fix(runners): disable self-update in k8s pods

This commit is contained in:
Andrew Stoltz
2026-06-11 14:57:00 -05:00
parent 9674a9555e
commit a4c9e44a36
3 changed files with 172 additions and 0 deletions


@@ -12,6 +12,8 @@ All repo-scoped Linux runners use:
- `ACCESS_TOKEN` from the `github-runner-token` Secret
- `RUN_AS_ROOT=false`
- `EPHEMERAL=true`
- `DISABLE_AUTO_UPDATE=true` so the runner does not self-update and exit inside
the immutable Kubernetes pod
- `LABELS=self-hosted,linux,fc-build-linux`
- writable non-root paths under `/home/runner` for .NET, NuGet, XDG cache, and
Actions tool cache
@@ -131,3 +133,7 @@ from GitHub Actions and verify it lands on an `rke2-linux-*` runner.
value does not change.
- `Multi-Attach` volume error: only the Common runner uses a RWO PVC and it must
stay single-replica. New multi-replica runners use `emptyDir`.
- Runner pods repeatedly registering, downloading a newer Actions runner, then
exiting with code 4: verify `DISABLE_AUTO_UPDATE=true` is present. The image
translates that into `config.sh --disableupdate`; without it, the Deployment
controller sees the expected self-update exit as CrashLoopBackOff.


@@ -195,6 +195,11 @@ spec:
# fresh registration occurs. Prevents stale runner accumulation.
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
# Labels used by workflow files: runs-on: [self-hosted, linux, fc-build-linux]
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
@@ -366,6 +371,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -504,6 +514,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -636,6 +651,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -768,6 +788,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -900,6 +925,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -1035,6 +1065,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -1167,6 +1202,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -1299,6 +1339,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -1431,6 +1476,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -1565,6 +1615,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -1699,6 +1754,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -1838,6 +1898,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -1972,6 +2037,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -2106,6 +2176,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -2240,6 +2315,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -2373,6 +2453,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -2507,6 +2592,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -2640,6 +2730,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -2773,6 +2868,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -2906,6 +3006,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -3039,6 +3144,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -3172,6 +3282,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -3306,6 +3421,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -3440,6 +3560,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -3574,6 +3699,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -3708,6 +3838,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -3842,6 +3977,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -3975,6 +4115,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -4109,6 +4254,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -4247,6 +4397,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -4386,6 +4541,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
@@ -4521,6 +4681,11 @@ spec:
value: "/tmp/runner/work"
- name: EPHEMERAL
value: "true"
# The runner image must not self-update inside an immutable
# Kubernetes pod. Without this, GitHub runner auto-update exits
# with code 4 and the Deployment falls into CrashLoopBackOff.
- name: DISABLE_AUTO_UPDATE
value: "true"
- name: LABELS
value: "self-hosted,linux,fc-build-linux"
- name: HOME
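Review bot: The `DISABLE_AUTO_UPDATE` block added after `EPHEMERAL` in every hunk of this section moves responsibility for the runner client version from GitHub's self-update to the container image, and neither the manifest nor the three-line comment says how that version is kept current. As far as I know GitHub retires old runner client versions over time, so an image that is never rebuilt will eventually fail to register rather than loop, and an unrebuilt image also stops receiving runner security fixes; the comment should say so, e.g. `# Runner version is now pinned by the image: rebuild and roll the image to pick up runner security fixes and minimum-version bumps.` The same value and comment are pasted into each Deployment's container spec; a shared env source (a ConfigMap referenced via envFrom, or a kustomize patch) would keep the rationale and the value in one place. Each container spec starts and ends outside its hunk, so whether the image reference itself is pinned by tag or digest cannot be seen here.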


@@ -272,6 +272,7 @@ public sealed class FleetManifestLintTests
var container = deployments[expectedRunner.Key].MainContainerMappings().Should().ContainSingle().Subject;
EnvValue(container, "REPO_URL").Should().Be(expectedRunner.Value);
EnvValue(container, "EPHEMERAL").Should().Be("true");
EnvValue(container, "DISABLE_AUTO_UPDATE").Should().Be("true", $"{expectedRunner.Key} must not self-update inside immutable Kubernetes runner pods");
EnvValue(container, "LABELS").Should().Be("self-hosted,linux,fc-build-linux");
EnvValue(container, "RUN_AS_ROOT").Should().Be("false");
EnvValue(container, "ACCESS_TOKEN").Should().BeNull("ACCESS_TOKEN must come from github-runner-token Secret, not a literal");
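Review bot: The new `EnvValue(container, "DISABLE_AUTO_UPDATE").Should().Be("true", ...)` assertion pins the env var but nothing pins what replaces self-update: with updates off, the runner version is whatever the image carries, so the same loop should also assert that the container's image reference uses a version tag or digest rather than a floating tag, otherwise the version still changes on every pod restart, just without the signal the failure message describes. The helper that reads the image reference is not visible in this hunk, so this is a suggestion rather than a line to change. The enclosing test method starts and ends outside the hunk.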