CNB support added for Heroku FIR

Author: abernicchia-heroku

.dockerignore

@@ -0,0 +1,43 @@
+# Version control
+.git
+.gitignore
+
+# Editor/project files
+.idea/
+.vscode/
+.DS_Store
+Thumbs.db
+ehthumbs.db
+
+# Local/dev tools and caches
+.sfdx/
+.eslintcache
+.act/
+.cursor/
+
+# Logs and debug files
+logs
+*.log
+
+# Environment and secret files
+*.env
+*.dev
+.act
+
+# Documentation and non-runtime files
+app.json
+heroku.yml
+project.toml
+inline-cnb-build.sh
+README.md
+CONTRIBUTING.md
+SECURITY.md
+LICENSE.txt
+CODEOWNERS
+CODE_OF_CONDUCT.md
+
+# Build/test artifacts and images
+images/
+
+# GitHub workflows and configs
+.github/

.gitignore

@@ -39,3 +39,4 @@ $RECYCLE.BIN/
 *.env
 *.dev
 .act
+.cursor/

Dockerfile

@@ -10,6 +10,10 @@ ARG DEBIAN_FRONTEND=noninteractive
 # https://devcenter.heroku.com/articles/build-docker-images-heroku-yml#set-build-time-environment-variables
 ARG RUNNER_VERSION=latest
 
+# this ARG can be overridden changing the heroku.yml, it must be 'x64' (or 'arm64' when supported along with Dockerfile)
+# https://devcenter.heroku.com/articles/build-docker-images-heroku-yml#set-build-time-environment-variables
+ARG RUNNER_ARCH=x64
+
 USER root
 
 # Switch to bash shell.
@@ -66,7 +70,7 @@ WORKDIR ${ACTIONS_DIR}
 
 # Download the latest GitHub Actions runner package.
 COPY install-actions-runner.sh /tmp/install-actions-runner.sh
-RUN sh /tmp/install-actions-runner.sh "$RUNNER_VERSION" && rm -f /tmp/install-actions-runner.sh
+RUN sh /tmp/install-actions-runner.sh "$RUNNER_VERSION" "$RUNNER_ARCH" && rm -f /tmp/install-actions-runner.sh
 
 # ------------------------------------------------------------------------------
 # Copy files and set permissions

README.md

@@ -1,8 +1,8 @@
 ## Heroku-hosted runner for GitHub Actions
 
-This project defines a `Dockerfile` to run a custom Heroku-hosted runner for Github Actions (see also [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners)).
+This project defines a `Dockerfile`/`CNB` to build and run a custom Heroku-hosted runner for Github Actions (see also [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners)).
 
-The runner is hosted on [Heroku as a docker image](https://devcenter.heroku.com/articles/build-docker-images-heroku-yml) via `heroku.yml`.
+The runner is hosted on Heroku as a [docker image](https://devcenter.heroku.com/articles/build-docker-images-heroku-yml) via `heroku.yml` or [OCI image](https://devcenter.heroku.com/articles/buildpacks#cloud-native-buildpacks) via `project.toml`.
 
 ## How it works
 
@@ -102,7 +102,7 @@ This project includes a workflow that can be run manually or automatically sched
 
 To take advantage of the above automation you need to [fork](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo) or [mirror](https://docs.github.com/en/repositories/creating-and-managing-repositories/duplicating-a-repository#mirroring-a-repository-in-another-location) this repository to your private organisation's repository and enable workflows run.
 
-If you need to implement version pinning to avoid potential supply chain vulnerabilities, it's possible to configure a specific runner version (see `RUNNER_VERSION` in heroku.yml). In this case you'll have to modify manually the version and run the above mentioned workflow manually and the scheduled workflow execution can be disabled.
+If you need to implement version pinning to avoid potential supply chain vulnerabilities, it's possible to configure a specific runner version (see `RUNNER_VERSION` in heroku.yml/project.toml). In this case you'll have to modify manually the version and run the above mentioned workflow manually and the scheduled workflow execution can be disabled.
 
 Whenever the runner package is downloaded (either the latest or a specific version) the SHA256 checksum is verified, if the computed checksum does not match with the expected one the build fails.
 
@@ -112,10 +112,11 @@ This new release:
 - Uses ephemeral compute to allow [autoscaling](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling) and [hardening](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners) of self-hosted runners. Ephemeral runners are short-lived containers that are executed only once for a single job, providing isolated environments to reduce the risk of data leakage
 - Uses a [base image](https://devcenter.heroku.com/articles/stack) that is curated and maintained by Heroku
 - Logs the self-runner name to manage it from the GitHub dashboard
-- Reduces the Docker image footprint and it's possible to run it as one-off dyn
+- Reduces the Docker/OCI image footprint and it's possible to run it as one-off dyno (Cedar only)
 - Includes all the recent GitHub self-hosted runners features (e.g. labels, groups, ...) and streamlines the configuration and setup
-- Integrates the [Heroku Button](https://www.heroku.com/elements/buttons) to install the runner in one-click
+- Integrates the [Heroku Button](https://www.heroku.com/elements/buttons) to install the runner in one-click (Cedar only)
 - Supports fine-grained GitHub tokens for granular permission control
+- Can be executed on both Heroku Cedar and Heroku Next Generation Platform Fir
 
 ## Security Notes and Recommendations
 Below are summarised some general recommendations to improve security for using GitHub Actions and self-hosted runners, for a complete guide and further details please refer to [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions):
@@ -155,7 +156,6 @@ Below are summarised some general recommendations to improve security for using
 ## Limits and Considerations
 - As the runner image is not based on the [standard GitHub dockerfile](https://github.com/actions/runner/blob/main/images/Dockerfile) then some Actions might not work as expected
 - Currently, it's not possible to run GitHub Actions requiring docker/rootless-docker as they need higher privileges that are not allowed on Heroku dynos for security reasons
-- The runner cannot be executed on [Fir](https://devcenter.heroku.com/changelog-items/3071) yet, requiring an ARM based image
 
 
 ## Credits

heroku.yml

@@ -3,6 +3,7 @@
 build:
   config:
     RUNNER_VERSION: latest
+    RUNNER_ARCH: x64
   docker:
     runner: Dockerfile
 

inline-cnb-build.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "---> Heroku-hosted runner for GitHub Actions buildpack (CNB style)"
+
+# Set APP_DIR to current working directory (where application source is located during build)
+APP_DIR="$(pwd)"
+
+# remove all the files in the buildpack working directory that are not required for the build
+# Only keep start.sh and install-actions-runner.sh files
+find . -mindepth 1 ! -name "start.sh" ! -name "install-actions-runner.sh" -delete
+
+chmod +x "${APP_DIR}/start.sh"
+
+mkdir -p "${APP_DIR}/actions-runner"
+
+# Use the version from env or default to 'latest'
+RUNNER_VERSION="${RUNNER_VERSION:-latest}"
+
+# Use the architecture from CNB_TARGET_ARCH that can be amd64=>x64 or arm64
+if [[ "${CNB_TARGET_ARCH}" == "amd64" ]]; then
+    RUNNER_ARCH="x64"
+else
+    RUNNER_ARCH="${CNB_TARGET_ARCH:-arm64}"
+fi
+
+# Run the install script
+chmod +x "${APP_DIR}/install-actions-runner.sh"
+cd "${APP_DIR}/actions-runner" && "${APP_DIR}/install-actions-runner.sh" "$RUNNER_VERSION" "$RUNNER_ARCH"
+rm "${APP_DIR}/install-actions-runner.sh"
+
+# Write launch.toml to define the default process
+# The launch.toml must be created in CNB_LAYERS_DIR even when running from workspace
+cat > "${CNB_LAYERS_DIR}/launch.toml" <<EOL
+[[processes]]
+type = "runner"
+command = ["${APP_DIR}/start.sh"]
+default = true
+EOL

install-actions-runner.sh

@@ -12,15 +12,34 @@ validate_version() {
     fi
 }
 
+# Function to validate architecture input
+validate_arch() {
+    local arch="$1"
+    if [[ "$arch" == "x64" || "$arch" == "arm64" ]]; then
+        echo "$arch"
+    else
+        echo "Error: Architecture must be 'x64' or 'arm64'"
+        exit 1
+    fi
+}
+
 # Check if version parameter is provided
 if [ -z "$1" ]; then
     echo "Error: Please provide a version (e.g. 'latest' or '2.320.1')."
-    echo "Usage: $0 <version>"
+    echo "Usage: $0 <version> <arch>"
+    exit 1
+fi
+
+# Check if architecture parameter is provided
+if [ -z "$2" ]; then
+    echo "Error: Please provide the runner architecture ('x64' or 'arm64')."
+    echo "Usage: $0 <version> <arch>"
     exit 1
 fi
 
-# Validate the version input
+# Validate the version and architecture input
 VERSION_INPUT=$(validate_version "$1")
+ARCH_INPUT=$(validate_arch "$2")
 
 # Define the GitHub repository and API endpoint
 if [ "$VERSION_INPUT" == "latest" ]; then
@@ -42,9 +61,9 @@ if [ -z "$RUNNER_VERSION" ]; then
 fi
 echo "Latest version: ${RUNNER_VERSION}"
 
-# Define the asset name (e.g., for Linux x64; adjust as needed)
+# Define the asset name (e.g., for Linux x64 / arm64)
 RUNNER_OS="linux"
-RUNNER_ARCH="x64"
+RUNNER_ARCH="$ARCH_INPUT"
 
 ASSET_NAME="actions-runner-${RUNNER_OS}-${RUNNER_ARCH}-${RUNNER_VERSION}.tar.gz"
 # printf is used to parse RELEASE_JSON as it might contain unescaped control characters (like newlines, tabs, ...)
@@ -88,10 +107,10 @@ else
     fi
 fi
 
-# Extract the runner and install some additional dependencies
+# Extract the runner. The additional dependencies usually required are already included using Heroku stack.
 # https://github.com/actions/runner/blob/main/docs/start/envlinux.md#install-net-core-3x-linux-dependencies
-tar xvfz "${ASSET_NAME}" && ./bin/installdependencies.sh
+tar xvfz "${ASSET_NAME}"
 
 # Clean up
 rm -f "${ASSET_NAME}"
-echo "Cleaned up downloaded file."
+echo "Cleaned up downloaded file." 

project.toml

@@ -0,0 +1,21 @@
+[_]
+schema-version = "0.2"
+
+[[io.buildpacks.group]]
+id = "heroku/github-actions-runner"
+version = "1.0.0"
+
+  [io.buildpacks.group.script]
+  api = "0.11"
+  inline = "./inline-cnb-build.sh"
+
+[build]
+builder = "heroku/builder:24"
+
+[[io.buildpacks.build.env]]
+name='RUNNER_VERSION'
+value='latest'
+
+# to build it locally with pack for arm64/amd64:
+# pack build my-runner-app --builder heroku/builder:24 --platform linux/arm64
+# pack build my-runner-app --builder heroku/builder:24 --platform linux/amd64

start.sh

@@ -2,6 +2,7 @@
 
 # This file inspired by tutorial at
 # https://testdriven.io/blog/github-actions-docker/
+# It selects the runner directory based on the packaging method (Dockerfile or CNB buildpack)
 
 # Requests a temporary token to register a GitHub runner.
 # https://docs.github.com/en/rest/reference/actions#create-a-registration-token-for-an-organization
@@ -15,7 +16,7 @@
 # GitHub access tokens can contain alphanumeric characters (a-z, A-Z, 0-9), underscores (_)
 [[ "${GITHUB_ACCESS_TOKEN}" ]] || { echo "GITHUB_ACCESS_TOKEN is required"; exit 1; }
 [[ "${GITHUB_ACCESS_TOKEN}" =~ ^[a-zA-Z0-9_]+$ ]] || { echo "GITHUB_ACCESS_TOKEN contains invalid characters"; exit 1; }
-# saving it localli before removing the env var (see unset_vars)
+# saving it locally before removing the env var (see unset_vars)
 LOCAL_GITHUB_ACCESS_TOKEN="${GITHUB_ACCESS_TOKEN}"
 
 # HIDDEN_ENV_VARS must only contain a list of space separated Heroku env vars. Those can contain uppercase letters (A-Z), numbers (0-9), underscores (_)
@@ -80,11 +81,19 @@ detachRunner() {
     --token "${GITHUB_REG_TOKEN}"
 }
 
-# Recall that this script is running in our dockerized image on Heroku.
-# Our Dockerfile created a user named 'docker' and the following directory is
-# where it installed the GitHub Actions self-hosting runner package.
-# We now navigate to that directory to start the runner.
-cd "${HOME}"/actions-runner || { echo "error while changing directory to ${HOME}/actions-runner"; exit 1; }
+# Directory selection logic
+# If the installation was done in the Dockerfile, use the Dockerfile path
+# Otherwise, default to CNB path that is in the current working directory
+if [[ -d "${HOME}/actions-runner" ]]; then
+  RUNNER_DIR="${HOME}/actions-runner"
+elif [[ -d "${PWD}/actions-runner" ]]; then
+  RUNNER_DIR="${PWD}/actions-runner"
+else
+  echo "Could not determine runner directory. Neither CNB nor Dockerfile path exists." >&2
+  exit 1
+fi
+
+cd "$RUNNER_DIR" || { echo "error while changing directory to $RUNNER_DIR"; exit 1; }
 
 attachRunner
 
@@ -132,4 +141,4 @@ unset_vars
 PID=$!
 wait $PID
 
-echo "[self-hosted runner] Exiting ..."
+echo "[self-hosted runner] Exiting ..."