Run as NETWORK SERVICE on Windows

Having the runner run as the SYSTEM account causes a bunch of weird issues because it's profile directory is under C:\Windows\System32 which is subject to WoW64 folder redirection.

When registered using config.cmd actions-runner registers the service to run as NT AUTHORITY\NETWORK SERVICE which doesn't have this same issue. This changes GARM to also use that same service user which also requires running the service executable in a special "init" mode to register a Event Log Trace Source (without doing this the service silently does nothing).

Author: KBjorndal-VizRT

cloudconfig/templates.go

@@ -533,7 +533,15 @@ function Install-Runner() {
 
 		Update-GarmStatus -CallbackURL $CallbackURL -Message "Creating system service"
 		$SVC_NAME=(gc -raw $serviceNameFile)
-		New-Service -Name "$SVC_NAME" -BinaryPathName "C:\actions-runner\bin\RunnerService.exe" -DisplayName "$SVC_NAME" -Description "GitHub Actions Runner ($SVC_NAME)" -StartupType Automatic
+  		# Run as NT AUTHORITY\NETWORK SERVICE, same as what actions-runner does
+		$servicePrincipal = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::NetworkServiceSid, $Null)
+		$serviceUser = $servicePrincipal.Translate([System.Security.Principal.NTAccount]).Value
+		$serviceCredential = New-Object System.Management.Automation.PSCredential ($serviceUser, (New-Object System.Security.SecureString))
+
+		# Have the service register itself as an Event Log Trace Source, this needs to run with elevated permissions
+		./bin/RunnerService.exe init
+
+		New-Service -Name "$SVC_NAME" -BinaryPathName "C:\actions-runner\bin\RunnerService.exe" -DisplayName "$SVC_NAME" -Description "GitHub Actions Runner ($SVC_NAME)" -StartupType Automatic -Credential $serviceCredential
 		Start-Service "$SVC_NAME"
 		Set-SystemInfo -CallbackURL $CallbackURL -RunnerDir $runnerDir -BearerToken $Token
 		Update-GarmStatus -Message "runner successfully installed" -CallbackURL $CallbackURL -Status "idle" | Out-Null