self-hosted-runner: allow running in private repositories

dscho · dscho · commit 62691497cce0 · 2025-01-17T19:04:01.000+01:00
GitHub's documentation provides a stern warning against registering self-hosted runners on public repositories: https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security To counter that, we specifically spin up ephemeral self-hosted runners in `git-for-windows/git-for-windows-automation` and have automation to prevent unauthorized people from trying to play games with our runners. However, for testing in separate repositories, this strategy is utterly inconvenient. And unnecessary, when running in a private repository anyway. Except that we need to have a public URL for the post-deployment script. So let's work around that by hard-coding the CI token into that URL. This should be good enough, especially when we scrub the token from the logs (manually, if necessary). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
diff --git a/.github/workflows/create-azure-self-hosted-runners.yml b/.github/workflows/create-azure-self-hosted-runners.yml
@@ -126,14 +126,21 @@ jobs:
     # https://github.com/actions/runner/issues/475
     - name: Generate Actions Runner token and registration URL
       run: |
+        # We need to URL-encode the user name because it usually is a GitHub App, which means that
+        # it has the suffix `[bot]`. If un-encoded, this would cause a cURL error "bad range in URL"
+        # because it would mistake this for an IPv6 address or something like that.
+        user_pwd="$(jq -n \
+          --arg user '${{ github.actor }}' \
+          --arg pwd '${{ secrets.GITHUB_TOKEN }}' \
+          '$user | @uri + ":" + $pwd')"
         case "$ACTIONS_RUNNER_SCOPE" in
           "org-level")
-            ACTIONS_API_URL="https://api.github.com/repos/$ACTIONS_RUNNER_ORG/actions/runners/registration-token"
-            ACTIONS_RUNNER_REGISTRATION_URL="https://github.com/$ACTIONS_RUNNER_ORG"
+            ACTIONS_API_URL="https://$user_pwd@api.github.com/repos/$ACTIONS_RUNNER_ORG/actions/runners/registration-token"
+            ACTIONS_RUNNER_REGISTRATION_URL="https://$user_pwd@github.com/$ACTIONS_RUNNER_ORG"
             ;;
           "repo-level")
-            ACTIONS_API_URL="https://api.github.com/repos/$ACTIONS_RUNNER_ORG/$ACTIONS_RUNNER_REPO/actions/runners/registration-token"
-            ACTIONS_RUNNER_REGISTRATION_URL="https://github.com/$ACTIONS_RUNNER_ORG/$ACTIONS_RUNNER_REPO"
+            ACTIONS_API_URL="https://$user_pwd@api.github.com/repos/$ACTIONS_RUNNER_ORG/$ACTIONS_RUNNER_REPO/actions/runners/registration-token"
+            ACTIONS_RUNNER_REGISTRATION_URL="https://$user_pwd@github.com/$ACTIONS_RUNNER_ORG/$ACTIONS_RUNNER_REPO"
             ;;
           *)
             echo "Unsupported runner scope: $ACTIONS_RUNNER_SCOPE"
@@ -225,7 +232,7 @@ jobs:
       if: always()
       env:
         CUSTOM_SCRIPT_OUTPUT: ${{ steps.deploy-arm-template.outputs.customScriptInstanceView }}
-      run: echo "$CUSTOM_SCRIPT_OUTPUT" | jq -r '.substatuses[0].message'
+      run: echo "$CUSTOM_SCRIPT_OUTPUT" | jq -r '.substatuses[0].message' | sed 's/${{ secrets.GITHUB_TOKEN }}/***/g'
 
     - name: Deallocate the VM for later use
       if: env.DEALLOCATE_IMMEDIATELY == 'true'
