From 139ae7be819449a57a2f160aee250ff0141ac070 Mon Sep 17 00:00:00 2001
From: Krusty93
Date: Fri, 6 Feb 2026 16:04:07 +0100
Subject: [PATCH 1/4] replace pat with access token
---
 github-runner-entrypoint.sh | 72 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 71 insertions(+), 1 deletion(-)
diff --git a/github-runner-entrypoint.sh b/github-runner-entrypoint.sh
index e024305..2255086 100644
--- a/github-runner-entrypoint.sh
+++ b/github-runner-entrypoint.sh
@@ -62,7 +62,7 @@ if [ -n "$GITHUB_REPOSITORY" ] && [ -n "$GITHUB_TOKEN" ]; then
  ./run.sh
  echo "🚀 Executing GitHub Runner for $GITHUB_REPOSITORY"
-else
+elif [ -n "$GITHUB_PAT" ]; then
  # Retrieve a short lived runner registration token using the PAT
  REGISTRATION_TOKEN="$(curl -X POST -fsSL \
@@ -86,4 +86,74 @@ else
  export GITHUB_PAT=_REDACTED_
  export REGISTRATION_TOKEN=_REDACTED_
+else
+
+ app_id="$GITHUB_APP_ID"
+ pem_path="./key.pem"
+ printf '%b\n' "$GITHUB_APP_KEY" > $pem_path
+
+ now=$(date +%s)
+ iat=$((${now} - 60)) # Issues 60 seconds in the past
+ exp=$((${now} + 600)) # Expires 10 minutes in the future
+
+ b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+
+ header_json='{
+ "typ":"JWT",
+ "alg":"RS256"
+ }'
+ # Header encode
+ header=$( echo -n "${header_json}" | b64enc )
+
+ payload_json="{
+ \"iat\":${iat},
+ \"exp\":${exp},
+ \"iss\":\"${app_id}\"
+ }"
+ # Payload encode
+ payload=$( echo -n "${payload_json}" | b64enc )
+
+ # Signature
+ header_payload="${header}"."${payload}"
+ signature=$(
+ openssl dgst -sha256 -sign "${pem_path}" \
+ <(echo -n "${header_payload}") | b64enc
+ )
+
+ # Create JWT
+ JWT="${header_payload}"."${signature}"
+
+ ACCESS_TOKEN="$(curl --request POST \
+ --header 'Accept: application/vnd.github+json' \
+ --header "Authorization: Bearer $JWT" \
+ --header 'X-GitHub-Api-Version: 2022-11-28' \
+ "https://api.github.com/app/installations/$GITHUB_APP_INSTALLATION_ID/access_tokens" \
+ | jq -r '.token')"
+
+ # Retrieve a short lived runner registration token using the ACCESS_TOKEN
+ REGISTRATION_TOKEN="$(curl -X POST -fsSL \
+ -H 'Accept: application/vnd.github.v3+json' \
+ -H "Authorization: Bearer $ACCESS_TOKEN" \
+ -H 'X-GitHub-Api-Version: 2022-11-28' \
+ "$REGISTRATION_TOKEN_API_URL" \
+ | jq -r '.token')"
+
+ #
+ ./config.sh \
+ --url "${REPO_URL}" \
+ --token "${REGISTRATION_TOKEN}" \
+ --unattended \
+ --disableupdate \
+ --ephemeral \
+ --replace \
+ --labels "$LABELS" \
+ && ./run.sh
+
+ rm $pem_path
+ export signature=_REDACTED_
+ export JWT=_REDACTED_
+ export GITHUB_APP_KEY=_REDACTED_
+ export ACCESS_TOKEN=_REDACTED_
+ export REGISTRATION_TOKEN=_REDACTED_
+
 fi
From 93402cc1ba75ec480a9d236ba2f44043ea053c9a Mon Sep 17 00:00:00 2001
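Review bot: The `export GITHUB_APP_KEY=_REDACTED_` / `JWT` / `ACCESS_TOKEN` assignments at the end of the branch only run after `./run.sh` has returned, so they scrub nothing: for the runner's whole lifetime `GITHUB_APP_KEY` (which arrives via the container environment and is therefore presumably exported) stays in the environment inherited by `./config.sh` and `./run.sh`, and since job processes are children of `./run.sh` any workflow scheduled onto this runner can read the App's private key. The key is only needed for the single `openssl dgst -sign` call, so drop it from the environment right after the PEM is written, e.g. `unset GITHUB_APP_KEY GITHUB_APP_ID GITHUB_APP_INSTALLATION_ID`, and do the same for `ACCESS_TOKEN REGISTRATION_TOKEN` before `./run.sh` if anything above this hunk enables `set -a`. The installation token is also requested with no `permissions`/`repositories` body, so it carries every permission granted to the installation although only the runner-registration scope is needed; scoping it in the request body limits what a leaked `ACCESS_TOKEN` is worth.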
From: Krusty93
Date: Fri, 13 Feb 2026 11:06:01 +0100
Subject: [PATCH 2/4] add quotes
---
 github-runner-entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/github-runner-entrypoint.sh b/github-runner-entrypoint.sh
index 2255086..581af68 100644
--- a/github-runner-entrypoint.sh
+++ b/github-runner-entrypoint.sh
@@ -149,7 +149,7 @@ else
  --labels "$LABELS" \
  && ./run.sh
- rm $pem_path
+ rm "$pem_path"
  export signature=_REDACTED_
  export JWT=_REDACTED_
  export GITHUB_APP_KEY=_REDACTED_
From e1e1e13ae2facc50bc66bb40299bee51e40da303 Mon Sep 17 00:00:00 2001
From: Krusty93
Date: Fri, 13 Feb 2026 11:15:32 +0100
Subject: [PATCH 3/4] implement suggestions
---
 github-runner-entrypoint.sh | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/github-runner-entrypoint.sh b/github-runner-entrypoint.sh
index 581af68..46876e5 100644
--- a/github-runner-entrypoint.sh
+++ b/github-runner-entrypoint.sh
@@ -86,11 +86,13 @@ elif [ -n "$GITHUB_PAT" ]; then
  export GITHUB_PAT=_REDACTED_
  export REGISTRATION_TOKEN=_REDACTED_
-else
+elif [ -n "$GITHUB_APP_ID" ] && [ -n "$GITHUB_APP_KEY" ] && [ -n "$GITHUB_APP_INSTALLATION_ID" ] && [ -n "$REGISTRATION_TOKEN_API_URL" ] && [ -n "$REPO_URL" ]; then
  app_id="$GITHUB_APP_ID"
- pem_path="./key.pem"
- printf '%b\n' "$GITHUB_APP_KEY" > $pem_path
+ pem_path="$(mktemp /tmp/github-app-key.XXXXXX.pem)"
+ chmod 600 "$pem_path"
+ trap 'rm -f "$pem_path"' EXIT INT TERM HUP
+ printf '%b\n' "$GITHUB_APP_KEY" > "$pem_path"
  now=$(date +%s)
  iat=$((${now} - 60)) # Issues 60 seconds in the past
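Review bot: The `trap 'rm -f "$pem_path"' EXIT INT TERM HUP` only deletes the key when the script exits, which — the `elif` block continues past this hunk — is after `./run.sh` has finished, so the App private key sits in `/tmp`, readable by anything running as the runner user including job steps, for the runner's entire lifetime although it is only needed until the `openssl dgst -sign` call a few lines below. Add `rm -f "$pem_path"` directly after the signature is computed and keep the trap for the early-failure paths. `mktemp` can fail (read-only or missing `/tmp`) and its result is not checked; with an empty `pem_path` the `chmod` fails and `printf` writes to `""`, so guard it: `pem_path="$(mktemp /tmp/github-app-key.XXXXXX.pem)" || exit 1`. Note also that a template whose `XXXXXX` is not the trailing component is accepted by GNU `mktemp` (implied `--suffix`) but rejected by BusyBox `mktemp`, so if the image is Alpine-based use `/tmp/github-app-key.XXXXXX` instead.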
@@ -123,13 +125,18 @@ else
  # Create JWT
  JWT="${header_payload}"."${signature}"
- ACCESS_TOKEN="$(curl --request POST \
+ ACCESS_TOKEN="$(curl -fsSL --request POST \
  --header 'Accept: application/vnd.github+json' \
  --header "Authorization: Bearer $JWT" \
  --header 'X-GitHub-Api-Version: 2022-11-28' \
  "https://api.github.com/app/installations/$GITHUB_APP_INSTALLATION_ID/access_tokens" \
  | jq -r '.token')"
+ if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+ echo "❌ Failed to retrieve GitHub App access token"
+ exit 1
+ fi
+
  # Retrieve a short lived runner registration token using the ACCESS_TOKEN
  REGISTRATION_TOKEN="$(curl -X POST -fsSL \
  -H 'Accept: application/vnd.github.v3+json' \
@@ -149,11 +156,19 @@ else
  --labels "$LABELS" \
  && ./run.sh
- rm "$pem_path"
  export signature=_REDACTED_
  export JWT=_REDACTED_
  export GITHUB_APP_KEY=_REDACTED_
  export ACCESS_TOKEN=_REDACTED_
  export REGISTRATION_TOKEN=_REDACTED_
+else
+
+ echo "❌ No valid authentication method configured."
+ echo "Please set one of the following:"
+ echo " - GITHUB_REPOSITORY and GITHUB_TOKEN (legacy)"
+ echo " - GITHUB_PAT, REGISTRATION_TOKEN_API_URL, and REPO_URL"
+ echo " - GITHUB_APP_ID, GITHUB_APP_KEY, GITHUB_APP_INSTALLATION_ID, REGISTRATION_TOKEN_API_URL, and REPO_URL"
+ exit 1
+
 fi
From d312956a833aa7618e32f0312bc534cff379afe6 Mon Sep 17 00:00:00 2001
From: Krusty93
Date: Fri, 13 Feb 2026 11:58:07 +0100
Subject: [PATCH 4/4] update trivy action
---
 .github/workflows/trivy.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 5cdc9c2..940ec83 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
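Review bot: The empty/`null` guard added for `ACCESS_TOKEN` is not applied to `REGISTRATION_TOKEN` a few lines below, which is built by the same `curl -fsSL ... | jq -r '.token'` pattern: on an HTTP error `-f` suppresses the body, `jq` prints nothing, and `./config.sh` (outside this hunk) is invoked with `--token ""`, failing with a far less useful message. Mirror the check after that assignment: `if [ -z "$REGISTRATION_TOKEN" ] || [ "$REGISTRATION_TOKEN" = "null" ]; then echo "❌ Failed to retrieve runner registration token" >&2; exit 1; fi`. The new error message here should also go to stderr (`>&2`) rather than being mixed into stdout. The enclosing `elif` block starts and ends outside this hunk.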
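Review bot: The new usage text says the PAT path needs `REGISTRATION_TOKEN_API_URL` and `REPO_URL`, but the PAT guard (`elif [ -n "$GITHUB_PAT" ]; then`, shown in the `@@ -86,11 +86,13 @@` hunk header of this patch) tests only `GITHUB_PAT`, so a run with a PAT and those two unset never reaches this branch and presumably POSTs to an empty URL instead; tighten that guard to `elif [ -n "$GITHUB_PAT" ] && [ -n "$REGISTRATION_TOKEN_API_URL" ] && [ -n "$REPO_URL" ]; then` so it matches the App branch and this message. The diagnostics here are `echo`ed to stdout; since they precede `exit 1` they belong on stderr, e.g. `echo "❌ No valid authentication method configured." >&2` for each line.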
@@ -24,13 +24,13 @@ jobs:
  steps:
  - name: Checkout code
- uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  - name: Setup Docker buildx
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
  - name: Docker meta
- uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
  id: meta
  with:
  images: |
@@ -39,7 +39,7 @@ jobs:
  type=sha,enable=true,format=long
  - name: Build Docker image
- uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
  with:
  context: .
  load: true
@@ -51,7 +51,7 @@ jobs:
  platforms: linux/amd64
  - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # v0.17.0
+ uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
  with:
  image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}'
  format: 'sarif'
@@ -60,6 +60,6 @@ jobs:
  timeout: '10m0s'
  - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@592977e6ae857384aa79bb31e7a1d62d63449ec5 # v2.16.3
+ uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
  with:
  sarif_file: 'trivy-results.sarif'