Detecting Self-hosted Runners in ListJobsForWorkflowRun

[ramonpetgrave64]

Select Topic Area

Product Feedback

Body

Summary

We would like if the ListJobsForWorkflowRun API also returned information indicating whether a Job was executed on a github-hosted runner or a self-hosted runner.

In this example response from ListJobsForWorkflowRun, where a job has already been completed with a known "runner_id": 1, the API should also return another field similar to "runner_host_type": "self-hosted" or "runner_type": "github-hosted".

{
  "total_count": 1,
  "jobs": [
    {
      "id": 399444496,
      "run_id": 29679449,
      "run_url": "https://api.github.com/repos/octo-org/octo-repo/actions/runs/29679449",
      "node_id": "MDEyOldvcmtmbG93IEpvYjM5OTQ0NDQ5Ng==",
      "head_sha": "f83a356604ae3c5d03e1b46ef4d1ca77d64a90b0",
      "url": "https://api.github.com/repos/octo-org/octo-repo/actions/jobs/399444496",
      "html_url": "https://github.com/octo-org/octo-repo/runs/29679449/jobs/399444496",
      "status": "completed",
      "conclusion": "success",
      "started_at": "2020-01-20T17:42:40Z",
      "completed_at": "2020-01-20T17:44:39Z",
      "name": "build",
      "steps": [
        {
          "name": "Set up job",
          "status": "completed",
          "conclusion": "success",
          "number": 1,
          "started_at": "2020-01-20T09:42:40.000-08:00",
          "completed_at": "2020-01-20T09:42:41.000-08:00"
        },
        ...
        {
          "name": "Complete job",
          "status": "completed",
          "conclusion": "success",
          "number": 17,
          "started_at": "2020-01-20T09:44:39.000-08:00",
          "completed_at": "2020-01-20T09:44:39.000-08:00"
        }
      ],
      "check_run_url": "https://api.github.com/repos/octo-org/octo-repo/check-runs/399444496",
      "labels": [
        "self-hosted",
        "foo",
        "bar"
      ],
      "runner_id": 1,
      "runner_name": "my runner",
      "runner_group_id": 2,
      "runner_group_name": "my runner group",
      "workflow_name": "CI",
      "head_branch": "main"
    }
  ]
}

Background

At slsa-framework/slsa-github-generator, we need our reusable workflows to verify that all other adjacent jobs in the calling workflows were using github-hosted runners, and not self-hosted runners.

slsa-framework/slsa-github-generator#1868

We came up with one way using the available Rest APIs:

1. fetch the list of jobs for the current workflow run
2. fetch the list of self-hosted runners for the repository.
3. Use (1) to compare the runs-on labels with the labels of known self-hosted runners from (2).

However, this method doesn't work in one situation: a repo owner could alter the labels for their self-hosted runners after a Job has been completed, but before our check.

Furthermore, listing self-hosted runners requires a Personal Access Token with Administration:read permissions. Besides the increased complexity of asking our users to supplying PAT to our re-usable workflows, we want to minimize the amount of access needed.

[ramonpetgrave64]

I've since found that the Job logs in "Set up Job" are a good place to look for evidence of self-hosted runners. The logs will have the substring "Machine name:".

• https://github.com/actions/runner/pull/539/files#diff-e10dd2daf26c47f8e2914b189bbbc8043bdcd073c633c9a2d29d67f0ec3b4581R77
• https://github.com/actions/runner/blob/99b464e10200ade9ee2ed20c9b7568c1dabc5d2b/src/Runner.Worker/JobExtension.cs#L83

And you can fetch the logs with gh CLI.

gh run view <run id> --job <Job id> --log

[ramonpetgrave64]

Given this, can we have a more explicit marker in the logs to identify the use of self-hosted runners? Perhaps

Runner type: [github-hosted|self-hosted]

[ramonpetgrave64]

It seems like a new context variable has what I'm looking for some of my use cases. Still, I would like a way for one job to detect the use of self-hosted runners by another job.

https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#runner-context