Merge branch 'actions:master' into master

Author: cmiller01

.github/dependabot.yml

@@ -9,3 +9,15 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "weekly"
+    groups:
+      gomod:
+        patterns:
+          - "*"
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      actions:
+        patterns:
+          - "*"

.github/workflows/gha-validate-chart.yaml

@@ -123,3 +123,17 @@ jobs:
         if: steps.list-changed.outputs.changed == 'true'
         run: |
           ct install --config charts/.ci/ct-config-gha.yaml
+  test-chart:
+    name: Test Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+          cache: false
+      - name: Test gha-runner-scale-set
+        run: go test ./charts/gha-runner-scale-set/...
+      - name: Test gha-runner-scale-set-controller
+        run: go test ./charts/gha-runner-scale-set-controller/...

Makefile

@@ -6,7 +6,7 @@ endif
 DOCKER_USER ?= $(shell echo ${DOCKER_IMAGE_NAME} | cut -d / -f1)
 VERSION ?= dev
 COMMIT_SHA = $(shell git rev-parse HEAD)
-RUNNER_VERSION ?= 2.321.0
+RUNNER_VERSION ?= 2.322.0
 TARGETPLATFORM ?= $(shell arch)
 RUNNER_NAME ?= ${DOCKER_USER}/actions-runner
 RUNNER_TAG  ?= ${VERSION}

charts/gha-runner-scale-set-controller/tests/template_test.go

@@ -366,6 +366,7 @@ func TestTemplate_ControllerDeployment_Defaults(t *testing.T) {
 		"--metrics-addr=0",
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
+		"--runner-max-concurrent-reconciles=2",
 	}
 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)
 
@@ -518,6 +519,7 @@ func TestTemplate_ControllerDeployment_Customize(t *testing.T) {
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
+		"--runner-max-concurrent-reconciles=2",
 	}
 
 	assert.ElementsMatch(t, expectArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@@ -646,6 +648,7 @@ func TestTemplate_EnableLeaderElection(t *testing.T) {
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
+		"--runner-max-concurrent-reconciles=2",
 	}
 
 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@@ -686,6 +689,7 @@ func TestTemplate_ControllerDeployment_ForwardImagePullSecrets(t *testing.T) {
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
+		"--runner-max-concurrent-reconciles=2",
 	}
 
 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@@ -776,6 +780,7 @@ func TestTemplate_ControllerDeployment_WatchSingleNamespace(t *testing.T) {
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
+		"--runner-max-concurrent-reconciles=2",
 	}
 
 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)

charts/gha-runner-scale-set/values.yaml

@@ -2,25 +2,40 @@
 ## ex: https://github.com/myorg/myrepo or https://github.com/myorg
 githubConfigUrl: ""
 
-## githubConfigSecret is the k8s secrets to use when auth with GitHub API.
-## You can choose to use GitHub App or a PAT token
+## githubConfigSecret is the k8s secret information to use when authenticating via the GitHub API.
+## You can choose to supply:
+##   A) a PAT token, 
+##   B) a GitHub App, or 
+##   C) a pre-defined Kubernetes secret.
+## The syntax for each of these variations is documented below.
+## (Variation A) When using a PAT token, the syntax is as follows:
 githubConfigSecret:
-  ### GitHub Apps Configuration
-  ## NOTE: IDs MUST be strings, use quotes
-  #github_app_id: ""
-  #github_app_installation_id: ""
-  #github_app_private_key: |
-
-  ### GitHub PAT Configuration
-  github_token: ""
-## If you have a pre-define Kubernetes secret in the same namespace the gha-runner-scale-set is going to deploy,
-## you can also reference it via `githubConfigSecret: pre-defined-secret`.
-## You need to make sure your predefined secret has all the required secret data set properly.
+  # Example:  
+  # github_token: "ghp_sampleSampleSampleSampleSampleSample"
+  github_token: ""  
+#
+## (Variation B) When using a GitHub App, the syntax is as follows:
+# githubConfigSecret:
+#   # NOTE: IDs MUST be strings, use quotes
+#   github_app_id: ""
+#   github_app_installation_id: ""
+#   github_app_private_key: |
+#      private key line 1
+#      private key line 2
+#      .
+#      .
+#      .
+#      private key line N
+#
+## (Variation C) When using a pre-defined Kubernetes secret in the same namespace that the gha-runner-scale-set is going to deploy,
+## the syntax is as follows:
+# githubConfigSecret: pre-defined-secret
+## Notes on using pre-defined Kubernetes secrets:
+##   You need to make sure your predefined secret has all the required secret data set properly.
 ##   For a pre-defined secret using GitHub PAT, the secret needs to be created like this:
 ##   > kubectl create secret generic pre-defined-secret --namespace=my_namespace --from-literal=github_token='ghp_your_pat'
 ##   For a pre-defined secret using GitHub App, the secret needs to be created like this:
 ##   > kubectl create secret generic pre-defined-secret --namespace=my_namespace --from-literal=github_app_id=123456 --from-literal=github_app_installation_id=654321 --from-literal=github_app_private_key='-----BEGIN CERTIFICATE-----*******'
-# githubConfigSecret: pre-defined-secret
 
 ## proxy can be used to define proxy settings that will be used by the
 ## controller, the listener and the runner of this scale set.

cmd/ghalistener/config/config.go

@@ -46,14 +46,15 @@ func Read(path string) (Config, error) {
 		return Config{}, fmt.Errorf("failed to decode config: %w", err)
 	}
 
-	if err := config.validate(); err != nil {
+	if err := config.Validate(); err != nil {
 		return Config{}, fmt.Errorf("failed to validate config: %w", err)
 	}
 
 	return config, nil
 }
 
-func (c *Config) validate() error {
+// Validate checks the configuration for errors.
+func (c *Config) Validate() error {
 	if len(c.ConfigureUrl) == 0 {
 		return fmt.Errorf("GitHubConfigUrl is not provided")
 	}

cmd/ghalistener/config/config_test.go

@@ -17,7 +17,7 @@ func TestConfigValidationMinMax(t *testing.T) {
 		MaxRunners:                  2,
 		Token:                       "token",
 	}
-	err := config.validate()
+	err := config.Validate()
 	assert.ErrorContains(t, err, "MinRunners '5' cannot be greater than MaxRunners '2", "Expected error about MinRunners > MaxRunners")
 }
 
@@ -28,7 +28,7 @@ func TestConfigValidationMissingToken(t *testing.T) {
 		EphemeralRunnerSetName:      "deployment",
 		RunnerScaleSetId:            1,
 	}
-	err := config.validate()
+	err := config.Validate()
 	expectedError := fmt.Sprintf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
 	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
 }
@@ -42,7 +42,7 @@ func TestConfigValidationAppKey(t *testing.T) {
 		EphemeralRunnerSetName:      "deployment",
 		RunnerScaleSetId:            1,
 	}
-	err := config.validate()
+	err := config.Validate()
 	expectedError := fmt.Sprintf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
 	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
 }
@@ -58,7 +58,7 @@ func TestConfigValidationOnlyOneTypeOfCredentials(t *testing.T) {
 		EphemeralRunnerSetName:      "deployment",
 		RunnerScaleSetId:            1,
 	}
-	err := config.validate()
+	err := config.Validate()
 	expectedError := fmt.Sprintf("only one GitHub auth method supported at a time. Have both PAT and App auth: token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
 	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
 }
@@ -74,7 +74,7 @@ func TestConfigValidation(t *testing.T) {
 		Token:                       "asdf",
 	}
 
-	err := config.validate()
+	err := config.Validate()
 
 	assert.NoError(t, err, "Expected no error")
 }
@@ -86,7 +86,7 @@ func TestConfigValidationConfigUrl(t *testing.T) {
 		RunnerScaleSetId:            1,
 	}
 
-	err := config.validate()
+	err := config.Validate()
 
 	assert.ErrorContains(t, err, "GitHubConfigUrl is not provided", "Expected error about missing ConfigureUrl")
 }

docs/about-arc.md

@@ -157,7 +157,7 @@ kubectl set env deploy controller-manager -c manager GITHUB_ENTERPRISE_URL=<GHEC
 The project supports being deployed on the various cloud Kubernetes platforms (e.g. EKS), it does not however aim to go beyond that. No cloud specific tooling is bundled in the base runner, this is an active decision to keep the overhead of maintaining the solution manageable.
 
 **Bundled Software**<br />
-The GitHub hosted runners include a large amount of pre-installed software packages. GitHub maintains a list in README files at <https://github.com/actions/virtual-environments/tree/main/images/linux>.
+The GitHub hosted runners include a large amount of pre-installed software packages. GitHub maintains a list in README files at <https://github.com/actions/runner-images/blob/main/images/ubuntu/>.
 
 This solution maintains a few Ubuntu based runner images, these images do not contain all of the software installed on the GitHub runners. The images contain the following subset of packages from the GitHub runners:
 

docs/automatically-scaling-runners.md

@@ -430,6 +430,7 @@ resources:
 - github.com/actions/actions-runner-controller/config//default?ref=v0.22.2
 # Add the below!
 - github.com/actions/actions-runner-controller/config//github-webhook-server?ref=v0.22.2
+```
 
 Finally, you will have to configure an ingress so that you may configure the webhook in github. An example of such ingress can be find below:
 

runner/Makefile

@@ -6,7 +6,7 @@ DIND_ROOTLESS_RUNNER_NAME ?= ${DOCKER_USER}/actions-runner-dind-rootless
 OS_IMAGE ?= ubuntu-22.04
 TARGETPLATFORM ?= $(shell arch)
 
-RUNNER_VERSION ?= 2.321.0
+RUNNER_VERSION ?= 2.322.0
 RUNNER_CONTAINER_HOOKS_VERSION ?= 0.6.2
 DOCKER_VERSION ?= 24.0.7