Update runner version, dependencies and .trivyignore #99

Merged: 2 commits, Sep 21, 2022
4 changes: 2 additions & 2 deletions .github/workflows/pre-commit.yml
@@ -7,5 +7,5 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v3
- uses: pre-commit/action@v2.0.3
- uses: actions/setup-python@v4.1.0
- uses: pre-commit/action@v3.0.0
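Review bot: the three `uses:` references in this hunk are pinned at different granularities: `actions/checkout@v3` follows a floating major tag, while `actions/setup-python@v4.1.0` and `pre-commit/action@v3.0.0` name exact releases. All three are still mutable git tags, so none of them guarantees the same action code on the next run. For the workflow of a repository that builds a self-hosted runner image, consider pinning each action to a full-length commit SHA with the version kept in a trailing comment, e.g. `- uses: actions/setup-python@<sha> # v4.1.0`, and apply the same scheme to `actions/checkout` so the three lines are treated consistently.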
18 changes: 5 additions & 13 deletions .trivyignore
@@ -1,17 +1,9 @@
# accept the risk of the internal Node.JS libraries used by the runner.
CVE-2021-3807
CVE-2020-8116
CVE-2020-7788
CVE-2021-3918
CVE-2019-16776
CVE-2020-7754
CVE-2021-23343
CVE-2021-27290
CVE-2021-32803
CVE-2021-32804
CVE-2021-37701
CVE-2021-37712
CVE-2021-37713
CVE-2020-7774
CVE-2019-16775
CVE-2021-44906
CVE-2022-29244
# accept the risk of internal dotnet-core dependencies for the runner
CVE-2018-8292
CVE-2019-0981
CVE-2019-0980
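Review bot: the entries that survive this hunk are still accepted under two blanket comments ("accept the risk of the internal Node.JS libraries used by the runner" and the dotnet-core one) with no per-CVE rationale, owner or review date, so nothing forces the list to be revisited the next time ACTIONS_VERSION changes. Since the list was trimmed by hand alongside the runner bump, record per entry why the finding does not apply in this image (for example, that the bundled runtime is used only by the agent itself and is not reachable by job code) and, if the Trivy version in use supports an expiry date on ignore entries, add one so a stale entry fails the scan instead of silently suppressing a finding that a later runner release re-introduces.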
4 changes: 2 additions & 2 deletions Dockerfile
@@ -1,10 +1,10 @@
FROM ubuntu:20.04
FROM ubuntu:22.04

ARG DEBIAN_FRONTEND=noninteractive
ARG RUNUSER=runner
ARG RUNGROUP=runner

ARG ACTIONS_VERSION="2.292.0"
ARG ACTIONS_VERSION="2.296.2"

COPY build.sh /tmp

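Review bot: both values bumped in this hunk remain mutable references: `ubuntu:22.04` is a tag that Canonical repoints as the image is rebuilt, and `ACTIONS_VERSION="2.296.2"` names a release but nothing visible here verifies what build.sh downloads for it. Pinning the base image by digest (`FROM ubuntu:22.04@sha256:<digest>`, digest to be filled in) and adding a checksum ARG that build.sh compares against the downloaded runner tarball would make the image reproducible and reject a tampered or mismatched artifact. The move from 20.04 to 22.04 also changes the base toolchain (OpenSSL 3 and Python 3.10 by default), which is worth stating in the PR description for workflows that depend on the image's system packages.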
27 changes: 9 additions & 18 deletions entrypoint.sh
@@ -11,28 +11,19 @@ REGISTRATION_TOKEN=$(curl -s -X POST \

UNIQUE_ID=$(uuidgen)

# Register the runner
# Register the runner:
# - disable updates since we manage them manually via the container image
# - https://docs.github.com/en/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners#controlling-runner-software-updates-on-self-hosted-runners
# - register as an ephemeral runner
# - https://docs.github.com/en/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling
./config.sh \
--unattended \
--url "https://github.com/${REPO_OWNER}/${REPO_NAME}" \
--token "${REGISTRATION_TOKEN}" \
--name "${UNIQUE_ID}" \
--work ../work-dir \
--replace
--replace \
--disableupdate \
--ephemeral

cleanup() {
Contributor: Does the --ephemeral flag replace the need for this old cleanup code, or was there something else that deprecated this?

Contributor Author: Yep!

GitHub is deprecating the --once flag for the run script and replacing it with the --ephemeral flag for the configure script. Runners that are configured as ephemeral are automatically de-registered by GitHub, so we can safely remove the cleanup step from our entrypoint script (I also didn't think it was necessary to clean up any folders upon exit since the whole container is torn down at this point).

# give the job a second to finish
sleep 1
# Deregister the runner from github
REGISTRATION_TOKEN=$(curl -s -XPOST \
-H "Authorization: token ${PERSONAL_ACCESS_TOKEN}" \
"https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/registration-token" | jq -r .token)
./config.sh remove --token "${REGISTRATION_TOKEN}"

# Remove our runner work dir to clean up after ourselves
rm -rf ../work-dir
}

# Run cleanup upon exit. exit upon one job ran
trap cleanup EXIT
./run.sh --once
./run.sh
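Review bot: with the trap and `cleanup()` removed, `PERSONAL_ACCESS_TOKEN` is no longer needed after `./config.sh` returns, yet it and `REGISTRATION_TOKEN` stay in the environment that `./run.sh` and every job step it launches inherit; add `unset PERSONAL_ACCESS_TOKEN REGISTRATION_TOKEN` before the final `./run.sh` so a workflow step cannot read the PAT from its own environment. Two smaller points on the same hunk: `--replace` is redundant now that the runner name is a fresh `uuidgen` value and can be dropped, and since no trap remains, `exec ./run.sh` would let the runner process receive the container's stop signal directly instead of through the shell. The deleted `config.sh remove` also covered the case where the container is stopped before a job is ever assigned; it is worth confirming how a never-used ephemeral registration is handled both on the GitHub side and by whatever scales these containers.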