@ namespace GitHub.Runner.Common
             var handlerFactory = context.GetService<IHttpClientHandlerFactory>();
             return handlerFactory.CreateClientHandler(context.WebProxy);
         }
+
+        public static string GetDefaultShellForScript(this IHostContext hostContext, string path, string prependPath)
+        {
+            var trace = hostContext.GetTrace(nameof(GetDefaultShellForScript));
+            switch (Path.GetExtension(path))
+            {
+                case ".sh":
+                    // use 'sh' args but prefer bash
+                    if (WhichUtil.Which("bash", false, trace, prependPath) != null)
+                    {
+                        return "bash";
+                    }
+                    return "sh";
+                case ".ps1":
+                    if (WhichUtil.Which("pwsh", false, trace, prependPath) != null)
+                    {
+                        return "pwsh";
+                    }
+                    return "powershell";
+                case ".js":
+                    return Path.Combine(hostContext.GetDirectory(WellKnownDirectory.Externals), NodeUtil.GetInternalNodeVersion(), "bin", $"node{IOUtil.ExeExtension}") + " {0}";
+                default:
+                    throw new ArgumentException($"{path} is not a valid path to a script. Make sure it ends in '.sh', '.ps1' or '.js'.");
+            }
+        }
     }
 
     public enum ShutdownReason

src/Runner.Common/HostTraceListener.cs

@@ -1,4 +1,3 @@
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using System;
 using System.Diagnostics;
@@ -165,7 +164,7 @@ namespace GitHub.Runner.Common
         {
             if (_enableLogRetention)
             {
-                DirectoryInfo diags = new DirectoryInfo(_logFileDirectory);
+                DirectoryInfo diags = new(_logFileDirectory);
                 var logs = diags.GetFiles($"{_logFilePrefix}*.log");
                 foreach (var log in logs)
                 {

src/Runner.Common/JobNotification.cs

@@ -1,10 +1,7 @@
-using System;
-using System.IO;
-using System.IO.Pipes;
+using System;
 using System.Net;
 using System.Net.Sockets;
 using System.Text;
-using System.Threading;
 using System.Threading.Tasks;
 
 namespace GitHub.Runner.Common

src/Runner.Common/JobServer.cs

@@ -1,32 +1,38 @@
-using GitHub.DistributedTask.WebApi;
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Net.WebSockets;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
+using GitHub.DistributedTask.WebApi;
 using GitHub.Runner.Sdk;
 using GitHub.Services.Common;
 using GitHub.Services.WebApi;
+using GitHub.Services.WebApi.Utilities.Internal;
 
 namespace GitHub.Runner.Common
 {
     [ServiceLocator(Default = typeof(JobServer))]
-    public interface IJobServer : IRunnerService
+    public interface IJobServer : IRunnerService, IAsyncDisposable
     {
         Task ConnectAsync(VssConnection jobConnection);
 
+        void InitializeWebsocketClient(ServiceEndpoint serviceEndpoint);
+
         // logging and console
         Task<TaskLog> AppendLogContentAsync(Guid scopeIdentifier, string hubName, Guid planId, int logId, Stream uploadStream, CancellationToken cancellationToken);
-        Task AppendTimelineRecordFeedAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid timelineId, Guid timelineRecordId, Guid stepId, IList<string> lines, CancellationToken cancellationToken);
-        Task AppendTimelineRecordFeedAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid timelineId, Guid timelineRecordId, Guid stepId, IList<string> lines, long startLine, CancellationToken cancellationToken);
+        Task AppendTimelineRecordFeedAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid timelineId, Guid timelineRecordId, Guid stepId, IList<string> lines, long? startLine, CancellationToken cancellationToken);
         Task<TaskAttachment> CreateAttachmentAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid timelineId, Guid timelineRecordId, String type, String name, Stream uploadStream, CancellationToken cancellationToken);
         Task<TaskLog> CreateLogAsync(Guid scopeIdentifier, string hubName, Guid planId, TaskLog log, CancellationToken cancellationToken);
         Task<Timeline> CreateTimelineAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid timelineId, CancellationToken cancellationToken);
         Task<List<TimelineRecord>> UpdateTimelineRecordsAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid timelineId, IEnumerable<TimelineRecord> records, CancellationToken cancellationToken);
         Task RaisePlanEventAsync<T>(Guid scopeIdentifier, string hubName, Guid planId, T eventData, CancellationToken cancellationToken) where T : JobEvent;
         Task<Timeline> GetTimelineAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid timelineId, CancellationToken cancellationToken);
-        Task<ActionDownloadInfoCollection> ResolveActionDownloadInfoAsync(Guid scopeIdentifier, string hubName, Guid planId, ActionReferenceList actions, CancellationToken cancellationToken);
+        Task<ActionDownloadInfoCollection> ResolveActionDownloadInfoAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid jobId, ActionReferenceList actions, CancellationToken cancellationToken);
     }
 
     public sealed class JobServer : RunnerService, IJobServer
@@ -34,6 +40,20 @@ namespace GitHub.Runner.Common
         private bool _hasConnection;
         private VssConnection _connection;
         private TaskHttpClient _taskClient;
+        private ClientWebSocket _websocketClient;
+
+        private ServiceEndpoint _serviceEndpoint;
+
+        private int totalBatchedLinesAttemptedByWebsocket = 0;
+        private int failedAttemptsToPostBatchedLinesByWebsocket = 0;
+
+
+        private static readonly TimeSpan _minDelayForWebsocketReconnect = TimeSpan.FromMilliseconds(100);
+        private static readonly TimeSpan _maxDelayForWebsocketReconnect = TimeSpan.FromMilliseconds(500);
+        private static readonly int _minWebsocketFailurePercentageAllowed = 50;
+        private static readonly int _minWebsocketBatchedLinesCountToConsider = 5;
+
+        private Task _websocketConnectTask;
 
         public async Task ConnectAsync(VssConnection jobConnection)
         {
@@ -42,7 +62,7 @@ namespace GitHub.Runner.Common
             int attemptCount = totalAttempts;
             var configurationStore = HostContext.GetService<IConfigurationStore>();
             var runnerSettings = configurationStore.GetSettings();
- 
+
             while (!_connection.HasAuthenticated && attemptCount-- > 0)
             {
                 try
@@ -117,6 +137,21 @@ namespace GitHub.Runner.Common
             }
         }
 
+        public void InitializeWebsocketClient(ServiceEndpoint serviceEndpoint)
+        {
+            this._serviceEndpoint = serviceEndpoint;
+            InitializeWebsocketClient(TimeSpan.Zero);
+        }
+
+        public ValueTask DisposeAsync()
+        {
+            CloseWebSocket(WebSocketCloseStatus.NormalClosure, CancellationToken.None);
+
+            GC.SuppressFinalize(this);
+
+            return ValueTask.CompletedTask;
+        }
+
         private void CheckConnection()
         {
             if (!_hasConnection)
@@ -125,6 +160,53 @@ namespace GitHub.Runner.Common
             }
         }
 
+        private void InitializeWebsocketClient(TimeSpan delay)
+        {
+            if (_serviceEndpoint.Authorization != null &&
+                _serviceEndpoint.Authorization.Parameters.TryGetValue(EndpointAuthorizationParameters.AccessToken, out var accessToken) &&
+                !string.IsNullOrEmpty(accessToken))
+            {
+                if (_serviceEndpoint.Data.TryGetValue("FeedStreamUrl", out var feedStreamUrl) && !string.IsNullOrEmpty(feedStreamUrl))
+                {
+                    // let's ensure we use the right scheme
+                    feedStreamUrl = feedStreamUrl.Replace("https://", "wss://").Replace("http://", "ws://");
+                    Trace.Info($"Creating websocket client ..." + feedStreamUrl);
+                    this._websocketClient = new ClientWebSocket();
+                    this._websocketClient.Options.SetRequestHeader("Authorization", $"Bearer {accessToken}");
+                    var userAgentValues = new List<ProductInfoHeaderValue>();
+                    userAgentValues.AddRange(UserAgentUtility.GetDefaultRestUserAgent());
+                    userAgentValues.AddRange(HostContext.UserAgents);
+                    this._websocketClient.Options.SetRequestHeader("User-Agent", string.Join(" ", userAgentValues.Select(x => x.ToString())));
+
+                    this._websocketConnectTask = ConnectWebSocketClient(feedStreamUrl, delay);
+                }
+                else
+                {
+                    Trace.Info($"No FeedStreamUrl found, so we will use Rest API calls for sending feed data");
+                }
+            }
+            else
+            {
+                Trace.Info($"No access token from the service endpoint");
+            }
+        }
+
+        private async Task ConnectWebSocketClient(string feedStreamUrl, TimeSpan delay)
+        {
+            try
+            {
+                Trace.Info($"Attempting to start websocket client with delay {delay}.");
+                await Task.Delay(delay);
+                await this._websocketClient.ConnectAsync(new Uri(feedStreamUrl), default(CancellationToken));
+                Trace.Info($"Successfully started websocket client.");
+            }
+            catch (Exception ex)
+            {
+                Trace.Info("Exception caught during websocket client connect, fallback of HTTP would be used now instead of websocket.");
+                Trace.Error(ex);
+            }
+        }
+
         //-----------------------------------------------------------------
         // Feedback: WebConsole, TimelineRecords and Logs
         //-----------------------------------------------------------------
@@ -135,16 +217,86 @@ namespace GitHub.Runner.Common
             return _taskClient.AppendLogContentAsync(scopeIdentifier, hubName, planId, logId, uploadStream, cancellationToken: cancellationToken);
         }
 
-        public Task AppendTimelineRecordFeedAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid timelineId, Guid timelineRecordId, Guid stepId, IList<string> lines, CancellationToken cancellationToken)
+        public async Task AppendTimelineRecordFeedAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid timelineId, Guid timelineRecordId, Guid stepId, IList<string> lines, long? startLine, CancellationToken cancellationToken)
         {
             CheckConnection();
-            return _taskClient.AppendTimelineRecordFeedAsync(scopeIdentifier, hubName, planId, timelineId, timelineRecordId, stepId, lines, cancellationToken: cancellationToken);
+            var pushedLinesViaWebsocket = false;
+            if (_websocketConnectTask != null)
+            {
+                await _websocketConnectTask;
+            }
+
+            // "_websocketClient != null" implies either: We have a successful connection OR we have to attempt sending again and then reconnect
+            // ...in other words, if websocket client is null, we will skip sending to websocket and just use rest api calls to send data
+            if (_websocketClient != null)
+            {
+                var linesWrapper = startLine.HasValue ? new TimelineRecordFeedLinesWrapper(stepId, lines, startLine.Value) : new TimelineRecordFeedLinesWrapper(stepId, lines);
+                var jsonData = StringUtil.ConvertToJson(linesWrapper);
+                try
+                {
+                    totalBatchedLinesAttemptedByWebsocket++;
+                    var jsonDataBytes = Encoding.UTF8.GetBytes(jsonData);
+                    // break the message into chunks of 1024 bytes
+                    for (var i = 0; i < jsonDataBytes.Length; i += 1 * 1024)
+                    {
+                        var lastChunk = i + (1 * 1024) >= jsonDataBytes.Length;
+                        var chunk = new ArraySegment<byte>(jsonDataBytes, i, Math.Min(1 * 1024, jsonDataBytes.Length - i));
+                        await _websocketClient.SendAsync(chunk, WebSocketMessageType.Text, endOfMessage: lastChunk, cancellationToken);
+                    }
+
+                    pushedLinesViaWebsocket = true;
+                }
+                catch (Exception ex)
+                {
+                    failedAttemptsToPostBatchedLinesByWebsocket++;
+                    Trace.Info($"Caught exception during append web console line to websocket, let's fallback to sending via non-websocket call (total calls: {totalBatchedLinesAttemptedByWebsocket}, failed calls: {failedAttemptsToPostBatchedLinesByWebsocket}, websocket state: {this._websocketClient?.State}).");
+                    Trace.Error(ex);
+                    if (totalBatchedLinesAttemptedByWebsocket > _minWebsocketBatchedLinesCountToConsider)
+                    {
+                        // let's consider failure percentage
+                        if (failedAttemptsToPostBatchedLinesByWebsocket * 100 / totalBatchedLinesAttemptedByWebsocket > _minWebsocketFailurePercentageAllowed)
+                        {
+                            Trace.Info($"Exhausted websocket allowed retries, we will not attempt websocket connection for this job to post lines again.");
+                            CloseWebSocket(WebSocketCloseStatus.InternalServerError, cancellationToken);
+
+                            // By setting it to null, we will ensure that we never try websocket path again for this job
+                            _websocketClient = null;
+                        }
+                    }
+
+                    if (_websocketClient != null)
+                    {
+                        var delay = BackoffTimerHelper.GetRandomBackoff(_minDelayForWebsocketReconnect, _maxDelayForWebsocketReconnect);
+                        Trace.Info($"Websocket is not open, let's attempt to connect back again with random backoff {delay} ms (total calls: {totalBatchedLinesAttemptedByWebsocket}, failed calls: {failedAttemptsToPostBatchedLinesByWebsocket}).");
+                        InitializeWebsocketClient(delay);
+                    }
+                }
+            }
+
+            if (!pushedLinesViaWebsocket && !cancellationToken.IsCancellationRequested)
+            {
+                if (startLine.HasValue)
+                {
+                    await _taskClient.AppendTimelineRecordFeedAsync(scopeIdentifier, hubName, planId, timelineId, timelineRecordId, stepId, lines, startLine.Value, cancellationToken: cancellationToken);
+                }
+                else
+                {
+                    await _taskClient.AppendTimelineRecordFeedAsync(scopeIdentifier, hubName, planId, timelineId, timelineRecordId, stepId, lines, cancellationToken: cancellationToken);
+                }
+            }
         }
 
-        public Task AppendTimelineRecordFeedAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid timelineId, Guid timelineRecordId, Guid stepId, IList<string> lines, long startLine, CancellationToken cancellationToken)
+        private void CloseWebSocket(WebSocketCloseStatus closeStatus, CancellationToken cancellationToken)
         {
-            CheckConnection();
-            return _taskClient.AppendTimelineRecordFeedAsync(scopeIdentifier, hubName, planId, timelineId, timelineRecordId, stepId, lines, startLine, cancellationToken: cancellationToken);
+            try
+            {
+                _websocketClient?.CloseOutputAsync(closeStatus, "Closing websocket", cancellationToken);
+            }
+            catch (Exception websocketEx)
+            {
+                // In some cases this might be okay since the websocket might be open yet, so just close and don't trace exceptions
+                Trace.Info($"Failed to close websocket gracefully {websocketEx.GetType().Name}");
+            }
         }
 
         public Task<TaskAttachment> CreateAttachmentAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid timelineId, Guid timelineRecordId, string type, string name, Stream uploadStream, CancellationToken cancellationToken)
@@ -186,10 +338,10 @@ namespace GitHub.Runner.Common
         //-----------------------------------------------------------------
         // Action download info
         //-----------------------------------------------------------------
-        public Task<ActionDownloadInfoCollection> ResolveActionDownloadInfoAsync(Guid scopeIdentifier, string hubName, Guid planId, ActionReferenceList actions, CancellationToken cancellationToken)
+        public Task<ActionDownloadInfoCollection> ResolveActionDownloadInfoAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid jobId, ActionReferenceList actions, CancellationToken cancellationToken)
         {
             CheckConnection();
-            return _taskClient.ResolveActionDownloadInfoAsync(scopeIdentifier, hubName, planId, actions, cancellationToken: cancellationToken);
+            return _taskClient.ResolveActionDownloadInfoAsync(scopeIdentifier, hubName, planId, jobId, actions, cancellationToken: cancellationToken);
         }
     }
 }

src/Runner.Common/JobServerQueue.cs

@@ -39,19 +39,19 @@ namespace GitHub.Runner.Common
         private Guid _jobTimelineRecordId;
 
         // queue for web console line
-        private readonly ConcurrentQueue<ConsoleLineInfo> _webConsoleLineQueue = new ConcurrentQueue<ConsoleLineInfo>();
+        private readonly ConcurrentQueue<ConsoleLineInfo> _webConsoleLineQueue = new();
 
         // queue for file upload (log file or attachment)
-        private readonly ConcurrentQueue<UploadFileInfo> _fileUploadQueue = new ConcurrentQueue<UploadFileInfo>();
+        private readonly ConcurrentQueue<UploadFileInfo> _fileUploadQueue = new();
 
         // queue for timeline or timeline record update (one queue per timeline)
-        private readonly ConcurrentDictionary<Guid, ConcurrentQueue<TimelineRecord>> _timelineUpdateQueue = new ConcurrentDictionary<Guid, ConcurrentQueue<TimelineRecord>>();
+        private readonly ConcurrentDictionary<Guid, ConcurrentQueue<TimelineRecord>> _timelineUpdateQueue = new();
 
         // indicate how many timelines we have, we will process _timelineUpdateQueue base on the order of timeline in this list
-        private readonly List<Guid> _allTimelines = new List<Guid>();
+        private readonly List<Guid> _allTimelines = new();
 
         // bufferd timeline records that fail to update
-        private readonly Dictionary<Guid, List<TimelineRecord>> _bufferedRetryRecords = new Dictionary<Guid, List<TimelineRecord>>();
+        private readonly Dictionary<Guid, List<TimelineRecord>> _bufferedRetryRecords = new();
 
         // Task for each queue's dequeue process
         private Task _webConsoleLineDequeueTask;
@@ -61,8 +61,8 @@ namespace GitHub.Runner.Common
         // common
         private IJobServer _jobServer;
         private Task[] _allDequeueTasks;
-        private readonly TaskCompletionSource<int> _jobCompletionSource = new TaskCompletionSource<int>();
-        private readonly TaskCompletionSource<int> _jobRecordUpdated = new TaskCompletionSource<int>();
+        private readonly TaskCompletionSource<int> _jobCompletionSource = new();
+        private readonly TaskCompletionSource<int> _jobRecordUpdated = new();
         private bool _queueInProcess = false;
 
         public TaskCompletionSource<int> JobRecordUpdated => _jobRecordUpdated;
@@ -71,7 +71,7 @@ namespace GitHub.Runner.Common
 
         // Web console dequeue will start with process queue every 250ms for the first 60*4 times (~60 seconds).
         // Then the dequeue will happen every 500ms.
-        // In this way, customer still can get instance live console output on job start, 
+        // In this way, customer still can get instance live console output on job start,
         // at the same time we can cut the load to server after the build run for more than 60s
         private int _webConsoleLineAggressiveDequeueCount = 0;
         private const int _webConsoleLineAggressiveDequeueLimit = 4 * 60;
@@ -89,6 +89,10 @@ namespace GitHub.Runner.Common
         {
             Trace.Entering();
 
+            var serviceEndPoint = jobRequest.Resources.Endpoints.Single(x => string.Equals(x.Name, WellKnownServiceEndpointNames.SystemVssConnection, StringComparison.OrdinalIgnoreCase));
+
+            _jobServer.InitializeWebsocketClient(serviceEndPoint);
+
             if (_queueInProcess)
             {
                 Trace.Info("No-opt, all queue process tasks are running.");
@@ -156,6 +160,9 @@ namespace GitHub.Runner.Common
             await ProcessTimelinesUpdateQueueAsync(runOnce: true);
             Trace.Info("Timeline update queue drained.");
 
+            Trace.Info($"Disposing job server ...");
+            await _jobServer.DisposeAsync();
+
             Trace.Info("All queue process tasks have been stopped, and all queues are drained.");
         }
 
@@ -230,8 +237,8 @@ namespace GitHub.Runner.Common
                 }
 
                 // Group consolelines by timeline record of each step
-                Dictionary<Guid, List<TimelineRecordLogLine>> stepsConsoleLines = new Dictionary<Guid, List<TimelineRecordLogLine>>();
-                List<Guid> stepRecordIds = new List<Guid>(); // We need to keep lines in order
+                Dictionary<Guid, List<TimelineRecordLogLine>> stepsConsoleLines = new();
+                List<Guid> stepRecordIds = new(); // We need to keep lines in order
                 int linesCounter = 0;
                 ConsoleLineInfo lineInfo;
                 while (_webConsoleLineQueue.TryDequeue(out lineInfo))
@@ -257,7 +264,7 @@ namespace GitHub.Runner.Common
                 {
                     // Split consolelines into batch, each batch will container at most 100 lines.
                     int batchCounter = 0;
-                    List<List<TimelineRecordLogLine>> batchedLines = new List<List<TimelineRecordLogLine>>();
+                    List<List<TimelineRecordLogLine>> batchedLines = new();
                     foreach (var line in stepsConsoleLines[stepRecordId])
                     {
                         var currentBatch = batchedLines.ElementAtOrDefault(batchCounter);
@@ -292,14 +299,10 @@ namespace GitHub.Runner.Common
                         {
                             try
                             {
-                                // we will not requeue failed batch, since the web console lines are time sensitive.
-                                if (batch[0].LineNumber.HasValue)
+                                // Give at most 60s for each request. 
+                                using (var timeoutTokenSource = new CancellationTokenSource(TimeSpan.FromSeconds(60)))
                                 {
-                                    await _jobServer.AppendTimelineRecordFeedAsync(_scopeIdentifier, _hubName, _planId, _jobTimelineId, _jobTimelineRecordId, stepRecordId, batch.Select(logLine => logLine.Line).ToList(), batch[0].LineNumber.Value, default(CancellationToken));
-                                }
-                                else
-                                {
-                                    await _jobServer.AppendTimelineRecordFeedAsync(_scopeIdentifier, _hubName, _planId, _jobTimelineId, _jobTimelineRecordId, stepRecordId, batch.Select(logLine => logLine.Line).ToList(), default(CancellationToken));
+                                    await _jobServer.AppendTimelineRecordFeedAsync(_scopeIdentifier, _hubName, _planId, _jobTimelineId, _jobTimelineRecordId, stepRecordId, batch.Select(logLine => logLine.Line).ToList(), batch[0].LineNumber, timeoutTokenSource.Token);
                                 }
 
                                 if (_firstConsoleOutputs)
@@ -335,7 +338,7 @@ namespace GitHub.Runner.Common
         {
             while (!_jobCompletionSource.Task.IsCompleted || runOnce)
             {
-                List<UploadFileInfo> filesToUpload = new List<UploadFileInfo>();
+                List<UploadFileInfo> filesToUpload = new();
                 UploadFileInfo dequeueFile;
                 while (_fileUploadQueue.TryDequeue(out dequeueFile))
                 {
@@ -395,13 +398,13 @@ namespace GitHub.Runner.Common
         {
             while (!_jobCompletionSource.Task.IsCompleted || runOnce)
             {
-                List<PendingTimelineRecord> pendingUpdates = new List<PendingTimelineRecord>();
+                List<PendingTimelineRecord> pendingUpdates = new();
                 foreach (var timeline in _allTimelines)
                 {
                     ConcurrentQueue<TimelineRecord> recordQueue;
                     if (_timelineUpdateQueue.TryGetValue(timeline, out recordQueue))
                     {
-                        List<TimelineRecord> records = new List<TimelineRecord>();
+                        List<TimelineRecord> records = new();
                         TimelineRecord record;
                         while (recordQueue.TryDequeue(out record))
                         {
@@ -423,7 +426,7 @@ namespace GitHub.Runner.Common
                 // we need track whether we have new sub-timeline been created on the last run.
                 // if so, we need continue update timeline record even we on the last run.
                 bool pendingSubtimelineUpdate = false;
-                List<Exception> mainTimelineRecordsUpdateErrors = new List<Exception>();
+                List<Exception> mainTimelineRecordsUpdateErrors = new();
                 if (pendingUpdates.Count > 0)
                 {
                     foreach (var update in pendingUpdates)
@@ -489,8 +492,8 @@ namespace GitHub.Runner.Common
 
                 if (runOnce)
                 {
-                    // continue process timeline records update, 
-                    // we might have more records need update, 
+                    // continue process timeline records update,
+                    // we might have more records need update,
                     // since we just create a new sub-timeline
                     if (pendingSubtimelineUpdate)
                     {
@@ -526,7 +529,7 @@ namespace GitHub.Runner.Common
                 return timelineRecords;
             }
 
-            Dictionary<Guid, TimelineRecord> dict = new Dictionary<Guid, TimelineRecord>();
+            Dictionary<Guid, TimelineRecord> dict = new();
             foreach (TimelineRecord rec in timelineRecords)
             {
                 if (rec == null)

src/Runner.Common/JobStatusEventArgs.cs

@@ -0,0 +1,14 @@
+using System;
+using GitHub.DistributedTask.WebApi;
+
+namespace GitHub.Runner.Common
+{
+    public class JobStatusEventArgs : EventArgs
+    {
+        public JobStatusEventArgs(TaskAgentStatus status)
+        {
+            this.Status = status;
+        }
+        public TaskAgentStatus Status { get; private set; }
+    }
+}

src/Runner.Common/Logging.cs

@@ -1,4 +1,3 @@
-using GitHub.Runner.Common.Util;
 using System;
 using System.IO;
 

src/Runner.Common/ProcessChannel.cs

@@ -76,7 +76,7 @@ namespace GitHub.Runner.Common
 
         public async Task<WorkerMessage> ReceiveAsync(CancellationToken cancellationToken)
         {
-            WorkerMessage result = new WorkerMessage(MessageType.NotInitialized, string.Empty);
+            WorkerMessage result = new(MessageType.NotInitialized, string.Empty);
             result.MessageType = (MessageType)await _readStream.ReadInt32Async(cancellationToken);
             result.Body = await _readStream.ReadStringAsync(cancellationToken);
             Trace.Info($"Receiving message of length {result.Body.Length}, with hash '{IOUtil.GetSha256Hash(result.Body)}'");

src/Runner.Common/ProcessExtensions.cs

@@ -291,7 +291,7 @@ namespace GitHub.Runner.Common
         public static string GetEnvironmentVariable(this Process process, IHostContext hostContext, string variable)
         {
             var trace = hostContext.GetTrace(nameof(LinuxProcessExtensions));
-            Dictionary<string, string> env = new Dictionary<string, string>();
+            Dictionary<string, string> env = new();
 
             if (Directory.Exists("/proc"))
             {
@@ -322,8 +322,8 @@ namespace GitHub.Runner.Common
                 // It doesn't escape '=' or ' ', so we can't parse the output into a dictionary of all envs.
                 // So we only look for the env you request, in the format of variable=value. (it won't work if you variable contains = or space)
                 trace.Info($"Read env from output of `ps e -p {process.Id} -o command`");
-                List<string> psOut = new List<string>();
-                object outputLock = new object();
+                List<string> psOut = new();
+                object outputLock = new();
                 using (var p = hostContext.CreateService<IProcessInvoker>())
                 {
                     p.OutputDataReceived += delegate (object sender, ProcessDataReceivedEventArgs stdout)

src/Runner.Common/ProcessInvoker.cs

@@ -1,4 +1,4 @@
-using GitHub.Runner.Common.Util;
+using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using System;
 using System.Collections.Generic;

src/Runner.Common/RunServer.cs

@@ -0,0 +1,59 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using GitHub.DistributedTask.Pipelines;
+using GitHub.DistributedTask.WebApi;
+using GitHub.Runner.Sdk;
+using GitHub.Services.Common;
+using GitHub.Services.WebApi;
+using Sdk.WebApi.WebApi.RawClient;
+
+namespace GitHub.Runner.Common
+{
+    [ServiceLocator(Default = typeof(RunServer))]
+    public interface IRunServer : IRunnerService
+    {
+        Task ConnectAsync(Uri serverUrl, VssCredentials credentials);
+
+        Task<AgentJobRequestMessage> GetJobMessageAsync(string id, CancellationToken token);
+    }
+
+    public sealed class RunServer : RunnerService, IRunServer
+    {
+        private bool _hasConnection;
+        private Uri requestUri;
+        private RawConnection _connection;
+        private RunServiceHttpClient _runServiceHttpClient;
+
+        public async Task ConnectAsync(Uri serverUri, VssCredentials credentials)
+        {
+            requestUri = serverUri;
+
+            _connection = VssUtil.CreateRawConnection(new Uri(serverUri.Authority), credentials);
+            _runServiceHttpClient = await _connection.GetClientAsync<RunServiceHttpClient>();
+            _hasConnection = true;
+        }
+
+        private void CheckConnection()
+        {
+            if (!_hasConnection)
+            {
+                throw new InvalidOperationException($"SetConnection");
+            }
+        }
+
+        public Task<AgentJobRequestMessage> GetJobMessageAsync(string id, CancellationToken cancellationToken)
+        {
+            CheckConnection();
+            var jobMessage = RetryRequest<AgentJobRequestMessage>(
+                async () => await _runServiceHttpClient.GetJobMessageAsync(requestUri, id, cancellationToken), cancellationToken);
+            if (jobMessage == null)
+            {
+                throw new TaskOrchestrationJobNotFoundException(id);
+            }
+
+            return jobMessage;
+        }
+
+    }
+}

src/Runner.Common/Runner.Common.csproj

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <OutputType>Library</OutputType>
-    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64</RuntimeIdentifiers>
+    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64;osx-arm64;win-arm64</RuntimeIdentifiers>
     <TargetLatestRuntimePatch>true</TargetLatestRuntimePatch>
     <NoWarn>NU1701;NU1603</NoWarn>
     <Version>$(Version)</Version>
@@ -16,7 +16,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Win32.Registry" Version="4.4.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
     <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="4.4.0" />
     <PackageReference Include="System.Text.Encoding.CodePages" Version="4.4.0" />
     <PackageReference Include="System.Threading.Channels" Version="4.4.0" />

src/Runner.Common/RunnerServer.cs

@@ -1,9 +1,8 @@
-using GitHub.DistributedTask.WebApi;
+using GitHub.DistributedTask.WebApi;
 using System;
 using System.Collections.Generic;
 using System.Threading;
 using System.Threading.Tasks;
-using GitHub.Runner.Common.Util;
 using GitHub.Services.WebApi;
 using GitHub.Services.Common;
 using GitHub.Runner.Sdk;
@@ -39,7 +38,7 @@ namespace GitHub.Runner.Common
         Task<TaskAgentSession> CreateAgentSessionAsync(Int32 poolId, TaskAgentSession session, CancellationToken cancellationToken);
         Task DeleteAgentMessageAsync(Int32 poolId, Int64 messageId, Guid sessionId, CancellationToken cancellationToken);
         Task DeleteAgentSessionAsync(Int32 poolId, Guid sessionId, CancellationToken cancellationToken);
-        Task<TaskAgentMessage> GetAgentMessageAsync(Int32 poolId, Guid sessionId, Int64? lastMessageId, CancellationToken cancellationToken);
+        Task<TaskAgentMessage> GetAgentMessageAsync(Int32 poolId, Guid sessionId, Int64? lastMessageId, TaskAgentStatus status, CancellationToken cancellationToken);
 
         // job request
         Task<TaskAgentJobRequest> GetAgentRequestAsync(int poolId, long requestId, CancellationToken cancellationToken);
@@ -180,31 +179,6 @@ namespace GitHub.Runner.Common
             }
         }
 
-        private async Task<VssConnection> EstablishVssConnection(Uri serverUrl, VssCredentials credentials, TimeSpan timeout)
-        {
-            Trace.Info($"Establish connection with {timeout.TotalSeconds} seconds timeout.");
-            int attemptCount = 5;
-            while (attemptCount-- > 0)
-            {
-                var connection = VssUtil.CreateConnection(serverUrl, credentials, timeout: timeout);
-                try
-                {
-                    await connection.ConnectAsync();
-                    return connection;
-                }
-                catch (Exception ex) when (attemptCount > 0)
-                {
-                    Trace.Info($"Catch exception during connect. {attemptCount} attempt left.");
-                    Trace.Error(ex);
-
-                    await HostContext.Delay(TimeSpan.FromMilliseconds(100), CancellationToken.None);
-                }
-            }
-
-            // should never reach here.
-            throw new InvalidOperationException(nameof(EstablishVssConnection));
-        }
-
         private void CheckConnection(RunnerConnectionType connectionType)
         {
             switch (connectionType)
@@ -298,10 +272,10 @@ namespace GitHub.Runner.Common
             return _messageTaskAgentClient.DeleteAgentSessionAsync(poolId, sessionId, cancellationToken: cancellationToken);
         }
 
-        public Task<TaskAgentMessage> GetAgentMessageAsync(Int32 poolId, Guid sessionId, Int64? lastMessageId, CancellationToken cancellationToken)
+        public Task<TaskAgentMessage> GetAgentMessageAsync(Int32 poolId, Guid sessionId, Int64? lastMessageId, TaskAgentStatus status, CancellationToken cancellationToken)
         {
             CheckConnection(RunnerConnectionType.MessageQueue);
-            return _messageTaskAgentClient.GetMessageAsync(poolId, sessionId, lastMessageId, cancellationToken: cancellationToken);
+            return _messageTaskAgentClient.GetMessageAsync(poolId, sessionId, lastMessageId, status, cancellationToken: cancellationToken);
         }
 
         //-----------------------------------------------------------------

src/Runner.Common/RunnerService.cs

@@ -1,4 +1,10 @@
 using System;
+using System.Threading;
+using System.Threading.Tasks;
+using GitHub.Runner.Sdk;
+using GitHub.Services.Common;
+using GitHub.Services.WebApi;
+using Sdk.WebApi.WebApi.RawClient;
 
 namespace GitHub.Runner.Common
 {
@@ -21,9 +27,9 @@ namespace GitHub.Runner.Common
         protected IHostContext HostContext { get; private set; }
         protected Tracing Trace { get; private set; }
 
-        public string TraceName 
+        public string TraceName
         {
-            get 
+            get
             {
                 return GetType().Name;
             }
@@ -35,5 +41,57 @@ namespace GitHub.Runner.Common
             Trace = HostContext.GetTrace(TraceName);
             Trace.Entering();
         }
+
+        protected async Task<VssConnection> EstablishVssConnection(Uri serverUrl, VssCredentials credentials, TimeSpan timeout)
+        {
+            Trace.Info($"EstablishVssConnection");
+            Trace.Info($"Establish connection with {timeout.TotalSeconds} seconds timeout.");
+            int attemptCount = 5;
+            while (attemptCount-- > 0)
+            {
+                var connection = VssUtil.CreateConnection(serverUrl, credentials, timeout: timeout);
+                try
+                {
+                    await connection.ConnectAsync();
+                    return connection;
+                }
+                catch (Exception ex) when (attemptCount > 0)
+                {
+                    Trace.Info($"Catch exception during connect. {attemptCount} attempt left.");
+                    Trace.Error(ex);
+
+                    await HostContext.Delay(TimeSpan.FromMilliseconds(100), CancellationToken.None);
+                }
+            }
+
+            // should never reach here.
+            throw new InvalidOperationException(nameof(EstablishVssConnection));
+        }
+
+        protected async Task<T> RetryRequest<T>(Func<Task<T>> func,
+            CancellationToken cancellationToken,
+            int maxRetryAttemptsCount = 5
+        )
+        {
+            var retryCount = 0;
+            while (true)
+            {
+                retryCount++;
+                cancellationToken.ThrowIfCancellationRequested();
+                try
+                {
+                    return await func();
+                }
+                // TODO: Add handling of non-retriable exceptions: https://github.com/github/actions-broker/issues/122
+                catch (Exception ex) when (retryCount < maxRetryAttemptsCount)
+                {
+                    Trace.Error("Catch exception during get full job message");
+                    Trace.Error(ex);
+                    var backOff = BackoffTimerHelper.GetRandomBackoff(TimeSpan.FromSeconds(5), TimeSpan.FromSeconds(15));
+                    Trace.Warning($"Back off {backOff.TotalSeconds} seconds before next retry. {maxRetryAttemptsCount - retryCount} attempt left.");
+                    await Task.Delay(backOff, cancellationToken);
+                }
+            }
+        }
     }
 }

src/Runner.Common/Terminal.cs

@@ -81,7 +81,7 @@ namespace GitHub.Runner.Common
             }
 
             // Trace whether a value was entered.
-            string val = new String(chars.ToArray());
+            string val = new(chars.ToArray());
             if (!string.IsNullOrEmpty(val))
             {
                 HostContext.SecretMasker.AddValue(val);

src/Runner.Common/ThrottlingReportHandler.cs

@@ -1,10 +1,9 @@
-using System;
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Net.Http;
 using System.Threading;
 using System.Threading.Tasks;
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using GitHub.Services.Common.Internal;
 

src/Runner.Common/TraceManager.cs

@@ -1,4 +1,3 @@
-using GitHub.Runner.Common.Util;
 using System;
 using System.Collections.Concurrent;
 using System.Diagnostics;
@@ -15,7 +14,7 @@ namespace GitHub.Runner.Common
 
     public sealed class TraceManager : ITraceManager
     {
-        private readonly ConcurrentDictionary<string, Tracing> _sources = new ConcurrentDictionary<string, Tracing>(StringComparer.OrdinalIgnoreCase);
+        private readonly ConcurrentDictionary<string, Tracing> _sources = new(StringComparer.OrdinalIgnoreCase);
         private readonly HostTraceListener _hostTraceListener;
         private TraceSetting _traceSetting;
         private ISecretMasker _secretMasker;

src/Runner.Common/Tracing.cs

@@ -1,5 +1,3 @@
-
-using GitHub.Runner.Common.Util;
 using Newtonsoft.Json;
 using System;
 using System.Diagnostics;

src/Runner.Common/Util/NodeUtil.cs

@@ -0,0 +1,28 @@
+using System;
+using System.Collections.ObjectModel;
+
+namespace GitHub.Runner.Common.Util
+{
+    public static class NodeUtil
+    {
+        private const string _defaultNodeVersion = "node16";
+
+#if (OS_OSX || OS_WINDOWS) && ARM64
+        public static readonly ReadOnlyCollection<string> BuiltInNodeVersions = new(new[] { "node16" });
+#else
+        public static readonly ReadOnlyCollection<string> BuiltInNodeVersions = new(new[] { "node12", "node16" });
+#endif
+
+        public static string GetInternalNodeVersion()
+        {
+            var forcedInternalNodeVersion = Environment.GetEnvironmentVariable(Constants.Variables.Agent.ForcedInternalNodeVersion);
+            var isForcedInternalNodeVersion = !string.IsNullOrEmpty(forcedInternalNodeVersion) && BuiltInNodeVersions.Contains(forcedInternalNodeVersion);
+
+            if (isForcedInternalNodeVersion)
+            {
+                return forcedInternalNodeVersion;
+            }
+            return _defaultNodeVersion;
+        }
+    }
+}

src/Runner.Common/Util/VarUtil.cs

@@ -1,7 +1,4 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using GitHub.Runner.Sdk;
+using System;
 
 namespace GitHub.Runner.Common.Util
 {

src/Runner.Listener/Checks/CheckUtil.cs

@@ -10,6 +10,7 @@ using System.Net.NetworkInformation;
 using System.Threading;
 using System.Threading.Tasks;
 using GitHub.Runner.Common;
+using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using GitHub.Services.Common;
 
@@ -314,12 +315,12 @@ namespace GitHub.Runner.Listener.Check
                     });
 
                     var downloadCertScript = Path.Combine(hostContext.GetDirectory(WellKnownDirectory.Bin), "checkScripts", "downloadCert");
-                    var node12 = Path.Combine(hostContext.GetDirectory(WellKnownDirectory.Externals), "node12", "bin", $"node{IOUtil.ExeExtension}");
-                    result.Logs.Add($"{DateTime.UtcNow.ToString("O")} Run '{node12} \"{downloadCertScript}\"' ");
+                    var node = Path.Combine(hostContext.GetDirectory(WellKnownDirectory.Externals), NodeUtil.GetInternalNodeVersion(), "bin", $"node{IOUtil.ExeExtension}");
+                    result.Logs.Add($"{DateTime.UtcNow.ToString("O")} Run '{node} \"{downloadCertScript}\"' ");
                     result.Logs.Add($"{DateTime.UtcNow.ToString("O")} {StringUtil.ConvertToJson(env)}");
                     await processInvoker.ExecuteAsync(
                         hostContext.GetDirectory(WellKnownDirectory.Root),
-                        node12,
+                        node,
                         $"\"{downloadCertScript}\"",
                         env,
                         true,
@@ -346,8 +347,8 @@ namespace GitHub.Runner.Listener.Check
     public sealed class HttpEventSourceListener : EventListener
     {
         private readonly List<string> _logs;
-        private readonly object _lock = new object();
-        private readonly Dictionary<string, HashSet<string>> _ignoredEvent = new Dictionary<string, HashSet<string>>
+        private readonly object _lock = new();
+        private readonly Dictionary<string, HashSet<string>> _ignoredEvent = new()
         {
             {
                 "Microsoft-System-Net-Http",

src/Runner.Listener/Checks/GitCheck.cs

@@ -2,7 +2,6 @@ using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
-using System.Net;
 using System.Threading;
 using System.Threading.Tasks;
 using GitHub.Runner.Common;
@@ -168,4 +167,4 @@ namespace GitHub.Runner.Listener.Check
             return result;
         }
     }
-}
+}

src/Runner.Listener/Checks/NodeJsCheck.cs

@@ -2,10 +2,10 @@ using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
-using System.Net;
 using System.Threading;
 using System.Threading.Tasks;
 using GitHub.Runner.Common;
+using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 
 namespace GitHub.Runner.Listener.Check
@@ -86,7 +86,7 @@ namespace GitHub.Runner.Listener.Check
                 result.Logs.Add($"{DateTime.UtcNow.ToString("O")} ***************************************************************************************************************");
 
                 // Request to github.com or ghes server
-                Uri requestUrl = new Uri(url);
+                Uri requestUrl = new(url);
                 var env = new Dictionary<string, string>()
                 {
                     { "HOSTNAME", requestUrl.Host },
@@ -144,12 +144,12 @@ namespace GitHub.Runner.Listener.Check
                     });
 
                     var makeWebRequestScript = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Bin), "checkScripts", "makeWebRequest.js");
-                    var node12 = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Externals), "node12", "bin", $"node{IOUtil.ExeExtension}");
-                    result.Logs.Add($"{DateTime.UtcNow.ToString("O")} Run '{node12} \"{makeWebRequestScript}\"' ");
+                    var node = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Externals), NodeUtil.GetInternalNodeVersion(), "bin", $"node{IOUtil.ExeExtension}");
+                    result.Logs.Add($"{DateTime.UtcNow.ToString("O")} Run '{node} \"{makeWebRequestScript}\"' ");
                     result.Logs.Add($"{DateTime.UtcNow.ToString("O")} {StringUtil.ConvertToJson(env)}");
                     await processInvoker.ExecuteAsync(
                         HostContext.GetDirectory(WellKnownDirectory.Root),
-                        node12,
+                        node,
                         $"\"{makeWebRequestScript}\"",
                         env,
                         true,
@@ -178,4 +178,4 @@ namespace GitHub.Runner.Listener.Check
             return result;
         }
     }
-}
+}

src/Runner.Listener/CommandSettings.cs

@@ -4,7 +4,6 @@ using System;
 using System.Collections;
 using System.Collections.Generic;
 using System.Linq;
-using GitHub.DistributedTask.Logging;
 using GitHub.Runner.Common;
 using GitHub.Runner.Sdk;
 
@@ -12,48 +11,64 @@ namespace GitHub.Runner.Listener
 {
     public sealed class CommandSettings
     {
-        private readonly Dictionary<string, string> _envArgs = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
+        private readonly Dictionary<string, string> _envArgs = new(StringComparer.OrdinalIgnoreCase);
         private readonly CommandLineParser _parser;
         private readonly IPromptManager _promptManager;
         private readonly Tracing _trace;
 
-        private readonly string[] validCommands =
+        // Valid flags for all commands
+        private readonly string[] genericOptions =
         {
-            Constants.Runner.CommandLine.Commands.Configure,
-            Constants.Runner.CommandLine.Commands.Remove,
-            Constants.Runner.CommandLine.Commands.Run,
-            Constants.Runner.CommandLine.Commands.Warmup,
-        };
-
-        private readonly string[] validFlags =
-        {
-            Constants.Runner.CommandLine.Flags.Check,
-            Constants.Runner.CommandLine.Flags.Commit,
-            Constants.Runner.CommandLine.Flags.DisableUpdate,
-            Constants.Runner.CommandLine.Flags.Ephemeral,
             Constants.Runner.CommandLine.Flags.Help,
-            Constants.Runner.CommandLine.Flags.Once,
-            Constants.Runner.CommandLine.Flags.Replace,
-            Constants.Runner.CommandLine.Flags.RunAsService,
-            Constants.Runner.CommandLine.Flags.Unattended,
-            Constants.Runner.CommandLine.Flags.Version
+            Constants.Runner.CommandLine.Flags.Version,
+            Constants.Runner.CommandLine.Flags.Commit,
+            Constants.Runner.CommandLine.Flags.Check
         };
 
-        private readonly string[] validArgs =
+        // Valid flags and args for specific command - key: command, value: array of valid flags and args
+        private readonly Dictionary<string, string[]> validOptions = new()
         {
-            Constants.Runner.CommandLine.Args.Auth,
-            Constants.Runner.CommandLine.Args.Labels,
-            Constants.Runner.CommandLine.Args.MonitorSocketAddress,
-            Constants.Runner.CommandLine.Args.Name,
-            Constants.Runner.CommandLine.Args.PAT,
-            Constants.Runner.CommandLine.Args.RunnerGroup,
-            Constants.Runner.CommandLine.Args.StartupType,
-            Constants.Runner.CommandLine.Args.Token,
-            Constants.Runner.CommandLine.Args.Url,
-            Constants.Runner.CommandLine.Args.UserName,
-            Constants.Runner.CommandLine.Args.WindowsLogonAccount,
-            Constants.Runner.CommandLine.Args.WindowsLogonPassword,
-            Constants.Runner.CommandLine.Args.Work
+            // Valid configure flags and args
+            [Constants.Runner.CommandLine.Commands.Configure] = 
+                new string[] 
+                {
+                    Constants.Runner.CommandLine.Flags.DisableUpdate,
+                    Constants.Runner.CommandLine.Flags.Ephemeral,
+                    Constants.Runner.CommandLine.Flags.GenerateServiceConfig,
+                    Constants.Runner.CommandLine.Flags.Replace,
+                    Constants.Runner.CommandLine.Flags.RunAsService,
+                    Constants.Runner.CommandLine.Flags.Unattended,
+                    Constants.Runner.CommandLine.Args.Auth,
+                    Constants.Runner.CommandLine.Args.Labels,
+                    Constants.Runner.CommandLine.Args.MonitorSocketAddress,
+                    Constants.Runner.CommandLine.Args.Name,
+                    Constants.Runner.CommandLine.Args.PAT,
+                    Constants.Runner.CommandLine.Args.RunnerGroup,
+                    Constants.Runner.CommandLine.Args.Token,
+                    Constants.Runner.CommandLine.Args.Url,
+                    Constants.Runner.CommandLine.Args.UserName,
+                    Constants.Runner.CommandLine.Args.WindowsLogonAccount,
+                    Constants.Runner.CommandLine.Args.WindowsLogonPassword,
+                    Constants.Runner.CommandLine.Args.Work
+                },
+            // Valid remove flags and args
+            [Constants.Runner.CommandLine.Commands.Remove] =
+                new string[]
+                {
+                    Constants.Runner.CommandLine.Args.Token,
+                    Constants.Runner.CommandLine.Args.PAT
+                },
+            // Valid run flags and args
+            [Constants.Runner.CommandLine.Commands.Run] =
+                new string[]
+                {
+                    Constants.Runner.CommandLine.Flags.Once,
+                    Constants.Runner.CommandLine.Args.JitConfig,
+                    Constants.Runner.CommandLine.Args.StartupType
+                },
+            // valid warmup flags and args
+            [Constants.Runner.CommandLine.Commands.Warmup] =
+                new string[] { }
         };
 
         // Commands.
@@ -65,11 +80,12 @@ namespace GitHub.Runner.Listener
         // Flags.
         public bool Check => TestFlag(Constants.Runner.CommandLine.Flags.Check);
         public bool Commit => TestFlag(Constants.Runner.CommandLine.Flags.Commit);
+        public bool DisableUpdate => TestFlag(Constants.Runner.CommandLine.Flags.DisableUpdate);
+        public bool Ephemeral => TestFlag(Constants.Runner.CommandLine.Flags.Ephemeral);
+        public bool GenerateServiceConfig => TestFlag(Constants.Runner.CommandLine.Flags.GenerateServiceConfig);
         public bool Help => TestFlag(Constants.Runner.CommandLine.Flags.Help);
         public bool Unattended => TestFlag(Constants.Runner.CommandLine.Flags.Unattended);
         public bool Version => TestFlag(Constants.Runner.CommandLine.Flags.Version);
-        public bool Ephemeral => TestFlag(Constants.Runner.CommandLine.Flags.Ephemeral);
-        public bool DisableUpdate => TestFlag(Constants.Runner.CommandLine.Flags.DisableUpdate);
 
         // Keep this around since customers still relies on it
         public bool RunOnce => TestFlag(Constants.Runner.CommandLine.Flags.Once);
@@ -123,20 +139,51 @@ namespace GitHub.Runner.Listener
         // Validate commandline parser result
         public List<string> Validate()
         {
-            List<string> unknowns = new List<string>();
+            List<string> unknowns = new();
 
             // detect unknown commands
-            unknowns.AddRange(_parser.Commands.Where(x => !validCommands.Contains(x, StringComparer.OrdinalIgnoreCase)));
+            unknowns.AddRange(_parser.Commands.Where(x => !validOptions.Keys.Contains(x, StringComparer.OrdinalIgnoreCase)));
 
-            // detect unknown flags
-            unknowns.AddRange(_parser.Flags.Where(x => !validFlags.Contains(x, StringComparer.OrdinalIgnoreCase)));
-
-            // detect unknown args
-            unknowns.AddRange(_parser.Args.Keys.Where(x => !validArgs.Contains(x, StringComparer.OrdinalIgnoreCase)));
+            if (unknowns.Count == 0)
+            {
+                // detect unknown flags and args for valid commands
+                foreach (var command in _parser.Commands)
+                {
+                    if (validOptions.TryGetValue(command, out string[] options))
+                    {
+                        unknowns.AddRange(_parser.Flags.Where(x => !options.Contains(x, StringComparer.OrdinalIgnoreCase) && !genericOptions.Contains(x, StringComparer.OrdinalIgnoreCase)));
+                        unknowns.AddRange(_parser.Args.Keys.Where(x => !options.Contains(x, StringComparer.OrdinalIgnoreCase)));
+                    }
+                }
+            }
 
             return unknowns;
         }
 
+        public string GetCommandName()
+        {
+            string command = string.Empty;
+
+            if (Configure)
+            {
+                command = Constants.Runner.CommandLine.Commands.Configure;
+            }
+            else if (Remove)
+            {
+                command = Constants.Runner.CommandLine.Commands.Remove;
+            }
+            else if (Run)
+            {
+                command = Constants.Runner.CommandLine.Commands.Run;
+            }
+            else if (Warmup)
+            {
+                command = Constants.Runner.CommandLine.Commands.Warmup;
+            }
+            
+            return command;
+        }
+
         //
         // Interactive flags.
         //
@@ -168,6 +215,12 @@ namespace GitHub.Runner.Listener
                 validator: Validators.AuthSchemeValidator);
         }
 
+        public string GetJitConfig()
+        {
+            return GetArg(
+                name: Constants.Runner.CommandLine.Args.JitConfig);
+        }
+
         public string GetRunnerName()
         {
             return GetArgOrPrompt(

src/Runner.Listener/Configuration/ConfigurationManager.cs

@@ -3,6 +3,7 @@ using GitHub.Runner.Common;
 using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using GitHub.Services.Common;
+using GitHub.Services.Common.Internal;
 using GitHub.Services.OAuth;
 using System;
 using System.Collections.Generic;
@@ -80,12 +81,33 @@ namespace GitHub.Runner.Listener.Configuration
             _term.WriteLine("--------------------------------------------------------------------------------");
 
             Trace.Info(nameof(ConfigureAsync));
+
+            if (command.GenerateServiceConfig)
+            {
+#if OS_LINUX
+                if (!IsConfigured())
+                {
+                    throw new InvalidOperationException("--generateServiceConfig requires that the runner is already configured. For configuring a new runner as a service, run './config.sh'.");
+                }
+
+                RunnerSettings settings = _store.GetSettings();
+
+                Trace.Info($"generate service config for runner: {settings.AgentId}");
+                var controlManager = HostContext.GetService<ILinuxServiceControlManager>();
+                controlManager.GenerateScripts(settings);
+
+                return;
+#else
+                throw new NotSupportedException("--generateServiceConfig is only supported on Linux.");
+#endif
+            }
+
             if (IsConfigured())
             {
                 throw new InvalidOperationException("Cannot configure the runner because it is already configured. To reconfigure the runner, run 'config.cmd remove' or './config.sh remove' first.");
             }
 
-            RunnerSettings runnerSettings = new RunnerSettings();
+            RunnerSettings runnerSettings = new();
 
             // Loop getting url and creds until you can connect
             ICredentialProvider credProvider = null;
@@ -128,7 +150,7 @@ namespace GitHub.Runner.Listener.Configuration
                         // Example githubServerUrl is https://my-ghes
                         var actionsServerUrl = new Uri(runnerSettings.ServerUrl);
                         var githubServerUrl = new Uri(runnerSettings.GitHubUrl);
-                        if (!string.Equals(actionsServerUrl.Authority, githubServerUrl.Authority, StringComparison.OrdinalIgnoreCase))
+                        if (!UriUtility.IsSubdomainOf(actionsServerUrl.Authority, githubServerUrl.Authority))
                         {
                             throw new InvalidOperationException($"GitHub Actions is not properly configured in GHES. GHES url: {runnerSettings.GitHubUrl}, Actions url: {runnerSettings.ServerUrl}.");
                         }
@@ -520,7 +542,7 @@ namespace GitHub.Runner.Listener.Configuration
 
         private TaskAgent CreateNewAgent(string agentName, RSAParameters publicKey, ISet<string> userLabels, bool ephemeral, bool disableUpdate)
         {
-            TaskAgent agent = new TaskAgent(agentName)
+            TaskAgent agent = new(agentName)
             {
                 Authorization = new TaskAgentAuthorization
                 {
@@ -613,32 +635,50 @@ namespace GitHub.Runner.Listener.Configuration
                 throw new ArgumentException($"'{githubUrl}' should point to an org or repository.");
             }
 
-            using (var httpClientHandler = HostContext.CreateHttpClientHandler())
-            using (var httpClient = new HttpClient(httpClientHandler))
+            int retryCount = 0;
+            while(retryCount < 3)
             {
-                var base64EncodingToken = Convert.ToBase64String(Encoding.UTF8.GetBytes($"github:{githubToken}"));
-                HostContext.SecretMasker.AddValue(base64EncodingToken);
-                httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("basic", base64EncodingToken);
-                httpClient.DefaultRequestHeaders.UserAgent.AddRange(HostContext.UserAgents);
-                httpClient.DefaultRequestHeaders.Accept.ParseAdd("application/vnd.github.v3+json");
-
-                var response = await httpClient.PostAsync(githubApiUrl, new StringContent(string.Empty));
-
-                if (response.IsSuccessStatusCode)
+                using (var httpClientHandler = HostContext.CreateHttpClientHandler())
+                using (var httpClient = new HttpClient(httpClientHandler))
                 {
-                    Trace.Info($"Http response code: {response.StatusCode} from 'POST {githubApiUrl}'");
-                    var jsonResponse = await response.Content.ReadAsStringAsync();
-                    return StringUtil.ConvertFromJson<GitHubRunnerRegisterToken>(jsonResponse);
-                }
-                else
-                {
-                    _term.WriteError($"Http response code: {response.StatusCode} from 'POST {githubApiUrl}'");
-                    var errorResponse = await response.Content.ReadAsStringAsync();
-                    _term.WriteError(errorResponse);
-                    response.EnsureSuccessStatusCode();
-                    return null;
+                    var base64EncodingToken = Convert.ToBase64String(Encoding.UTF8.GetBytes($"github:{githubToken}"));
+                    HostContext.SecretMasker.AddValue(base64EncodingToken);
+                    httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("basic", base64EncodingToken);
+                    httpClient.DefaultRequestHeaders.UserAgent.AddRange(HostContext.UserAgents);
+                    httpClient.DefaultRequestHeaders.Accept.ParseAdd("application/vnd.github.v3+json");
+                    
+                    var responseStatus = System.Net.HttpStatusCode.OK;
+                    try
+                    {
+                        var response = await httpClient.PostAsync(githubApiUrl, new StringContent(string.Empty));
+                        responseStatus = response.StatusCode;
+
+                        if (response.IsSuccessStatusCode)
+                        {
+                            Trace.Info($"Http response code: {response.StatusCode} from 'POST {githubApiUrl}'");
+                            var jsonResponse = await response.Content.ReadAsStringAsync();
+                            return StringUtil.ConvertFromJson<GitHubRunnerRegisterToken>(jsonResponse);
+                        }
+                        else
+                        {
+                            _term.WriteError($"Http response code: {response.StatusCode} from 'POST {githubApiUrl}'");
+                            var errorResponse = await response.Content.ReadAsStringAsync();
+                            _term.WriteError(errorResponse);
+                            response.EnsureSuccessStatusCode();
+                        }
+                    }
+                    catch(Exception ex) when (retryCount < 2 && responseStatus != System.Net.HttpStatusCode.NotFound)
+                    {
+                        retryCount++;
+                        Trace.Error($"Failed to get JIT runner token -- Atempt: {retryCount}");
+                        Trace.Error(ex);
+                    }
                 }
+                var backOff = BackoffTimerHelper.GetRandomBackoff(TimeSpan.FromSeconds(1), TimeSpan.FromSeconds(5));
+                Trace.Info($"Retrying in {backOff.Seconds} seconds");
+                await Task.Delay(backOff);
             }
+            return null;
         }
 
         private async Task<GitHubAuthResult> GetTenantCredential(string githubUrl, string githubToken, string runnerEvent)
@@ -654,35 +694,53 @@ namespace GitHub.Runner.Listener.Configuration
                 githubApiUrl = $"{gitHubUrlBuilder.Scheme}://{gitHubUrlBuilder.Host}/api/v3/actions/runner-registration";
             }
 
-            using (var httpClientHandler = HostContext.CreateHttpClientHandler())
-            using (var httpClient = new HttpClient(httpClientHandler))
+            int retryCount = 0;
+            while (retryCount < 3)
             {
-                httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("RemoteAuth", githubToken);
-                httpClient.DefaultRequestHeaders.UserAgent.AddRange(HostContext.UserAgents);
-
-                var bodyObject = new Dictionary<string, string>()
+                using (var httpClientHandler = HostContext.CreateHttpClientHandler())
+                using (var httpClient = new HttpClient(httpClientHandler))
                 {
-                    {"url", githubUrl},
-                    {"runner_event", runnerEvent}
-                };
+                    httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("RemoteAuth", githubToken);
+                    httpClient.DefaultRequestHeaders.UserAgent.AddRange(HostContext.UserAgents);
 
-                var response = await httpClient.PostAsync(githubApiUrl, new StringContent(StringUtil.ConvertToJson(bodyObject), null, "application/json"));
+                    var bodyObject = new Dictionary<string, string>()
+                    {
+                        {"url", githubUrl},
+                        {"runner_event", runnerEvent}
+                    };
 
-                if (response.IsSuccessStatusCode)
-                {
-                    Trace.Info($"Http response code: {response.StatusCode} from 'POST {githubApiUrl}'");
-                    var jsonResponse = await response.Content.ReadAsStringAsync();
-                    return StringUtil.ConvertFromJson<GitHubAuthResult>(jsonResponse);
-                }
-                else
-                {
-                    _term.WriteError($"Http response code: {response.StatusCode} from 'POST {githubApiUrl}'");
-                    var errorResponse = await response.Content.ReadAsStringAsync();
-                    _term.WriteError(errorResponse);
-                    response.EnsureSuccessStatusCode();
-                    return null;
+                    var responseStatus = System.Net.HttpStatusCode.OK;
+                    try
+                    {
+                        var response = await httpClient.PostAsync(githubApiUrl, new StringContent(StringUtil.ConvertToJson(bodyObject), null, "application/json"));
+                        responseStatus = response.StatusCode;
+
+                        if(response.IsSuccessStatusCode)
+                        {
+                            Trace.Info($"Http response code: {response.StatusCode} from 'POST {githubApiUrl}'");
+                            var jsonResponse = await response.Content.ReadAsStringAsync();
+                            return StringUtil.ConvertFromJson<GitHubAuthResult>(jsonResponse);
+                        }
+                        else
+                        {
+                            _term.WriteError($"Http response code: {response.StatusCode} from 'POST {githubApiUrl}'");
+                            var errorResponse = await response.Content.ReadAsStringAsync();
+                            _term.WriteError(errorResponse);
+                            response.EnsureSuccessStatusCode();
+                        }
+                    }
+                    catch(Exception ex) when (retryCount < 2 && responseStatus != System.Net.HttpStatusCode.NotFound)
+                    {
+                        retryCount++;
+                        Trace.Error($"Failed to get tenant credentials -- Atempt: {retryCount}");
+                        Trace.Error(ex);
+                    }
                 }
+                var backOff = BackoffTimerHelper.GetRandomBackoff(TimeSpan.FromSeconds(1), TimeSpan.FromSeconds(5));
+                Trace.Info($"Retrying in {backOff.Seconds} seconds");
+                await Task.Delay(backOff);
             }
+            return null;
         }
     }
 }

src/Runner.Listener/Configuration/CredentialManager.cs

@@ -18,7 +18,7 @@ namespace GitHub.Runner.Listener.Configuration
 
     public class CredentialManager : RunnerService, ICredentialManager
     {
-        public static readonly Dictionary<string, Type> CredentialTypes = new Dictionary<string, Type>(StringComparer.OrdinalIgnoreCase)
+        public static readonly Dictionary<string, Type> CredentialTypes = new(StringComparer.OrdinalIgnoreCase)
         {
             { Constants.Configuration.OAuth, typeof(OAuthCredential)},
             { Constants.Configuration.OAuthAccessToken, typeof(OAuthAccessTokenCredential)},

src/Runner.Listener/Configuration/CredentialProvider.cs

@@ -48,7 +48,7 @@ namespace GitHub.Runner.Listener.Configuration
             ArgUtil.NotNullOrEmpty(token, nameof(token));
 
             trace.Info("token retrieved: {0} chars", token.Length);
-            VssCredentials creds = new VssCredentials(new VssOAuthAccessTokenCredential(token), CredentialPromptType.DoNotPrompt);
+            VssCredentials creds = new(new VssOAuthAccessTokenCredential(token), CredentialPromptType.DoNotPrompt);
             trace.Info("cred created");
 
             return creds;

src/Runner.Listener/Configuration/PromptManager.cs

@@ -1,5 +1,4 @@
 using GitHub.Runner.Common;
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using System;
 
@@ -72,7 +71,7 @@ namespace GitHub.Runner.Listener.Configuration
                 {
                     return defaultValue;
                 }
-                else if (isOptional) 
+                else if (isOptional)
                 {
                     return string.Empty;
                 }
@@ -87,11 +86,12 @@ namespace GitHub.Runner.Listener.Configuration
                 // Write the message prompt.
                 _terminal.Write($"{description} ");
 
-                if(!string.IsNullOrEmpty(defaultValue))
+                if (!string.IsNullOrEmpty(defaultValue))
                 {
                     _terminal.Write($"[press Enter for {defaultValue}] ");
                 }
-                else if (isOptional){
+                else if (isOptional)
+                {
                     _terminal.Write($"[press Enter to skip] ");
                 }
 
@@ -112,7 +112,7 @@ namespace GitHub.Runner.Listener.Configuration
                         return string.Empty;
                     }
                 }
-                
+
                 // Return the value if it is not empty and it is valid.
                 // Otherwise try the loop again.
                 if (!string.IsNullOrEmpty(value))

src/Runner.Listener/Configuration/RSAFileKeyManager.cs

@@ -3,7 +3,6 @@ using System;
 using System.IO;
 using System.Security.Cryptography;
 using System.Threading;
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Common;
 using GitHub.Runner.Sdk;
 

src/Runner.Listener/Configuration/ServiceControlManager.cs

@@ -44,17 +44,16 @@ namespace GitHub.Runner.Listener.Configuration
             }
 
             // For the service name, replace any characters outside of the alpha-numeric set and ".", "_", "-" with "-"
-            Regex regex = new Regex(@"[^0-9a-zA-Z._\-]");
+            Regex regex = new(@"[^0-9a-zA-Z._\-]");
             string repoOrOrgName = regex.Replace(settings.RepoOrOrgName, "-");
 
             serviceName = StringUtil.Format(serviceNamePattern, repoOrOrgName, settings.AgentName);
-
-            if (serviceName.Length > 80)
+            if (serviceName.Length > MaxServiceNameLength)
             {
-                Trace.Verbose($"Calculated service name is too long (> 80 chars). Trying again by calculating a shorter name.");
-
-                int exceededCharLength = serviceName.Length - 80;
-                string repoOrOrgNameSubstring = StringUtil.SubstringPrefix(repoOrOrgName, 45);
+                Trace.Verbose($"Calculated service name is too long (> {MaxServiceNameLength} chars). Trying again by calculating a shorter name.");
+                // Add 5 to add -xxxx random number on the end
+                int exceededCharLength = serviceName.Length - MaxServiceNameLength + 5;
+                string repoOrOrgNameSubstring = StringUtil.SubstringPrefix(repoOrOrgName, MaxRepoOrgCharacters);
 
                 exceededCharLength -= repoOrOrgName.Length - repoOrOrgNameSubstring.Length;
 
@@ -66,6 +65,10 @@ namespace GitHub.Runner.Listener.Configuration
                     runnerNameSubstring = StringUtil.SubstringPrefix(settings.AgentName, settings.AgentName.Length - exceededCharLength);
                 }
 
+                // Lets add a suffix with a random number to reduce the chance of collisions between runner names once we truncate
+                var random = new Random();
+                var num = random.Next(1000, 9999).ToString();
+                runnerNameSubstring +=$"-{num}";
                 serviceName = StringUtil.Format(serviceNamePattern, repoOrOrgNameSubstring, runnerNameSubstring);
             }
 
@@ -73,5 +76,12 @@ namespace GitHub.Runner.Listener.Configuration
 
             Trace.Info($"Service name '{serviceName}' display name '{serviceDisplayName}' will be used for service configuration.");
         }
+        #if (OS_LINUX || OS_OSX)
+            const int MaxServiceNameLength = 150;
+            const int MaxRepoOrgCharacters = 70;
+        #elif OS_WINDOWS
+            const int MaxServiceNameLength = 80;
+            const int MaxRepoOrgCharacters = 45;
+        #endif
     }
 }

src/Runner.Listener/Configuration/SystemdControlManager.cs

@@ -1,4 +1,4 @@
-#if OS_LINUX
+#if OS_LINUX
 using System;
 using System.Collections.Generic;
 using System.IO;
@@ -6,7 +6,6 @@ using System.Linq;
 using System.Text;
 using GitHub.Runner.Common.Util;
 using GitHub.Runner.Common;
-using GitHub.Runner.Sdk;
 
 namespace GitHub.Runner.Listener.Configuration
 {

src/Runner.Listener/JobDispatcher.cs

@@ -27,6 +27,7 @@ namespace GitHub.Runner.Listener
         bool Cancel(JobCancelMessage message);
         Task WaitAsync(CancellationToken token);
         Task ShutdownAsync();
+        event EventHandler<JobStatusEventArgs> JobStatus;
     }
 
     // This implementation of IJobDispatcher is not thread safe.
@@ -36,8 +37,8 @@ namespace GitHub.Runner.Listener
     // and the server will not send another job while this one is still running.
     public sealed class JobDispatcher : RunnerService, IJobDispatcher
     {
-        private static Regex _invalidJsonRegex = new Regex(@"invalid\ Json\ at\ position\ '(\d+)':", RegexOptions.Compiled | RegexOptions.IgnoreCase);
-        private readonly Lazy<Dictionary<long, TaskResult>> _localRunJobResult = new Lazy<Dictionary<long, TaskResult>>();
+        private static Regex _invalidJsonRegex = new(@"invalid\ Json\ at\ position\ '(\d+)':", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+        private readonly Lazy<Dictionary<long, TaskResult>> _localRunJobResult = new();
         private int _poolId;
 
         IConfigurationStore _configurationStore;
@@ -46,14 +47,16 @@ namespace GitHub.Runner.Listener
         private static readonly string _workerProcessName = $"Runner.Worker{IOUtil.ExeExtension}";
 
         // this is not thread-safe
-        private readonly Queue<Guid> _jobDispatchedQueue = new Queue<Guid>();
-        private readonly ConcurrentDictionary<Guid, WorkerDispatcher> _jobInfos = new ConcurrentDictionary<Guid, WorkerDispatcher>();
+        private readonly Queue<Guid> _jobDispatchedQueue = new();
+        private readonly ConcurrentDictionary<Guid, WorkerDispatcher> _jobInfos = new();
 
         // allow up to 30sec for any data to be transmitted over the process channel
         // timeout limit can be overwritten by environment GITHUB_ACTIONS_RUNNER_CHANNEL_TIMEOUT
         private TimeSpan _channelTimeout;
 
-        private TaskCompletionSource<bool> _runOnceJobCompleted = new TaskCompletionSource<bool>();
+        private TaskCompletionSource<bool> _runOnceJobCompleted = new();
+
+        public event EventHandler<JobStatusEventArgs> JobStatus;
 
         public override void Initialize(IHostContext hostContext)
         {
@@ -108,7 +111,7 @@ namespace GitHub.Runner.Listener
                 }
             }
 
-            WorkerDispatcher newDispatch = new WorkerDispatcher(jobRequestMessage.JobId, jobRequestMessage.RequestId);
+            WorkerDispatcher newDispatch = new(jobRequestMessage.JobId, jobRequestMessage.RequestId);
             if (runOnce)
             {
                 Trace.Info("Start dispatcher for one time used runner.");
@@ -285,7 +288,7 @@ namespace GitHub.Runner.Listener
                     {
                         // at this point, the job execution might encounter some dead lock and even not able to be cancelled.
                         // no need to localize the exception string should never happen.
-                        throw new InvalidOperationException($"Job dispatch process for {jobDispatch.JobId} has encountered unexpected error, the dispatch task is not able to be canceled within 45 seconds.");
+                        throw new InvalidOperationException($"Job dispatch process for {jobDispatch.JobId} has encountered unexpected error, the dispatch task is not able to be cancelled within 45 seconds.");
                     }
                 }
                 else
@@ -335,6 +338,11 @@ namespace GitHub.Runner.Listener
             Busy = true;
             try
             {
+                if (JobStatus != null)
+                {
+                    JobStatus(this, new JobStatusEventArgs(TaskAgentStatus.Busy));
+                }
+
                 if (previousJobDispatch != null)
                 {
                     Trace.Verbose($"Make sure the previous job request {previousJobDispatch.JobId} has successfully finished on worker.");
@@ -349,7 +357,7 @@ namespace GitHub.Runner.Listener
                 term.WriteLine($"{DateTime.UtcNow:u}: Running job: {message.JobDisplayName}");
 
                 // first job request renew succeed.
-                TaskCompletionSource<int> firstJobRequestRenewed = new TaskCompletionSource<int>();
+                TaskCompletionSource<int> firstJobRequestRenewed = new();
                 var notification = HostContext.GetService<IJobNotification>();
 
                 // lock renew cancellation token.
@@ -363,7 +371,7 @@ namespace GitHub.Runner.Listener
                     Trace.Info($"Start renew job request {requestId} for job {message.JobId}.");
                     Task renewJobRequest = RenewJobRequestAsync(_poolId, requestId, lockToken, orchestrationId, firstJobRequestRenewed, lockRenewalTokenSource.Token);
 
-                    // wait till first renew succeed or job request is canceled
+                    // wait till first renew succeed or job request is cancelled
                     // not even start worker if the first renew fail
                     await Task.WhenAny(firstJobRequestRenewed.Task, renewJobRequest, Task.Delay(-1, jobRequestCancellationToken));
 
@@ -390,8 +398,8 @@ namespace GitHub.Runner.Listener
                     HostContext.WritePerfCounter($"JobRequestRenewed_{requestId.ToString()}");
 
                     Task<int> workerProcessTask = null;
-                    object _outputLock = new object();
-                    List<string> workerOutput = new List<string>();
+                    object _outputLock = new();
+                    List<string> workerOutput = new();
                     using (var processChannel = HostContext.CreateService<IProcessChannel>())
                     using (var processInvoker = HostContext.CreateService<IProcessInvoker>())
                     {
@@ -650,6 +658,11 @@ namespace GitHub.Runner.Listener
             finally
             {
                 Busy = false;
+                
+                if (JobStatus != null)
+                {
+                    JobStatus(this, new JobStatusEventArgs(TaskAgentStatus.Online));
+                }
             }
         }
 
@@ -704,7 +717,7 @@ namespace GitHub.Runner.Listener
                 {
                     // OperationCanceledException may caused by http timeout or _lockRenewalTokenSource.Cance();
                     // Stop renew only on cancellation token fired.
-                    Trace.Info($"job renew has been canceled, stop renew job request {requestId}.");
+                    Trace.Info($"job renew has been cancelled, stop renew job request {requestId}.");
                     return;
                 }
                 catch (Exception ex)
@@ -762,7 +775,7 @@ namespace GitHub.Runner.Listener
                         }
                         catch (OperationCanceledException) when (token.IsCancellationRequested)
                         {
-                            Trace.Info($"job renew has been canceled, stop renew job request {requestId}.");
+                            Trace.Info($"job renew has been cancelled, stop renew job request {requestId}.");
                         }
                     }
                     else
@@ -923,7 +936,7 @@ namespace GitHub.Runner.Listener
 
             var runnerServer = HostContext.GetService<IRunnerServer>();
             int completeJobRequestRetryLimit = 5;
-            List<Exception> exceptions = new List<Exception>();
+            List<Exception> exceptions = new();
             while (completeJobRequestRetryLimit-- > 0)
             {
                 try
@@ -1026,7 +1039,7 @@ namespace GitHub.Runner.Listener
             public Task WorkerDispatch { get; set; }
             public CancellationTokenSource WorkerCancellationTokenSource { get; private set; }
             public CancellationTokenSource WorkerCancelTimeoutKillTokenSource { get; private set; }
-            private readonly object _lock = new object();
+            private readonly object _lock = new();
 
             public WorkerDispatcher(Guid jobId, long requestId)
             {

src/Runner.Listener/MessageListener.cs

@@ -1,18 +1,18 @@
-using GitHub.DistributedTask.WebApi;
-using GitHub.Runner.Listener.Configuration;
-using GitHub.Services.Common;
 using System;
 using System.Collections.Generic;
+using System.Diagnostics;
+using System.IO;
+using System.Runtime.InteropServices;
+using System.Security.Cryptography;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
-using System.Security.Cryptography;
-using System.IO;
-using System.Text;
-using GitHub.Services.OAuth;
-using System.Diagnostics;
-using System.Runtime.InteropServices;
+using GitHub.DistributedTask.WebApi;
 using GitHub.Runner.Common;
+using GitHub.Runner.Listener.Configuration;
 using GitHub.Runner.Sdk;
+using GitHub.Services.Common;
+using GitHub.Services.OAuth;
 
 namespace GitHub.Runner.Listener
 {
@@ -23,6 +23,7 @@ namespace GitHub.Runner.Listener
         Task DeleteSessionAsync();
         Task<TaskAgentMessage> GetNextMessageAsync(CancellationToken token);
         Task DeleteMessageAsync(TaskAgentMessage message);
+        void OnJobStatus(object sender, JobStatusEventArgs e);
     }
 
     public sealed class MessageListener : RunnerService, IMessageListener
@@ -33,10 +34,13 @@ namespace GitHub.Runner.Listener
         private IRunnerServer _runnerServer;
         private TaskAgentSession _session;
         private TimeSpan _getNextMessageRetryInterval;
+        private bool _accessTokenRevoked = false;
         private readonly TimeSpan _sessionCreationRetryInterval = TimeSpan.FromSeconds(30);
         private readonly TimeSpan _sessionConflictRetryLimit = TimeSpan.FromMinutes(4);
         private readonly TimeSpan _clockSkewRetryLimit = TimeSpan.FromMinutes(30);
-        private readonly Dictionary<string, int> _sessionCreationExceptionTracker = new Dictionary<string, int>();
+        private readonly Dictionary<string, int> _sessionCreationExceptionTracker = new();
+        private TaskAgentStatus runnerStatus = TaskAgentStatus.Online;
+        private CancellationTokenSource _getMessagesTokenSource;
 
         public override void Initialize(IHostContext hostContext)
         {
@@ -111,6 +115,7 @@ namespace GitHub.Runner.Listener
                 catch (TaskAgentAccessTokenExpiredException)
                 {
                     Trace.Info("Runner OAuth token has been revoked. Session creation failed.");
+                    _accessTokenRevoked = true;
                     throw;
                 }
                 catch (Exception ex)
@@ -154,9 +159,33 @@ namespace GitHub.Runner.Listener
         {
             if (_session != null && _session.SessionId != Guid.Empty)
             {
-                using (var ts = new CancellationTokenSource(TimeSpan.FromSeconds(30)))
+                if (!_accessTokenRevoked)
                 {
-                    await _runnerServer.DeleteAgentSessionAsync(_settings.PoolId, _session.SessionId, ts.Token);
+                    using (var ts = new CancellationTokenSource(TimeSpan.FromSeconds(30)))
+                    {
+                        await _runnerServer.DeleteAgentSessionAsync(_settings.PoolId, _session.SessionId, ts.Token);
+                    }
+                }
+                else
+                {
+                    Trace.Warning("Runner OAuth token has been revoked. Skip deleting session.");
+                }
+            }
+        }
+
+        public void OnJobStatus(object sender, JobStatusEventArgs e)
+        {
+            if (StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable("USE_BROKER_FLOW")))
+            {
+                Trace.Info("Received job status event. JobState: {0}", e.Status);
+                runnerStatus = e.Status;
+                try
+                {
+                    _getMessagesTokenSource?.Cancel();
+                } 
+                catch (ObjectDisposedException)
+                {
+                    Trace.Info("_getMessagesTokenSource is already disposed.");
                 }
             }
         }
@@ -169,18 +198,20 @@ namespace GitHub.Runner.Listener
             bool encounteringError = false;
             int continuousError = 0;
             string errorMessage = string.Empty;
-            Stopwatch heartbeat = new Stopwatch();
+            Stopwatch heartbeat = new();
             heartbeat.Restart();
             while (true)
             {
                 token.ThrowIfCancellationRequested();
                 TaskAgentMessage message = null;
+                _getMessagesTokenSource = CancellationTokenSource.CreateLinkedTokenSource(token);
                 try
                 {
                     message = await _runnerServer.GetAgentMessageAsync(_settings.PoolId,
                                                                 _session.SessionId,
                                                                 _lastMessageId,
-                                                                token);
+                                                                runnerStatus,
+                                                                _getMessagesTokenSource.Token);
 
                     // Decrypt the message body if the session is using encryption
                     message = DecryptMessage(message);
@@ -197,6 +228,11 @@ namespace GitHub.Runner.Listener
                         continuousError = 0;
                     }
                 }
+                catch (OperationCanceledException) when (_getMessagesTokenSource.Token.IsCancellationRequested && !token.IsCancellationRequested)
+                {
+                    Trace.Info("Get messages has been cancelled using local token source. Continue to get messages with new status.");
+                    continue;
+                }
                 catch (OperationCanceledException) when (token.IsCancellationRequested)
                 {
                     Trace.Info("Get next message has been cancelled.");
@@ -205,6 +241,7 @@ namespace GitHub.Runner.Listener
                 catch (TaskAgentAccessTokenExpiredException)
                 {
                     Trace.Info("Runner OAuth token has been revoked. Unable to pull message.");
+                    _accessTokenRevoked = true;
                     throw;
                 }
                 catch (Exception ex)
@@ -251,6 +288,10 @@ namespace GitHub.Runner.Listener
                         await HostContext.Delay(_getNextMessageRetryInterval, token);
                     }
                 }
+                finally 
+                {
+                    _getMessagesTokenSource.Dispose();
+                }
 
                 if (message == null)
                 {

src/Runner.Listener/Program.cs

@@ -1,12 +1,10 @@
 using GitHub.Runner.Common;
-using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using System;
 using System.Globalization;
 using System.IO;
 using System.Reflection;
 using System.Runtime.InteropServices;
-using System.Threading;
 using System.Threading.Tasks;
 
 namespace GitHub.Runner.Listener
@@ -18,7 +16,7 @@ namespace GitHub.Runner.Listener
             // Add environment variables from .env file
             LoadAndSetEnv();
 
-            using (HostContext context = new HostContext("Runner"))
+            using (HostContext context = new("Runner"))
             {
                 return MainAsync(context, args).GetAwaiter().GetResult();
             }
@@ -60,6 +58,18 @@ namespace GitHub.Runner.Listener
                         terminal.WriteLine("This runner version is built for Windows. Please install a correct build for your OS.");
                         return Constants.Runner.ReturnCode.TerminatedError;
                     }
+                    #if ARM64
+                        // A little hacky, but windows gives no way to differentiate between windows 10 and 11.
+                        // By default only 11 supports native x64 app emulation on arm, so we only want to support windows 11
+                        // https://docs.microsoft.com/en-us/windows/arm/overview#build-windows-apps-that-run-on-arm
+                        // Windows 10 and 11 share a MajorVersion, so we also check the build version. Minor for both is 0, so doing < 0 doesn't really make a lot of sense.
+                        if (Environment.OSVersion.Version.Major < Constants.OperatingSystem.Windows11MajorVersion || 
+                            Environment.OSVersion.Version.Build < Constants.OperatingSystem.Windows11BuildVersion)
+                        {
+                            terminal.WriteLine("Win-arm64 runners require windows 11 or later. Please upgrade your operating system.");
+                            return Constants.Runner.ReturnCode.TerminatedError;
+                        }
+                    #endif
                     break;
                 default:
                     terminal.WriteLine($"Running the runner on this platform is not supported. The current platform is {RuntimeInformation.OSDescription} and it was built for {Constants.Runner.Platform.ToString()}.");
@@ -95,7 +105,15 @@ namespace GitHub.Runner.Listener
                 var unknownCommandlines = command.Validate();
                 if (unknownCommandlines.Count > 0)
                 {
-                    terminal.WriteError($"Unrecognized command-line input arguments: '{string.Join(", ", unknownCommandlines)}'. For usage refer to: .\\config.cmd --help or ./config.sh --help");
+                    string commandName = command.GetCommandName();
+                    if (string.IsNullOrEmpty(commandName))
+                    {
+                        terminal.WriteError($"This command does not recognize the command-line input arguments: '{string.Join(", ", unknownCommandlines)}'. For usage refer to: .\\config.cmd --help or ./config.sh --help");
+                    }
+                    else
+                    {
+                        terminal.WriteError($"Unrecognized command-line input arguments for command {commandName}: '{string.Join(", ", unknownCommandlines)}'. For usage refer to: .\\config.cmd --help or ./config.sh --help");
+                    }
                 }
 
                 // Defer to the Runner class to execute the command.

src/Runner.Listener/Runner.Listener.csproj

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <OutputType>Exe</OutputType>
-    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64</RuntimeIdentifiers>
+    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64;osx-arm64;win-arm64</RuntimeIdentifiers>
     <TargetLatestRuntimePatch>true</TargetLatestRuntimePatch>
     <NoWarn>NU1701;NU1603</NoWarn>
     <Version>$(Version)</Version>
@@ -19,7 +19,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Win32.Registry" Version="4.4.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
     <PackageReference Include="System.IO.FileSystem.AccessControl" Version="4.4.0" />
     <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="4.4.0" />
     <PackageReference Include="System.ServiceProcess.ServiceController" Version="4.4.0" />

src/Runner.Listener/Runner.cs

@@ -1,17 +1,19 @@
-using GitHub.DistributedTask.WebApi;
-using GitHub.Runner.Listener.Configuration;
 using System;
-using System.Threading;
-using System.Threading.Tasks;
-using GitHub.Services.WebApi;
-using Pipelines = GitHub.DistributedTask.Pipelines;
+using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using System.Reflection;
 using System.Runtime.CompilerServices;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+using GitHub.DistributedTask.WebApi;
 using GitHub.Runner.Common;
-using GitHub.Runner.Sdk;
-using System.Linq;
 using GitHub.Runner.Listener.Check;
+using GitHub.Runner.Listener.Configuration;
+using GitHub.Runner.Sdk;
+using GitHub.Services.WebApi;
+using Pipelines = GitHub.DistributedTask.Pipelines;
 
 namespace GitHub.Runner.Listener
 {
@@ -26,7 +28,7 @@ namespace GitHub.Runner.Listener
         private IMessageListener _listener;
         private ITerminal _term;
         private bool _inConfigStage;
-        private ManualResetEvent _completedCommand = new ManualResetEvent(false);
+        private ManualResetEvent _completedCommand = new(false);
 
         public override void Initialize(IHostContext hostContext)
         {
@@ -191,6 +193,30 @@ namespace GitHub.Runner.Listener
                     return Constants.Runner.ReturnCode.Success;
                 }
 
+                var base64JitConfig = command.GetJitConfig();
+                if (!string.IsNullOrEmpty(base64JitConfig))
+                {
+                    try
+                    {
+                        var decodedJitConfig = Encoding.UTF8.GetString(Convert.FromBase64String(base64JitConfig));
+                        var jitConfig = StringUtil.ConvertFromJson<Dictionary<string, string>>(decodedJitConfig);
+                        foreach (var config in jitConfig)
+                        {
+                            var configFile = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Root), config.Key);
+                            var configContent = Encoding.UTF8.GetString(Convert.FromBase64String(config.Value));
+                            File.WriteAllText(configFile, configContent, Encoding.UTF8);
+                            File.SetAttributes(configFile, File.GetAttributes(configFile) | FileAttributes.Hidden);
+                            Trace.Info($"Save {configContent.Length} chars to '{configFile}'.");
+                        }
+                    }
+                    catch (Exception ex)
+                    {
+                        Trace.Error(ex);
+                        _term.WriteError(ex.Message);
+                        return Constants.Runner.ReturnCode.TerminatedError;
+                    }
+                }
+
                 RunnerSettings settings = configManager.LoadSettings();
 
                 var store = HostContext.GetService<IConfigurationStore>();
@@ -321,6 +347,7 @@ namespace GitHub.Runner.Listener
 
                 // Should we try to cleanup ephemeral runners
                 bool runOnceJobCompleted = false;
+                bool skipSessionDeletion = false;
                 try
                 {
                     var notification = HostContext.GetService<IJobNotification>();
@@ -332,6 +359,8 @@ namespace GitHub.Runner.Listener
                     bool runOnceJobReceived = false;
                     jobDispatcher = HostContext.CreateService<IJobDispatcher>();
 
+                    jobDispatcher.JobStatus += _listener.OnJobStatus;
+
                     while (!HostContext.RunnerShutdownToken.IsCancellationRequested)
                     {
                         TaskAgentMessage message = null;
@@ -407,6 +436,27 @@ namespace GitHub.Runner.Listener
                                 {
                                     autoUpdateInProgress = true;
                                     var runnerUpdateMessage = JsonUtility.FromString<AgentRefreshMessage>(message.Body);
+#if DEBUG
+                                    // Can mock the update for testing
+                                    if (StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable("GITHUB_ACTIONS_RUNNER_IS_MOCK_UPDATE")))
+                                    {
+
+                                        // The mock_update_messages.json file should be an object with keys being the current version and values being the targeted mock version object
+                                        // Example: { "2.283.2": {"targetVersion":"2.284.1"}, "2.284.1": {"targetVersion":"2.285.0"}}
+                                        var mockUpdatesPath = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Root), "mock_update_messages.json");
+                                        if (File.Exists(mockUpdatesPath))
+                                        {
+                                            var mockUpdateMessages = JsonUtility.FromString<Dictionary<string, AgentRefreshMessage>>(File.ReadAllText(mockUpdatesPath));
+                                            if (mockUpdateMessages.ContainsKey(BuildConstants.RunnerPackage.Version))
+                                            {
+                                                var mockTargetVersion = mockUpdateMessages[BuildConstants.RunnerPackage.Version].TargetVersion;
+                                                _term.WriteLine($"Mocking update, using version {mockTargetVersion} instead of {runnerUpdateMessage.TargetVersion}");
+                                                Trace.Info($"Mocking update, using version {mockTargetVersion} instead of {runnerUpdateMessage.TargetVersion}");
+                                                runnerUpdateMessage = new AgentRefreshMessage(runnerUpdateMessage.AgentId, mockTargetVersion, runnerUpdateMessage.Timeout);
+                                            }
+                                        }
+                                    }
+#endif
                                     var selfUpdater = HostContext.GetService<ISelfUpdater>();
                                     selfUpdateTask = selfUpdater.SelfUpdate(runnerUpdateMessage, jobDispatcher, false, HostContext.RunnerShutdownToken);
                                     Trace.Info("Refresh message received, kick-off selfupdate background process.");
@@ -435,6 +485,44 @@ namespace GitHub.Runner.Listener
                                     }
                                 }
                             }
+                            // Broker flow
+                            else if (string.Equals(message.MessageType, JobRequestMessageTypes.RunnerJobRequest, StringComparison.OrdinalIgnoreCase))
+                            {
+                                if (autoUpdateInProgress || runOnceJobReceived)
+                                {
+                                    skipMessageDeletion = true;
+                                    Trace.Info($"Skip message deletion for job request message '{message.MessageId}'.");
+                                }
+                                else
+                                {
+                                    var messageRef = StringUtil.ConvertFromJson<RunnerJobRequestRef>(message.Body);
+                                    Pipelines.AgentJobRequestMessage jobRequestMessage = null;
+
+                                    // Create connection
+                                    var credMgr = HostContext.GetService<ICredentialManager>();
+                                    var creds = credMgr.LoadCredentials();
+
+                                    if (string.IsNullOrEmpty(messageRef.RunServiceUrl))
+                                    {
+                                        var actionsRunServer = HostContext.CreateService<IActionsRunServer>();
+                                        await actionsRunServer.ConnectAsync(new Uri(settings.ServerUrl), creds);
+                                        jobRequestMessage = await actionsRunServer.GetJobMessageAsync(messageRef.RunnerRequestId, messageQueueLoopTokenSource.Token);
+                                    }
+                                    else
+                                    {
+                                        var runServer = HostContext.CreateService<IRunServer>();
+                                        await runServer.ConnectAsync(new Uri(messageRef.RunServiceUrl), creds);
+                                        jobRequestMessage = await runServer.GetJobMessageAsync(messageRef.RunnerRequestId, messageQueueLoopTokenSource.Token);
+                                    }
+
+                                    jobDispatcher.Run(jobRequestMessage, runOnce);
+                                    if (runOnce)
+                                    {
+                                        Trace.Info("One time used runner received job message.");
+                                        runOnceJobReceived = true;
+                                    }
+                                }
+                            }
                             else if (string.Equals(message.MessageType, JobCancelMessage.MessageType, StringComparison.OrdinalIgnoreCase))
                             {
                                 var cancelJobMessage = JsonUtility.FromString<JobCancelMessage>(message.Body);
@@ -446,6 +534,14 @@ namespace GitHub.Runner.Listener
                                     Trace.Info($"Skip message deletion for cancellation message '{message.MessageId}'.");
                                 }
                             }
+                            else if (string.Equals(message.MessageType, Pipelines.HostedRunnerShutdownMessage.MessageType, StringComparison.OrdinalIgnoreCase))
+                            {
+                                var HostedRunnerShutdownMessage = JsonUtility.FromString<Pipelines.HostedRunnerShutdownMessage>(message.Body);
+                                skipMessageDeletion = true;
+                                skipSessionDeletion = true;
+                                Trace.Info($"Service requests the hosted runner to shutdown. Reason: '{HostedRunnerShutdownMessage.Reason}'.");
+                                return Constants.Runner.ReturnCode.Success;
+                            }
                             else
                             {
                                 Trace.Error($"Received message {message.MessageId} with unsupported message type {message.MessageType}.");
@@ -476,18 +572,22 @@ namespace GitHub.Runner.Listener
                 {
                     if (jobDispatcher != null)
                     {
+                        jobDispatcher.JobStatus -= _listener.OnJobStatus;
                         await jobDispatcher.ShutdownAsync();
                     }
 
-                    try
+                    if (!skipSessionDeletion)
                     {
-                        await _listener.DeleteSessionAsync();
-                    }
-                    catch (Exception ex) when (runOnce)
-                    {
-                        // ignore exception during delete session for ephemeral runner since the runner might already be deleted from the server side
-                        // and the delete session call will ends up with 401.
-                        Trace.Info($"Ignore any exception during DeleteSession for an ephemeral runner. {ex}");
+                        try
+                        {
+                            await _listener.DeleteSessionAsync();
+                        }
+                        catch (Exception ex) when (runOnce)
+                        {
+                            // ignore exception during delete session for ephemeral runner since the runner might already be deleted from the server side
+                            // and the delete session call will ends up with 401.
+                            Trace.Info($"Ignore any exception during DeleteSession for an ephemeral runner. {ex}");
+                        }
                     }
 
                     messageQueueLoopTokenSource.Dispose();
@@ -539,7 +639,7 @@ Config Options:
  --labels string        Extra labels in addition to the default: 'self-hosted,{Constants.Runner.Platform},{Constants.Runner.PlatformArchitecture}'
  --work string          Relative runner work directory (default {Constants.Path.WorkDirectory})
  --replace              Replace any existing runner with the same name (default false)
- --pat                  GitHub personal access token used for checking network connectivity when executing `.{separator}run.{ext} --check`
+ --pat                  GitHub personal access token with repo scope. Used for checking network connectivity when executing `.{separator}run.{ext} --check`
  --disableupdate        Disable self-hosted runner automatic update to the latest released version`
  --ephemeral            Configure the runner to only take one job and then let the service un-configure the runner after the job finishes (default false)");
 

src/Runner.Listener/RunnerJobRequestRef.cs

@@ -0,0 +1,15 @@
+using System.Runtime.Serialization;
+
+namespace GitHub.Runner.Listener
+{
+    [DataContract]
+    public sealed class RunnerJobRequestRef
+    {
+        [DataMember(Name = "id")]
+        public string Id { get; set; }
+        [DataMember(Name = "runner_request_id")]
+        public string RunnerRequestId { get; set; }
+        [DataMember(Name = "run_service_url")]
+        public string RunServiceUrl { get; set; }
+    }
+}

src/Runner.Listener/SelfUpdater.cs

@@ -12,6 +12,7 @@ using System.Threading;
 using System.Threading.Tasks;
 using GitHub.DistributedTask.WebApi;
 using GitHub.Runner.Common;
+using GitHub.Runner.Common.Util;
 using GitHub.Runner.Sdk;
 using GitHub.Services.Common;
 using GitHub.Services.WebApi;
@@ -31,14 +32,14 @@ namespace GitHub.Runner.Listener
         private static string _platform = BuildConstants.RunnerPackage.PackageName;
         private static string _dotnetRuntime = "dotnetRuntime";
         private static string _externals = "externals";
-        private readonly Dictionary<string, string> _contentHashes = new Dictionary<string, string>();
+        private readonly Dictionary<string, string> _contentHashes = new();
 
         private PackageMetadata _targetPackage;
         private ITerminal _terminal;
         private IRunnerServer _runnerServer;
         private int _poolId;
         private int _agentId;
-        private readonly ConcurrentQueue<string> _updateTrace = new ConcurrentQueue<string>();
+        private readonly ConcurrentQueue<string> _updateTrace = new();
         private Task _cloneAndCalculateContentHashTask;
         private string _dotnetRuntimeCloneDirectory;
         private string _externalsCloneDirectory;
@@ -104,7 +105,7 @@ namespace GitHub.Runner.Listener
                     }
                 }
 
-                await DownloadLatestRunner(token);
+                await DownloadLatestRunner(token, updateMessage.TargetVersion);
                 Trace.Info($"Download latest runner and unzip into runner root.");
 
                 // wait till all running job finish
@@ -130,8 +131,10 @@ namespace GitHub.Runner.Listener
                 // For L0, we will skip execute update script.
                 if (string.IsNullOrEmpty(Environment.GetEnvironmentVariable("_GITHUB_ACTION_EXECUTE_UPDATE_SCRIPT")))
                 {
+                    string flagFile = "update.finished";
+                    IOUtil.DeleteFile(flagFile);
                     // kick off update script
-                    Process invokeScript = new Process();
+                    Process invokeScript = new();
 #if OS_WINDOWS
                     invokeScript.StartInfo.FileName = WhichUtil.Which("cmd.exe", trace: Trace);
                     invokeScript.StartInfo.Arguments = $"/c \"{updateScript}\"";
@@ -188,9 +191,9 @@ namespace GitHub.Runner.Listener
             }
 
             Trace.Info($"Version '{_targetPackage.Version}' of '{_targetPackage.Type}' package available in server.");
-            PackageVersion serverVersion = new PackageVersion(_targetPackage.Version);
+            PackageVersion serverVersion = new(_targetPackage.Version);
             Trace.Info($"Current running runner version is {BuildConstants.RunnerPackage.Version}");
-            PackageVersion runnerVersion = new PackageVersion(BuildConstants.RunnerPackage.Version);
+            PackageVersion runnerVersion = new(BuildConstants.RunnerPackage.Version);
 
             return serverVersion.CompareTo(runnerVersion) > 0;
         }
@@ -206,7 +209,7 @@ namespace GitHub.Runner.Listener
         /// </summary>
         /// <param name="token"></param>
         /// <returns></returns>
-        private async Task DownloadLatestRunner(CancellationToken token)
+        private async Task DownloadLatestRunner(CancellationToken token, string targetVersion)
         {
             string latestRunnerDirectory = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Work), Constants.Path.UpdateDirectory);
             IOUtil.DeleteDirectory(latestRunnerDirectory, token);
@@ -266,14 +269,57 @@ namespace GitHub.Runner.Listener
 
             try
             {
-                archiveFile = await DownLoadRunner(latestRunnerDirectory, packageDownloadUrl, packageHashValue, token);
+#if DEBUG
+                // Much of the update process (targetVersion, archive) is server-side, this is a way to control it from here for testing specific update scenarios
+                // Add files like 'runner2.281.2.tar.gz' or 'runner2.283.0.zip' (depending on your platform) to your runner root folder
+                // Note that runners still need to be older than the server's runner version in order to receive an 'AgentRefreshMessage' and trigger this update
+                // Wrapped in #if DEBUG as this should not be in the RELEASE build
+                if (StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable("GITHUB_ACTIONS_RUNNER_IS_MOCK_UPDATE")))
+                {
+                    var waitForDebugger = StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable("GITHUB_ACTIONS_RUNNER_IS_MOCK_UPDATE_WAIT_FOR_DEBUGGER"));
+                    if (waitForDebugger)
+                    {
+                        int waitInSeconds = 20;
+                        while (!Debugger.IsAttached && waitInSeconds-- > 0)
+                        {
+                            await Task.Delay(1000);
+                        }
+                        Debugger.Break();
+                    }
 
+                    if (_targetPackage.Platform.StartsWith("win"))
+                    {
+                        archiveFile = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Root), $"runner{targetVersion}.zip");
+                    }
+                    else
+                    {
+                        archiveFile = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Root), $"runner{targetVersion}.tar.gz");
+                    }
+
+                    if (File.Exists(archiveFile))
+                    {
+                        _updateTrace.Enqueue($"Mocking update with file: '{archiveFile}' and targetVersion: '{targetVersion}', nothing is downloaded");
+                        _terminal.WriteLine($"Mocking update with file: '{archiveFile}' and targetVersion: '{targetVersion}', nothing is downloaded");
+                    }
+                    else
+                    {
+                        archiveFile = null;
+                        _terminal.WriteLine($"Mock runner archive not found at {archiveFile} for target version {targetVersion}, proceeding with download instead");
+                        _updateTrace.Enqueue($"Mock runner archive not found at {archiveFile} for target version {targetVersion}, proceeding with download instead");
+                    }
+                }
+#endif
+                // archiveFile is not null only if we mocked it above
                 if (string.IsNullOrEmpty(archiveFile))
                 {
-                    throw new TaskCanceledException($"Runner package '{packageDownloadUrl}' failed after {Constants.RunnerDownloadRetryMaxAttempts} download attempts");
-                }
+                    archiveFile = await DownLoadRunner(latestRunnerDirectory, packageDownloadUrl, packageHashValue, token);
 
-                await ValidateRunnerHash(archiveFile, packageHashValue);
+                    if (string.IsNullOrEmpty(archiveFile))
+                    {
+                        throw new TaskCanceledException($"Runner package '{packageDownloadUrl}' failed after {Constants.RunnerDownloadRetryMaxAttempts} download attempts");
+                    }
+                    await ValidateRunnerHash(archiveFile, packageHashValue);
+                }
 
                 await ExtractRunnerPackage(archiveFile, latestRunnerDirectory, token);
             }
@@ -430,7 +476,7 @@ namespace GitHub.Runner.Listener
                         long downloadSize = 0;
 
                         //open zip stream in async mode
-                        using (HttpClient httpClient = new HttpClient(HostContext.CreateHttpClientHandler()))
+                        using (HttpClient httpClient = new(HostContext.CreateHttpClientHandler()))
                         {
                             if (!string.IsNullOrEmpty(_targetPackage.Token))
                             {
@@ -440,7 +486,7 @@ namespace GitHub.Runner.Listener
 
                             Trace.Info($"Downloading {packageDownloadUrl}");
 
-                            using (FileStream fs = new FileStream(archiveFile, FileMode.Create, FileAccess.Write, FileShare.None, bufferSize: 4096, useAsync: true))
+                            using (FileStream fs = new(archiveFile, FileMode.Create, FileAccess.Write, FileShare.None, bufferSize: 4096, useAsync: true))
                             using (Stream result = await httpClient.GetStreamAsync(packageDownloadUrl))
                             {
                                 //81920 is the default used by System.IO.Stream.CopyTo and is under the large object heap threshold (85k).
@@ -460,7 +506,7 @@ namespace GitHub.Runner.Listener
                     }
                     catch (OperationCanceledException) when (token.IsCancellationRequested)
                     {
-                        Trace.Info($"Runner download has been canceled.");
+                        Trace.Info($"Runner download has been cancelled.");
                         throw;
                     }
                     catch (Exception ex)
@@ -550,7 +596,7 @@ namespace GitHub.Runner.Listener
                     int exitCode = await processInvoker.ExecuteAsync(extractDirectory, tar, $"-xzf \"{archiveFile}\"", null, token);
                     if (exitCode != 0)
                     {
-                        throw new NotSupportedException($"Can't use 'tar -xzf' extract archive file: {archiveFile}. return code: {exitCode}.");
+                        throw new NotSupportedException($"Can't use 'tar -xzf' to extract archive file: {archiveFile}. return code: {exitCode}.");
                     }
                 }
             }
@@ -761,7 +807,7 @@ namespace GitHub.Runner.Listener
                 IOUtil.CopyDirectory(_externalsCloneDirectory, Path.Combine(downloadDirectory, Constants.Path.ExternalsDirectory), token);
 
                 // try run node.js to see if current node.js works fine after copy over to new location.
-                var nodeVersions = new[] { "node12", "node16" };
+                var nodeVersions = NodeUtil.BuiltInNodeVersions;
                 foreach (var nodeVersion in nodeVersions)
                 {
                     var newNodeBinary = Path.Combine(downloadDirectory, Constants.Path.ExternalsDirectory, nodeVersion, "bin", $"node{IOUtil.ExeExtension}");
@@ -1026,7 +1072,7 @@ namespace GitHub.Runner.Listener
 
             var stopWatch = Stopwatch.StartNew();
             string binDir = HostContext.GetDirectory(WellKnownDirectory.Bin);
-            string node = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Externals), "node12", "bin", $"node{IOUtil.ExeExtension}");
+            string node = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Externals), NodeUtil.GetInternalNodeVersion(), "bin", $"node{IOUtil.ExeExtension}");
             string hashFilesScript = Path.Combine(binDir, "hashFiles");
             var hashResult = string.Empty;
 
@@ -1060,6 +1106,8 @@ namespace GitHub.Runner.Listener
                                               arguments: $"\"{hashFilesScript.Replace("\"", "\\\"")}\"",
                                               environment: env,
                                               requireExitCodeZero: false,
+                                              outputEncoding: null,
+                                              killProcessOnCancel: true,
                                               cancellationToken: token);
 
                 if (exitCode != 0)

src/Runner.PluginHost/Program.cs

@@ -1,13 +1,10 @@
-using System;
-using System.Collections.Generic;
+using System;
 using System.Globalization;
 using System.IO;
-using System.Linq;
 using System.Reflection;
 using System.Runtime.Loader;
 using System.Text;
 using System.Threading;
-using System.Threading.Tasks;
 using GitHub.Runner.Sdk;
 using GitHub.DistributedTask.WebApi;
 
@@ -15,7 +12,7 @@ namespace GitHub.Runner.PluginHost
 {
     public static class Program
     {
-        private static CancellationTokenSource tokenSource = new CancellationTokenSource();
+        private static CancellationTokenSource tokenSource = new();
         private static string executingAssemblyLocation = string.Empty;
 
         public static int Main(string[] args)

src/Runner.PluginHost/Runner.PluginHost.csproj

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <OutputType>Exe</OutputType>
-    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64</RuntimeIdentifiers>
+    <RuntimeIdentifiers>win-x64;win-x86;linux-x64;linux-arm64;linux-arm;osx-x64;osx-arm64;win-arm64</RuntimeIdentifiers>
     <TargetLatestRuntimePatch>true</TargetLatestRuntimePatch>
     <NoWarn>NU1701;NU1603</NoWarn>
     <Version>$(Version)</Version>