From a3360fccaa9cdb2a7b592df7d7787b2574ba618e Mon Sep 17 00:00:00 2001
From: tomoya-kawaguchi
Date: Sat, 31 Aug 2024 11:40:54 +0900
Subject: [PATCH 1/3] chore: unset configuration environment variables if flag is set

---
 entrypoint.sh | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/entrypoint.sh b/entrypoint.sh
index 09ec25d1..03049fed 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -57,6 +57,7 @@ _RUNNER_GROUP=${RUNNER_GROUP:-Default}
 _GITHUB_HOST=${GITHUB_HOST:="github.com"}
 _RUN_AS_ROOT=${RUN_AS_ROOT:="true"}
 _START_DOCKER_SERVICE=${START_DOCKER_SERVICE:="false"}
+_UNSET_CONFIG_VARS=${UNSET_CONFIG_VARS:="false"}
 
 # ensure backwards compatibility
 if [[ -z ${RUNNER_SCOPE} ]]; then
@@ -151,6 +152,33 @@ configure_runner() {
 }
 
 
+unset_config_vars() {
+ echo "Unsetting configuration environment variables"
+ unset RUN_AS_ROOT
+ unset RUNNER_NAME
+ unset RUNNER_NAME_PREFIX
+ unset RANDOM_RUNNER_SUFFIX
+ unset ACCESS_TOKEN
+ unset APP_ID
+ unset APP_PRIVATE_KEY
+ unset APP_LOGIN
+ unset RUNNER_SCOPE
+ unset ORG_NAME
+ unset ENTERPRISE_NAME
+ unset LABELS
+ unset REPO_URL
+ unset RUNNER_TOKEN
+ unset RUNNER_WORKDIR
+ unset RUNNER_GROUP
+ unset GITHUB_HOST
+ unset DISABLE_AUTOMATIC_DEREGISTRATION
+ unset CONFIGURED_ACTIONS_RUNNER_FILES_DIR
+ unset EPHEMERAL
+ unset DISABLE_AUTO_UPDATE
+ unset START_DOCKER_SERVICE
+ unset NO_DEFAULT_LABELS
+ unset UNSET_CONFIG_VARS
+}
 
 # Opt into runner reusage because a value was given
 if [[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then
@@ -204,6 +232,11 @@ if [[ ${_START_DOCKER_SERVICE} == "true" ]]; then
 fi
 fi
 
+# Unset configuration environment variables if the flag is set
+if [[ ${_UNSET_CONFIG_VARS} == "true" ]]; then
+ unset_config_vars
+fi
+
 # Container's command (CMD) execution as runner user

From bf069ba26b62fcf09f59a57580127d86b3b68a84 Mon Sep 17 00:00:00 2001
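Review bot: `unset_config_vars` removes the variables from this shell only, so it narrows what the runner process started later inherits but does not scrub `ACCESS_TOKEN`, `APP_PRIVATE_KEY` or `RUNNER_TOKEN` from the container's original environment, which generally stays readable through the container configuration and the entrypoint process's `/proc/<pid>/environ`; the README sentence about preventing leaks into the workflow environment should be read that narrowly. The `_`-prefixed copies taken at the top of the file (`_RUN_AS_ROOT`, `_GITHUB_HOST`, `_UNSET_CONFIG_VARS`, ...) also stay set, and whether they are exported is not visible here. The list is hand-maintained and already omits `DEBUG_ONLY` and `DEBUG_OUTPUT`, which the README table touched in patch 2 lists as configuration variables. A header comment stating the intent and its limits would help, e.g. `# Drop the raw config env vars from this shell so the runner process started below does not inherit them; scope is this shell only — the _-prefixed copies and the container's initial environ are untouched.`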
From: tomoya-kawaguchi
Date: Sat, 31 Aug 2024 11:44:01 +0900
Subject: [PATCH 2/3] docs: add UNSET_CONFIG_VARS settings

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index ac2144fb..9a23e2cb 100644
--- a/README.md
+++ b/README.md
@@ -73,7 +73,7 @@ These containers are built via Github actions that [copy the dockerfile](https:/
 | `NO_DEFAULT_LABELS` | Optional environment variable to disable adding the default self-hosted, platform, and architecture labels to the runner. Any value is considered truthy and will disable them. |
 | `DEBUG_ONLY` | Optional boolean to print debug output but not run any actual registration or runner commands. Used in CI and testing. Default: false |
 | `DEBUG_OUTPUT` | Optional boolean to print additional debug output. Default: false |
-
+| `UNSET_CONFIG_VARS` | Optional flag to unset all configuration environment variables after runner setup but before starting the runner. This prevents these variables from leaking into the workflow environment. Set to 'true' to enable. Defaults to 'false' for backward compatibility. |
 ## Tests ##

From 35c099d07e380fe4111fb1e0085ad575609650d2 Mon Sep 17 00:00:00 2001
From: tomoya-kawaguchi
Date: Sat, 31 Aug 2024 11:44:30 +0900
Subject: [PATCH 3/3] chore: use local var

---
 entrypoint.sh | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index 03049fed..cf0ed65c 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -58,6 +58,7 @@ _GITHUB_HOST=${GITHUB_HOST:="github.com"}
 _RUN_AS_ROOT=${RUN_AS_ROOT:="true"}
 _START_DOCKER_SERVICE=${START_DOCKER_SERVICE:="false"}
 _UNSET_CONFIG_VARS=${UNSET_CONFIG_VARS:="false"}
+_CONFIGURED_ACTIONS_RUNNER_FILES_DIR=${CONFIGURED_ACTIONS_RUNNER_FILES_DIR:-""}
 
 # ensure backwards compatibility
 if [[ -z ${RUNNER_SCOPE} ]]; then
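Review bot: The new snapshot line uses `:-""` while the three lines above it use `:=`; `:=` writes the default back into the source variable, and since `_CONFIGURED_ACTIONS_RUNNER_FILES_DIR` exists precisely so the path survives `unset_config_vars`, leaving the source untouched is the right choice, but next to its neighbours the switch reads like an accident. The empty default needs no quotes, so `_CONFIGURED_ACTIONS_RUNNER_FILES_DIR=${CONFIGURED_ACTIONS_RUNNER_FILES_DIR:-}` is enough, ideally with a comment such as `# snapshot: still needed after unset_config_vars has removed the original`.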
@@ -181,13 +182,13 @@ unset_config_vars() {
 }
 
 # Opt into runner reusage because a value was given
-if [[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then
+if [[ -n "${_CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then
 echo "Runner reusage is enabled"
 # directory exists, copy the data
- if [[ -d "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then
+ if [[ -d "${_CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then
 echo "Copying previous data"
- cp -p -r "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}/." "/actions-runner"
+ cp -p -r "${_CONFIGURED_ACTIONS_RUNNER_FILES_DIR}/." "/actions-runner"
 fi
 if [ -f "/actions-runner/.runner" ]; then
@@ -205,10 +206,10 @@ else
 fi
 fi
 
-if [[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then
- echo "Reusage is enabled. Storing data to ${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}"
+if [[ -n "${_CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then
+ echo "Reusage is enabled. Storing data to ${_CONFIGURED_ACTIONS_RUNNER_FILES_DIR}"
 # Quoting (even with double-quotes) the regexp brokes the copying
- cp -p -r "/actions-runner/_diag" "/actions-runner/svc.sh" /actions-runner/.[^.]* "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}"
+ cp -p -r "/actions-runner/_diag" "/actions-runner/svc.sh" /actions-runner/.[^.]* "${_CONFIGURED_ACTIONS_RUNNER_FILES_DIR}"
 fi
 
 
@@ -268,7 +269,7 @@ if [[ ${_RUN_AS_ROOT} == "true" ]]; then
 fi
 else
 if [[ $(id -u) -eq 0 ]]; then
- [[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]] && chown -R runner "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}"
+ [[ -n "${_CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]] && chown -R runner "${_CONFIGURED_ACTIONS_RUNNER_FILES_DIR}"
 chown -R runner "${_RUNNER_WORKDIR}" /actions-runner
 # The toolcache is not recursively chowned to avoid recursing over prepulated tooling in derived docker images
 chown runner /opt/hostedtoolcache/
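Review bot: Of the four renamed uses, this `chown` is the only one that runs after the `unset_config_vars` call (patch 1's third hunk places that call at about line 235, while the two reusage blocks in the hunks above sit at lines 182–215), so it is the line the snapshot actually rescues when `UNSET_CONFIG_VARS=true`; that dependency deserves a comment, e.g. `# uses the _ snapshot: CONFIGURED_ACTIONS_RUNNER_FILES_DIR may already be unset at this point`. This assumes top-to-bottom execution, which the surrounding if/else blocks suggest but the hunk does not prove. The enclosing `if [[ ${_RUN_AS_ROOT} == "true" ]]` block begins and ends outside the hunk.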