Syncing with upstream

.devcontainer/devcontainer.json

@@ -4,7 +4,7 @@
   "features": {
     "ghcr.io/devcontainers/features/docker-in-docker:1": {},
     "ghcr.io/devcontainers/features/dotnet": {
-      "version": "8.0.407"
+      "version": "8.0.408"
     },
     "ghcr.io/devcontainers/features/node:1": {
       "version": "20"

.github/copilot-instructions.md

@@ -0,0 +1,25 @@
+## Making changes
+
+### Tests
+
+Whenever possible, changes should be accompanied by non-trivial tests that meaningfully exercise the core functionality of the new code being introduced.
+
+All tests are in the `Test/` directory at the repo root. Fast unit tests are in the `Test/L0` directory and by convention have the suffix `L0.cs`. For example: unit tests for a hypothetical `src/Runner.Worker/Foo.cs` would go in `src/Test/L0/Worker/FooL0.cs`.
+
+Run tests using this command:
+
+```sh
+cd src && ./dev.sh test
+```
+
+### Formatting
+
+After editing .cs files, always format the code using this command:
+
+```sh
+cd src && ./dev.sh format
+```
+
+### Feature Flags
+
+Wherever possible, all changes should be safeguarded by a feature flag; `Features` are declared in [Constants.cs](src/Runner.Common/Constants.cs).

.github/workflows/release.yml

@@ -20,7 +20,6 @@ jobs:
       with:
         github-token: ${{secrets.GITHUB_TOKEN}}
         script: |
-          const core = require('@actions/core')
           const fs = require('fs');
           const runnerVersion = fs.readFileSync('${{ github.workspace }}/src/runnerversion', 'utf8').replace(/\n$/g, '')
           const releaseVersion = fs.readFileSync('${{ github.workspace }}/releaseVersion', 'utf8').replace(/\n$/g, '')
@@ -30,7 +29,7 @@ jobs:
             return
           }
           try {
-            const release = await github.repos.getReleaseByTag({
+            const release = await github.rest.repos.getReleaseByTag({
               owner: '${{ github.event.repository.owner.name }}',
               repo: '${{ github.event.repository.name }}',
               tag: 'v' + runnerVersion
@@ -176,7 +175,6 @@ jobs:
       with:
         github-token: ${{secrets.GITHUB_TOKEN}}
         script: |
-          const core = require('@actions/core')
           const fs = require('fs');
           const runnerVersion = fs.readFileSync('${{ github.workspace }}/src/runnerversion', 'utf8').replace(/\n$/g, '')
           var releaseNote = fs.readFileSync('${{ github.workspace }}/releaseNote.md', 'utf8').replace(/<RUNNER_VERSION>/g, runnerVersion)
@@ -216,7 +214,7 @@ jobs:
 
     # Upload release assets (full runner packages)
     - name: Upload Release Asset (win-x64)
-      uses: actions/[email protected].1
+      uses: actions/[email protected].2
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
@@ -226,7 +224,7 @@ jobs:
         asset_content_type: application/octet-stream
 
     - name: Upload Release Asset (win-arm64)
-      uses: actions/[email protected].1
+      uses: actions/[email protected].2
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
@@ -236,7 +234,7 @@ jobs:
         asset_content_type: application/octet-stream
 
     - name: Upload Release Asset (linux-x64)
-      uses: actions/[email protected].1
+      uses: actions/[email protected].2
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
@@ -246,7 +244,7 @@ jobs:
         asset_content_type: application/octet-stream
 
     - name: Upload Release Asset (osx-x64)
-      uses: actions/[email protected].1
+      uses: actions/[email protected].2
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
@@ -256,7 +254,7 @@ jobs:
         asset_content_type: application/octet-stream
 
     - name: Upload Release Asset (osx-arm64)
-      uses: actions/[email protected].1
+      uses: actions/[email protected].2
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
@@ -266,7 +264,7 @@ jobs:
         asset_content_type: application/octet-stream
 
     - name: Upload Release Asset (linux-arm)
-      uses: actions/[email protected].1
+      uses: actions/[email protected].2
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
@@ -276,7 +274,7 @@ jobs:
         asset_content_type: application/octet-stream
 
     - name: Upload Release Asset (linux-arm64)
-      uses: actions/[email protected].1
+      uses: actions/[email protected].2
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:

docs/adrs/0276-problem-matchers.md

@@ -250,6 +250,42 @@ Two problem matchers can be used:
 }
 ```
 
+#### Default from path
+
+The problem matcher can specify a `fromPath` property at the top level, which applies when a specific pattern doesn't provide a value for `fromPath`. This is useful for tools that don't include project file information in their output.
+
+For example, given the following compiler output that doesn't include project file information:
+
+```
+ClassLibrary.cs(16,24): warning CS0612: 'ClassLibrary.Helpers.MyHelper.Name' is obsolete
+```
+
+A problem matcher with a default from path can be used:
+
+```json
+{
+    "problemMatcher": [
+        {
+            "owner": "csc-minimal",
+            "fromPath": "ClassLibrary/ClassLibrary.csproj",
+            "pattern": [
+                {
+                    "regexp": "^(.+)\\((\\d+),(\\d+)\\): (error|warning) (.+): (.*)$",
+                    "file": 1,
+                    "line": 2,
+                    "column": 3,
+                    "severity": 4,
+                    "code": 5,
+                    "message": 6
+                }
+            ]
+        }
+    ]
+}
+```
+
+This ensures that the file is rooted to the correct path when there's not enough information in the error messages to extract a `fromPath`.
+
 #### Mitigate regular expression denial of service (ReDos)
 
 If a matcher exceeds a 1 second timeout when processing a line, retry up to two three times total.

images/Dockerfile

@@ -4,9 +4,9 @@ FROM mcr.microsoft.com/dotnet/runtime-deps:8.0-jammy AS build
 ARG TARGETOS
 ARG TARGETARCH
 ARG RUNNER_VERSION
-ARG RUNNER_CONTAINER_HOOKS_VERSION=0.6.1
-ARG DOCKER_VERSION=28.0.1
-ARG BUILDX_VERSION=0.21.2
+ARG RUNNER_CONTAINER_HOOKS_VERSION=0.7.0
+ARG DOCKER_VERSION=28.1.1
+ARG BUILDX_VERSION=0.23.0
 
 RUN apt update -y && apt install curl unzip -y
 

releaseNote.md

@@ -1,36 +1,37 @@
 ## What's Changed
-* Bump docker/login-action from 2 to 3 by @dependabot in https://github.com/actions/runner/pull/3673
-* Bump actions/stale from 8 to 9 by @dependabot in https://github.com/actions/runner/pull/3554
-* Bump docker/build-push-action from 3 to 6 by @dependabot in https://github.com/actions/runner/pull/3674
-* update node version from 20.18.0 -> 20.18.2 by @aiqiaoy in https://github.com/actions/runner/pull/3682
-* Pass BillingOwnerId through Acquire/Complete calls by @luketomlinson in https://github.com/actions/runner/pull/3689
-* Do not retry CompleteJobAsync for known non-retryable errors by @ericsciple in https://github.com/actions/runner/pull/3696
-* Update dotnet sdk to latest version @8.0.406 by @github-actions in https://github.com/actions/runner/pull/3712
-* Update Dockerfile with new docker and buildx versions by @thboop in https://github.com/actions/runner/pull/3680
-* chore: remove redundant words by @finaltrip in https://github.com/actions/runner/pull/3705
-* fix: actions feedback link is incorrect by @Yaminyam in https://github.com/actions/runner/pull/3165
-* Bump actions/github-script from 0.3.0 to 7.0.1 by @dependabot in https://github.com/actions/runner/pull/3557
-* Docker container provenance by @paveliak in https://github.com/actions/runner/pull/3736
-* Add request-id to http eventsource trace. by @TingluoHuang in https://github.com/actions/runner/pull/3740
-* Update Bocker and Buildx version to mitigate images scanners alerts by @Blizter in https://github.com/actions/runner/pull/3750
-* Fix typo, add invariant culture to timestamp for workflow log reporting by @GhadimiR in https://github.com/actions/runner/pull/3749
-* Create vssconnection to actions service when URL provided. by @TingluoHuang in https://github.com/actions/runner/pull/3751
-* Housekeeping: Update npm packages and node version by @thboop in https://github.com/actions/runner/pull/3752
-* Improve the out-of-date warning message. by @tecimovic in https://github.com/actions/runner/pull/3595
-* Update dotnet sdk to latest version @8.0.407 by @github-actions in https://github.com/actions/runner/pull/3753
-* Exit hosted runner cleanly during deprovisioning. by @TingluoHuang in https://github.com/actions/runner/pull/3755
-* Send annotation title to run-service. by @TingluoHuang in https://github.com/actions/runner/pull/3757
-* Allow server enforce runner settings. by @TingluoHuang in https://github.com/actions/runner/pull/3758
-* Support refresh runner configs with pipelines service. by @TingluoHuang in https://github.com/actions/runner/pull/3706
+* Increase error body max length before truncation by @ericsciple in https://github.com/actions/runner/pull/3762
+* Fix release.yml break by upgrading actions/github-script by @TingluoHuang in https://github.com/actions/runner/pull/3772
+* Small runner code cleanup. by @TingluoHuang in https://github.com/actions/runner/pull/3773
+* Enable hostcontext to track auth migration. by @TingluoHuang in https://github.com/actions/runner/pull/3776
+* Add option in OAuthCred to load authUrlV2. by @TingluoHuang in https://github.com/actions/runner/pull/3777
+* Remove create session with broker in MessageListener. by @TingluoHuang in https://github.com/actions/runner/pull/3782
+* Enable auth migration based on config refresh. by @TingluoHuang in https://github.com/actions/runner/pull/3786
+* Set JWT.alg to PS256 with PssPadding. by @TingluoHuang in https://github.com/actions/runner/pull/3789
+* Enable FIPS by default. by @TingluoHuang in https://github.com/actions/runner/pull/3793
+* Support auth migration using authUrlV2 in Runner/MessageListener. by @TingluoHuang in https://github.com/actions/runner/pull/3787
+* Cleanup feature flag actions_skip_retry_complete_job_upon_known_errors by @ericsciple in https://github.com/actions/runner/pull/3806
+* Update dotnet sdk to latest version @8.0.408 by @github-actions in https://github.com/actions/runner/pull/3808
+* Bump hook to 0.7.0 by @nikola-jokic in https://github.com/actions/runner/pull/3813
+* Allow enable auth migration by default. by @TingluoHuang in https://github.com/actions/runner/pull/3804
+* Do not retry /renewjob on 404 by @ericsciple in https://github.com/actions/runner/pull/3828
+* Bump Microsoft.NET.Test.Sdk from 17.12.0 to 17.13.0 in /src by @dependabot in https://github.com/actions/runner/pull/3719
+* Add copilot-instructions.md by @pje in https://github.com/actions/runner/pull/3810
+* Bump actions/upload-release-asset from 1.0.1 to 1.0.2 by @dependabot in https://github.com/actions/runner/pull/3553
+* Ignore exception during auth migration. by @TingluoHuang in https://github.com/actions/runner/pull/3835
+* feat: default fromPath for problem matchers by @dsanders11 in https://github.com/actions/runner/pull/3802
+* Bump Azure.Storage.Blobs from 12.23.0 to 12.24.0 in /src by @dependabot in https://github.com/actions/runner/pull/3837
+* Bump nodejs version. by @TingluoHuang in https://github.com/actions/runner/pull/3840
+* Feature-flagged support for `JobContext.CheckRunID` by @pje in https://github.com/actions/runner/pull/3811
+* Bump System.ServiceProcess.ServiceController from 8.0.0 to 8.0.1 in /src by @dependabot in https://github.com/actions/runner/pull/3844
+* Bump xunit.runner.visualstudio from 2.5.8 to 2.8.2 in /src by @dependabot in https://github.com/actions/runner/pull/3845
+* Make sure the token's claims are match as expected. by @TingluoHuang in https://github.com/actions/runner/pull/3846
+* Prefer _migrated config on startup by @lokesh755 in https://github.com/actions/runner/pull/3853
+* Update docker and buildx by @TingluoHuang in https://github.com/actions/runner/pull/3854
 
 ## New Contributors
-* @finaltrip made their first contribution in https://github.com/actions/runner/pull/3705
-* @Yaminyam made their first contribution in https://github.com/actions/runner/pull/3165
-* @Blizter made their first contribution in https://github.com/actions/runner/pull/3750
-* @GhadimiR made their first contribution in https://github.com/actions/runner/pull/3749
-* @tecimovic made their first contribution in https://github.com/actions/runner/pull/3595
+* @dsanders11 made their first contribution in https://github.com/actions/runner/pull/3802
 
-**Full Changelog**: https://github.com/actions/runner/compare/v2.322.0...v2.323.0
+**Full Changelog**: https://github.com/actions/runner/compare/v2.323.0...v2.324.0
 
 _Note: Actions Runner follows a progressive release policy, so the latest release might not be available to your enterprise, organization, or repository yet.
 To confirm which version of the Actions Runner you should expect, please view the download instructions for your enterprise, organization, or repository.

src/Misc/externals.sh

@@ -6,7 +6,7 @@ NODE_URL=https://nodejs.org/dist
 NODE_ALPINE_URL=https://github.com/actions/alpine_nodejs/releases/download
 # When you update Node versions you must also create a new release of alpine_nodejs at that updated version.
 # Follow the instructions here: https://github.com/actions/alpine_nodejs?tab=readme-ov-file#getting-started
-NODE20_VERSION="20.19.0"
+NODE20_VERSION="20.19.1"
 
 get_abs_path() {
   # exploits the fact that pwd will print abs path when no args

src/Runner.Common/AuthMigration.cs

@@ -0,0 +1,13 @@
+using System;
+
+namespace GitHub.Runner.Common
+{
+    public class AuthMigrationEventArgs : EventArgs
+    {
+        public AuthMigrationEventArgs(string trace)
+        {
+            Trace = trace;
+        }
+        public string Trace { get; private set; }
+    }
+}

src/Runner.Common/BrokerServer.cs

@@ -37,6 +37,7 @@ public sealed class BrokerServer : RunnerService, IBrokerServer
 
         public async Task ConnectAsync(Uri serverUri, VssCredentials credentials)
         {
+            Trace.Entering();
             _brokerUri = serverUri;
 
             _connection = VssUtil.CreateRawConnection(serverUri, credentials);
@@ -88,7 +89,12 @@ public Task UpdateConnectionIfNeeded(Uri serverUri, VssCredentials credentials)
 
         public Task ForceRefreshConnection(VssCredentials credentials)
         {
-            return ConnectAsync(_brokerUri, credentials);
+            if (!string.IsNullOrEmpty(_brokerUri?.AbsoluteUri))
+            {
+                return ConnectAsync(_brokerUri, credentials);
+            }
+
+            return Task.CompletedTask;
         }
 
         public bool ShouldRetryException(Exception ex)

src/Runner.Common/ConfigurationStore.cs

@@ -116,6 +116,7 @@ public interface IConfigurationStore : IRunnerService
         bool IsConfigured();
         bool IsServiceConfigured();
         bool HasCredentials();
+        bool IsMigratedConfigured();
         CredentialData GetCredentials();
         CredentialData GetMigratedCredentials();
         RunnerSettings GetSettings();
@@ -198,6 +199,14 @@ public bool IsServiceConfigured()
             return serviceConfigured;
         }
 
+        public bool IsMigratedConfigured()
+        {
+            Trace.Info("IsMigratedConfigured()");
+            bool configured = new FileInfo(_migratedConfigFilePath).Exists;
+            Trace.Info("IsMigratedConfigured: {0}", configured);
+            return configured;
+        }
+
         public CredentialData GetCredentials()
         {
             if (_creds == null)

src/Runner.Common/Constants.cs

@@ -155,15 +155,19 @@ public static class ReturnCode
                 public const int RunnerUpdating = 3;
                 public const int RunOnceRunnerUpdating = 4;
                 public const int SessionConflict = 5;
+                // Temporary error code to indicate that the runner configuration has been refreshed
+                // and the runner should be restarted. This is a temporary code and will be removed in the future after
+                // the runner is migrated to runner admin.
+                public const int RunnerConfigurationRefreshed = 6;
             }
 
             public static class Features
             {
                 public static readonly string DiskSpaceWarning = "runner.diskspace.warning";
                 public static readonly string LogTemplateErrorsAsDebugMessages = "DistributedTask.LogTemplateErrorsAsDebugMessages";
-                public static readonly string SkipRetryCompleteJobUponKnownErrors = "actions_skip_retry_complete_job_upon_known_errors";
                 public static readonly string UseContainerPathForTemplate = "DistributedTask.UseContainerPathForTemplate";
                 public static readonly string AllowRunnerContainerHooks = "DistributedTask.AllowRunnerContainerHooks";
+                public static readonly string AddCheckRunIdToJobContext = "actions_add_check_run_id_to_job_context";
             }
 
             public static readonly string InternalTelemetryIssueDataKey = "_internal_telemetry";