Change the auth challenge 401 to be verbose trace. (#2021)

* fix: GITHUB_ENV in composite

* fix L0 Test

docs/checks/actions.md

@@ -15,7 +15,7 @@ Make sure the runner has access to actions service for GitHub.com or GitHub Ente
     ```
     curl -v https://api.github.com/api/v3/zen
     curl -v https://vstoken.actions.githubusercontent.com/_apis/health
-    curl -v https://pipelines.actions.githubusercontent/_apis/health
+    curl -v https://pipelines.actions.githubusercontent.com/_apis/health
     ```
 
 - For GitHub Enterprise Server

docs/checks/git.md

@@ -20,11 +20,30 @@ The test also set environment variable `GIT_TRACE=1` and `GIT_CURL_VERBOSE=1` be
 
 ## How to fix the issue?
 
-### 1. Check the common network issue
+### 1. Check global and system git config
+
+If you are having issues connecting to the server, check your global and system git config for any unexpected authentication headers. You might be seeing an error like:
+
+```
+fatal: unable to access 'https://github.com/actions/checkout/': The requested URL returned error: 400
+```
+
+The following commands can be used to check for unexpected authentication headers:
+
+```
+$ git config --global --list | grep extraheader
+http.extraheader=AUTHORIZATION: unexpected_auth_header
+
+$ git config --system --list | grep extraheader
+```
+
+The following command can be used to remove the above value: `git config --global --unset http.extraheader`
+
+### 2. Check the common network issue
   
   > Please check the [network doc](./network.md)
 
-### 2. SSL certificate related issue
+### 3. SSL certificate related issue
 
   If you are seeing `SSL Certificate problem:` in the log, it means the `git` can't connect to the GitHub server due to SSL handshake failure.
   > Please check the [SSL cert doc](./sslcert.md)

docs/start/envlinux.md

@@ -34,7 +34,7 @@ The `installdependencies.sh` script should install all required dependencies on
 
 Debian based OS (Debian, Ubuntu, Linux Mint)
 
-- liblttng-ust0
+- liblttng-ust1 or liblttng-ust0
 - libkrb5-3
 - zlib1g
 - libssl1.1, libssl1.0.2 or libssl1.0.0

releaseNote.md

@@ -1,11 +1,11 @@
 ## Features
-- Allow self-hosted runner admins to fail jobs that don't have a job container (#1895)
-- Experimental: Self-hosted runner admins can now use scripts to customize the container invocation in the runner (#1853)
+- Added support for a JIT runner config (#1925)
+- Added `ACTIONS_RUNNER_FORCE_ACTIONS_NODE_VERSION` env option to force actions to run on a specific node version (#1913)
 ## Bugs
-- Fixed an issue where a Job Hook would fail to execute if the shell path contains a space on Windows (#1826)
+- Fixed a bug where container hooks passed in path as a string rather then an array of strings (#1948)
 
 ## Misc
-- Handle new `HostedRunnerShutdownMessage` to shutdown hosted runners faster (#1922)
+- Minor cleanup of error messages when running container hooks (#1949)
 
 ## Windows x64
 We recommend configuring the runner in a root folder of the Windows drive (e.g. "C:\actions-runner"). This will help avoid issues related to service identity folder permissions and long file path restrictions on Windows.

src/Misc/layoutbin/installdependencies.sh

@@ -66,7 +66,7 @@ then
             fi
         fi
 
-        $apt_get update && $apt_get install -y liblttng-ust0 libkrb5-3 zlib1g
+        $apt_get update && $apt_get install -y libkrb5-3 zlib1g
         if [ $? -ne 0 ]
         then
             echo "'$apt_get' failed with exit code '$?'"
@@ -94,6 +94,14 @@ then
             fi
         }
 
+        apt_get_with_fallbacks liblttng-ust1 liblttng-ust0
+        if [ $? -ne 0 ]
+        then
+            echo "'$apt_get' failed with exit code '$?'"
+            print_errormessage
+            exit 1
+        fi
+
         apt_get_with_fallbacks libssl1.1$ libssl1.0.2$ libssl1.0.0$
         if [ $? -ne 0 ]
         then

src/Runner.Common/Constants.cs

@@ -90,6 +90,7 @@ namespace GitHub.Runner.Common
                 public static class Args
                 {
                     public static readonly string Auth = "auth";
+                    public static readonly string JitConfig = "jitconfig";
                     public static readonly string Labels = "labels";
                     public static readonly string MonitorSocketAddress = "monitorsocketaddress";
                     public static readonly string Name = "name";
@@ -241,6 +242,7 @@ namespace GitHub.Runner.Common
 
                 // Set this env var to "node12" to downgrade the node version for internal functions (e.g hashfiles). This does NOT affect the version of node actions.
                 public static readonly string ForcedInternalNodeVersion = "ACTIONS_RUNNER_FORCED_INTERNAL_NODE_VERSION"; 
+                public static readonly string ForcedActionsNodeVersion = "ACTIONS_RUNNER_FORCE_ACTIONS_NODE_VERSION"; 
             }
 
             public static class System

src/Runner.Common/RunServer.cs

@@ -17,7 +17,7 @@ namespace GitHub.Runner.Common
     {
         Task ConnectAsync(Uri serverUrl, VssCredentials credentials);
 
-        Task<AgentJobRequestMessage> GetJobMessageAsync(string id);
+        Task<AgentJobRequestMessage> GetJobMessageAsync(string id, CancellationToken token);
     }
 
     public sealed class RunServer : RunnerService, IRunServer
@@ -67,10 +67,40 @@ namespace GitHub.Runner.Common
             }
         }
 
-        public Task<AgentJobRequestMessage> GetJobMessageAsync(string id)
+        public Task<AgentJobRequestMessage> GetJobMessageAsync(string id, CancellationToken cancellationToken)
         {
             CheckConnection();
-            return _taskAgentClient.GetJobMessageAsync(id);
+            var jobMessage = RetryRequest<AgentJobRequestMessage>(async () =>
+                                                    {
+                                                        return await _taskAgentClient.GetJobMessageAsync(id, cancellationToken);
+                                                    }, cancellationToken);
+            return jobMessage;
+        }
+
+        private async Task<T> RetryRequest<T>(Func<Task<T>> func,
+                                              CancellationToken cancellationToken,
+                                              int maxRetryAttemptsCount = 5
+                                             )
+        {
+            var retryCount = 0;
+            while (true)
+            {
+                retryCount++;
+                cancellationToken.ThrowIfCancellationRequested();
+                try
+                {
+                    return await func();
+                }
+                // TODO: Add handling of non-retriable exceptions: https://github.com/github/actions-broker/issues/122
+                catch (Exception ex) when (retryCount < maxRetryAttemptsCount)
+                {
+                    Trace.Error("Catch exception during get full job message");
+                    Trace.Error(ex);
+                    var backOff = BackoffTimerHelper.GetRandomBackoff(TimeSpan.FromSeconds(5), TimeSpan.FromSeconds(15));
+                    Trace.Warning($"Back off {backOff.TotalSeconds} seconds before next retry. {maxRetryAttemptsCount - retryCount} attempt left.");
+                    await Task.Delay(backOff, cancellationToken);
+                }
+            }
         }
     }
 }

src/Runner.Common/Runner.Common.csproj

@@ -16,7 +16,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Win32.Registry" Version="4.4.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
     <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="4.4.0" />
     <PackageReference Include="System.Text.Encoding.CodePages" Version="4.4.0" />
     <PackageReference Include="System.Threading.Channels" Version="4.4.0" />

src/Runner.Common/Util/NodeUtil.cs

@@ -15,8 +15,14 @@ namespace GitHub.Runner.Common.Util
 
         public static string GetInternalNodeVersion()
         {
-            var forcedNodeVersion = Environment.GetEnvironmentVariable(Constants.Variables.Agent.ForcedInternalNodeVersion);
-            return !string.IsNullOrEmpty(forcedNodeVersion) && BuiltInNodeVersions.Contains(forcedNodeVersion) ? forcedNodeVersion : _defaultNodeVersion;
+            var forcedInternalNodeVersion = Environment.GetEnvironmentVariable(Constants.Variables.Agent.ForcedInternalNodeVersion);
+            var isForcedInternalNodeVersion = !string.IsNullOrEmpty(forcedInternalNodeVersion) && BuiltInNodeVersions.Contains(forcedInternalNodeVersion);
+
+            if (isForcedInternalNodeVersion)
+            {
+                return forcedInternalNodeVersion;
+            }
+            return _defaultNodeVersion;
         }
     }
 }

src/Runner.Listener/CommandSettings.cs

@@ -63,6 +63,7 @@ namespace GitHub.Runner.Listener
                 new string[]
                 {
                     Constants.Runner.CommandLine.Flags.Once,
+                    Constants.Runner.CommandLine.Args.JitConfig,
                     Constants.Runner.CommandLine.Args.StartupType
                 },
             // valid warmup flags and args
@@ -213,6 +214,12 @@ namespace GitHub.Runner.Listener
                 validator: Validators.AuthSchemeValidator);
         }
 
+        public string GetJitConfig()
+        {
+            return GetArg(
+                name: Constants.Runner.CommandLine.Args.JitConfig);
+        }
+
         public string GetRunnerName()
         {
             return GetArgOrPrompt(

src/Runner.Listener/Runner.Listener.csproj

@@ -19,7 +19,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Win32.Registry" Version="4.4.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
     <PackageReference Include="System.IO.FileSystem.AccessControl" Version="4.4.0" />
     <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="4.4.0" />
     <PackageReference Include="System.ServiceProcess.ServiceController" Version="4.4.0" />

src/Runner.Listener/Runner.cs

@@ -1,9 +1,11 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.IO.Compression;
 using System.Linq;
 using System.Reflection;
 using System.Runtime.CompilerServices;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using GitHub.DistributedTask.WebApi;
@@ -192,6 +194,30 @@ namespace GitHub.Runner.Listener
                     return Constants.Runner.ReturnCode.Success;
                 }
 
+                var base64JitConfig = command.GetJitConfig();
+                if (!string.IsNullOrEmpty(base64JitConfig))
+                {
+                    try
+                    {
+                        var decodedJitConfig = Encoding.UTF8.GetString(Convert.FromBase64String(base64JitConfig));
+                        var jitConfig = StringUtil.ConvertFromJson<Dictionary<string, string>>(decodedJitConfig);
+                        foreach (var config in jitConfig)
+                        {
+                            var configFile = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Root), config.Key);
+                            var configContent = Encoding.UTF8.GetString(Convert.FromBase64String(config.Value));
+                            File.WriteAllText(configFile, configContent, Encoding.UTF8);
+                            File.SetAttributes(configFile, File.GetAttributes(configFile) | FileAttributes.Hidden);
+                            Trace.Info($"Save {configContent.Length} chars to '{configFile}'.");
+                        }
+                    }
+                    catch (Exception ex)
+                    {
+                        Trace.Error(ex);
+                        _term.WriteError(ex.Message);
+                        return Constants.Runner.ReturnCode.TerminatedError;
+                    }
+                }
+
                 RunnerSettings settings = configManager.LoadSettings();
 
                 var store = HostContext.GetService<IConfigurationStore>();
@@ -474,10 +500,9 @@ namespace GitHub.Runner.Listener
                                     var credMgr = HostContext.GetService<ICredentialManager>();
                                     var creds = credMgr.LoadCredentials();
 
-                                    // todo: add retries https://github.com/github/actions-broker/issues/49
                                     var runServer = HostContext.CreateService<IRunServer>();
                                     await runServer.ConnectAsync(new Uri(settings.ServerUrl), creds);
-                                    var jobMessage = await runServer.GetJobMessageAsync(messageRef.RunnerRequestId);
+                                    var jobMessage = await runServer.GetJobMessageAsync(messageRef.RunnerRequestId, messageQueueLoopTokenSource.Token);
 
                                     jobDispatcher.Run(jobMessage, runOnce);
                                     if (runOnce)
@@ -602,7 +627,7 @@ Config Options:
  --labels string        Extra labels in addition to the default: 'self-hosted,{Constants.Runner.Platform},{Constants.Runner.PlatformArchitecture}'
  --work string          Relative runner work directory (default {Constants.Path.WorkDirectory})
  --replace              Replace any existing runner with the same name (default false)
- --pat                  GitHub personal access token used for checking network connectivity when executing `.{separator}run.{ext} --check`
+ --pat                  GitHub personal access token with repo scope. Used for checking network connectivity when executing `.{separator}run.{ext} --check`
  --disableupdate        Disable self-hosted runner automatic update to the latest released version`
  --ephemeral            Configure the runner to only take one job and then let the service un-configure the runner after the job finishes (default false)");
 

src/Runner.Worker/Container/ContainerHooks/ContainerHookManager.cs

@@ -101,7 +101,7 @@ namespace GitHub.Runner.Worker.Container.ContainerHooks
                     EntryPointArgs = entryPointArgs.Split(' ').Select(arg => arg.Trim()),
                     EntryPoint = entryPoint,
                     EnvironmentVariables = environmentVariables,
-                    PrependPath = prependPath,
+                    PrependPath = context.Global.PrependPath.Reverse<string>(),
                     WorkingDirectory = workingDirectory,
                 },
                 State = context.Global.ContainerHookState
@@ -174,8 +174,7 @@ namespace GitHub.Runner.Worker.Container.ContainerHooks
             }
             catch (Exception ex)
             {
-                Trace.Error(ex);
-                throw new Exception($"Custom container implementation failed with error: {ex.Message} Please contact your self hosted runner administrator.", ex);
+                throw new Exception($"Executing the custom container implementation failed. Please contact your self hosted runner administrator.", ex);
             }
         }
 

src/Runner.Worker/Container/ContainerHooks/HookInput.cs

@@ -44,7 +44,7 @@ namespace GitHub.Runner.Worker.Container.ContainerHooks
         public IEnumerable<string> EntryPointArgs { get; set; }
         public string EntryPoint { get; set; }
         public IDictionary<string, string> EnvironmentVariables { get; set; }
-        public string PrependPath { get; set; }
+        public IEnumerable<string> PrependPath { get; set; }
         public string WorkingDirectory { get; set; }
         public bool IsRequireAlpineInResponse() => false;
     }

src/Runner.Worker/ExecutionContext.cs

@@ -67,6 +67,8 @@ namespace GitHub.Runner.Worker
 
         bool IsEmbedded { get; }
 
+        List<string> StepEnvironmentOverrides { get; }
+
         ExecutionContext Root { get; }
 
         // Initialize
@@ -237,6 +239,8 @@ namespace GitHub.Runner.Worker
             }
         }
 
+        public List<string> StepEnvironmentOverrides { get; } = new List<string>();
+
         public override void Initialize(IHostContext hostContext)
         {
             base.Initialize(hostContext);

src/Runner.Worker/Handlers/CompositeActionHandler.cs

@@ -266,7 +266,11 @@ namespace GitHub.Runner.Worker.Handlers
 #endif
                     foreach (var pair in dict)
                     {
-                        envContext[pair.Key] = pair.Value;
+                        // Skip global env, otherwise we merge an outdated global env
+                        if (ExecutionContext.StepEnvironmentOverrides.Contains(pair.Key))
+                        {
+                            envContext[pair.Key] = pair.Value;
+                        }
                     }
                 }
 
@@ -275,11 +279,13 @@ namespace GitHub.Runner.Worker.Handlers
                     if (step is IActionRunner actionStep)
                     {
                         // Evaluate and merge embedded-step env
+                        step.ExecutionContext.StepEnvironmentOverrides.AddRange(ExecutionContext.StepEnvironmentOverrides);
                         var templateEvaluator = step.ExecutionContext.ToPipelineTemplateEvaluator();
                         var actionEnvironment = templateEvaluator.EvaluateStepEnvironment(actionStep.Action.Environment, step.ExecutionContext.ExpressionValues, step.ExecutionContext.ExpressionFunctions, Common.Util.VarUtil.EnvironmentVariableKeyComparer);
                         foreach (var env in actionEnvironment)
                         {
                             envContext[env.Key] = new StringContextData(env.Value ?? string.Empty);
+                            step.ExecutionContext.StepEnvironmentOverrides.Add(env.Key);
                         }
                     }
                 }

src/Runner.Worker/Handlers/NodeScriptActionHandler.cs

@@ -8,6 +8,7 @@ using GitHub.DistributedTask.Pipelines.ContextData;
 using GitHub.DistributedTask.WebApi;
 using GitHub.Runner.Common;
 using GitHub.Runner.Sdk;
+using GitHub.Runner.Common.Util;
 using GitHub.Runner.Worker.Container;
 using GitHub.Runner.Worker.Container.ContainerHooks;
 
@@ -104,6 +105,12 @@ namespace GitHub.Runner.Worker.Handlers
                 Data.NodeVersion = "node16";
             }
 #endif
+            string forcedNodeVersion = System.Environment.GetEnvironmentVariable(Constants.Variables.Agent.ForcedActionsNodeVersion);
+
+            if (forcedNodeVersion == "node16" && Data.NodeVersion != "node16")
+            {
+                Data.NodeVersion = "node16";
+            }
             var nodeRuntimeVersion = await StepHost.DetermineNodeRuntimeVersion(ExecutionContext, Data.NodeVersion);
             string file = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Externals), nodeRuntimeVersion, "bin", $"node{IOUtil.ExeExtension}");
 

src/Runner.Worker/StepsRunner.cs

@@ -112,6 +112,7 @@ namespace GitHub.Runner.Worker
                         foreach (var env in actionEnvironment)
                         {
                             envContext[env.Key] = new StringContextData(env.Value ?? string.Empty);
+                            step.ExecutionContext.StepEnvironmentOverrides.Add(env.Key);
                         }
                     }
                     catch (Exception ex)

src/Sdk/Common/Common/Diagnostics/VssHttpEventSource.cs

@@ -351,6 +351,18 @@ namespace GitHub.Services.Common.Diagnostics
             }
         }
 
+        [NonEvent]
+        public void AuthenticationFailedOnFirstRequest(
+            VssTraceActivity activity,
+            HttpResponseMessage response)
+        {
+            if (IsEnabled())
+            {
+                SetActivityId(activity);
+                WriteMessageEvent((Int32)response.StatusCode, response.Headers.ToString(), this.AuthenticationFailedOnFirstRequest);
+            }
+        }
+
         [NonEvent]
         public void IssuedTokenProviderCreated(
             VssTraceActivity activity,
@@ -451,7 +463,7 @@ namespace GitHub.Services.Common.Diagnostics
         [NonEvent]
         public void IssuedTokenInvalidated(
             VssTraceActivity activity,
-            IssuedTokenProvider provider, 
+            IssuedTokenProvider provider,
             IssuedToken token)
         {
             if (IsEnabled())
@@ -813,7 +825,7 @@ namespace GitHub.Services.Common.Diagnostics
         [Event(31, Keywords = Keywords.Authentication, Level = EventLevel.Warning, Task = Tasks.Authentication, Opcode = EventOpcode.Info, Message = "Retrieving an AAD auth token took a long time ({0} seconds)")]
         public void AuthorizationDelayed(string timespan)
         {
-            if(IsEnabled(EventLevel.Warning, Keywords.Authentication))
+            if (IsEnabled(EventLevel.Warning, Keywords.Authentication))
             {
                 WriteEvent(31, timespan);
             }
@@ -828,6 +840,17 @@ namespace GitHub.Services.Common.Diagnostics
             }
         }
 
+        [Event(33, Keywords = Keywords.Authentication, Level = EventLevel.Verbose, Task = Tasks.HttpRequest, Message = "Authentication failed on first request with status code {0}.%n{1}")]
+        private void AuthenticationFailedOnFirstRequest(
+            Int32 statusCode,
+            String headers)
+        {
+            if (IsEnabled(EventLevel.Verbose, Keywords.Authentication))
+            {
+                WriteEvent(33, statusCode, headers);
+            }
+        }
+
         /// <summary>
         /// Sets the activity ID of the current thread.
         /// </summary>

src/Sdk/Common/Common/VssHttpMessageHandler.cs

@@ -251,7 +251,14 @@ namespace GitHub.Services.Common
 
                         // Invalidate the token and ensure that we have the correct token provider for the challenge
                         // which we just received
-                        VssHttpEventSource.Log.AuthenticationFailed(traceActivity, response);
+                        if (retries < m_maxAuthRetries)
+                        {
+                            VssHttpEventSource.Log.AuthenticationFailed(traceActivity, response);
+                        }
+                        else
+                        {
+                            VssHttpEventSource.Log.AuthenticationFailedOnFirstRequest(traceActivity, response);
+                        }
 
                         if (provider != null)
                         {

src/Sdk/PipelinesWebApi/UnknownEnumJsonConverter.cs

@@ -2,6 +2,7 @@
 using System.Linq;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Converters;
+using Newtonsoft.Json.Serialization;
 
 namespace GitHub.Actions.Pipelines.WebApi
 {
@@ -9,7 +10,7 @@ namespace GitHub.Actions.Pipelines.WebApi
     {
         public UnknownEnumJsonConverter()
         {
-            this.CamelCaseText = true;
+            this.NamingStrategy = new CamelCaseNamingStrategy();
         }
 
         public override bool CanConvert(Type objectType)

src/Sdk/Sdk.csproj

@@ -14,7 +14,7 @@
 
     <ItemGroup>
         <PackageReference Include="Microsoft.Win32.Registry" Version="4.4.0" />
-        <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
+        <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
         <PackageReference Include="Microsoft.AspNet.WebApi.Client" Version="5.2.4" />
         <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.2.1" />
         <PackageReference Include="System.Security.Cryptography.Cng" Version="4.4.0" />

src/Sdk/WebApi/WebApi/VssJsonMediaTypeFormatter.cs

@@ -84,7 +84,7 @@ namespace GitHub.Services.WebApi
             if (!enumsAsNumbers)
             {
                 // Serialze enums as camelCased string values
-                this.SerializerSettings.Converters.Add(new StringEnumConverter { CamelCaseText = true });
+                this.SerializerSettings.Converters.Add(new StringEnumConverter { NamingStrategy = new CamelCaseNamingStrategy() });
             }
 
             if (useMsDateFormat)

src/Test/L0/Worker/StepsRunnerL0.cs

@@ -622,6 +622,7 @@ namespace GitHub.Runner.Common.Tests.Worker
                     _stepContext.SetOutcome("", stepContext.Object.ContextName, (stepContext.Object.Outcome ?? stepContext.Object.Result ?? TaskResult.Succeeded).ToActionResult());
                     _stepContext.SetConclusion("", stepContext.Object.ContextName, (stepContext.Object.Result ?? TaskResult.Succeeded).ToActionResult());
                 });
+            stepContext.Setup(x => x.StepEnvironmentOverrides).Returns(new List<string>());
 
             stepContext.Setup(x => x.UpdateGlobalStepsContext()).Callback(() =>
             {

src/runnerversion

@@ -1 +1 @@
-2.293.0
+2.294.0