
Commit 9c92e84

committed
Merge branch 'main' of https://github.com/actions/runner
2 parents 1c121e8 + 1df72a5 commit 9c92e84

264 files changed

Lines changed: 32998 additions & 887 deletions


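--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -4,7 +4,7 @@
 "features": {
 "ghcr.io/devcontainers/features/docker-in-docker:1": {},
 "ghcr.io/devcontainers/features/dotnet": {
-"version": "8.0.412"
+"version": "8.0.417"
 },
 "ghcr.io/devcontainers/features/node:1": {
 "version": "20"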

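--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -0,0 +1,25 @@
+## Making changes
+
+### Tests
+
+Whenever possible, changes should be accompanied by non-trivial tests that meaningfully exercise the core functionality of the new code being introduced.
+
+All tests are in the `Test/` directory at the repo root. Fast unit tests are in the `Test/L0` directory and by convention have the suffix `L0.cs`. For example: unit tests for a hypothetical `src/Runner.Worker/Foo.cs` would go in `src/Test/L0/Worker/FooL0.cs`.
+
+Run tests using this command:
+
+```sh
+cd src && ./dev.sh test
+```
+
+### Formatting
+
+After editing .cs files, always format the code using this command:
+
+```sh
+cd src && ./dev.sh format
+```
+
+### Feature Flags
+
+Wherever possible, all changes should be safeguarded by a feature flag; `Features` are declared in [Constants.cs](src/Runner.Common/Constants.cs).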

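--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,6 +15,9 @@ on:
 paths-ignore:
 - '**.md'
 
+permissions:
+contents: read
+
 jobs:
 build:
 strategy:
@@ -64,7 +67,7 @@ jobs:
 
 runs-on: ${{ matrix.os }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@v6
 
 # Build runner layout
 - name: Build & Layout Release
@@ -82,7 +85,7 @@ jobs:
 # Upload runner package tar.gz/zip as artifact
 - name: Publish Artifact
 if: github.event_name != 'pull_request'
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@v6
 with:
 name: runner-package-${{ matrix.runtime }}
 path: |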
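Review bot: The checkout and upload-artifact steps are still pinned to mutable major tags (`- uses: actions/checkout@v6` at new line 70, `uses: actions/upload-artifact@v6` at new line 88), so the bump resolves to whatever those tags point at on the day the job runs; the new top-level `permissions: contents: read` limits what a compromised action could do with the token but does not pin the dependency itself. Pinning to the full commit SHA with the version as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v6`, makes the supply chain auditable, and Dependabot can keep both the SHA and the comment current. The same applies to the `actions/checkout` and `github/codeql-action` bumps in codeql.yml and to the `actions/checkout@v6` and `actions/setup-node@v6` steps in the new Dependency Status Check workflow in this commit.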

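--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -18,15 +18,15 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v6
 
 - uses: actions/setup-dotnet@v4
 with:
 dotnet-version: 8.0.x
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@v3
+uses: github/codeql-action/init@v4
 # Override language selection by uncommenting this and choosing your languages
 # with:
 # languages: go, javascript, csharp, python, cpp, java
@@ -37,4 +37,4 @@ jobs:
 working-directory: src/Runner.Client
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@v3
+uses: github/codeql-action/analyze@v4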
Lines changed: 211 additions & 0 deletions
@@ -0,0 +1,211 @@
1+
name: Dependency Status Check
2+
3+
on:
4+
workflow_dispatch:
5+
inputs:
6+
check_type:
7+
description: "Type of dependency check"
8+
required: false
9+
default: "all"
10+
type: choice
11+
options:
12+
- all
13+
- node
14+
- dotnet
15+
- docker
16+
- npm
17+
schedule:
18+
- cron: "0 11 * * 1" # Weekly on Monday at 11 AM
19+
20+
jobs:
21+
dependency-status:
22+
runs-on: ubuntu-latest
23+
outputs:
24+
node20-status: ${{ steps.check-versions.outputs.node20-status }}
25+
node24-status: ${{ steps.check-versions.outputs.node24-status }}
26+
dotnet-status: ${{ steps.check-versions.outputs.dotnet-status }}
27+
docker-status: ${{ steps.check-versions.outputs.docker-status }}
28+
buildx-status: ${{ steps.check-versions.outputs.buildx-status }}
29+
npm-vulnerabilities: ${{ steps.check-versions.outputs.npm-vulnerabilities }}
30+
open-dependency-prs: ${{ steps.check-prs.outputs.open-dependency-prs }}
31+
steps:
32+
- uses: actions/checkout@v6
33+
- name: Setup Node.js
34+
uses: actions/setup-node@v6
35+
with:
36+
node-version: "20"
37+
38+
- name: Check dependency versions
39+
id: check-versions
40+
run: |
41+
echo "## Dependency Status Report" >> $GITHUB_STEP_SUMMARY
42+
echo "Generated on: $(date)" >> $GITHUB_STEP_SUMMARY
43+
echo "" >> $GITHUB_STEP_SUMMARY
44+
45+
# Check Node versions
46+
if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "node" ]]; then
47+
echo "### Node.js Versions" >> $GITHUB_STEP_SUMMARY
48+
49+
VERSIONS_JSON=$(curl -s https://raw.githubusercontent.com/actions/node-versions/main/versions-manifest.json)
50+
LATEST_NODE20=$(echo "$VERSIONS_JSON" | jq -r '.[] | select(.version | startswith("20.")) | .version' | head -1)
51+
LATEST_NODE24=$(echo "$VERSIONS_JSON" | jq -r '.[] | select(.version | startswith("24.")) | .version' | head -1)
52+
53+
CURRENT_NODE20=$(grep "NODE20_VERSION=" src/Misc/externals.sh | cut -d'"' -f2)
54+
CURRENT_NODE24=$(grep "NODE24_VERSION=" src/Misc/externals.sh | cut -d'"' -f2)
55+
56+
NODE20_STATUS="✅ up-to-date"
57+
NODE24_STATUS="✅ up-to-date"
58+
59+
if [ "$CURRENT_NODE20" != "$LATEST_NODE20" ]; then
60+
NODE20_STATUS="⚠️ outdated"
61+
fi
62+
63+
if [ "$CURRENT_NODE24" != "$LATEST_NODE24" ]; then
64+
NODE24_STATUS="⚠️ outdated"
65+
fi
66+
67+
echo "| Version | Current | Latest | Status |" >> $GITHUB_STEP_SUMMARY
68+
echo "|---------|---------|--------|--------|" >> $GITHUB_STEP_SUMMARY
69+
echo "| Node 20 | $CURRENT_NODE20 | $LATEST_NODE20 | $NODE20_STATUS |" >> $GITHUB_STEP_SUMMARY
70+
echo "| Node 24 | $CURRENT_NODE24 | $LATEST_NODE24 | $NODE24_STATUS |" >> $GITHUB_STEP_SUMMARY
71+
echo "" >> $GITHUB_STEP_SUMMARY
72+
73+
echo "node20-status=$NODE20_STATUS" >> $GITHUB_OUTPUT
74+
echo "node24-status=$NODE24_STATUS" >> $GITHUB_OUTPUT
75+
fi
76+
77+
# Check .NET version
78+
if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "dotnet" ]]; then
79+
echo "### .NET SDK Version" >> $GITHUB_STEP_SUMMARY
80+
81+
current_dotnet_version=$(jq -r .sdk.version ./src/global.json)
82+
current_major_minor=$(echo "$current_dotnet_version" | cut -d '.' -f 1,2)
83+
latest_dotnet_version=$(curl -sb -H "Accept: application/json" "https://dotnetcli.blob.core.windows.net/dotnet/Sdk/$current_major_minor/latest.version")
84+
85+
DOTNET_STATUS="✅ up-to-date"
86+
if [ "$current_dotnet_version" != "$latest_dotnet_version" ]; then
87+
DOTNET_STATUS="⚠️ outdated"
88+
fi
89+
90+
echo "| Component | Current | Latest | Status |" >> $GITHUB_STEP_SUMMARY
91+
echo "|-----------|---------|--------|--------|" >> $GITHUB_STEP_SUMMARY
92+
echo "| .NET SDK | $current_dotnet_version | $latest_dotnet_version | $DOTNET_STATUS |" >> $GITHUB_STEP_SUMMARY
93+
echo "" >> $GITHUB_STEP_SUMMARY
94+
95+
echo "dotnet-status=$DOTNET_STATUS" >> $GITHUB_OUTPUT
96+
fi
97+
98+
# Check Docker versions
99+
if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "docker" ]]; then
100+
echo "### Docker Versions" >> $GITHUB_STEP_SUMMARY
101+
102+
current_docker=$(grep "ARG DOCKER_VERSION=" ./images/Dockerfile | cut -d'=' -f2)
103+
current_buildx=$(grep "ARG BUILDX_VERSION=" ./images/Dockerfile | cut -d'=' -f2)
104+
105+
latest_docker=$(curl -s https://download.docker.com/linux/static/stable/x86_64/ | grep -o 'docker-[0-9]*\.[0-9]*\.[0-9]*\.tgz' | sort -V | tail -n 1 | sed 's/docker-\(.*\)\.tgz/\1/')
106+
latest_buildx=$(curl -s https://api.github.com/repos/docker/buildx/releases/latest | jq -r '.tag_name' | sed 's/^v//')
107+
108+
DOCKER_STATUS="✅ up-to-date"
109+
BUILDX_STATUS="✅ up-to-date"
110+
111+
if [ "$current_docker" != "$latest_docker" ]; then
112+
DOCKER_STATUS="⚠️ outdated"
113+
fi
114+
115+
if [ "$current_buildx" != "$latest_buildx" ]; then
116+
BUILDX_STATUS="⚠️ outdated"
117+
fi
118+
119+
echo "| Component | Current | Latest | Status |" >> $GITHUB_STEP_SUMMARY
120+
echo "|-----------|---------|--------|--------|" >> $GITHUB_STEP_SUMMARY
121+
echo "| Docker | $current_docker | $latest_docker | $DOCKER_STATUS |" >> $GITHUB_STEP_SUMMARY
122+
echo "| Docker Buildx | $current_buildx | $latest_buildx | $BUILDX_STATUS |" >> $GITHUB_STEP_SUMMARY
123+
echo "" >> $GITHUB_STEP_SUMMARY
124+
125+
echo "docker-status=$DOCKER_STATUS" >> $GITHUB_OUTPUT
126+
echo "buildx-status=$BUILDX_STATUS" >> $GITHUB_OUTPUT
127+
fi
128+
129+
# Check npm vulnerabilities
130+
if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "npm" ]]; then
131+
echo "### NPM Security Audit" >> $GITHUB_STEP_SUMMARY
132+
133+
cd src/Misc/expressionFunc/hashFiles
134+
npm install --silent
135+
136+
AUDIT_OUTPUT=""
137+
AUDIT_EXIT_CODE=0
138+
# Run npm audit and capture output and exit code
139+
if ! AUDIT_OUTPUT=$(npm audit --json 2>&1); then
140+
AUDIT_EXIT_CODE=$?
141+
fi
142+
143+
# Check if output is valid JSON
144+
if echo "$AUDIT_OUTPUT" | jq . >/dev/null 2>&1; then
145+
VULN_COUNT=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.total // 0')
146+
# Ensure VULN_COUNT is a number
147+
VULN_COUNT=$(echo "$VULN_COUNT" | grep -o '[0-9]*' | head -1)
148+
VULN_COUNT=${VULN_COUNT:-0}
149+
150+
NPM_STATUS="✅ no vulnerabilities"
151+
if [ "$VULN_COUNT" -gt 0 ] 2>/dev/null; then
152+
NPM_STATUS="⚠️ $VULN_COUNT vulnerabilities found"
153+
154+
# Get vulnerability details
155+
HIGH_VULNS=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.high // 0')
156+
CRITICAL_VULNS=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.critical // 0')
157+
158+
echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
159+
echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
160+
echo "| Critical | $CRITICAL_VULNS |" >> $GITHUB_STEP_SUMMARY
161+
echo "| High | $HIGH_VULNS |" >> $GITHUB_STEP_SUMMARY
162+
echo "" >> $GITHUB_STEP_SUMMARY
163+
else
164+
echo "No npm vulnerabilities found ✅" >> $GITHUB_STEP_SUMMARY
165+
echo "" >> $GITHUB_STEP_SUMMARY
166+
fi
167+
else
168+
NPM_STATUS="❌ npm audit failed"
169+
echo "npm audit failed to run or returned invalid JSON ❌" >> $GITHUB_STEP_SUMMARY
170+
echo "Exit code: $AUDIT_EXIT_CODE" >> $GITHUB_STEP_SUMMARY
171+
echo "Output: $AUDIT_OUTPUT" >> $GITHUB_STEP_SUMMARY
172+
echo "" >> $GITHUB_STEP_SUMMARY
173+
fi
174+
175+
echo "npm-vulnerabilities=$NPM_STATUS" >> $GITHUB_OUTPUT
176+
fi
177+
178+
- name: Check for open dependency PRs
179+
id: check-prs
180+
env:
181+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
182+
run: |
183+
echo "### Open Dependency PRs" >> $GITHUB_STEP_SUMMARY
184+
185+
# Get open PRs with dependency label
186+
OPEN_PRS=$(gh pr list --label "dependencies" --state open --json number,title,url)
187+
PR_COUNT=$(echo "$OPEN_PRS" | jq '. | length')
188+
189+
if [ "$PR_COUNT" -gt 0 ]; then
190+
echo "Found $PR_COUNT open dependency PR(s):" >> $GITHUB_STEP_SUMMARY
191+
echo "" >> $GITHUB_STEP_SUMMARY
192+
echo "$OPEN_PRS" | jq -r '.[] | "- [#\(.number)](\(.url)) \(.title)"' >> $GITHUB_STEP_SUMMARY
193+
else
194+
echo "No open dependency PRs found ✅" >> $GITHUB_STEP_SUMMARY
195+
fi
196+
197+
echo "" >> $GITHUB_STEP_SUMMARY
198+
echo "open-dependency-prs=$PR_COUNT" >> $GITHUB_OUTPUT
199+
200+
- name: Summary
201+
run: |
202+
echo "### Summary" >> $GITHUB_STEP_SUMMARY
203+
echo "- Check for open PRs with the \`dependency\` label before releases" >> $GITHUB_STEP_SUMMARY
204+
echo "- Review and merge dependency updates regularly" >> $GITHUB_STEP_SUMMARY
205+
echo "- Critical vulnerabilities should be addressed immediately" >> $GITHUB_STEP_SUMMARY
206+
echo "" >> $GITHUB_STEP_SUMMARY
207+
echo "**Automated workflows run weekly to check for updates:**" >> $GITHUB_STEP_SUMMARY
208+
echo "- Node.js versions (Mondays at 6 AM)" >> $GITHUB_STEP_SUMMARY
209+
echo "- NPM audit fix (Mondays at 7 AM)" >> $GITHUB_STEP_SUMMARY
210+
echo "- .NET SDK updates (Mondays at midnight)" >> $GITHUB_STEP_SUMMARY
211+
echo "- Docker/Buildx updates (Mondays at midnight)" >> $GITHUB_STEP_SUMMARY
