Merge pull request #1768 from philips-labs/develop

Release

Author: npalm

.github/workflows/release.yml

@@ -92,7 +92,7 @@ jobs:
 
     steps:
       - name: Generate provenance for release
-        uses: philips-labs/slsa-provenance-action@v0.6.0
+        uses: philips-labs/slsa-provenance-action@v0.7.0
         with:
           artifact_path: release-assets
           output_path: 'build.provenance'

README.md

@@ -53,7 +53,7 @@ The moment a GitHub action workflow requiring a `self-hosted` runner is triggere
 
 For receiving the `check_run` or `workflow_job` event by the webhook (lambda), a webhook needs to be created in GitHub. The `workflow_job` is the preferred option, and the `check_run` option will be maintained for backward compatibility. The advantage of the `workflow_job` event is that the runner checks if the received event can run on the configured runners by matching the labels, which avoid instances being scaled up and never used. The following options are available:
 
-- `workflow_job`: **(preferred option)** create a webhook on enterprise, org or app level.
+- `workflow_job`: **(preferred option)** create a webhook on enterprise, org or app level. Select this option for ephemeral runners.
 - `check_run`: create a webhook on enterprise, org, repo or app level. When using the app option, the app needs to be installed to repo's are using the self-hosted runners.
 -  a Webhook needs to be created. The webhook hook can be defined on enterprise, org, repo, or app level. 
 
@@ -402,6 +402,7 @@ In case the setup does not work as intended follow the trace of events:
 | <a name="input_delay_webhook_event"></a> [delay\_webhook\_event](#input\_delay\_webhook\_event) | The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event. | `number` | `30` | no |
 | <a name="input_enable_cloudwatch_agent"></a> [enable\_cloudwatch\_agent](#input\_enable\_cloudwatch\_agent) | Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`. | `bool` | `true` | no |
 | <a name="input_enable_ephemeral_runners"></a> [enable\_ephemeral\_runners](#input\_enable\_ephemeral\_runners) | Enable ephemeral runners, runners will only be used once. | `bool` | `false` | no |
+| <a name="input_enable_managed_runner_security_group"></a> [enable\_managed\_runner\_security\_group](#inputenable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no |
 | <a name="input_enable_organization_runners"></a> [enable\_organization\_runners](#input\_enable\_organization\_runners) | Register runners to organization, instead of repo level | `bool` | `false` | no |
 | <a name="input_enable_ssm_on_runners"></a> [enable\_ssm\_on\_runners](#input\_enable\_ssm\_on\_runners) | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no |
 | <a name="input_enabled_userdata"></a> [enabled\_userdata](#input\_enabled\_userdata) | Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI | `bool` | `true` | no |

images/linux-amzn2/github_agent.linux.pkr.hcl

@@ -42,6 +42,12 @@ variable "root_volume_size_gb" {
   default = 8
 }
 
+variable "ebs_delete_on_termination" {
+  description = "Indicates whether the EBS volume is deleted on instance termination."
+  type        = bool
+  default     = true
+}
+
 variable "global_tags" {
   description = "Tags to apply to everything"
   type        = map(string)
@@ -91,9 +97,10 @@ source "amazon-ebs" "githubrunner" {
 
 
   launch_block_device_mappings {
-    device_name = "/dev/xvda"
-    volume_size = "${var.root_volume_size_gb}"
-    volume_type = "gp3"
+    device_name           = "/dev/xvda"
+    volume_size           = "${var.root_volume_size_gb}"
+    volume_type           = "gp3"
+    delete_on_termination = "${var.ebs_delete_on_termination}"
   }
 }
 
@@ -151,4 +158,4 @@ build {
     ]
   }
 
-}
+}

images/ubuntu-focal/github_agent.ubuntu.pkr.hcl

@@ -42,6 +42,12 @@ variable "root_volume_size_gb" {
   default = 8
 }
 
+variable "ebs_delete_on_termination" {
+  description = "Indicates whether the EBS volume is deleted on instance termination."
+  type        = bool
+  default     = true
+}
+
 variable "global_tags" {
   description = "Tags to apply to everything"
   type        = map(string)
@@ -90,9 +96,10 @@ source "amazon-ebs" "githubrunner" {
   )
 
   launch_block_device_mappings {
-    device_name = "/dev/sda1"
-    volume_size = "${var.root_volume_size_gb}"
-    volume_type = "gp3"
+    device_name           = "/dev/sda1"
+    volume_size           = "${var.root_volume_size_gb}"
+    volume_type           = "gp3"
+    delete_on_termination = "${var.ebs_delete_on_termination}"
   }
 }
 
@@ -161,4 +168,4 @@ build {
     ]
   }
 
-}
+}

images/windows-core-2019/github_agent.windows.pkr.hcl

@@ -19,6 +19,12 @@ variable "region" {
   default     = "eu-west-1"
 }
 
+variable "ebs_delete_on_termination" {
+  description = "Indicates whether the EBS volume is deleted on instance termination."
+  type        = bool
+  default     = true
+}
+
 source "amazon-ebs" "githubrunner" {
   ami_name      = "github-runner-windows-core-2019-${formatdate("YYYYMMDDhhmm", timestamp())}"
   communicator  = "winrm"
@@ -43,6 +49,11 @@ source "amazon-ebs" "githubrunner" {
   winrm_port     = 5986
   winrm_use_ssl  = true
   winrm_username = "Administrator"
+
+  launch_block_device_mappings {
+    device_name           = "/dev/sda1"
+    delete_on_termination = "${var.ebs_delete_on_termination}"
+  }
 }
 
 build {
@@ -63,4 +74,4 @@ build {
       action_runner_url = var.action_runner_url
     })]
   }
-}
+}

main.tf

@@ -107,6 +107,7 @@ module "runners" {
   github_app_parameters                = local.github_app_parameters
   enable_organization_runners          = var.enable_organization_runners
   enable_ephemeral_runners             = var.enable_ephemeral_runners
+  enable_managed_runner_security_group = var.enable_managed_runner_security_group
   scale_down_schedule_expression       = var.scale_down_schedule_expression
   minimum_running_time_in_minutes      = var.minimum_running_time_in_minutes
   runner_boot_time_in_minutes          = var.runner_boot_time_in_minutes

modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/package.json

@@ -18,23 +18,23 @@
     "@octokit/rest": "^18.12.0",
     "@trivago/prettier-plugin-sort-imports": "^3.2.0",
     "@types/jest": "^27.4.0",
-    "@types/node": "^17.0.17",
+    "@types/node": "^17.0.18",
     "@types/request": "^2.48.8",
     "@typescript-eslint/eslint-plugin": "^4.33.0",
     "@typescript-eslint/parser": "^4.33.0",
-    "@vercel/ncc": "^0.33.1",
-    "aws-sdk": "^2.1072.0",
+    "@vercel/ncc": "^0.33.3",
+    "aws-sdk": "^2.1075.0",
     "eslint": "^7.32.0",
     "eslint-plugin-prettier": "4.0.0",
-    "jest": "^27.5.0",
+    "jest": "^27.5.1",
     "jest-mock": "^27.5.1",
     "prettier": "2.5.1",
     "ts-jest": "^27.1.3",
     "ts-node-dev": "^1.1.6",
     "typescript": "^4.5.5"
   },
   "dependencies": {
-    "axios": "^0.25.0",
-    "tslog": "^3.3.1"
+    "axios": "^0.26.0",
+    "tslog": "^3.3.2"
   }
 }