Adding hmpps-github-actions-runner image #68

Open: wants to merge 2 commits into base: main
1 change: 1 addition & 0 deletions .github/workflows/docker-build-push.yml
@@ -21,6 +21,7 @@ jobs:
- hmpps-localstack
- hmpps-clamav
- hmpps-python-deps
- hmpps-github-actions-runner
permissions:
packages: write
contents: read
1 change: 1 addition & 0 deletions README.md
@@ -12,6 +12,7 @@ These images are built in github actions see `.github/workflows/docker-build-pus
| `hmpps-clamav` | ClamAV base image, see README in folder | <https://github.com/ministryofjustice/hmpps-tools-images/pkgs/container/hmpps-clamav> |
| `hmpps-clamav-freshclammed` | ClamAV image, twice daily updated virus DB, see README in folder | <https://github.com/ministryofjustice/hmpps-tools-images/pkgs/container/hmpps-clamav-freshclammed> |
| `hmpps-python-deps` | Python install with dependencies for running python scripts | <https://github.com/ministryofjustice/hmpps-utility-container-images/pkgs/container/hmpps-python-deps> |
| `hmpps-github-actions-runner` | Github self-hosted runner image for use by hmpps github actions that need to run with CP cluster. | <https://github.com/ministryofjustice/hmpps-utility-container-images/pkgs/container/hmpps-github-actions-runner> |

## Trivy Scan

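Review bot: the new `hmpps-github-actions-runner` row documents nothing about how the image is run, even though the entrypoint added in this PR aborts under `set -u` unless `GH_AUTH_TOKEN`, `GITHUB_REPOSITORY` and `RUNNER_LABELS` are set and also honours `EPHEMERAL`. The neighbouring ClamAV rows point at a per-folder README; this folder gets none, so either add `hmpps-github-actions-runner/README.md` listing those variables (and what scope the `GH_AUTH_TOKEN` needs, since it is used to mint repository registration tokens) and reference it here, or put the variable list in this description. Wording: "that need to run with CP cluster" should read "that need to run within the CP cluster", and "Github" is spelled "GitHub" elsewhere in the table.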
78 changes: 78 additions & 0 deletions hmpps-github-actions-runner/Dockerfile
@@ -0,0 +1,78 @@
#checkov:skip=CKV_DOCKER_2:actions/runner does not provider a mechanism for checking the health of the service
FROM public.ecr.aws/ubuntu/ubuntu@sha256:4f5ca1c8b7abe2bd1162e629cafbd824c303b98954b1a168526aca6021f8affe

LABEL org.opencontainers.image.vendor="Ministry of Justice" \
org.opencontainers.image.authors="HMPPS DPS" \
org.opencontainers.image.title="Actions Runner" \
org.opencontainers.image.description="Actions Runner image for HMPPS DPS" \
org.opencontainers.image.url="https://github.com/ministryofjustice/hmpps-utility-container-images"

ENV CONTAINER_USER="runner" \
CONTAINER_UID="10000" \
CONTAINER_GROUP="runner" \
CONTAINER_GID="10000" \
CONTAINER_HOME="/actions-runner" \
DEBIAN_FRONTEND="noninteractive"

# Checked by renovate
ENV ACTIONS_RUNNER_VERSION="2.321.0"

SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"]

RUN <<EOF
groupadd \
--gid ${CONTAINER_GID} \
--system \
${CONTAINER_GROUP}

useradd \
--uid ${CONTAINER_UID} \
--gid ${CONTAINER_GROUP} \
--create-home \
${CONTAINER_USER}

mkdir --parents ${CONTAINER_HOME}

chown --recursive ${CONTAINER_USER}:${CONTAINER_GROUP} ${CONTAINER_HOME}

apt-get update

apt-get install --yes --no-install-recommends \
"apt-transport-https" \
"ca-certificates" \
"curl" \
"git" \
"jq" \
"libicu-dev" \
"lsb-release" \
"gcc" \
"libsqlite3-dev" \
"python3" \
"httpie"

apt-get clean

rm -rf /var/lib/apt/lists/*

curl --location "https://github.com/actions/runner/releases/download/v${ACTIONS_RUNNER_VERSION}/actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz" \
--output "actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz"

# Validate the checksum
ACTIONS_RUNNER_PKG_SHA=$(curl -s --location "https://github.com/actions/runner/releases/tag/v${ACTIONS_RUNNER_VERSION}" | grep -A10 "SHA-256 Checksums" | grep actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION} | awk -F'[<> ]' '{print $4}')
echo "Release ACTIONS_RUNNER_PKG_SHA : ${ACTIONS_RUNNER_PKG_SHA}"
echo "Downloaded ACTIONS_RUNNER_PKG_SHA: $(sha256sum -b actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz) | cut -d\ -f1"

echo "${ACTIONS_RUNNER_PKG_SHA}" "actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz" | /usr/bin/sha256sum --check

tar --extract --gzip --file="actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz" --directory="${CONTAINER_HOME}"

rm --force "actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz"
EOF

COPY --chown=nobody:nobody --chmod=0755 src/usr/local/bin/entrypoint.sh /usr/local/bin/entrypoint.sh

USER ${CONTAINER_UID}

WORKDIR ${CONTAINER_HOME}

ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
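Review bot: the checksum step (`ACTIONS_RUNNER_PKG_SHA=$(curl -s --location "https://github.com/actions/runner/releases/tag/v${ACTIONS_RUNNER_VERSION}" | grep -A10 "SHA-256 Checksums" ...`) fetches the expected hash from the same origin, over the same channel, as the tarball it is meant to verify, so it only detects a truncated or corrupted download, not a tampered release or a compromised CDN path; pin the expected SHA-256 in the Dockerfile next to `ACTIONS_RUNNER_VERSION` (Renovate can bump both from the release notes) and compare against that, which also removes the brittle HTML scraping with `grep -A10`/`awk -F'[<> ]'` that will silently produce an empty string if the release page layout changes. Two smaller points in the same block: on the "Downloaded ACTIONS_RUNNER_PKG_SHA" line the `| cut -d\ -f1` sits inside the double quotes, so the log prints the literal text `| cut -d\ -f1` after the hash instead of trimming it; and the `curl --location` download has no `--fail`, so a 404 returns an HTML body that is only caught later by `sha256sum --check`, with a confusing mismatch message rather than an HTTP error. The base image is pinned by digest and `USER ${CONTAINER_UID}` drops root for the runtime, which is good; consider whether `gcc` and `libsqlite3-dev` are really needed in the final image, since a compiler in a runner that executes workflow code widens what a compromised job can do.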
57 changes: 57 additions & 0 deletions hmpps-github-actions-runner/src/usr/local/bin/entrypoint.sh
@@ -0,0 +1,57 @@
#!/usr/bin/env bash

set -euo pipefail

ACTIONS_RUNNER_DIRECTORY="/actions-runner"
EPHEMERAL="${EPHEMERAL:-"false"}"

echo "Runner parameters:"
echo " Repository: ${GITHUB_REPOSITORY}"
echo " Runner Name: $(hostname)"
echo " Runner Labels: ${RUNNER_LABELS}"

echo "Obtaining registration token"
getRegistrationToken=$(
curl \
--silent \
--location \
--request "POST" \
--header "X-GitHub-Api-Version: 2022-11-28" \
--header "Authorization: Bearer ${GH_AUTH_TOKEN}" \
https://api.github.com/repos/"${GITHUB_REPOSITORY}"/actions/runners/registration-token | jq -r '.token'
)
export getRegistrationToken

echo "Checking if registration token exists"
if [[ -z "${getRegistrationToken}" ]]; then
echo "Failed to obtain registration token"
exit 1
else
echo "Registration token obtained successfully"
REPO_TOKEN="${getRegistrationToken}"
fi

if [[ "${EPHEMERAL}" == "true" ]]; then
EPHEMERAL_FLAG="--ephemeral"
trap 'echo "Shutting down runner"; exit' SIGINT SIGQUIT SIGTERM INT TERM QUIT
else
EPHEMERAL_FLAG=""
fi

echo "Checking the runner"
bash "${ACTIONS_RUNNER_DIRECTORY}/config.sh" --check --url "https://github.com/${GITHUB_REPOSITORY}" --pat ${GH_AUTH_TOKEN}

echo "Configuring runner"
bash "${ACTIONS_RUNNER_DIRECTORY}/config.sh" ${EPHEMERAL_FLAG} \
--unattended \
--disableupdate \
--url "https://github.com/${GITHUB_REPOSITORY}" \
--token "${REPO_TOKEN}" \
--name "$(hostname)" \
--labels "${RUNNER_LABELS}"

echo "Setting the 'ready' flag for Kubernetes liveness probe"
touch /tmp/runner.ready

echo "Starting runner"
bash "${ACTIONS_RUNNER_DIRECTORY}/run.sh"
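Review bot: `GH_AUTH_TOKEN` stays in the environment when `bash "${ACTIONS_RUNNER_DIRECTORY}/run.sh"` starts, so every job step executed by this runner inherits the long-lived token that can mint registration tokens for the repository; `unset GH_AUTH_TOKEN` (and drop `export getRegistrationToken`, which is not needed by anything and only pushes the registration token into the job environment as well) before launching the runner, and quote `--pat ${GH_AUTH_TOKEN}` on the `--check` line, which also places the token in a process's argv where it is readable via `ps` by anything sharing the PID namespace. The failure check is ineffective: on a non-2xx API response the body has no `token` key, `jq -r '.token'` prints `null`, `[[ -z "${getRegistrationToken}" ]]` is false, and `config.sh` is then run with `--token null`; use `jq -r '.token // empty'` (or `curl --fail`) so the `exit 1` path is actually reached. The `trap ... SIGINT SIGQUIT SIGTERM INT TERM QUIT` in ephemeral mode will not fire while `bash run.sh` is a foreground child, because bash defers traps until the foreground command completes, and Kubernetes sends SIGTERM to PID 1 only; `exec bash "${ACTIONS_RUNNER_DIRECTORY}/run.sh"` lets the runner receive the signal directly. Finally, `touch /tmp/runner.ready` is a readiness marker created before the runner has started, so the comment "Kubernetes liveness probe" should say readiness, and a probe on that file alone will never report an unhealthy runner process.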