Allow admins to fail jobs without container (actions#1895)

* Allow admins to fail jobs without container * Make method static * Update src/Runner.Common/Constants.cs Co-authored-by: Thomas Boop <52323235+thboop@users.noreply.github.com> * Update src/Runner.Worker/JobExtension.cs Co-authored-by: Thomas Boop <52323235+thboop@users.noreply.github.com> * Update src/Runner.Worker/JobExtension.cs Co-authored-by: Thomas Boop <52323235+thboop@users.noreply.github.com> * Rename env * Add test for throwing when no container but required * Update src/Runner.Worker/JobExtension.cs * Update src/Test/L0/Worker/JobExtensionL0.cs * Update src/Runner.Common/Constants.cs Co-authored-by: Thomas Boop <52323235+thboop@users.noreply.github.com> Co-authored-by: Thomas Boop <52323235+thboop@users.noreply.github.com>
morajlab · Jun 9, 2022 · 9623a44 · 9623a44
1 parent b2e2aa6
commit 9623a44
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 0 deletions.
diff --git a/src/Runner.Common/Constants.cs b/src/Runner.Common/Constants.cs
@@ -227,6 +227,7 @@ public static class Actions
                 //
                 public static readonly string AllowUnsupportedCommands = "ACTIONS_ALLOW_UNSECURE_COMMANDS";
                 public static readonly string AllowUnsupportedStopCommandTokens = "ACTIONS_ALLOW_UNSECURE_STOPCOMMAND_TOKENS";
+                public static readonly string RequireJobContainer = "ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER";
                 public static readonly string RunnerDebug = "ACTIONS_RUNNER_DEBUG";
                 public static readonly string StepDebug = "ACTIONS_STEP_DEBUG";
                 public static readonly string AllowActionsUseUnsecureNodeVersion = "ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION";

diff --git a/src/Runner.Worker/JobExtension.cs b/src/Runner.Worker/JobExtension.cs
@@ -9,6 +9,7 @@
 using System.Threading.Tasks;
 using GitHub.DistributedTask.Expressions2;
 using GitHub.DistributedTask.ObjectTemplating.Tokens;
+using GitHub.DistributedTask.Pipelines;
 using GitHub.DistributedTask.Pipelines.ContextData;
 using GitHub.DistributedTask.Pipelines.ObjectTemplating;
 using GitHub.DistributedTask.WebApi;
@@ -206,6 +207,7 @@ public async Task<List<IStep>> InitializeJob(IExecutionContext jobContext, Pipel
                     // Evaluate the job container
                     context.Debug("Evaluating job container");
                     var container = templateEvaluator.EvaluateJobContainer(message.JobContainer, jobContext.ExpressionValues, jobContext.ExpressionFunctions);
+                    ValidateJobContainer(container);
                     if (container != null)
                     {
                         jobContext.Global.Container = new Container.ContainerInfo(HostContext, container);
@@ -672,5 +674,13 @@ private Dictionary<int, Process> SnapshotProcesses()
             Trace.Info($"Total accessible running process: {snapshot.Count}.");
             return snapshot;
         }
+
+        private static void ValidateJobContainer(JobContainer container)
+        {
+            if (StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable(Constants.Variables.Actions.RequireJobContainer)) && container == null)
+            {
+                throw new ArgumentException("Jobs without a job container are forbidden on this runner, please add a 'container:' to your job or contact your self-hosted runner administrator.");
+            }
+        }
     }
 }
diff --git a/src/Test/L0/Worker/JobExtensionL0.cs b/src/Test/L0/Worker/JobExtensionL0.cs
@@ -211,6 +211,24 @@ public async Task JobExtensionBuildPreStepsList()
             }
         }
 
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public async Task JobExtensionBuildFailsWithoutContainerIfRequired()
+        {
+            Environment.SetEnvironmentVariable(Constants.Variables.Actions.RequireJobContainer, "true");
+            using (TestHostContext hc = CreateTestContext())
+            {
+                var jobExtension = new JobExtension();
+                jobExtension.Initialize(hc);
+
+                _actionManager.Setup(x => x.PrepareActionsAsync(It.IsAny<IExecutionContext>(), It.IsAny<IEnumerable<Pipelines.JobStep>>(), It.IsAny<Guid>()))
+                              .Returns(Task.FromResult(new PrepareResult(new List<JobExtensionRunner>() { new JobExtensionRunner(null, "", "prepare1", null), new JobExtensionRunner(null, "", "prepare2", null) }, new Dictionary<Guid, IActionRunner>())));
+
+                await Assert.ThrowsAsync<ArgumentException>(() => jobExtension.InitializeJob(_jobEc, _message));
+            }
+        }
+
         [Fact]
         [Trait("Level", "L0")]
         [Trait("Category", "Worker")]