self-hosted-runner: pass the post-deployment script without a URL

When running this workflow in a private repository, providing a public
URL to the post-deployment script simply would not work.

It is not even possible to use the `GITHUB_TOKEN` to construct an
`Invoke-WebRequest` call: The `GITHUB_TOKEN` lacks the permission to
access the resource.

So let's just pass this post-deployment script as a parameter.

Since it is somewhat large-ish, weighing 14kB, let's compress it. And
since the compressed file is binary and cannot easily be passed around,
let's Base64-encode it. The result is still somewhat large (5.6kB) but
at least this works and still leaves some room for additional stuff to
be put into the post-deployment script.

Signed-off-by: Johannes Schindelin <[email protected]>

Author: dscho

.github/workflows/create-azure-self-hosted-runners.yml

@@ -42,8 +42,6 @@ env:
   ACTIONS_RUNNER_REPO: "${{ github.event.inputs.runner_repo || github.event.repository.name }}"
   DEALLOCATE_IMMEDIATELY: ${{ github.event.inputs.deallocate_immediately }}
   EPHEMERAL_RUNNER: ${{ github.event.inputs.ephemeral }}
-  # This has to be a public URL that the VM can access after creation
-  POST_DEPLOYMENT_SCRIPT_URL: https://raw.githubusercontent.com/${{ github.repository }}/${{ github.ref }}/azure-self-hosted-runners/post-deployment-script.ps1
   # Note that you'll need "p" (arm64 processor) and ideally "d" (local temp disk). The number 4 stands for 4 CPU-cores.
   # For a convenient overview of all arm64 VM types, see e.g. https://azureprice.net/?_cpuArchitecture=Arm64
   AZURE_VM_TYPE: Standard_D4plds_v5
@@ -161,10 +159,21 @@ jobs:
           ACTIONS_RUNNER_PATH="D:\a"
         fi
 
+        # Zip up and Base64-encode the post-deployment script; We used to provide a public URL
+        # for that script instead, but that does not work in private repositories (and we could
+        # not even use the `GITHUB_TOKEN` to access the file because it lacks the necessary
+        # scope to read repository contents).
+        POST_DEPLOYMENT_SCRIPT_ZIP_BASE64="$(
+          cd azure-self-hosted-runners &&
+          zip -9 tmp.zip post-deployment-script.ps1 >&2 &&
+          base64 -w 0 tmp.zip
+        )"
+
         AZURE_ARM_PARAMETERS=$(tr '\n' ' ' <<-END
           githubActionsRunnerRegistrationUrl="$ACTIONS_RUNNER_REGISTRATION_URL"
           githubActionsRunnerToken="$ACTIONS_RUNNER_TOKEN"
-          postDeploymentPsScriptUrl="$POST_DEPLOYMENT_SCRIPT_URL"
+          postDeploymentScriptZipBase64="$POST_DEPLOYMENT_SCRIPT_ZIP_BASE64"
+          postDeploymentScriptFileName="post-deployment-script.ps1"
           virtualMachineImage="$AZURE_VM_IMAGE"
           virtualMachineName="${{ steps.generate-vm-name.outputs.vm_name }}"
           virtualMachineSize="$AZURE_VM_TYPE"
@@ -216,7 +225,7 @@ jobs:
       if: always()
       env:
         CUSTOM_SCRIPT_OUTPUT: ${{ steps.deploy-arm-template.outputs.customScriptInstanceView }}
-      run: echo "$CUSTOM_SCRIPT_OUTPUT" | jq -r '.substatuses[0].message' 
+      run: echo "$CUSTOM_SCRIPT_OUTPUT" | jq -r '.substatuses[0].message'
 
     - name: Deallocate the VM for later use
       if: env.DEALLOCATE_IMMEDIATELY == 'true'

azure-self-hosted-runners/azure-arm-template.json

@@ -22,11 +22,18 @@
                 "description": "Path to the Actions Runner. Keep this path short to prevent Long Path issues, e.g. D:\\a"
             }
         },
-        "postDeploymentPsScriptUrl": {
+        "postDeploymentScriptZipBase64": {
             "type": "string",
             "minLength": 6,
             "metadata": {
-                "description": "URL to the post-deployment PowerShell script. E.g. https://raw.githubusercontent.com/git-for-windows/git-for-windows-automation/main/azure-self-hosted-runners/post-deployment-script.ps1"
+                "description": "Base64-encoded .zip file containing the post-deployment script"
+            }
+        },
+        "postDeploymentScriptFileName": {
+            "type": "string",
+            "minLength": 6,
+            "metadata": {
+                "description": "File name of the post-deployment script"
             }
         },
         "computerName": {
@@ -118,10 +125,6 @@
         "vnetName": "[concat(parameters('virtualMachineName'), '-vnet')]",
         "vnetId": "[resourceId(resourceGroup().name,'Microsoft.Network/virtualNetworks', concat(parameters('virtualMachineName'), '-vnet'))]",
         "subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('subnetName'))]",
-        "UriFileNamePieces": "[split(parameters('postDeploymentPsScriptUrl'), '/')]",
-        "firstFileNameString": "[variables('UriFileNamePieces')[sub(length(variables('UriFileNamePieces')), 1)]]",
-        "firstFileNameBreakString": "[split(variables('firstFileNameString'), '?')]",
-        "firstFileName": "[variables('firstFileNameBreakString')[0]]",
         "postDeploymentScriptArguments": "[concat('-GitHubActionsRunnerToken ', parameters('githubActionsRunnerToken'), ' -GithubActionsRunnerRegistrationUrl ', parameters('githubActionsRunnerRegistrationUrl'), ' -GithubActionsRunnerName ', parameters('virtualMachineName'), ' -Ephemeral ', parameters('ephemeral'), ' -StopService ', parameters('stopService'), ' -GitHubActionsRunnerPath ', parameters('githubActionsRunnerPath'))]"
     },
     "resources": [
@@ -269,11 +272,8 @@
                 "type": "CustomScriptExtension",
                 "typeHandlerVersion": "1.9",
                 "autoUpgradeMinorVersion": true,
-                "settings": {
-                    "fileUris": "[split(parameters('postDeploymentPsScriptUrl'), ' ')]"
-                },
                 "protectedSettings": {
-                    "commandToExecute": "[concat('powershell -ExecutionPolicy Unrestricted -File ', variables('firstFileName'), ' ', variables('postDeploymentScriptArguments'))]"
+                    "commandToExecute": "[concat('powershell -ExecutionPolicy Unrestricted -Command \"[System.IO.File]::WriteAllBytes(\\\"tmp.zip\\\", [System.Convert]::FromBase64String(\\\"', parameters('postDeploymentScriptZipBase64'), '\\\")); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory(\\\"tmp.zip\\\", \\\".\\\"); & .\\', parameters('postDeploymentScriptFileName'), ' ', variables('postDeploymentScriptArguments'), '\"')]"
                 }
             }
         }