+ "message": "feature: bring back action runners (#14240)\n\nBring back action runners and use them in conjunction with bubble wrap\nto make it impossible to modify the shared cache.\n\nI'm going to enable this through the makefile for folks on the dev team\nto get some beta testing. If all goes well, it should be available for\n3.24.\n\n@anmonteiro I've been told that sandbox-exec offers comparable\nfunctionality on macos. It would be good to have this as an alternative\nto bwrap.\n\n## Work Included\n\n- Add --action-runner and the internal action-runner worker command.\n- Add --sandbox-actions, which runs eligible actions through a\nbubblewrap-wrapped\n worker and protects the shared cache from worker writes.\n- Extend process execution with a path-based runner hook, runner-safe\nmetadata,\n output/capture handling, and parent-owned trace events.\n- Add action eligibility plumbing (Allow_action_runner,\ncan_run_in_action_runner,\nruns_process) for user actions, cram tests, pp/ppx, inline tests, and\nselected\n action extensions.\n- Add RPC protocol/server support for runner ready/exec/cancel requests,\nper-generation lifecycle tracking, disconnect handling, and\nbuild-cancellation\n propagation.\n- Add trace events and inherited trace-fd support for worker lifecycle\nand\n process events.\n- Account for sandbox-actions in rule digests only for actions that\nspawn\n processes.\n- Add black-box coverage for runner execution, failures, disconnects,\n cancellation, watch shutdown, tracing, and sandboxed actions.\n\nSigned-off-by: Rudi Grinberg <me@rgrinberg.com>",
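Review bot: the summary line's claim that the change makes it "impossible to modify the shared cache" is broader than the Work Included list supports. That list scopes the protection to "eligible actions" run through the bubblewrap-wrapped worker, and to "worker writes". The message should state the same scope in the summary, name the flag that turns it on (--sandbox-actions), and say that the protection depends on bwrap, since the sandbox-exec alternative for macOS is only proposed here. The spelling also varies between "bubble wrap", "bubblewrap" and "bwrap"; using the tool's name consistently would make the message easier to search.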