Bump version, add OS support, bugfixes and more

github-runner/defaults.yaml

@@ -1,6 +1,5 @@
 github-runner:
-  version: '2.284.0'
+  version: '2.321.0'
   base_url: 'https://github.com/actions/runner/releases/download'
   script_suffix: 'sh'
   package_url: ''
-  package_suffix: 'tar.gz'

github-runner/init.sls

@@ -1,31 +1,98 @@
 {%- from "github-runner/map.jinja" import github_runner_settings with context %}
 
+Create ghrunner user:
+  user.present:
+    - name: ghrunner
+    - fullname: GitHub Runner
+    - home: {{ github_runner_settings.install_dir }}
+    - createhome: False
+    - system: True
+{%- if github_runner_settings.kernel == "Linux" %}
+    - usergroup: True
+{%- endif %}
+
 "GitHub Runner Software":
   file.directory:
     - name: {{ github_runner_settings.install_dir }}
-    - makedirs: true
+    - user: ghrunner
+    - group: ghrunner
+    - mode: '0750'
+    - makedirs: True
+    - require:
+      - user: Create ghrunner user
   archive.extracted:
     - name: {{ github_runner_settings.install_dir }}
     - source: {{ github_runner_settings.package_url }}
+{%- if github_runner_settings.package_hash %}
     - source_hash: sha256={{ github_runner_settings.package_hash }}
+{%- endif %}
+    - user: ghrunner
+    - group: ghrunner
+    - unless: test -f /opt/github/actions-runner/run.sh
     - require:
       - file: "GitHub Runner Software"
   cmd.run:
-    - name: {{ github_runner_settings.install_dir }}/config.{{ github_runner_settings.script_suffix }} --unattended --url {{ github_runner_settings.repo_url }} --token ${{ github_runner_settings.repo_token }}
+    - name: >-
+        {{ github_runner_settings.install_dir }}/config.{{
+          github_runner_settings.script_suffix
+        }}
+        --unattended --url {{ github_runner_settings.repo_url }}
+        --token {{ github_runner_settings.repo_token }}
+        --labels {{ ','.join(github_runner_settings.labels) }}
+{%- if "runnergroup" in github_runner_settings %}
+        --runnergroup {{ github_runner_settings.runnergroup }}
+{%- endif %}
+    - runas: ghrunner
+    - cwd: {{ github_runner_settings.install_dir }}
     - require:
       - archive: "GitHub Runner Software"
-    - creates: {{ github_runner_settings.install_dir }}/svc.{{ github_runner_settings.script_suffix }}
+    - creates:
+        - {{ github_runner_settings.install_dir }}/.credentials
+        - {{ github_runner_settings.install_dir }}/.runner
+        - {{ github_runner_settings.install_dir }}/svc.{{
+            github_runner_settings.script_suffix
+          }}
+
+# We use cmd instead of file built-in state because that only supports
+# octal encoding (issue #32681).
+# https://github.com/saltstack/salt/issues/32681
+"Secure {{ github_runner_settings.install_dir }}":
+  cmd.run:
+    - name: >-
+        chown -R ghrunner:ghrunner {{ github_runner_settings.install_dir }} &&
+        chmod -R u=rwX,g=rX,o-rwx {{ github_runner_settings.install_dir }}
+    - onchanges:
+      - cmd: "GitHub Runner Software"
 
 "GitHub Runner Service":
-  service.runner:
-    - name: {{ github_runner_settings.service_name }}
-    - enable: true
+  cmd.run:
+    - name: >-
+        {{ github_runner_settings.install_dir }}/svc.{{
+          github_runner_settings.script_suffix
+        }} install ghrunner
+    - cwd: {{ github_runner_settings.install_dir }}
+    - creates: {{ github_runner_settings.install_dir }}/.service
+    - require:
+      - cmd: "GitHub Runner Software"
+      - cmd: "Secure {{ github_runner_settings.install_dir }}"
+
+"Enable GitHub Runner Service":
+{%- if salt["file.file_exists"](github_runner_settings.install_dir ~ '/.service') %}
+  service.running:
+    - name: {{
+        salt['cmd.run'](
+          "cat '" ~ github_runner_settings.install_dir ~ "/.service'"
+        )
+      }}
+    - enable: True
     - require:
-      - archive: "GitHub Runner Software"
       - cmd: "GitHub Runner Service"
+{%- else %}
   cmd.run:
-    - name: {{ github_runner_settings.install_dir}}/svc.{{ github_runner_settings.script_suffix }} install
+    - name: >-
+        SERVICE=$(cat {{ github_runner_settings.install_dir }}/.service);
+        systemctl enable $SERVICE;
+        systemctl start $SERVICE
     - require:
-      - file: {{ github_runner_settings.install_dir }}/svc.{{ github_runner_settings.script_suffix }}
-    - watch:
-      - cmd: "GitHub Runner Software"
+      - cmd: "GitHub Runner Service"
+{%- endif %}

github-runner/map.jinja

@@ -1,17 +1,19 @@
 # -*- coding: utf-8 -*-
 # vim: ft=jinja
-{%- import_yaml 'github-runner/defaults.yaml as defaults %}
 
-{# merge os specific defaults over our defaults #}
-{% import_yaml 'github-runner/osmap.yaml' as osmap %}
-{% set osmap = salt['grains.filter_by'](osmap, grain='kernel') or {} %}
-{% do salt['defaults.merge'](defaults['github-runner'], osmap) %}
+{%- import_yaml "github-runner/defaults.yaml" as defaults %}
 
-{# Allow custom imports to reduce pillar load on the master #}
+{#- Merge os specific defaults over our defaults #}
+{%- from "github-runner/osmap.jinja" import osmap with context %}
+{%- do salt['defaults.merge'](defaults['github-runner'], osmap) %}
+
+{#- Allow custom imports to reduce pillar load on the master #}
 {%- set import_file = salt['pillar.get']('github-runner:defaults', '') %}
 {%- if import_file != '' %}
   {%- set custom_defaults = {} %}
-  {%- set import_type = import_file|lower|regex_match('.*\.(json|ya?ml|jinja)$') %}
+  {%-
+    set import_type = import_file|lower|regex_match('.*\.(json|ya?ml|jinja)$')
+  %}
   {%- if import_type|length > 0 %}
     {%- if import_type[0] in ['json'] %}
       {%- import_json import_file as custom_defaults %}
@@ -24,15 +26,60 @@
   {%- do salt['defaults.merge'](defaults, custom_defaults) %}
 {%- endif %}
 
-{# While we try to encourage usage of custom defaults within the state tree, we
-   want to be flexible enough to support pillar overrides for any setting #}
-{%- set github_runner_settings = salt['pillar.get']('github-runner', defaults['github-runner'], merge=True) %}
+{#-
+ # While we try to encourage usage of custom defaults within the state
+ # tree, we want to be flexible enough to support pillar overrides for
+ # any setting
+#}
+{%-
+  set github_runner_settings = salt['pillar.get'](
+    'github-runner', defaults['github-runner'],
+    merge=True,
+  )
+%}
 
 {%- if github_runner_settings.package_url|length == 0 %}
-  {%- set arch = salt['grains.get']('osarch', grains['cpuarch'])|lower %}
-  {%- set kernel = salt['grains.get']('kernel')|lower %}
+  {%- set cpuarch_grain = salt['grains.get']('osarch', grains['cpuarch']) %}
+  {%- set arch = cpuarch_grain|lower %}
+  {%- if arch in ("amd64", "x86_64") %}
+  {%- set arch = "x64" %}
+  {%- elif arch == "aarch64" %}
+  {%- set arch = "arm64" %}
+  {%- elif arch in ("armhf", "armv7l")  %}
+  {%- set arch = "arm" %}
+  {%- endif %}
+
+  {%- set kernel_grain = salt['grains.get']('kernel') %}
+  {%- set kernel = kernel_grain|lower %}
+  {%- set package_suffix = "tar.gz" %}
+  {%- if kernel == "MacOS" %}
+  {%- set kernel = "osx" %}
+  {%- elif kernel == "Windows" %}
+  {%- set kernel = "win" %}
+  {%- set package_suffix = "zip" %}
+  {%- endif %}
+  {%- do github_runner_settings.update({'kernel': kernel }) %}
+
+  {%-
+    set package_hash = github_runner_settings.get('package_hashes', {}).get(
+      arch
+    )
+  %}
+  {%- do github_runner_settings.update({'package_hash': package_hash }) %}
+
+  {%- if "labels" not in github_runner_settings %}
+  {%- do github_runner_settings.update({'labels': []}) %}
+  {%- endif %}
+  {%- do github_runner_settings.labels.append(cpuarch_grain) %}
+  {%- do github_runner_settings.labels.append(kernel_grain) %}
+
   {%- set version = github_runner_settings.version %}
-  {%- set package_suffix = github_runner_settings.package_suffix %}
-  {%- set package_url = '{{ github_runner_settings.base_url }}/v{{ version }}/actions-runner-{{ kernel }}{{ arch }}-{{ version }}.{{ package_suffix }}' %}
+
+  {%- set download_loc = github_runner_settings.base_url ~ '/v' ~ version %}
+  {%-
+    set package_name = 'actions-runner-' ~ kernel ~ '-' ~ arch ~ '-' ~
+      version ~ '.' ~ package_suffix
+  %}
+  {%- set package_url = download_loc ~ '/' ~ package_name %}
   {%- do github_runner_settings.update({'package_url': package_url }) %}
 {%- endif %}

github-runner/osmap.jinja

@@ -1,11 +1,35 @@
 # -*- coding: utf-8 -*-
-# vim: ft=yaml
----
+# vim: ft=jinja
 
-Linux:
-  script_suffix: sh
-  install_dir: /opt/github/actions-runner
-
-Windows:
-  script_suffix: cmd
-  install_dir: 'C:/github/actions-runner'
+{%-
+  set osmap = salt['grains.filter_by'](
+    {
+      'MacOS': {
+        'install_dir': '/opt/github/actions-runner',
+        'package_hashes': {
+          'arm64': 'fbee07e42a134645d4f04f8146b0a3d0b3c948f0d6b2b9fa61f4318c1192ff79',
+          'x68': 'b2c91416b3e4d579ae69fc2c381fc50dbda13f1b3fcc283187e2c75d1b173072',
+         },
+        'script_suffix': 'sh',
+      },
+      'Linux': {
+        'install_dir': '/opt/github/actions-runner',
+        'package_hashes': {
+          'x64': 'ba46ba7ce3a4d7236b16fbe44419fb453bc08f866b24f04d549ec89f1722a29e',
+          'arm': '2b96a4991ebf2b2076908a527a1a13db590217f9375267b5dd95f0300dde432b',
+          'arm64': '62cc5735d63057d8d07441507c3d6974e90c1854bdb33e9c8b26c0da086336e1',
+        },
+        'script_suffix': 'sh',
+      },
+      'Windows': {
+        'install_dir': 'C:/github/actions-runner',
+        'package_hashes': {
+          'x64': '88d754da46f4053aec9007d172020c1b75ab2e2049c08aef759b643316580bbc',
+          'arm64': '22df5a32a65a55e43dab38a200d4f72be0f9f5ce1839f5ad34e689a0d3ff0fb7',
+        },
+        'script_suffix': 'cmd',
+      },
+    },
+    grain='kernel',
+  ) or {}
+%}

pillar.example

@@ -1,23 +1,52 @@
 ---
 github-runner:
-  # You can specify the GitHub Runner version, the default value is shown.
-  # This should never need to be set unless you are hosting custom builds
-  # of the GitHub runner. Don't do that.
-  version: '2.284.0'
-  # One would only need change this if hosting custom builds
-  base_url: 'https://github.com/actions/runner/releases/download'
-  # POSIX systems represent the most common denominator for installation
-  # platforms, so those defaults are used, Windows platforms will be
-  # detected when processing map.jinja, so no worries.
-  script_suffix: 'sh'
-  package_url: ''
-  package_suffix: 'tar.gz'
-  # The above settings show their defaults which will be over-ridden by
-  # the map.jinja so this need never be dealt with, unless you ignored
-  # my previous advice.
-
-  # You may want to tune the installation directory, which you can thusly
-  install_dir: "/some/dir/I/really/want/to/use"
-
-  # If you wish to be extra careful you can specify the hash of the download
-  package_hash: "b4af45bc61ea3e531b9d124e9b8c21759267724cd72543a7aa943a389f1e6ec8"
+  ## Required
+
+  # Add your token from GitHub.
+  repo_token: ''
+
+  # Add your GitHub account/org URL. eg. 'https://github.com/sitepoint'
+  repo_url: ''
+
+  ## The following settings are optional. Defaults are commented out.
+
+  # Add any additional labels to the runner that you like. The values
+  # of the `cpuarch` and and `kernel` grains will always be added
+  # automatically.
+  # https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners#programmatically-assign-labels
+  #labels:
+  #  - arm64
+  #  - Linux
+
+  # If you wish to use an existing runner group (other than
+  # "default"), it can be set here.
+  #runnergroup: rt-runnergroup
+
+  # You can specify the GitHub Runner version. Note that the runner
+  # will automatically update itself as needed, so setting this is
+  # generally not required.
+  #version: '2.321.0'
+
+  # The SHA256 hash of the downloaded runner package, which is OS-specific.
+  #
+  # MacOS:
+  #package_hash: 'b2c91416b3e4d579ae69fc2c381fc50dbda13f1b3fcc283187e2c75d1b173072'
+  # Linux:
+  #package_hash: 'ba46ba7ce3a4d7236b16fbe44419fb453bc08f866b24f04d549ec89f1722a29e'
+  # Windows:
+  #package_hash: '88d754da46f4053aec9007d172020c1b75ab2e2049c08aef759b643316580bbc'
+
+  # One would only need change this if hosting custom builds.
+  #base_url: 'https://github.com/actions/runner/releases/download'
+
+  # If unset, the package download URL is automatically determined
+  # based on kernel, architecture and version.
+  #package_url: ''
+
+  # You can override the installation path default (which is
+  # OS-specific).
+  #
+  # MacOS / Linux:
+  #install_dir: '/opt/github/actions-runner'
+  # Windows:
+  #install_dir: 'C:/github/actions-runner'