feat: runner refactoring (#6)

mmorini-dxc · micdes-pagopa · web-flow · commit 74bd8d6f7207 · 2025-04-23T14:21:21.000+02:00
Co-authored-by: Michele De Simone &lt;106953981+micdes-pagopa@users.noreply.github.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -46,17 +46,34 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and push Docker image
-        id: docker_build_push
+      - name: Build and push Docker image (minimal)
+        id: docker_build_push_minimal
         if: steps.release.outputs.new_release_published == 'true'
         # from https://github.com/docker/build-push-action/commits/master
         uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5
         with:
           context: .
+          file: Dockerfile.minimal
           push: true
           tags: |
             ghcr.io/${{ github.repository }}:latest
-            ghcr.io/${{ github.repository }}:v${{ steps.release.outputs.new_release_version }}
+            ghcr.io/${{ github.repository }}:v${{ steps.release.outputs.new_release_version }}-minimal
+          labels: |
+            maintainer=https://pagopa.it
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+
+      - name: Build and push Docker image (full)
+        id: docker_build_push_full
+        if: steps.release.outputs.new_release_published == 'true'
+        # from https://github.com/docker/build-push-action/commits/master
+        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5
+        with:
+          context: .
+          file: Dockerfile.full
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository }}:latest-full
+            ghcr.io/${{ github.repository }}:v${{ steps.release.outputs.new_release_version }}-full
           labels: |
             maintainer=https://pagopa.it
             org.opencontainers.image.source=https://github.com/${{ github.repository }}
diff --git a/Dockerfile.full b/Dockerfile.full
@@ -1,21 +1,13 @@
-FROM ubuntu:22.04@sha256:a8fe6fd30333dc60fc5306982a7c51385c2091af1e0ee887166b40a905691fd0
+# runner v2.323.0: https://github.com/actions/runner/pkgs/container/actions-runner
+FROM ghcr.io/actions/actions-runner@sha256:831a2607a2618e4b79d9323b4c72330f3861768a061c2b92a845e9d214d80e5b
 
 ARG KUBECTL_VERSION=1.25.16
 
-RUN apt-get update && apt-get install -y curl zip unzip jq ca-certificates curl wget apt-transport-https lsb-release gnupg git gettext-base
+USER root
 
-# Create a folder
-RUN mkdir actions-runner
-WORKDIR /actions-runner
+# Already installed in base image: curl, jq1.6, git 2.49.0
+RUN apt-get update && apt-get install -y zip unzip ca-certificates wget apt-transport-https lsb-release gnupg gettext-base 
 
-RUN GITHUB_RUNNER_VERSION="2.323.0" && \
-    GITHUB_RUNNER_VERSION_SHA="0dbc9bf5a58620fc52cb6cc0448abcca964a8d74b5f39773b7afcad9ab691e19" && \
-    curl -o actions-runner-linux-x64-${GITHUB_RUNNER_VERSION}.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-x64-${GITHUB_RUNNER_VERSION}.tar.gz && \
-    echo "${GITHUB_RUNNER_VERSION_SHA}  actions-runner-linux-x64-${GITHUB_RUNNER_VERSION}.tar.gz" | sha256sum -c && \
-    tar xzf ./actions-runner-linux-x64-${GITHUB_RUNNER_VERSION}.tar.gz && \
-    rm actions-runner-linux-x64-${GITHUB_RUNNER_VERSION}.tar.gz
-
-RUN	bash bin/installdependencies.sh
 
 # install AWS cli from https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
 WORKDIR /tmp
@@ -59,26 +51,27 @@ RUN gpg --verify awscliv2.sig awscliv2.zip
 
 RUN unzip -q awscliv2.zip && ./aws/install
 RUN rm -rf "aws*"
+RUN aws --version
 
 # install kubectl from https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-on-linux
-
 RUN curl -LO https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
 RUN curl -LO https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256
 RUN echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
 RUN mv kubectl /usr/local/bin/ && chmod +x /usr/local/bin/kubectl
+RUN kubectl version --output=yaml --client
 
 # install helm from https://helm.sh/docs/intro/install/#from-apt-debianubuntu
-
 RUN curl https://baltocdn.com/helm/signing.asc | apt-key add - && \
     echo "deb https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
 
-RUN apt-get update && apt-get -y install helm
+RUN apt-get update && apt list helm && apt-get -y install helm=3.17.2-1
+RUN helm version
 
 # install mongosh from https://www.mongodb.com/try/download/shell
-
 RUN curl -O https://downloads.mongodb.com/compass/mongodb-mongosh_1.6.1_amd64.deb
 RUN apt-get install -y ./mongodb-mongosh_1.6.1_amd64.deb
 RUN rm ./mongodb-mongosh_1.6.1_amd64.deb
+RUN mongosh --version
 
 # install NodeJS 18-x
 RUN mkdir -p /etc/apt/keyrings
@@ -90,22 +83,16 @@ RUN node -v
 
 # Install yq
 RUN curl -L https://github.com/mikefarah/yq/releases/download/v4.35.2/yq_linux_amd64 -o /usr/local/bin/yq && chmod +x /usr/local/bin/yq
-# Verify yq installation
 RUN yq --version
 
-RUN useradd github && \
-    mkdir -p /home/github && \
-    chown -R github:github /home/github && \
-    chown -R github:github /actions-runner
-
-WORKDIR /home/github
+# container home is /home/runner
+# "runner" user is created in base image, has permissions on container home
+# "docker" group is created in base image
+WORKDIR /home/runner
 
-COPY killProcess.sh ./killProcess.sh
-RUN chmod +x ./killProcess.sh
+USER runner
 
-COPY entrypoint.sh ./entrypoint.sh
+COPY --chown=runner: ./scripts/entrypoint.sh ./entrypoint.sh
 RUN chmod +x ./entrypoint.sh
 
-USER github
-
-ENTRYPOINT ["/home/github/entrypoint.sh"]
+ENTRYPOINT ["/home/runner/entrypoint.sh"]
diff --git a/Dockerfile.minimal b/Dockerfile.minimal
@@ -0,0 +1,19 @@
+# runner v2.323.0: https://github.com/actions/runner/pkgs/container/actions-runner
+FROM ghcr.io/actions/actions-runner@sha256:831a2607a2618e4b79d9323b4c72330f3861768a061c2b92a845e9d214d80e5b
+
+USER root
+
+# Already installed in base image: curl, jq1.6, git 2.49.0
+RUN apt-get update && apt-get install -y zip unzip ca-certificates wget apt-transport-https lsb-release gnupg gettext-base 
+
+# container home is /home/runner
+# "runner" user is created in base image, has permissions on container home
+# "docker" group is created in base image
+WORKDIR /home/runner
+
+USER runner
+
+COPY --chown=runner: ./scripts/entrypoint.sh ./entrypoint.sh
+RUN chmod +x ./entrypoint.sh
+
+ENTRYPOINT ["/home/runner/entrypoint.sh"]
diff --git a/entrypoint.sh b/entrypoint.sh
diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+
+INTERACTIVE="FALSE"
+if [ "$(echo $INTERACTIVE_MODE | tr '[:upper:]' '[:lower:]')" == "true" ]; then
+	INTERACTIVE="TRUE"
+fi
+
+# Verify some Repo URL and token have been given, otherwise we must be interactive mode.
+if [ -z "$GITHUB_REPOSITORY_URL" ] || [ -z "$GITHUB_PAT" ] || [ -z "$GITHUB_REPOSITORY_NAME" ] || [ -z "$RUNNER_NAME" ]; then
+	if [ "$INTERACTIVE" == "FALSE" ]; then
+		echo "GITHUB_REPOSITORY_URL, GITHUB_PAT, GITHUB_REPOSITORY_NAME and RUNNER_NAME cannot be empty"
+		exit 1
+	fi
+fi
+
+ADDITIONAL_ARGS=""
+
+if [[ -n "${RUNNER_LABELS:-}" ]]; then
+	# Must not start or end with a comma
+    if [[ "$RUNNER_LABELS" == ,* || "$RUNNER_LABELS" == *, ]]; then
+        echo "Error: RUNNER_LABELS must not start or end with a comma"
+        exit 1
+    fi
+
+    # Must not contain any whitespace
+    if [[ "$RUNNER_LABELS" =~ [[:space:]] ]]; then
+        echo "Error: RUNNER_LABELS must not contain spaces"
+        exit 1
+    fi
+
+    ADDITIONAL_ARGS="$ADDITIONAL_ARGS --no-default-labels --labels ${RUNNER_LABELS} "
+fi
+
+if [[ -n "${REPLACE_EXISTING_RUNNER_NAME:-}" ]]; then
+    case "$REPLACE_EXISTING_RUNNER_NAME" in
+    true)
+		ADDITIONAL_ARGS="$ADDITIONAL_ARGS --replace"
+        ;;
+    *)
+        echo "Error: REPLACE_EXISTING_RUNNER_NAME must be 'true' or 'false' if set, got: '$REPLACE_EXISTING_RUNNER_NAME'"
+        exit 1
+        ;;
+    esac
+fi
+
+if [[ -n "${WORK_DIR:-}" ]]; then
+	ADDITIONAL_ARGS="$ADDITIONAL_ARGS --work $WORK_DIR"
+fi
+
+# Calculate default configuration values.
+GITHUB_REPOSITORY_BANNER="$GITHUB_REPOSITORY_URL"
+if [ -z "$GITHUB_REPOSITORY_BANNER" ]; then
+	export GITHUB_REPOSITORY_BANNER="<empty repository url>"
+fi
+
+
+echo "Requesting registration token..."
+
+REGISTRATION_TOKEN=$(curl -s \
+  --http1.1 \
+  -X POST \
+  -H "Accept: application/vnd.github+json" \
+  -H "Authorization: Bearer ${GITHUB_PAT}" \
+  https://api.github.com/repos/${GITHUB_REPOSITORY_NAME}/actions/runners/registration-token | jq ".token" -r)
+
+
+printf "Configuring GitHub Runner for $GITHUB_REPOSITORY_BANNER\n"
+printf "\tRunner Name: $RUNNER_NAME\n\tAdditional args: $ADDITIONAL_ARGS\n"
+
+if [ "$INTERACTIVE" == "FALSE" ]; then
+	printf "Running in non-interactive mode\n"
+	. $HOME/config.sh --name $RUNNER_NAME --url $GITHUB_REPOSITORY_URL --token $REGISTRATION_TOKEN $ADDITIONAL_ARGS --unattended
+else
+	. $HOME/config.sh --name $RUNNER_NAME --url $GITHUB_REPOSITORY_URL --token $REGISTRATION_TOKEN $ADDITIONAL_ARGS
+fi
+
+# Start the runner.
+printf "Executing GitHub Runner for $GITHUB_REPOSITORY_NAME\n"
+
+bash $HOME/run.sh
diff --git a/scripts/killProcess.sh b/scripts/killProcess.sh
