[CRITICAL] self-hosted label is missing from all scale-set (AutoscalingRunnerSet) runners
#3330
Comments
thesuperzapper
added
bug
|
Hello! Thank you for filing an issue. The maintainers will triage your issue shortly. In the meantime, please take a look at the troubleshooting guide for bug reports. If this is a feature request, please review our contribution guidelines. |
|
@nikola-jokic @Link- this is really a critical issue, and I would like to know your plan to resolve it. |
|
Hey @thesuperzapper, This limitation is by design. Please read this discussion post and feel free to comment on it. The more feedback, the better |
@nikola-jokic I think you may have misunderstood my request, I am not asking for arbitrary labels, just the addition of a common If not, you really need to update the GitHub docs, as they are currently incorrect to say |
|
Hey @thesuperzapper, I knew what you meant |
|
@nikola-jokic that discussion is more generic than this issue, it was about allowing multiple arbitrary labels. Can we please reopen this issue, so people can specifically discuss the idea of re-adding |
|
Hey @thesuperzapper, I mean this scale set label is by design. It is not a bug. If the reason to re-open the issue is to have a discussion, please use discussions for that. I want to point out that it is not more generic. There is a big difference between a single label and multiple labels. If the combination of two labels ( |
|
I'm with @thesuperzapper on this. The idea that the See here: @tmehlinger called it out really well here, and frankly this thread is incredibly dismissive of understanding WHY this is critical. @nebu, is this something you folks can look into? Also: @nikola-jokic I'd highly recommend a different choice of emote. It truly reads quite patronizing to customers who are actively bringing attention to issues, not making requests. |
|
Hey @danmanners, Sorry if it feels that way, I'm not trying to be patronizing. I'm just explaining the current reasoning and saying that the feedback would be much more valuable if it were submitted on the discussion post. I simply kindly asked @thesuperzapper to submit it there. |
|
Personally, I view this as a bug. So I did not think discussions were the appropriate place to raise it. |
Totally agree with this. Adding
Having |
|
I see no other option than to raise this with higher-level people at GitHub, there is clearly some kind of issue here with the GitHub Actions team. @ashtom @kdaigle @mph4 I would like to bring this issue to your attention. The GHA team is refusing to resolve a critical security issue with GHA which could result in self-hosted customer jobs running on public runners. Separately, I find it strange that labels for GitHub Actions Runners have effectively been deprecated without so much as a blog post or migration plan for your enterprise customers, see the comment from @Link- in #2921 (comment). PS: Please understand that I love GitHub, and I only raise this issue because there has clearly been some kind of breakdown within the GHA team, and I would love to continue recommending GHA to my customers. |
|
Hey! As far as a security issue, if you need to scope down to ensure there is no conflict on jobs - you can use the runner group scoping which will achieve exactly the behavior you have highlighted as missing here. i.e. if you create a self-hosted runner in a runner-group called ubuntu-latest, you could add scope for the runner group it's in to the same effect. I will add some feedback onto the other threads relating to the wider ask/other needs to support this by the end of the week! |
|
@nebuk89 runner groups are an enterprise only feature, so not an option in many cases. Even orgs that pay for this enterprise feature often have related projects contained in a separate org which do not have groups enabled. For example, my org is paid but we have a related open source project which is not enterprise. See #2921 (reply in thread) for more info on how this doesn't just impact security, it also impacts availability and reliability. |
|
@nebuk89 separate to the security issue, it's also just kind of crazy to remove I have many customers who have literally thousands of GHA jobs which now need to be updated and re-architected. Even in the simplest case (where they were previously only selecting a single label), they need to update the Also, because you have deprecated runner labels, potentially thousands of GHA jobs need to be re-architected (suboptimally). It's no longer possible to achieve a scoped approach to selecting the kind of runner you want. Previously you could define a scoped list of labels:
And only select the actual criteria that your job needs (which also acts as a form of documentation for the job). Are you really expecting your customers to do a bunch of work because you don't want to implement a feature? Finally, when you make a breaking change to something, you write a blog post, update the documentation, send an email, or really document the fact that there is now a new limitation literally ANYWHERE permanent (more than just a comment on a discussion thread). This is completely aside to the fact that trying to replace the concept of labels with literally a "name" (which is what a single label really is), is frankly ridiculous. |
|
I 100% agree with the comments in this post. GitHub really needs to be made aware of this and the impact it is causing. See my reply on 2921. I offered some solutions that could be used as a workaround. It's really unfortunate that the early adopters of github actions are getting punished for literally following github's own documentation about how you SHOULD use runner labels in an array. This is a massive breaking change that serves no clear benefit as far as I can tell, and only causes problems for enterprise customers who have been using github actions for several years. |
|
Hi all: I lead the Actions product management team at GitHub. We appreciate you raising awareness around the functionality of self-hosted labels for GitHub Actions Runner Controller. Our team is taking a deeper look into your feedback around this issue to determine its risk and severity, and we will follow up once we have an update to share. As a note: we also encourage submissions to our bug bounty program if you believe there is a serious security issue in any of our products. |
|
@juliandunn thank you for taking a closer look! |
|
I have dropped a follow-up post discussing with @juliandunn here: #3340 so we can start to reduce the number of places we are discussing the same items. |
Checks
Controller Version
0.8.3
Deployment Method
Other
Checks
To Reproduce
Describe the bug
Currently, runners managed by the new
AutoscalingRunnerSetdo not have theself-hostedlabel, this is an important security measure that prevents accidentally selecting public GitHub action runners (if I happen to use the same name as an upstream one, e.g.ubuntu-latest)Additionally, this will make it impossible for many organizations to update to use
AutoscalingRunnerSet, as they probably have thousands of workflows that selectruns_on: ["self-hosted", "CUSTOM_LABEL"]given that this is explicitly recommended in the GitHub docs, which say:Furthermore, because
AutoscalingRunnerSetdon't support custom labels, we can't even manually addself-hosted:PS: separate from this issue, is there a particular reason for the regression in the ability to have multiple custom labels?
Describe the expected behavior
Every runner managed by ScaleSets have the
self-hostedlabel, in addition to whatever their custom label it has.Additional Context
N/AController Logs
Runner Pod Logs
The text was updated successfully, but these errors were encountered: