From 1ef3232ea03abbadc9ab165d59fea5cca6e3ad44 Mon Sep 17 00:00:00 2001 From: marcel-dempers Date: Sun, 1 Oct 2023 18:27:03 +1100 Subject: [PATCH] add new github actions updates --- github/actions/self-hosted-runner/README.md | 81 ++++++++++++++++++- github/actions/self-hosted-runner/dockerfile | 60 +++++++------- .../actions/self-hosted-runner/entrypoint.sh | 5 +- .../self-hosted-runner/kubernetes.yaml | 71 ++++++++-------- 4 files changed, 151 insertions(+), 66 deletions(-) diff --git a/github/actions/self-hosted-runner/README.md b/github/actions/self-hosted-runner/README.md index a96b9fa..28d6e79 100644 --- a/github/actions/self-hosted-runner/README.md +++ b/github/actions/self-hosted-runner/README.md @@ -1,3 +1,82 @@ # Introduction to GitHub Actions: Self hosted runners -introduction to github actions runners +## Create a kubernetes cluster + +In this guide we we''ll need a Kubernetes cluster for testing. Let's create one using [kind](https://kind.sigs.k8s.io/)
+ +``` +kind create cluster --name githubactions --image kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31 +``` + +Let's test our cluster: +``` +kubectl get nodes +NAME STATUS ROLES AGE VERSION +githubactions-control-plane Ready control-plane 2m53s v1.28.0 +``` + +## Running the Runner in Docker + +We can simply install this directly on to virtual machines , but for this demo, I'd like to run it in Kubernetes inside a container.
+ +### Security notes + +* Running in Docker needs high priviledges. +* Would not recommend to use these on public repositories. +* Would recommend to always run your CI systems in seperate Kubernetes clusters. + +### Creating a Dockerfile + +* Installing Docker CLI +For this to work we need a `dockerfile` and follow instructions to [Install Docker](https://docs.docker.com/engine/install/debian/). +I would grab the content and create statements for my `dockerfile`
+ +Now notice that we only install the `docker` CLI.
+This is because we want our running to be able to run docker commands , but the actual docker server runs elsewhere
+This gives you flexibility to tighten security by running docker on the host itself and potentially run the container runtime in a non-root environment
+ +* Installing Github Actions Runner + +Next up we will need to install the [GitHub actions runner](https://github.com/actions/runner) in our `dockerfile` +Now to give you a "behind the scenes" of how I usually build my `dockerfile`s, I run a container to test my installs: + +``` +docker build . -t github-runner:latest +docker run -it github-runner bash +``` + +Next steps: + +* Now we can see `docker is installed +* To see how a runner is installed, lets go to our repo | runner and click "New self-hosted runner" +* Try these steps in the container +* We will needfew dependencies +* We download the runner +* TODO + + +Finally lets test the runner in `docker` + +``` +docker run -it -e GITHUB_PERSONAL_TOKEN="" -e GITHUB_OWNER=marcel-dempers -e GITHUB_REPOSITORY=docker-development-youtube-series github-runner +``` + +## Deploy to Kubernetes + +Load our github runner image so we dont need to push it to a registry: + +``` +kind load docker-image github-runner:latest --name githubactions +``` + +Create a kubernetes secret with our github details + +``` +kubectl create ns github +kubectl -n github create secret generic github-secret ` + --from-literal GITHUB_OWNER=marcel-dempers ` + --from-literal GITHUB_REPOSITORY=docker-development-youtube-series ` + --from-literal GITHUB_PERSONAL_TOKEN="" + +kubectl -n github apply -f kubernetes.yaml +``` \ No newline at end of file diff --git a/github/actions/self-hosted-runner/dockerfile b/github/actions/self-hosted-runner/dockerfile index f8c8d0b..457265a 100644 --- a/github/actions/self-hosted-runner/dockerfile +++ b/github/actions/self-hosted-runner/dockerfile 
@@ -1,40 +1,46 @@ -FROM debian:buster +FROM debian:bookworm-slim -ARG RUNNER_VERSION="2.169.1" +ARG RUNNER_VERSION="2.302.1" ENV GITHUB_PERSONAL_TOKEN "" ENV GITHUB_OWNER "" ENV GITHUB_REPOSITORY "" -RUN apt-get update \ - && apt-get install -y \ - curl \ - sudo \ - git \ - jq \ - tar \ - gnupg2 \ - apt-transport-https \ - ca-certificates \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* +# Install Docker -> https://docs.docker.com/engine/install/debian/ + +# Add Docker's official GPG key: +RUN apt-get update && \ + apt-get install -y ca-certificates curl gnupg +RUN install -m 0755 -d /etc/apt/keyrings +RUN curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg +RUN chmod a+r /etc/apt/keyrings/docker.gpg + +# Add the repository to Apt sources: +RUN echo \ + "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \ + "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \ + tee /etc/apt/sources.list.d/docker.list > /dev/null +RUN apt-get update + +# I only install the CLI, we will run docker in another container! 
+RUN apt-get install -y docker-ce-cli + +# Install the GitHub Actions Runner +RUN apt-get update && apt-get install -y sudo jq RUN useradd -m github && \ - usermod -aG sudo github && \ - echo "%sudo ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers - -#setup docker runner -RUN curl -sSL https://get.docker.com/ | sh -RUN usermod -aG docker github + usermod -aG sudo github && \ + echo "%sudo ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers USER github -WORKDIR /home/github +WORKDIR /actions-runner +RUN curl -Ls https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-x64-${RUNNER_VERSION}.tar.gz | tar xz \ + && sudo ./bin/installdependencies.sh -RUN curl -O -L https://github.com/actions/runner/releases/download/v$RUNNER_VERSION/actions-runner-linux-x64-$RUNNER_VERSION.tar.gz -RUN tar xzf ./actions-runner-linux-x64-$RUNNER_VERSION.tar.gz -RUN sudo ./bin/installdependencies.sh +COPY --chown=github:github entrypoint.sh /actions-runner/entrypoint.sh +RUN sudo chmod u+x /actions-runner/entrypoint.sh -COPY --chown=github:github entrypoint.sh ./entrypoint.sh -RUN sudo chmod u+x ./entrypoint.sh +#working folder for the runner +RUN sudo mkdir /work -ENTRYPOINT ["/home/github/entrypoint.sh"] \ No newline at end of file +ENTRYPOINT ["/actions-runner/entrypoint.sh"] \ No newline at end of file diff --git a/github/actions/self-hosted-runner/entrypoint.sh b/github/actions/self-hosted-runner/entrypoint.sh index ba24b57..59d63b2 100644 --- a/github/actions/self-hosted-runner/entrypoint.sh +++ b/github/actions/self-hosted-runner/entrypoint.sh 
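Review bot: The new `RUN curl -Ls …/actions-runner-linux-x64-${RUNNER_VERSION}.tar.gz | tar xz` line fetches the runner through a redirect with neither `-f` nor any integrity check, so an error page or a tampered release is unpacked straight into `/actions-runner`; GitHub publishes a sha256 for every runner release on the "New self-hosted runner" page, and the download should be saved to a file and verified against it before extraction. That line and the new `RUN sudo chmod …` / `RUN sudo mkdir /work` steps run after `USER github` and only work because the unchanged `%sudo ALL=(ALL) NOPASSWD:ALL` grant stays in the image, which also hands root to any job that lands on this runner. Doing the root-only work before `USER github` lets the sudoers line and the `sudo` package go, and `/work` should then be chowned to `github`, since `mkdir` as root presumably leaves it unwritable by the runner user. The stand-alone `RUN apt-get update` layer above `docker-ce-cli` is also a stale-cache hazard (hadolint DL3009) and none of the install layers remove `/var/lib/apt/lists`.
```dockerfile
# … unchanged: Docker apt repository setup …
RUN apt-get update && apt-get install -y --no-install-recommends docker-ce-cli jq \
  && rm -rf /var/lib/apt/lists/*

RUN useradd -m github
WORKDIR /actions-runner

# Expected sha256 of the runner tarball for RUNNER_VERSION, copied from GitHub's
# "New self-hosted runner" page; an empty value makes the check fail closed.
ARG RUNNER_SHA256
RUN curl -fsSL -o runner.tar.gz "https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-x64-${RUNNER_VERSION}.tar.gz" \
  && echo "${RUNNER_SHA256}  runner.tar.gz" | sha256sum -c - \
  && tar xzf runner.tar.gz && rm runner.tar.gz \
  && ./bin/installdependencies.sh \
  && mkdir /work \
  && chown -R github:github /actions-runner /work

COPY --chown=github:github entrypoint.sh /actions-runner/entrypoint.sh
RUN chmod u+x /actions-runner/entrypoint.sh

USER github
ENTRYPOINT ["/actions-runner/entrypoint.sh"]
```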
@@ -2,14 +2,15 @@ registration_url="https://api.github.com/repos/${GITHUB_OWNER}/${GITHUB_REPOSITORY}/actions/runners/registration-token" echo "Requesting registration URL at '${registration_url}'" -payload=$(curl -sX POST -H "Authorization: token ${GITHUB_PAT}" ${registration_url}) +payload=$(curl -sX POST -H "Authorization: token ${GITHUB_PERSONAL_TOKEN}" ${registration_url}) export RUNNER_TOKEN=$(echo $payload | jq .token --raw-output) ./config.sh \ --name $(hostname) \ --token ${RUNNER_TOKEN} \ + -- labels my-runner \ --url https://github.com/${GITHUB_OWNER}/${GITHUB_REPOSITORY} \ - --work ${RUNNER_WORKDIR} \ + --work "/work" \ --unattended \ --replace diff --git a/github/actions/self-hosted-runner/kubernetes.yaml b/github/actions/self-hosted-runner/kubernetes.yaml index 673b354..d4949ab 100644 --- a/github/actions/self-hosted-runner/kubernetes.yaml +++ b/github/actions/self-hosted-runner/kubernetes.yaml 
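Review bot: The added line `-- labels my-runner \` passes `--` and `labels` as two separate arguments to `config.sh` instead of the `--labels` option, so the label is never applied and registration will most likely abort on the unrecognised argument; it should read `--labels my-runner \`. The `curl -sX POST …` on the changed payload line has no `-f`, so a bad `GITHUB_PERSONAL_TOKEN` returns an error body, `jq .token` prints `null`, and `config.sh` is invoked with `--token null`; use `curl -fsX POST …` and exit before `./config.sh` when `RUNNER_TOKEN` is empty or `null`. The new `--work "/work"` points at a directory the dockerfile hunk creates with `sudo mkdir /work`, presumably root-owned, so the `github` user the image switches to may be unable to create job workspaces there — confirm its ownership. Because jobs on this runner execute untrusted code, `--ephemeral` (one job per registration) is worth adding if this runner version supports it; the script's first line is outside the hunk.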
@@ -1,37 +1,36 @@ -apiVersion: v1 -kind: Secret -metadata: - name: github-secret -type: Opaque -data: - GITHUB_PERSONAL_TOKEN: XXXXXXXXXXXXXXXXXXXXXXXXX ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: github-runner - labels: - app: github-runner -spec: - replicas: 1 - selector: - matchLabels: - app: github-runner - template: - metadata: - labels: - app: github-runner - spec: - containers: - - name: github-runner - image: aimvector/github-runner:latest - env: - - name: GITHUB_OWNER - value: marcel-dempers - - name: GITHUB_REPOSITORY - value: docker-development-youtube-series - - name: GITHUB_PERSONAL_TOKEN - valueFrom: - secretKeyRef: - name: github-secret +apiVersion: apps/v1 +kind: Deployment +metadata: + name: github-runner + labels: + app: github-runner +spec: + replicas: 1 + selector: + matchLabels: + app: github-runner + template: + metadata: + labels: + app: github-runner + spec: + containers: + - name: github-runner + imagePullPolicy: Never #use local kind image + image: github-runner:latest + env: + - name: GITHUB_OWNER + valueFrom: + secretKeyRef: + name: github-secret + key: GITHUB_OWNER + - name: GITHUB_REPOSITORY + valueFrom: + secretKeyRef: + name: github-secret + key: GITHUB_REPOSITORY + - name: GITHUB_PERSONAL_TOKEN + valueFrom: + secretKeyRef: + name: github-secret key: GITHUB_PERSONAL_TOKEN \ No newline at end of file
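Review bot: The new pod spec runs the runner with the namespace's default service-account token auto-mounted and no `securityContext`, although the README in this same commit says the runner needs high privileges and is not meant for public repositories — a job can read `/var/run/secrets/kubernetes.io/serviceaccount/token` and, given the image's NOPASSWD sudo, become root inside the container. Set `automountServiceAccountToken: false` on the pod and `allowPrivilegeEscalation: false` on the container (which also neuters setuid `sudo`), and consider `runAsNonRoot` with the numeric UID of the `github` user, since the kubelet cannot verify a by-name image `USER`. Separately, nothing in the manifest sets `DOCKER_HOST` or mounts a socket, so the `docker-ce-cli` installed in the image has no daemon to talk to — presumably a follow-up, but worth a comment on the container. `imagePullPolicy: Never` with a `:latest` tag is fine for kind but should not survive into a shared cluster.
```yaml
    spec:
      automountServiceAccountToken: false   # jobs run untrusted code; do not expose the SA token
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000   # assumed UID of `github` from useradd in the dockerfile — confirm
      containers:
      - name: github-runner
        imagePullPolicy: Never #use local kind image
        image: github-runner:latest
        securityContext:
          allowPrivilegeEscalation: false
        # TODO: no DOCKER_HOST / socket is provided yet, so `docker` inside jobs has no daemon
        # … unchanged: env from github-secret …
```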