-
Notifications
You must be signed in to change notification settings - Fork 136
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[feature] Generator build level #1868
Comments
Follow-up. If we're able to do that, the generator may need to have different buildTypes, one for level 3 and one for level 2 (self-hosted). Or we even call them |
Might be possible to detect |
Great finding, thanks. The API https://docs.github.com/en/rest/actions/workflow-jobs?apiVersion=2022-11-28#get-a-job-for-a-workflow-run--code-samples seems to return the labels, so I think we should be able to list the workflow run's jobs and use the label to identify self vs GH-hosted runners |
we can always fetch the workflows and parse them ourselves if we want |
@ramonpetgrave64 that's an important issue we have not had the time to resolve for a while |
It should also be indicated in the OIDC token at
|
the OIDC token we fetch would happen in the context of the generator, not the calling repository, no? Additional notes for implementation. I think we need to be able to ensure that all (reusable) workflows referenced by the user workflow contain the same runner, not only the workflow that are part of the "call stack". |
It seems like the labels alone are not a good way to detect self-hosted runners. I've done some experimenting and found that you can still target your Jobs for self-hosted runners without explicitly using the label "self-hosted": just label your runners something else. Here I have a self-hosted runner I named "Github Actions" and with a label "ubuntu-latest". I'm going to look more into this: List Jobs for Workflow also returns the runners' IDs, so maybe I could use that with List Self-hosted Runners @laurentsimon I'll have to look more into the OIDC token, too. But I think you're probably right that it would be in the context of the re-usable workflow as it's being executed on a self-hosted runner. |
Is there a way too access the
You're trying to check if a runner if self-hosted. How about checking whether the runner is GitHub-hosted, and treat everything else a self-hosted? Would that be easier? |
the API contains a |
We can't use Example of a github-hosted runner's response:
|
Thanks for the info. In the API doc, I see a response example containing: "labels": [
"self-hosted",
"foo",
"bar"
], Is this not what we need? is it present in the response you get? |
Yes, but those are the labels that the calling workflow job specifies, not necessarily all the labels that a runner possesses. |
I thought it's a requirement for a self-hosted runner to have a label |
|
@laurentsimon I think I explained it a bit better in my PR description #3298 |
Their next paragraph says that the user doesn't necessarily have to specify the label "self-hosted" in order to use the self-hosted runners, neither in the workflow spec nor as a property of the runners themselves.
|
I see. It's really confusing: |
Yes I verified that the user doesn't have to specify |
I've been advised to open a ticket with Gtihub, asking for their ListJobsForWorklfowRun to have fore definitive information to solve our problem. |
The new v1.0 specs, iiuc, no longer has a "provenance" level 3. I think this means the generators would become level 2.
We could probably make them level 3 if the generator is able to check tat the caller workflow uses only GitHub-hosted runners.
Is there a way to do that?
The list of GitHub runners is available at https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources.
Is there an API to retrieve that list at runtime? If so, we could compare it to the list of runners used in the workflow.
There's also this API https://stackoverflow.com/questions/70027430/get-a-list-of-github-runners, which I have not tried. It may require org-level tokens to query
The text was updated successfully, but these errors were encountered: