diff --git a/apps/github-runner/README.md b/apps/github-runner/README.md
index a2e69dc..f51fbf4 100644
--- a/apps/github-runner/README.md
+++ b/apps/github-runner/README.md
@@ -12,6 +12,8 @@ All repo-scoped Linux runners use:
 - `ACCESS_TOKEN` from the `github-runner-token` Secret
 - `RUN_AS_ROOT=false`
 - `EPHEMERAL=true`
+- `DISABLE_AUTO_UPDATE=true` so the runner does not self-update and exit inside
+ the immutable Kubernetes pod
 - `LABELS=self-hosted,linux,fc-build-linux`
 - writable non-root paths under `/home/runner` for .NET, NuGet, XDG cache, and Actions tool cache
@@ -131,3 +133,7 @@ from GitHub Actions and verify it lands on an `rke2-linux-*` runner.
 value does not change.
 - `Multi-Attach` volume error: only the Common runner uses a RWO PVC and it must stay single-replica. New multi-replica runners use `emptyDir`.
+- Runner pods repeatedly registering, downloading a newer Actions runner, then
+ exiting with code 4: verify `DISABLE_AUTO_UPDATE=true` is present. The image
+ translates that into `config.sh --disableupdate`; without it, the Deployment
+ controller sees the expected self-update exit as CrashLoopBackOff.
diff --git a/apps/github-runner/github-runner.yaml b/apps/github-runner/github-runner.yaml
index 1ca99f2..4109c9c 100644
--- a/apps/github-runner/github-runner.yaml
+++ b/apps/github-runner/github-runner.yaml
@@ -195,6 +195,11 @@ spec:
 # fresh registration occurs. Prevents stale runner accumulation.
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 # Labels used by workflow files: runs-on: [self-hosted, linux, fc-build-linux]
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
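Review bot: Disabling self-update pins the runner binary to whatever the container image ships, but the comment added above `- name: DISABLE_AUTO_UPDATE` in the @@ -195 hunk (and the identical blocks in the hunks from @@ -366 through @@ -4521) says nothing about how that version is refreshed from now on. Runner fixes, including security fixes, will only reach these pods through an image rebuild and a tag bump wherever the image is set (not visible in this hunk), and as far as I recall GitHub refuses jobs from runners that fall too far behind the current release, so a stale image eventually fails with a different symptom than the CrashLoopBackOff this change addresses; confirm the exact policy against the current runner docs. Suggest extending the comment with something like `# Runner version is now pinned by the image tag; rebuild and bump the image on a schedule so security fixes land and GitHub's minimum supported runner version keeps being met.` The container's image field and the rest of the pod spec are outside the hunk.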
@@ -366,6 +371,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -504,6 +514,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -636,6 +651,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -768,6 +788,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -900,6 +925,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -1035,6 +1065,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -1167,6 +1202,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -1299,6 +1339,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -1431,6 +1476,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -1565,6 +1615,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -1699,6 +1754,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -1838,6 +1898,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -1972,6 +2037,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -2106,6 +2176,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -2240,6 +2315,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -2373,6 +2453,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -2507,6 +2592,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -2640,6 +2730,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -2773,6 +2868,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -2906,6 +3006,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -3039,6 +3144,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -3172,6 +3282,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -3306,6 +3421,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -3440,6 +3560,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -3574,6 +3699,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -3708,6 +3838,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -3842,6 +3977,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -3975,6 +4115,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -4109,6 +4254,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -4247,6 +4397,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -4386,6 +4541,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
@@ -4521,6 +4681,11 @@ spec:
 value: "/tmp/runner/work"
 - name: EPHEMERAL
 value: "true"
+ # The runner image must not self-update inside an immutable
+ # Kubernetes pod. Without this, GitHub runner auto-update exits
+ # with code 4 and the Deployment falls into CrashLoopBackOff.
+ - name: DISABLE_AUTO_UPDATE
+ value: "true"
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
 - name: HOME
diff --git a/tests/bluejay-infra-lint/FleetManifestLintTests.cs b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
index ec12f6d..47011e3 100644
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -272,6 +272,7 @@ public sealed class FleetManifestLintTests
 var container = deployments[expectedRunner.Key].MainContainerMappings().Should().ContainSingle().Subject;
 EnvValue(container, "REPO_URL").Should().Be(expectedRunner.Value);
 EnvValue(container, "EPHEMERAL").Should().Be("true");
+ EnvValue(container, "DISABLE_AUTO_UPDATE").Should().Be("true", $"{expectedRunner.Key} must not self-update inside immutable Kubernetes runner pods");
 EnvValue(container, "LABELS").Should().Be("self-hosted,linux,fc-build-linux");
 EnvValue(container, "RUN_AS_ROOT").Should().Be("false");
 EnvValue(container, "ACCESS_TOKEN").Should().BeNull("ACCESS_TOKEN must come from github-runner-token Secret, not a literal");