Runner Role per Repo + Branch #1828
nackerman-nydig
started this conversation in
Ideas
Replies: 1 comment 1 reply
Unfortunately there hasn't been any progress at the native runner / GitHub level side of things. This is the relevant issue on the actions/runner repo that needs work on GitHub's end for a clean solution actions/runner#1224. You can however do some enforcement of a workflow's ability to assume a role based on repo and branch with OpenID Connect https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services so depending on your environment this may be perfectly fine as a solution.
Hello!
Background
Our Github Organization has the following two requirements:
Potential Solution
We are able to configure runners with a pre-job-hook. And in that Hook, we have access to the Environment Variable GITHUB_REF. Our plan today is to inspect this GITHUB_REF. If the GITHUB_REF doesn't match the IAM role requested, we'll terminate the WORKFLOW JOB. Otherwise, we allow WORKFLOW JOB execution like normal.
Note:
GITHUB_REF on PR looks like refs/pull/2/merge
GITHUB_REF on merge to master/main looks like refs/heads/main
Given this, we believe we can detect if a runner is running in response to a main/master merge, or a development PR.
Question
Is there a cleaner/nicer way to hit our 2 requirements above than what we've outlined in our potential solution?
This feature request is very similar to our need. Seems like this functionality isn't supported today within ARC, but I wonder if maybe something has changed after 1.5 years.
Thanks :)
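A sketch of the pre-job-hook check outlined in the post, added here as an example and not code from the original post or from ARC: it assumes the requested role ARN reaches the hook through a hypothetical REQUESTED_IAM_ROLE environment variable, and it uses a constructed naming convention (role names ending in -prod or -dev) to decide which refs may assume which roles.

```shell
#!/bin/sh
# Job-started hook (ACTIONS_RUNNER_HOOK_JOB_STARTED): gate IAM role use on GITHUB_REF.
set -eu

# Map a GITHUB_REF value to a coarse class, using the two shapes quoted in the post.
classify_ref() {
  case "$1" in
    refs/heads/main|refs/heads/master) echo "release" ;;   # merge to main/master
    refs/pull/*/merge)                 echo "pr" ;;        # pull request build
    refs/heads/*)                      echo "branch" ;;    # any other branch
    *)                                 echo "unknown" ;;   # tags etc.: treat as untrusted
  esac
}

# role_allowed REF ROLE_ARN -> exit 0 (allow) or 1 (deny).
# Constructed policy: *-prod roles only from main/master, *-dev roles from
# PRs and branches as well; anything not on the allow-list is denied.
role_allowed() {
  ref="$1"; role="$2"
  class=$(classify_ref "$ref")
  case "$role" in
    arn:aws:iam::*:role/*-prod) [ "$class" = "release" ] ;;
    arn:aws:iam::*:role/*-dev)  [ "$class" = "release" ] || [ "$class" = "branch" ] || [ "$class" = "pr" ] ;;
    *) return 1 ;;
  esac
}

# Entry point when the runner invokes this script as the hook. REQUESTED_IAM_ROLE
# is an assumed variable name; skipped when either variable is unset (e.g. in tests).
if [ -n "${GITHUB_REF:-}" ] && [ -n "${REQUESTED_IAM_ROLE:-}" ]; then
  if role_allowed "$GITHUB_REF" "$REQUESTED_IAM_ROLE"; then
    echo "pre-job hook: $GITHUB_REF may assume $REQUESTED_IAM_ROLE"
  else
    echo "pre-job hook: denying $REQUESTED_IAM_ROLE for $GITHUB_REF" >&2
    exit 1   # a non-zero exit from the job-started hook fails the job
  fi
fi
```

The OIDC route from the reply enforces the same repo-and-branch rule in the AWS trust policy, via a condition on the token's sub claim (for example repo:ORG/REPO:ref:refs/heads/main), so the decision is made by AWS rather than by a script the runner hosts.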