Just-in-time runners for enterprises?

[gabriel-samfira]

Select Topic Area

Question

Body

Hi folks!

The just-in-time runners are an amazingly useful feature, but even though the blog post and the security guide mentions that this feature may be available for enterprises, I don't see enterprises being documented for this feature:

https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28

Can JIT runners be created for enterprises/GHES?

Thanks!

[ChristopherHX]

I cannot find anything, which maps the api endpoints to GHES versions. They seem to add new apis to the versioned api of last year, maybe as long they do not make breaking changes to the Api.

Can JIT runners be created for enterprises/GHES?

You can use the actions/runner itself (on linux/macos hosts, windows encrypts a file that makes it less trivial) to create a similar JIT token, otherwise wait for the GHES release.

I try to explain the format

It is a base64 encoded json structure

{
  ".runner": "base64 of .runner file content",
  ".credentials": "base64 of .credentials file content",
  ".credentials_rsaparams": "base64 of .credentials_rsaparams file content"
}

Using your own --no-default-labels(v2.305, currently master only) it is possible to create the file using the same token as the rest api. Without that flag the default labels might be incorrect.

rm .runner # allow to repeat it with a single runner app
./config.sh --unattended --ephemeral --no-default-labels ...
# now create the base64 json by reading the three files created after configure

[gabriel-samfira]

I see. I was able to find references to JIT runners for enterprises in the github swagger definitions but only for GHEC, not GHES. So I think you're right. This will probably be added in a future GHES release. I'll wait until it reaches all channels before updating to this.

Thanks!

[ChristopherHX]

@gabriel-samfira I found the GHES version number it is 3.10.0 it still takes a while.

I expected that the openapi docs have a docs feature flag, but only the security hardening page had used the feature flag.

https://github.com/github/docs/blob/2299de398c32b0e86a196b64618c7078616f5832/data/features/actions-single-use-tokens.yml#L4

I hope they improve the docs.

[gabriel-samfira]

In regards to creating the credentials_rsaparams on Windows, it seems that they are encrypted using the usual windows crypto stack. From PowerShell you can encrypt it like so: https://github.com/cloudbase/garm-provider-common/blob/main/cloudconfig/templates.go#L449-L453

[ChristopherHX]

My own golang actions runner implemention can now create jitconfig tokens like a drop in replacement for the actions api until GHES 3.10.0.

It uses the same api as actions/runner, but reimplemented in golang.

Using the tool might be even more secure, because your RSA private key is never transfered over the internet

# Using runner token
jitconfig="$(github-act-runner configure --ephemeral --disableupdate --no-default-labels --labels <comma seperated labels> --url <registration url> --token <token> --work _work --print-jitconfig --unattended)"
# Using a personal access token / GitHub App installation token
jitconfig="$(github-act-runner configure --ephemeral --disableupdate --no-default-labels --labels <comma seperated labels> --url <registration url> --pat <pat> --work _work --print-jitconfig --unattended)"

You find the tool here

[gabriel-samfira]

Thus is cool! Thanks!