Merge pull request #195003 from veehaitch/fix-github-runner-first-start

This commit is contained in:
Bernardo Meurer 2022-10-10 12:35:24 -03:00 committed by GitHub
commit 499748bc04
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -200,46 +200,65 @@ in
${lines} ${lines}
''; '';
currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" ] cfg; runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" ] cfg;
newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig); newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
newConfigTokenFilename = ".new-token"; currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
newConfigTokenPath= "$STATE_DIRECTORY/.new-token";
currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}";
runnerCredFiles = [ runnerCredFiles = [
".credentials" ".credentials"
".credentials_rsaparams" ".credentials_rsaparams"
".runner" ".runner"
]; ];
unconfigureRunner = writeScript "unconfigure" '' unconfigureRunner = writeScript "unconfigure" ''
differs= copy_tokens() {
if [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then
# State directory is not empty
# Set `differs = 1` if current and new runner config differ or if `currentConfigPath` does not exist
${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 || differs=1
# Also trigger a registration if the token content changed
${pkgs.diffutils}/bin/diff -q \
"$STATE_DIRECTORY"/${currentConfigTokenFilename} \
${escapeShellArg cfg.tokenFile} \
>/dev/null 2>&1 || differs=1
# If .credentials does not exist, assume a previous run de-registered the runner on stop (ephemeral mode)
[[ ! -f "$STATE_DIRECTORY/.credentials" ]] && differs=1
fi
if [[ -n "$differs" ]]; then
echo "Config has changed, removing old runner state."
# In ephemeral mode, the runner deletes the `.credentials` file after de-registering it with GitHub
[[ -f "$STATE_DIRECTORY/.credentials" ]] && echo "The old runner will still appear in the GitHub Actions UI." \
"You have to remove it manually."
find "$STATE_DIRECTORY/" -mindepth 1 -delete
# Copy the configured token file to the state dir and allow the service user to read the file # Copy the configured token file to the state dir and allow the service user to read the file
install --mode=666 ${escapeShellArg cfg.tokenFile} "$STATE_DIRECTORY/${newConfigTokenFilename}" install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}"
# Also copy current file to allow for a diff on the next start # Also copy current file to allow for a diff on the next start
install --mode=600 ${escapeShellArg cfg.tokenFile} "$STATE_DIRECTORY/${currentConfigTokenFilename}" install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}"
}
clean_state() {
find "$STATE_DIRECTORY/" -mindepth 1 -delete
copy_tokens
}
diff_config() {
changed=0
# Check for module config changes
[[ -f "${currentConfigPath}" ]] \
&& ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 \
|| changed=1
# Also check the content of the token file
[[ -f "${currentConfigTokenPath}" ]] \
&& ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \
|| changed=1
# If the config has changed, remove old state and copy tokens
if [[ "$changed" -eq 1 ]]; then
echo "Config has changed, removing old runner state."
echo "The old runner will still appear in the GitHub Actions UI." \
"You have to remove it manually."
clean_state
fi
}
if [[ "${optionalString cfg.ephemeral "1"}" ]]; then
# In ephemeral mode, we always want to start with a clean state
clean_state
elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then
# There are state files from a previous run; diff them to decide if we need a new registration
diff_config
else
# The state directory is entirely empty which indicates a first start
copy_tokens
fi fi
''; '';
configureRunner = writeScript "configure" '' configureRunner = writeScript "configure" ''
if [[ -e "$STATE_DIRECTORY/${newConfigTokenFilename}" ]]; then if [[ -e "${newConfigTokenPath}" ]]; then
echo "Configuring GitHub Actions Runner" echo "Configuring GitHub Actions Runner"
args=( args=(
@ -256,7 +275,7 @@ in
# If the token file contains a PAT (i.e., it starts with "ghp_"), we have to use the --pat option, # If the token file contains a PAT (i.e., it starts with "ghp_"), we have to use the --pat option,
# if it is not a PAT, we assume it contains a registration token and use the --token option # if it is not a PAT, we assume it contains a registration token and use the --token option
token=$(<"$STATE_DIRECTORY/${newConfigTokenFilename}") token=$(<"${newConfigTokenPath}")
if [[ "$token" =~ ^ghp_* ]]; then if [[ "$token" =~ ^ghp_* ]]; then
args+=(--pat "$token") args+=(--pat "$token")
else else
@ -271,7 +290,7 @@ in
rm -rf "$STATE_DIRECTORY/_diag/" rm -rf "$STATE_DIRECTORY/_diag/"
# Cleanup token from config # Cleanup token from config
rm "$STATE_DIRECTORY/${newConfigTokenFilename}" rm "${newConfigTokenPath}"
# Symlink to new config # Symlink to new config
ln -s '${newConfigPath}' "${currentConfigPath}" ln -s '${newConfigPath}' "${currentConfigPath}"
@ -305,8 +324,8 @@ in
WorkingDirectory = runtimeDir; WorkingDirectory = runtimeDir;
InaccessiblePaths = [ InaccessiblePaths = [
# Token file path given in the configuration # Token file path given in the configuration, if visible to the service
cfg.tokenFile "-${cfg.tokenFile}"
# Token file in the state directory # Token file in the state directory
"${stateDir}/${currentConfigTokenFilename}" "${stateDir}/${currentConfigTokenFilename}"
]; ];