Pin System.Private.Uri in SDK to fix CVEs reported

.devcontainer/devcontainer.json

@@ -4,7 +4,7 @@
   "features": {
     "ghcr.io/devcontainers/features/docker-in-docker:1": {},
     "ghcr.io/devcontainers/features/dotnet": {
-      "version": "6.0.420"
+      "version": "6.0.419"
     },
     "ghcr.io/devcontainers/features/node:1": {
       "version": "16"

images/Dockerfile

@@ -4,9 +4,9 @@ FROM mcr.microsoft.com/dotnet/runtime-deps:6.0-jammy as build
 ARG TARGETOS
 ARG TARGETARCH
 ARG RUNNER_VERSION
-ARG RUNNER_CONTAINER_HOOKS_VERSION=0.6.0
-ARG DOCKER_VERSION=25.0.4
-ARG BUILDX_VERSION=0.13.1
+ARG RUNNER_CONTAINER_HOOKS_VERSION=0.5.1
+ARG DOCKER_VERSION=25.0.2
+ARG BUILDX_VERSION=0.12.1
 
 RUN apt update -y && apt install curl unzip -y
 

releaseNote.md

@@ -1,21 +1,18 @@
 ## What's Changed
-* fix summaries for actions results by @SrRyan in https://github.com/actions/runner/pull/3174
-* Bump runner version to match the latest patch release by @TingluoHuang in https://github.com/actions/runner/pull/3175
-* don't crash listener on getting job exceptions for run-service by @yaananth in https://github.com/actions/runner/pull/3177
-* Remove -f flag in wait when manually trap signal by @nikola-jokic in https://github.com/actions/runner/pull/3182
-* consume new pipelines service url in handlers by @patrickcarnahan in https://github.com/actions/runner/pull/3185
-* Add ability to enforce actions to run on node20 by @takost in https://github.com/actions/runner/pull/3192
-* Bump hook version to 0.6.0 by @nikola-jokic in https://github.com/actions/runner/pull/3203
-* Update dotnet sdk to latest version @6.0.420 by @github-actions in https://github.com/actions/runner/pull/3211
-* Bump docker version and docker buildx version by @nikola-jokic in https://github.com/actions/runner/pull/3208
-* Handle new non-retryable exception type by @thyeggman in https://github.com/actions/runner/pull/3191
-* Always Delete Actions Service Session by @luketomlinson in https://github.com/actions/runner/pull/3214
+* Prepare v2.313.0 Release by @luketomlinson in https://github.com/actions/runner/pull/3137
+* Pass RunnerOS during job acquire. by @TingluoHuang in https://github.com/actions/runner/pull/3140
+* Process `snapshot` tokens by @davidomid in https://github.com/actions/runner/pull/3135
+* Update dotnet sdk to latest version @6.0.419 by @github-actions in https://github.com/actions/runner/pull/3158
+* handle broker run service exception handling by @yaananth in https://github.com/actions/runner/pull/3163
+* Add a retry logic to docker login operation by @enescakir in https://github.com/actions/runner/pull/3089
+* Broker fixes for token refreshes and AccessDeniedException by @luketomlinson in https://github.com/actions/runner/pull/3161
+* Remove USE_BROKER_FLOW by @luketomlinson in https://github.com/actions/runner/pull/3162
+* Refresh Token for BrokerServer by @luketomlinson in https://github.com/actions/runner/pull/3167
+* Better step timeout message. by @TingluoHuang in https://github.com/actions/runner/pull/3166
 
 ## New Contributors
-* @SrRyan made their first contribution in https://github.com/actions/runner/pull/3174
-* @patrickcarnahan made their first contribution in https://github.com/actions/runner/pull/3185
-
-**Full Changelog**: https://github.com/actions/runner/compare/v2.314.1...v2.315.0
+* @davidomid made their first contribution in https://github.com/actions/runner/pull/3135
+* @enescakir made their first contribution in https://github.com/actions/runner/pull/3089
 
 **Full Changelog**: https://github.com/actions/runner/compare/v2.313.0...v2.314.0
 

src/Runner.Listener/MessageListener.cs

@@ -188,12 +188,12 @@ namespace GitHub.Runner.Listener
                 {
                     using (var ts = new CancellationTokenSource(TimeSpan.FromSeconds(30)))
                     {
-                        await _runnerServer.DeleteAgentSessionAsync(_settings.PoolId, _session.SessionId, ts.Token);
-
                         if (_isBrokerSession)
                         {
                             await _brokerServer.DeleteSessionAsync(ts.Token);
+                            return;
                         }
+                        await _runnerServer.DeleteAgentSessionAsync(_settings.PoolId, _session.SessionId, ts.Token);
                     }
                 }
                 else

src/Runner.Worker/ActionManager.cs

@@ -703,12 +703,11 @@ namespace GitHub.Runner.Worker
                 catch (Exception ex) when (!executionContext.CancellationToken.IsCancellationRequested) // Do not retry if the run is cancelled.
                 {
                     // UnresolvableActionDownloadInfoException is a 422 client error, don't retry
-                    // NonRetryableActionDownloadInfoException is an non-retryable exception from Actions
                     // Some possible cases are:
                     // * Repo is rate limited
                     // * Repo or tag doesn't exist, or isn't public
                     // * Policy validation failed
-                    if (attempt < 3 && !(ex is WebApi.UnresolvableActionDownloadInfoException) && !(ex is WebApi.NonRetryableActionDownloadInfoException))
+                    if (attempt < 3 && !(ex is WebApi.UnresolvableActionDownloadInfoException))
                     {
                         executionContext.Output($"Failed to resolve action download info. Error: {ex.Message}");
                         executionContext.Debug(ex.ToString());

src/Sdk/DTWebApi/WebApi/Exceptions.cs

@@ -2498,25 +2498,6 @@ namespace GitHub.DistributedTask.WebApi
         }
     }
 
-    [Serializable]
-    public class NonRetryableActionDownloadInfoException : DistributedTaskException
-    {
-        public NonRetryableActionDownloadInfoException(String message)
-            : base(message)
-        {
-        }
-
-        public NonRetryableActionDownloadInfoException(String message, Exception innerException)
-            : base(message, innerException)
-        {
-        }
-
-        protected NonRetryableActionDownloadInfoException(SerializationInfo info, StreamingContext context)
-            : base(info, context)
-        {
-        }
-    }
-
     [Serializable]
     public sealed class FailedToResolveActionDownloadInfoException : DistributedTaskException
     {

src/Sdk/Sdk.csproj

@@ -21,6 +21,8 @@
         <PackageReference Include="System.Security.Cryptography.Cng" Version="4.4.0" />
         <PackageReference Include="System.Security.Cryptography.Pkcs" Version="4.4.0" />
         <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="4.4.0" />
+        <PackageReference Include="System.Private.Uri" Version="4.3.2" />
+        <PackageReference Include="runtime.unix.System.Private.Uri" Version="4.3.2" />
         <PackageReference Include="Minimatch" Version="2.0.0" />
         <PackageReference Include="YamlDotNet.Signed" Version="5.3.0" />
         <PackageReference Include="System.Net.Http" Version="4.3.4" />

src/Test/L0/Listener/MessageListenerL0.cs

@@ -272,7 +272,7 @@ namespace GitHub.Runner.Common.Tests.Listener
                 //Assert
                 _runnerServer
                     .Verify(x => x.DeleteAgentSessionAsync(
-                        _settings.PoolId, expectedBrokerSession.SessionId, It.IsAny<CancellationToken>()), Times.Once());
+                        _settings.PoolId, expectedSession.SessionId, It.IsAny<CancellationToken>()), Times.Never());
                 _brokerServer
                     .Verify(x => x.DeleteSessionAsync(It.IsAny<CancellationToken>()), Times.Once());
             }

src/dev.sh

@@ -17,7 +17,7 @@ LAYOUT_DIR="$SCRIPT_DIR/../_layout"
 DOWNLOAD_DIR="$SCRIPT_DIR/../_downloads/netcore2x"
 PACKAGE_DIR="$SCRIPT_DIR/../_package"
 DOTNETSDK_ROOT="$SCRIPT_DIR/../_dotnetsdk"
-DOTNETSDK_VERSION="6.0.420"
+DOTNETSDK_VERSION="6.0.419"
 DOTNETSDK_INSTALLDIR="$DOTNETSDK_ROOT/$DOTNETSDK_VERSION"
 RUNNER_VERSION=$(cat runnerversion)
 

src/global.json

@@ -1,5 +1,5 @@
 {
   "sdk": {
-    "version": "6.0.420"
+    "version": "6.0.419"
   }
 }

src/runnerversion

@@ -1 +1 @@
-2.315.0
+2.314.1