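#!/usr/bin/env bash
#
# Entrypoint for a self-hosted GitHub Actions runner container.
#
# One authentication method is selected from the environment, in this order:
#   1. GITHUB_REPOSITORY + GITHUB_TOKEN                       (legacy, persistent runner)
#   2. GITHUB_PAT + REGISTRATION_TOKEN_API_URL + REPO_URL     (ephemeral runner)
#   3. GITHUB_APP_ID + GITHUB_APP_KEY + GITHUB_APP_INSTALLATION_ID
#      + REGISTRATION_TOKEN_API_URL + REPO_URL                (ephemeral runner)
#
# Optional: INTERACTIVE_MODE, RUNNER_NAME, WORK_DIR, REPLACE_EXISTING_RUNNER, LABELS.
# Must be run from the unpacked runner directory (./config.sh and ./run.sh).
# Exit status: that of config.sh / run.sh, or 1 on a configuration error.
#
# Long-lived secrets (GITHUB_PAT, GITHUB_APP_KEY) are replaced in the environment
# *before* config.sh/run.sh start, so the runner process and the jobs it executes
# never inherit them; only the short-lived registration token reaches config.sh.

# Without pipefail a failed curl is hidden by the jq stage that follows it.
set -o pipefail

# Path of the temporary PEM file used by the GitHub App flow (global so the EXIT trap can see it).
PEM_PATH=""

# Print an error to stderr and exit 1.
die() {
  printf '❌ %s\n' "$*" >&2
  exit 1
}

# Exit 1 naming the first listed environment variable that is unset or empty.
# Arguments: variable names.
require_vars() {
  local name
  for name in "$@"; do
    [ -n "${!name}" ] || die "$name must be set for the selected authentication method"
  done
}

# True when $1, lower-cased, is exactly "true" (so TRUE/True/true all match).
is_true() {
  [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = "true" ]
}

# URL-safe, unpadded base64 of stdin on one line (JWT "base64url").
b64url() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }

# POST to a GitHub REST endpoint and print the "token" field of the JSON reply.
# Arguments: $1 = URL, $2 = bearer token.
# The Authorization header is passed to curl as a config file on stdin (-K -),
# so the secret never appears on the command line / in the process list.
# Prints nothing and returns non-zero when the request fails; prints nothing
# (status 0) when the reply carries no token — callers must test for empty output.
gh_fetch_token() {
  local url=$1 bearer=$2
  curl -fsSL -X POST \
    -H 'Accept: application/vnd.github+json' \
    -H 'X-GitHub-Api-Version: 2022-11-28' \
    -K - "$url" <<EOF | jq -r '.token // empty'
header = "Authorization: Bearer ${bearer}"
EOF
}

# Build an RS256 JWT for a GitHub App and print it.
# Arguments: $1 = app id, $2 = path to the PEM private key.
# iat is backdated 60 s to tolerate clock skew; exp is +10 min, GitHub's maximum.
make_app_jwt() {
  local app_id=$1 pem_path=$2
  local now iat exp header payload signing_input signature
  now=$(date +%s)
  iat=$((now - 60))
  exp=$((now + 600))
  header=$(printf '%s' '{"typ":"JWT","alg":"RS256"}' | b64url)
  payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' "$iat" "$exp" "$app_id" | b64url)
  signing_input="${header}.${payload}"
  signature=$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$pem_path" | b64url) || return
  printf '%s.%s' "$signing_input" "$signature"
}

# Register an ephemeral runner with a short-lived registration token and run it.
# Arguments: $1 = repository/organisation URL, $2 = registration token.
# Returns config.sh's status if registration fails, otherwise run.sh's status.
# NOTE(review): config.sh takes the token on argv, so it is briefly visible in the
# process list; the registration token is short-lived and single-use.
register_and_run() {
  local url=$1 token=$2
  #<https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners>
  ./config.sh \
    --url "$url" \
    --token "$token" \
    --unattended \
    --disableupdate \
    --ephemeral \
    --replace \
    --labels "$LABELS" \
    && ./run.sh
}

# Legacy flow: GITHUB_TOKEN is used directly as the registration token, the
# runner is persistent, and config.sh may be driven interactively.
run_legacy() {
  echo "🌊 start agent configuration"
  local interactive="FALSE"
  if is_true "$INTERACTIVE_MODE"; then
    interactive="TRUE"
  fi
  # Default configuration values; exported because config.sh/run.sh are children.
  : "${RUNNER_NAME:=$(hostname)}"
  : "${WORK_DIR:=.workdir}"
  export RUNNER_NAME WORK_DIR
  # Answers fed to config.sh's prompts in non-interactive mode:
  # first prompt "replace existing runner?" (Y or default), then two defaults.
  local answers=$'\n\n\n'
  local replacement_policy_label="FALSE"
  if is_true "$REPLACE_EXISTING_RUNNER"; then
    answers=$'Y\n\n'
    replacement_policy_label="TRUE"
  fi
  printf "ℹ️ Configuring GitHub Runner for %s\n\t" "$GITHUB_REPOSITORY"
  printf "ℹ️ Runner Name: %s\n\t" "$RUNNER_NAME"
  printf "ℹ️ Working Directory: %s\n\t" "$WORK_DIR"
  printf "ℹ️ Replace Existing Runners: %s\n" "$replacement_policy_label"
  #<https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners>
  local config_args=(
    --url "$GITHUB_REPOSITORY"
    --token "$GITHUB_TOKEN"
    --name "$RUNNER_NAME"
    --work "$WORK_DIR"
    --labels "$LABELS"
    --disableupdate
  )
  # A failing config.sh is only a warning here: on a persisted volume the runner
  # may already be configured, in which case run.sh still works.
  if [ "$interactive" = "FALSE" ]; then
    printf '%s' "$answers" | ./config.sh "${config_args[@]}" \
      || printf 'warn: config.sh exited %d; starting run.sh with any existing configuration\n' "$?" >&2
  else
    ./config.sh "${config_args[@]}" \
      || printf 'warn: config.sh exited %d; starting run.sh with any existing configuration\n' "$?" >&2
    echo "✅ config.sh launched"
  fi
  echo "🚀 Executing GitHub Runner for $GITHUB_REPOSITORY"
  ./run.sh
}

# PAT flow: exchange the PAT for a short-lived registration token, drop the PAT
# from the environment, then register and run an ephemeral runner.
run_with_pat() {
  require_vars REGISTRATION_TOKEN_API_URL REPO_URL
  local registration_token
  if ! registration_token=$(gh_fetch_token "$REGISTRATION_TOKEN_API_URL" "$GITHUB_PAT") \
     || [ -z "$registration_token" ]; then
    die "Failed to retrieve runner registration token"
  fi
  # The PAT is no longer needed; keep it out of the runner's (and its jobs') environment.
  export GITHUB_PAT=_REDACTED_
  register_and_run "$REPO_URL" "$registration_token"
}

# GitHub App flow: sign an app JWT, mint an installation access token, exchange
# it for a registration token, then register and run an ephemeral runner.
run_with_app() {
  require_vars GITHUB_APP_ID GITHUB_APP_KEY GITHUB_APP_INSTALLATION_ID REGISTRATION_TOKEN_API_URL REPO_URL
  local jwt access_token registration_token
  # openssl needs the key as a file. mktemp creates it 0600; no ".pem" suffix so the
  # template also works with BSD mktemp. The file is deleted right after signing
  # and, on any earlier exit, by the trap.
  PEM_PATH=$(mktemp /tmp/github-app-key.XXXXXX) || die "mktemp failed"
  chmod 600 "$PEM_PATH"
  trap 'rm -f "$PEM_PATH"' EXIT
  trap 'exit 1' INT TERM HUP
  printf '%s' "$GITHUB_APP_KEY" > "$PEM_PATH"
  # The private key must not be inherited by config.sh/run.sh or the jobs they run.
  export GITHUB_APP_KEY=_REDACTED_
  jwt=$(make_app_jwt "$GITHUB_APP_ID" "$PEM_PATH") || die "Failed to sign GitHub App JWT"
  rm -f "$PEM_PATH"
  if ! access_token=$(gh_fetch_token \
       "https://api.github.com/app/installations/$GITHUB_APP_INSTALLATION_ID/access_tokens" "$jwt") \
     || [ -z "$access_token" ]; then
    die "Failed to retrieve GitHub App access token"
  fi
  if ! registration_token=$(gh_fetch_token "$REGISTRATION_TOKEN_API_URL" "$access_token") \
     || [ -z "$registration_token" ]; then
    die "Failed to retrieve runner registration token"
  fi
  register_and_run "$REPO_URL" "$registration_token"
}

# Select the authentication method from the environment and run the runner.
# Any partially-set GitHub App configuration is routed to run_with_app so that
# require_vars can name the missing variable instead of the generic message.
main() {
  if [ -n "$GITHUB_REPOSITORY" ] && [ -n "$GITHUB_TOKEN" ]; then
    run_legacy
  elif [ -n "$GITHUB_PAT" ]; then
    run_with_pat
  elif [ -n "$GITHUB_APP_ID" ] || [ -n "$GITHUB_APP_KEY" ] || [ -n "$GITHUB_APP_INSTALLATION_ID" ]; then
    run_with_app
  else
    {
      echo "❌ No valid authentication method configured."
      echo "Please set one of the following:"
      echo " - GITHUB_REPOSITORY and GITHUB_TOKEN (legacy)"
      echo " - GITHUB_PAT, REGISTRATION_TOKEN_API_URL, and REPO_URL"
      echo " - GITHUB_APP_ID, GITHUB_APP_KEY, GITHUB_APP_INSTALLATION_ID, REGISTRATION_TOKEN_API_URL, and REPO_URL"
    } >&2
    exit 1
  fi
}

main "$@"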