Pin System.Private.Uri in SDK to fix CVEs reported

Add ability to enforce actions to run on node20 (#3192 )
Add options to enforce actions execute on node20
2025-12-10 12:36:23 +00:00 · 2024-03-15 18:04:56 +01:00 · 2024-03-14 14:12:08 +01:00 · 2024-03-05 11:13:16 -05:00 · 2024-03-04 11:32:21 +01:00 · 2024-02-29 15:39:29 +00:00
10 changed files with 80 additions and 4 deletions
--- a/src/Misc/layoutroot/run.sh
+++ b/src/Misc/layoutroot/run.sh
@@ -38,7 +38,7 @@ runWithManualTrap() {
        cp -f "$DIR"/run-helper.sh.template "$DIR"/run-helper.sh
        "$DIR"/run-helper.sh $* &
        PID=$!
-        wait -f $PID
+        wait $PID
        returnCode=$?
        if [[ $returnCode -eq 2 ]]; then
            echo "Restarting runner..."
@@ -84,4 +84,4 @@ if [[ -z "$RUNNER_MANUALLY_TRAP_SIG" ]]; then
    run $*
 else
    runWithManualTrap $*
-fi
+fi
--- a/src/Runner.Common/Constants.cs
+++ b/src/Runner.Common/Constants.cs
@@ -180,6 +180,9 @@ namespace GitHub.Runner.Common
            public static readonly string DeprecatedNodeVersion = "node16";
            public static readonly string EnforcedNode12DetectedAfterEndOfLife = "The following actions uses node12 which is deprecated and will be forced to run on node16: {0}. For more info: https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/";
            public static readonly string EnforcedNode12DetectedAfterEndOfLifeEnvVariable = "Node16ForceActionsWarnings";
+            public static readonly string EnforcedNode16DetectedAfterEndOfLife = "The following actions uses Node.js version which is deprecated and will be forced to run on node20: {0}. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/";
+            public static readonly string EnforcedNode16DetectedAfterEndOfLifeEnvVariable = "Node20ForceActionsWarnings";
+
        }

        public static class RunnerEvent
@@ -251,6 +254,7 @@ namespace GitHub.Runner.Common
                public static readonly string RunnerDebug = "ACTIONS_RUNNER_DEBUG";
                public static readonly string StepDebug = "ACTIONS_STEP_DEBUG";
                public static readonly string AllowActionsUseUnsecureNodeVersion = "ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION";
+                public static readonly string ManualForceActionsToNode20 = "FORCE_JAVASCRIPT_ACTIONS_TO_NODE20";
            }

            public static class Agent
@@ -262,6 +266,7 @@ namespace GitHub.Runner.Common
                public static readonly string ForcedActionsNodeVersion = "ACTIONS_RUNNER_FORCE_ACTIONS_NODE_VERSION";
                public static readonly string PrintLogToStdout = "ACTIONS_RUNNER_PRINT_LOG_TO_STDOUT";
                public static readonly string ActionArchiveCacheDirectory = "ACTIONS_RUNNER_ACTION_ARCHIVE_CACHE";
+                public static readonly string ManualForceActionsToNode20 = "FORCE_JAVASCRIPT_ACTIONS_TO_NODE20";
            }

            public static class System
--- a/src/Runner.Listener/Runner.cs
+++ b/src/Runner.Listener/Runner.cs
@@ -567,6 +567,11 @@ namespace GitHub.Runner.Listener
                                            Trace.Info("Job is already acquired, skip this message.");
                                            continue;
                                        }
+                                        catch (Exception ex)
+                                        {
+                                            Trace.Error($"Caught exception from acquiring job message: {ex}");
+                                            continue;
+                                        }
                                    }

                                    jobDispatcher.Run(jobRequestMessage, runOnce);
--- a/src/Runner.Worker/FileCommandManager.cs
+++ b/src/Runner.Worker/FileCommandManager.cs
@@ -244,7 +244,7 @@ namespace GitHub.Runner.Worker
                if (resultsReceiverEndpoint != null)
                {
                    Trace.Info($"Queueing results file ({filePath}) for attachment upload ({attachmentName})");
-                    var stepId = context.Id;
+                    var stepId = context.IsEmbedded ? context.EmbeddedId : context.Id;
                    // Attachments must be added to the parent context (job), not the current context (step)
                    context.Root.QueueSummaryFile(attachmentName, scrubbedFilePath, stepId);
                }
--- a/src/Runner.Worker/Handlers/ContainerActionHandler.cs
+++ b/src/Runner.Worker/Handlers/ContainerActionHandler.cs
@@ -223,6 +223,10 @@ namespace GitHub.Runner.Worker.Handlers
            {
                Environment["ACTIONS_CACHE_URL"] = cacheUrl;
            }
+            if (systemConnection.Data.TryGetValue("PipelinesServiceUrl", out var pipelinesServiceUrl) && !string.IsNullOrEmpty(pipelinesServiceUrl))
+            {
+                Environment["ACTIONS_RUNTIME_URL"] = pipelinesServiceUrl;
+            }
            if (systemConnection.Data.TryGetValue("GenerateIdTokenUrl", out var generateIdTokenUrl) && !string.IsNullOrEmpty(generateIdTokenUrl))
            {
                Environment["ACTIONS_ID_TOKEN_REQUEST_URL"] = generateIdTokenUrl;
--- a/src/Runner.Worker/Handlers/HandlerFactory.cs
+++ b/src/Runner.Worker/Handlers/HandlerFactory.cs
@@ -84,6 +84,45 @@ namespace GitHub.Runner.Worker.Handlers
                    }
                    nodeData.NodeVersion = "node16";
                }
+
+                var localForceActionsToNode20 = StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable(Constants.Variables.Agent.ManualForceActionsToNode20));
+                executionContext.Global.EnvironmentVariables.TryGetValue(Constants.Variables.Actions.ManualForceActionsToNode20, out var workflowForceActionsToNode20);
+                var enforceNode20Locally = !string.IsNullOrWhiteSpace(workflowForceActionsToNode20) ? StringUtil.ConvertToBoolean(workflowForceActionsToNode20) : localForceActionsToNode20;
+                if (string.Equals(nodeData.NodeVersion, "node16")
+                && ((executionContext.Global.Variables.GetBoolean("DistributedTask.ForceGithubJavascriptActionsToNode20") ?? false) || enforceNode20Locally))
+                {
+                    executionContext.Global.EnvironmentVariables.TryGetValue(Constants.Variables.Actions.AllowActionsUseUnsecureNodeVersion, out var workflowOptOut);
+                    var isWorkflowOptOutSet = !string.IsNullOrWhiteSpace(workflowOptOut);
+                    var isLocalOptOut = StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable(Constants.Variables.Actions.AllowActionsUseUnsecureNodeVersion));
+                    bool isOptOut = isWorkflowOptOutSet ? StringUtil.ConvertToBoolean(workflowOptOut) : isLocalOptOut;
+
+                    if (!isOptOut)
+                    {
+                        var repoAction = action as Pipelines.RepositoryPathReference;
+                        if (repoAction != null)
+                        {
+                            var warningActions = new HashSet<string>();
+                            if (executionContext.Global.Variables.TryGetValue(Constants.Runner.EnforcedNode16DetectedAfterEndOfLifeEnvVariable, out var node20ForceWarnings))
+                            {
+                                warningActions = StringUtil.ConvertFromJson<HashSet<string>>(node20ForceWarnings);
+                            }
+
+                            string repoActionFullName;
+                            if (string.IsNullOrEmpty(repoAction.Name))
+                            {
+                                repoActionFullName = repoAction.Path; // local actions don't have a 'Name'
+                            }
+                            else
+                            {
+                                repoActionFullName = $"{repoAction.Name}/{repoAction.Path ?? string.Empty}".TrimEnd('/') + $"@{repoAction.Ref}";
+                            }
+
+                            warningActions.Add(repoActionFullName);
+                            executionContext.Global.Variables.Set(Constants.Runner.EnforcedNode16DetectedAfterEndOfLifeEnvVariable, StringUtil.ConvertToJson(warningActions));
+                        }
+                        nodeData.NodeVersion = "node20";
+                    }
+                }
                (handler as INodeScriptActionHandler).Data = nodeData;
            }
            else if (data.ExecutionType == ActionExecutionType.Script)
--- a/src/Runner.Worker/Handlers/NodeScriptActionHandler.cs
+++ b/src/Runner.Worker/Handlers/NodeScriptActionHandler.cs
@@ -58,6 +58,10 @@ namespace GitHub.Runner.Worker.Handlers
            {
                Environment["ACTIONS_CACHE_URL"] = cacheUrl;
            }
+            if (systemConnection.Data.TryGetValue("PipelinesServiceUrl", out var pipelinesServiceUrl) && !string.IsNullOrEmpty(pipelinesServiceUrl))
+            {
+                Environment["ACTIONS_RUNTIME_URL"] = pipelinesServiceUrl;
+            }
            if (systemConnection.Data.TryGetValue("GenerateIdTokenUrl", out var generateIdTokenUrl) && !string.IsNullOrEmpty(generateIdTokenUrl))
            {
                Environment["ACTIONS_ID_TOKEN_REQUEST_URL"] = generateIdTokenUrl;
@@ -114,6 +118,11 @@ namespace GitHub.Runner.Worker.Handlers
            {
                Data.NodeVersion = "node16";
            }
+
+            if (forcedNodeVersion == "node20" && Data.NodeVersion != "node20")
+            {
+                Data.NodeVersion = "node20";
+            }
            var nodeRuntimeVersion = await StepHost.DetermineNodeRuntimeVersion(ExecutionContext, Data.NodeVersion);
            string file = Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Externals), nodeRuntimeVersion, "bin", $"node{IOUtil.ExeExtension}");

--- a/src/Runner.Worker/JobRunner.cs
+++ b/src/Runner.Worker/JobRunner.cs
@@ -298,6 +298,12 @@ namespace GitHub.Runner.Worker
                jobContext.Warning(string.Format(Constants.Runner.EnforcedNode12DetectedAfterEndOfLife, actions));
            }

+            if (jobContext.Global.Variables.TryGetValue(Constants.Runner.EnforcedNode16DetectedAfterEndOfLifeEnvVariable, out var node20ForceWarnings) && (jobContext.Global.Variables.GetBoolean("DistributedTask.ForceGithubJavascriptActionsToNode20") ?? false))
+            {
+                var actions = string.Join(", ", StringUtil.ConvertFromJson<HashSet<string>>(node20ForceWarnings));
+                jobContext.Warning(string.Format(Constants.Runner.EnforcedNode16DetectedAfterEndOfLife, actions));
+            }
+
            await ShutdownQueue(throwOnFailure: false);

            // Make sure to clean temp after file upload since they may be pending fileupload still use the TEMP dir.
@@ -405,6 +411,12 @@ namespace GitHub.Runner.Worker
                jobContext.Warning(string.Format(Constants.Runner.EnforcedNode12DetectedAfterEndOfLife, actions));
            }

+            if (jobContext.Global.Variables.TryGetValue(Constants.Runner.EnforcedNode16DetectedAfterEndOfLifeEnvVariable, out var node20ForceWarnings))
+            {
+                var actions = string.Join(", ", StringUtil.ConvertFromJson<HashSet<string>>(node20ForceWarnings));
+                jobContext.Warning(string.Format(Constants.Runner.EnforcedNode16DetectedAfterEndOfLife, actions));
+            }
+
            try
            {
                var jobQueueTelemetry = await ShutdownQueue(throwOnFailure: true);
--- a/src/Sdk/Sdk.csproj
+++ b/src/Sdk/Sdk.csproj
@@ -21,6 +21,8 @@
        <PackageReference Include="System.Security.Cryptography.Cng" Version="4.4.0" />
        <PackageReference Include="System.Security.Cryptography.Pkcs" Version="4.4.0" />
        <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="4.4.0" />
+        <PackageReference Include="System.Private.Uri" Version="4.3.2" />
+        <PackageReference Include="runtime.unix.System.Private.Uri" Version="4.3.2" />
        <PackageReference Include="Minimatch" Version="2.0.0" />
        <PackageReference Include="YamlDotNet.Signed" Version="5.3.0" />
        <PackageReference Include="System.Net.Http" Version="4.3.4" />
--- a/src/runnerversion
+++ b/src/runnerversion
@@ -1 +1 @@
-2.314.0
+2.314.1
Author	SHA1	Message	Date
Nikola Jokic	0890554c40	Pin System.Private.Uri in SDK to fix CVEs reported	2024-03-15 18:04:56 +01:00
Tatyana Kostromskaya	692d910868	Add ability to enforce actions to run on node20 (#3192 ) Add options to enforce actions execute on node20	2024-03-14 14:12:08 +01:00
Patrick Carnahan	2c8c941622	consume new pipelines service url in handlers (#3185 ) * consume pipelines service url if present updates how the `ACTIONS_RUNTIME_URL` variable is set to utilize a new value, `PipelinesServiceUrl` if present in the endpoint. if this value is not present then the existing system connection endpoint is used to retain backward compatibility. * consume pipelines url updates how the `ACTIONS_RUNTIME_URL` variable is set to utilize a new value, `PipelinesServiceUrl` if present in the endpoint. if this value is not present then the existing system connection endpoint is used to retain backward compatibility.	2024-03-05 11:13:16 -05:00
Nikola Jokic	86d6211c75	Remove -f flag in wait when manually trap signal (#3182 ) * Remove -f flag in wait when manually trap signal * Remove extra empty line	2024-03-04 11:32:21 +01:00
Yashwanth Anantharaju	aa90563cae	don't crash listener on getting job exceptions (#3177 )	2024-02-29 15:39:29 +00:00
Tingluo Huang	4cb3cb2962	Bump runner version to match the latest patch release (#3175 )	2024-02-28 20:08:31 +00:00
Ryan Troost	d7777fd632	fix summaries for actions results (#3174 ) * fix summaries for actions results * remove negative	2024-02-27 15:22:26 -05:00
@@ -1 +1 @@
 .314.0
 .314.1