"oneshot"/ephemeral runners #19
Labels
No Label
kind
bug
kind
build
kind/compatible
kind
dependencies
kind
docs
kind
enhancement
kind
feature
kind
help wanted
kind
proposal
kind
refactor
related
act
related
environment
related
exec
related
gitea
related
workflow
reviewed
confirmed
reviewed
duplicate
reviewed
invalid
reviewed
needs feedback
reviewed
wontfix
reviewed
workaround
No Milestone
No Assignees
4 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: gitea/act_runner#19
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
A runner would accept one job, run it, then exit.
This would allow for an external runner orchestrator to spin up completely fresh envs for each job (assuming running as non-docker/exec mode), in firecracker/fargate/tart/etc..
serverless runner?
Yeah, that could be one case. Where the orchestrator sees a job has come in and starts a new lambda run with a oneshot agent, and then when job is done agent will quit and lambda will stop.
Two act_runners can connect with the same token to Gitea Actions, while in GitHub Actions this is currently impossible due to session lock.
To reproduce execute
act_runner daemon
twice with the same configuration.For example currently someone can craft a workflow file, which either
bind mount the runner config (container mode)This has been fixedYou are unaffected if the docker daemon and the act_runner has no shared folder containing .runner
Dind in the same container as act_runner is affected.
Finally use the token to receive jobs outside of your infrastructure. All jobs sent to the duplicated instance get access to new job requests and it's secrets.
Only allow to connect one runner with the same token at a time can increase security and make it harder to use the token while the job is running.
Finally ephemeral runners would fix the hole, if Gitea Actions would never send a second job to the runner.
This would be great to have. Along with ephemeral runners and a public API to generate short-lived, single-use runner registration tokens. It would allow us to create orchestration around spinning up/taring down runners.
For GitHub we wrote an auto-scaler that can spin up ephemeral self-hosted runner pools on potentially any IaaS, because we needed VMs/bare metal for runners (initially). I would love to try and add
gitea
as a platform along side GitHub and GitHub enterprise server.