From 45aa16c779f92c7e2fadf78a50b7ea428b257f22 Mon Sep 17 00:00:00 2001
From: Christopher Homberger
Date: Fri, 12 Sep 2025 17:16:07 +0200
Subject: [PATCH] Add RequireFipsCryptography support for PS256 auth

* legacy auth is still working at the moment, use new if using broker service or the unseen feature flag is on
---
 protocol/task_agent.go | 8 +++++++-
 .../compat/actions_runner_compat.go | 15 +++++++++++++--
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/protocol/task_agent.go b/protocol/task_agent.go
index 395c83a..e817a0e 100644
--- a/protocol/task_agent.go
+++ b/protocol/task_agent.go
@@ -116,7 +116,13 @@ type TaskAgents struct {
 func (taskAgent *TaskAgent) Authorize(c *http.Client, key interface{}) (*VssOAuthTokenResponse, error) {
 tokenresp := &VssOAuthTokenResponse{}
 now := time.Now().UTC().Add(-30 * time.Second)
- token2 := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.StandardClaims{
+ var method jwt.SigningMethod = jwt.SigningMethodRS256
+ requireFipsCryptography, hasRequireFipsCryptography := taskAgent.Properties.LookupBool("RequireFipsCryptography")
+ serverV2URL, _ := taskAgent.Properties.LookupString("ServerUrlV2")
+ if requireFipsCryptography && hasRequireFipsCryptography || serverV2URL != "" {
+ method = jwt.SigningMethodPS256
+ }
+ token2 := jwt.NewWithClaims(method, jwt.StandardClaims{
 Subject: taskAgent.Authorization.ClientID,
 Issuer: taskAgent.Authorization.ClientID,
 Id: uuid.New().String(),
diff --git a/runnerconfiguration/compat/actions_runner_compat.go b/runnerconfiguration/compat/actions_runner_compat.go
index 6eb9a2c..1c3075d 100644
--- a/runnerconfiguration/compat/actions_runner_compat.go
+++ b/runnerconfiguration/compat/actions_runner_compat.go
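Review bot: The signing-method condition `requireFipsCryptography && hasRequireFipsCryptography || serverV2URL != ""` mixes `&&` and `||` without parentheses and is duplicated verbatim in FromRunnerInstance (actions_runner_compat.go, the `@@ -208,11 +215,15 @@` hunk), so the two sites can drift apart the next time the rule changes. Moving the decision into one exported helper on TaskAgent and calling it from both places keeps the token signer and the persisted credentials file in agreement; the sketch below does that and also parenthesises the expression. A short comment on why a configured ServerUrlV2 alone forces PS256 (the commit message says the broker-service path needs it) belongs on the helper, and `hasRequireFipsCryptography` looks redundant if LookupBool yields `false` for a missing key, which is worth confirming against its implementation. Authorize's body continues outside the hunk.
```go
// UsePS256 reports whether tokens must be signed with RSA-PSS (PS256) instead of
// RS256: the server set RequireFipsCryptography, or a ServerUrlV2 (broker) is configured.
func (taskAgent *TaskAgent) UsePS256() bool {
	requireFips, ok := taskAgent.Properties.LookupBool("RequireFipsCryptography")
	serverV2URL, _ := taskAgent.Properties.LookupString("ServerUrlV2")
	return (ok && requireFips) || serverV2URL != ""
}

func (taskAgent *TaskAgent) Authorize(c *http.Client, key interface{}) (*VssOAuthTokenResponse, error) {
	tokenresp := &VssOAuthTokenResponse{}
	now := time.Now().UTC().Add(-30 * time.Second)
	var method jwt.SigningMethod = jwt.SigningMethodRS256
	if taskAgent.UsePS256() {
		method = jwt.SigningMethodPS256
	}
	// … unchanged: claims construction and token request …
```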
@@ -45,8 +45,9 @@ type DotnetCredentials struct {
 }
 
 type DotnetCredentialsData struct {
- ClientID string `json:"ClientId"`
- AuthorizationURL string `json:"AuthorizationUrl"`
+ ClientID string `json:"ClientId"`
+ AuthorizationURL string `json:"AuthorizationUrl"`
+ RequireFipsCryptography bool `json:"RequireFipsCryptography"`
 }
 
 func BytesToBigInt(bytes []byte) *big.Int {
@@ -159,6 +160,12 @@ func ToRunnerInstance(fileAccess ConfigFileAccess) (*runnerconfiguration.RunnerI
 Value: agent.UseV2Flow,
 }
 }
+ if credentials.Data.RequireFipsCryptography {
+ props["RequireFipsCryptography"] = protocol.PropertyValue{
+ Type: "System.Boolean",
+ Value: credentials.Data.RequireFipsCryptography,
+ }
+ }
 
 return &runnerconfiguration.RunnerInstance{
 PoolID: poolID,
@@ -208,11 +215,15 @@ func FromRunnerInstance(instance *runnerconfiguration.RunnerInstance, fileAccess
 if agent.WorkFolder == "" {
 agent.WorkFolder = "_work"
 }
+ requireFipsCryptography, hasRequireFipsCryptography := instance.Agent.Properties.LookupBool("RequireFipsCryptography")
 credentials := &DotnetCredentials{
 Scheme: "OAuth",
 Data: DotnetCredentialsData{
 ClientID: instance.Agent.Authorization.ClientID,
 AuthorizationURL: instance.Agent.Authorization.AuthorizationURL,
+ // serverV2URL != "" means recent GitHub Server that requires recent actions/runner
+ // that has received this bugfix https://github.com/actions/runner/pull/3789
+ RequireFipsCryptography: requireFipsCryptography && hasRequireFipsCryptography || serverV2URL != "",
 },
 }
 if err := fileAccess.Write(".runner", agent); err != nil {
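Review bot: Inside `if credentials.Data.RequireFipsCryptography { … }` the property's `Value` can only ever be `true`, so `Value: true,` states the intent more directly than re-reading the field. Because the key is written only when the flag is set, a false flag leaves the property absent and TaskAgent.Authorize then depends on the `ok` result of LookupBool; a one-line comment on the `if`, e.g. `// only persist the property when set; absence means RS256 (see TaskAgent.Authorize)`, would record that contract for the next reader. ToRunnerInstance begins and ends outside the hunk.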
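Review bot: The persisted `RequireFipsCryptography` is derived from `serverV2URL != ""` as well as from the property, so a runner configured with ServerUrlV2 but without the property gets `RequireFipsCryptography: true` written to `.credentials`, and ToRunnerInstance (the `@@ -159,6 +160,12 @@` hunk) will then materialise a `RequireFipsCryptography` property the server never sent; the FromRunnerInstance/ToRunnerInstance round trip is not identity. That is harmless for Authorize, which would choose PS256 either way, but it deserves a sentence in the new comment, e.g. `// Also set when only ServerUrlV2 is configured; ToRunnerInstance reads this back as a property.`. `serverV2URL` is presumably declared earlier in FromRunnerInstance, outside this hunk, and the function continues past it.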