Add a manylinux GHR runner image.

nod-ai · Jan 23, 2024 · d134309 · d134309
1 parent f16e376
commit d134309
Show file tree

Hide file tree

Showing 9 changed files with 1,160 additions and 0 deletions.
diff --git a/.github/workflows/publish_manylinux_ghr_x86_64.yml b/.github/workflows/publish_manylinux_ghr_x86_64.yml
@@ -0,0 +1,45 @@
+name: Publish manylinux_ghr_x86_64 image
+on:
+  workflow_dispatch:
+  push:
+    branches: ['main']
+    paths:
+    - dockerfiles/manylinux_ghr_x86_64.Dockerfile
+    - .github/workflows/publish_manylinux_ghr_x86_64.yml
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: nod-ai/manylinux_ghr_x86_64
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
+      # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
+      # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
+      - name: Build and push Docker image
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: .
+          file: dockerfiles/manylinux_ghr_x86_64.Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/build_tools/install_cmake.sh b/build_tools/install_cmake.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Copyright 2022 The IREE Authors
+#
+# Licensed under the Apache License v2.0 with LLVM Exceptions.
+# See https://llvm.org/LICENSE.txt for license information.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+set -euo pipefail
+
+CMAKE_VERSION="$1"
+
+ARCH="$(uname -m)"
+
+curl --silent --fail --show-error --location \
+    "https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}-linux-${ARCH}.sh" \
+    --output cmake-installer.sh
+
+chmod +x cmake-installer.sh
+./cmake-installer.sh --skip-license --prefix=/usr/
diff --git a/docker-github-actions-runner/LICENSE b/docker-github-actions-runner/LICENSE
diff --git a/docker-github-actions-runner/README.md b/docker-github-actions-runner/README.md
@@ -0,0 +1,5 @@
+# GitHub Actions Runner Support
+
+This contains bits and bobs from various places:
+
+* https://github.com/myoung34/docker-github-actions-runner
diff --git a/docker-github-actions-runner/app_token.sh b/docker-github-actions-runner/app_token.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+#
+# Request an ACCESS_TOKEN to be used by a GitHub APP
+# Environment variable that need to be set up:
+# * APP_ID, the GitHub's app ID
+# * APP_PRIVATE_KEY, the content of GitHub app's private key in PEM format.
+# * APP_LOGIN, the login name used to install GitHub's app
+#
+# https://github.com/orgs/community/discussions/24743#discussioncomment-3245300
+#
+
+set -o pipefail
+
+_GITHUB_HOST=${GITHUB_HOST:="github.com"}
+
+# If URL is not github.com then use the enterprise api endpoint
+if [[ ${GITHUB_HOST} = "github.com" ]]; then
+  URI="https://api.${_GITHUB_HOST}"
+else
+  URI="https://${_GITHUB_HOST}/api/v3"
+fi
+
+API_VERSION=v3
+API_HEADER="Accept: application/vnd.github.${API_VERSION}+json"
+CONTENT_LENGTH_HEADER="Content-Length: 0"
+APP_INSTALLATIONS_URI="${URI}/app/installations"
+
+
+# JWT parameters based off
+# https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app
+#
+# JWT token issuance and expiration parameters
+JWT_IAT_DRIFT=60
+JWT_EXP_DELTA=600
+
+JWT_JOSE_HEADER='{
+    "alg": "RS256",
+    "typ": "JWT"
+}'
+
+
+build_jwt_payload() {
+    now=$(date +%s)
+    iat=$((now - JWT_IAT_DRIFT))
+    jq -c \
+        --arg iat_str "${iat}" \
+        --arg exp_delta_str "${JWT_EXP_DELTA}" \
+        --arg app_id_str "${APP_ID}" \
+    '
+        ($iat_str | tonumber) as $iat
+        | ($exp_delta_str | tonumber) as $exp_delta
+        | ($app_id_str | tonumber) as $app_id
+        | .iat = $iat
+        | .exp = ($iat + $exp_delta)
+        | .iss = $app_id
+    ' <<< "{}" | tr -d '\n'
+}
+
+base64url() {
+    base64 | tr '+/' '-_' | tr -d '=\n'
+}
+
+rs256_sign() {
+    openssl dgst -binary -sha256 -sign <(echo "$1")
+}
+
+request_access_token() {
+    jwt_payload=$(build_jwt_payload)
+    encoded_jwt_parts=$(base64url <<<"${JWT_JOSE_HEADER}").$(base64url <<<"${jwt_payload}")
+    encoded_mac=$(echo -n "${encoded_jwt_parts}" | rs256_sign "${APP_PRIVATE_KEY}" | base64url)
+    generated_jwt="${encoded_jwt_parts}.${encoded_mac}"
+
+    auth_header="Authorization: Bearer ${generated_jwt}"
+
+    app_installations_response=$(curl -sX GET \
+        -H "${auth_header}" \
+        -H "${API_HEADER}" \
+        "${APP_INSTALLATIONS_URI}" \
+    )
+    access_token_url=$(echo "${app_installations_response}" | jq --raw-output '.[] | select (.account.login == "'"${APP_LOGIN}"'" and .app_id  == '"${APP_ID}"') .access_tokens_url')
+    curl -sX POST \
+        -H "${CONTENT_LENGTH_HEADER}" \
+        -H "${auth_header}" \
+        -H "${API_HEADER}" \
+        "${access_token_url}" | \
+        jq --raw-output .token
+}
+
+request_access_token
diff --git a/docker-github-actions-runner/entrypoint.sh b/docker-github-actions-runner/entrypoint.sh
@@ -0,0 +1,203 @@
+#!/usr/bin/dumb-init /bin/bash
+# shellcheck shell=bash
+
+export RUNNER_ALLOW_RUNASROOT=1
+export PATH=${PATH}:/actions-runner
+
+# Un-export these, so that they must be passed explicitly to the environment of
+# any command that needs them.  This may help prevent leaks.
+export -n ACCESS_TOKEN
+export -n RUNNER_TOKEN
+export -n APP_ID
+export -n APP_PRIVATE_KEY
+
+deregister_runner() {
+  echo "Caught SIGTERM. Deregistering runner"
+  if [[ -n "${ACCESS_TOKEN}" ]]; then
+    _TOKEN=$(ACCESS_TOKEN="${ACCESS_TOKEN}" bash /token.sh)
+    RUNNER_TOKEN=$(echo "${_TOKEN}" | jq -r .token)
+  fi
+  ./config.sh remove --token "${RUNNER_TOKEN}"
+  exit
+}
+
+_DISABLE_AUTOMATIC_DEREGISTRATION=${DISABLE_AUTOMATIC_DEREGISTRATION:-false}
+
+_RANDOM_RUNNER_SUFFIX=${RANDOM_RUNNER_SUFFIX:="true"}
+
+_RUNNER_NAME=${RUNNER_NAME:-${RUNNER_NAME_PREFIX:-github-runner}-$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13 ; echo '')}
+if [[ ${RANDOM_RUNNER_SUFFIX} != "true" ]]; then
+  # In some cases this file does not exist
+  if [[ -f "/etc/hostname" ]]; then
+    # in some cases it can also be empty
+    if [[ $(stat --printf="%s" /etc/hostname) -ne 0 ]]; then
+      _RUNNER_NAME=${RUNNER_NAME:-${RUNNER_NAME_PREFIX:-github-runner}-$(cat /etc/hostname)}
+      echo "RANDOM_RUNNER_SUFFIX is ${RANDOM_RUNNER_SUFFIX}. /etc/hostname exists and has content. Setting runner name to ${_RUNNER_NAME}"
+    else
+      echo "RANDOM_RUNNER_SUFFIX is ${RANDOM_RUNNER_SUFFIX} ./etc/hostname exists but is empty. Not using /etc/hostname."
+    fi
+  else
+    echo "RANDOM_RUNNER_SUFFIX is ${RANDOM_RUNNER_SUFFIX} but /etc/hostname does not exist. Not using /etc/hostname."
+  fi
+fi
+
+_RUNNER_WORKDIR=${RUNNER_WORKDIR:-/_work/${_RUNNER_NAME}}
+_LABELS=${LABELS:-default}
+_RUNNER_GROUP=${RUNNER_GROUP:-Default}
+_GITHUB_HOST=${GITHUB_HOST:="github.com"}
+_RUN_AS_ROOT=${RUN_AS_ROOT:="true"}
+_START_DOCKER_SERVICE=${START_DOCKER_SERVICE:="false"}
+
+# ensure backwards compatibility
+if [[ -z ${RUNNER_SCOPE} ]]; then
+  if [[ ${ORG_RUNNER} == "true" ]]; then
+    echo 'ORG_RUNNER is now deprecated. Please use RUNNER_SCOPE="org" instead.'
+    export RUNNER_SCOPE="org"
+  else
+    export RUNNER_SCOPE="repo"
+  fi
+fi
+
+RUNNER_SCOPE="${RUNNER_SCOPE,,}" # to lowercase
+
+case ${RUNNER_SCOPE} in
+  org*)
+    [[ -z ${ORG_NAME} ]] && ( echo "ORG_NAME required for org runners"; exit 1 )
+    _SHORT_URL="https://${_GITHUB_HOST}/${ORG_NAME}"
+    RUNNER_SCOPE="org"
+    if [[ -n "${APP_ID}" ]] && [[ -z "${APP_LOGIN}" ]]; then
+      APP_LOGIN=${ORG_NAME}
+    fi
+    ;;
+
+  ent*)
+    [[ -z ${ENTERPRISE_NAME} ]] && ( echo "ENTERPRISE_NAME required for enterprise runners"; exit 1 )
+    _SHORT_URL="https://${_GITHUB_HOST}/enterprises/${ENTERPRISE_NAME}"
+    RUNNER_SCOPE="enterprise"
+    ;;
+
+  *)
+    [[ -z ${REPO_URL} ]] && ( echo "REPO_URL required for repo runners"; exit 1 )
+    _SHORT_URL=${REPO_URL}
+    RUNNER_SCOPE="repo"
+    if [[ -n "${APP_ID}" ]] && [[ -z "${APP_LOGIN}" ]]; then
+      APP_LOGIN=${REPO_URL%/*}
+      APP_LOGIN=${APP_LOGIN##*/}
+    fi
+    ;;
+esac
+
+configure_runner() {
+  ARGS=()
+  if [[ -n "${APP_ID}" ]] && [[ -n "${APP_PRIVATE_KEY}" ]] && [[ -n "${APP_LOGIN}" ]]; then
+    if [[ -n "${ACCESS_TOKEN}" ]] || [[ -n "${RUNNER_TOKEN}" ]]; then
+      echo "ERROR: ACCESS_TOKEN or RUNNER_TOKEN provided but are mutually exclusive with APP_ID, APP_PRIVATE_KEY and APP_LOGIN." >&2
+      exit 1
+    fi
+    echo "Obtaining access token for app_id ${APP_ID} and login ${APP_LOGIN}"
+    nl="
+"
+    ACCESS_TOKEN=$(APP_ID="${APP_ID}" APP_PRIVATE_KEY="${APP_PRIVATE_KEY//\\n/${nl}}" APP_LOGIN="${APP_LOGIN}" bash /app_token.sh)
+  elif [[ -n "${APP_ID}" ]] || [[ -n "${APP_PRIVATE_KEY}" ]] || [[ -n "${APP_LOGIN}" ]]; then
+    echo "ERROR: All of APP_ID, APP_PRIVATE_KEY and APP_LOGIN must be specified." >&2
+    exit 1
+  fi
+
+  if [[ -n "${ACCESS_TOKEN}" ]]; then
+    echo "Obtaining the token of the runner"
+    _TOKEN=$(ACCESS_TOKEN="${ACCESS_TOKEN}" bash /token.sh)
+    RUNNER_TOKEN=$(echo "${_TOKEN}" | jq -r .token)
+  fi
+
+  # shellcheck disable=SC2153
+  if [ -n "${EPHEMERAL}" ]; then
+    echo "Ephemeral option is enabled"
+    ARGS+=("--ephemeral")
+  fi
+
+  if [ -n "${DISABLE_AUTO_UPDATE}" ]; then
+    echo "Disable auto update option is enabled"
+    ARGS+=("--disableupdate")
+  fi
+
+  if [ -n "${NO_DEFAULT_LABELS}" ]; then
+    echo "Disable adding the default self-hosted, platform, and architecture labels"
+    ARGS+=("--no-default-labels")
+  fi
+
+  echo "Configuring"
+  ./config.sh \
+      --url "${_SHORT_URL}" \
+      --token "${RUNNER_TOKEN}" \
+      --name "${_RUNNER_NAME}" \
+      --work "${_RUNNER_WORKDIR}" \
+      --labels "${_LABELS}" \
+      --runnergroup "${_RUNNER_GROUP}" \
+      --unattended \
+      --replace \
+      "${ARGS[@]}"
+
+  [[ ! -d "${_RUNNER_WORKDIR}" ]] && mkdir "${_RUNNER_WORKDIR}"
+
+}
+
+
+# Opt into runner reusage because a value was given
+if [[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then
+  echo "Runner reusage is enabled"
+
+  # directory exists, copy the data
+  if [[ -d "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then
+    echo "Copying previous data"
+    cp -p -r "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}/." "/actions-runner"
+  fi
+
+  if [ -f "/actions-runner/.runner" ]; then
+    echo "The runner has already been configured"
+  else
+    configure_runner
+  fi
+else
+  echo "Runner reusage is disabled"
+  configure_runner
+fi
+
+if [[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then
+  echo "Reusage is enabled. Storing data to ${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}"
+  # Quoting (even with double-quotes) the regexp brokes the copying
+  cp -p -r "/actions-runner/_diag" "/actions-runner/svc.sh" /actions-runner/.[^.]* "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}"
+fi
+
+if [[ ${_DISABLE_AUTOMATIC_DEREGISTRATION} == "false" ]]; then
+  trap deregister_runner SIGINT SIGQUIT SIGTERM INT TERM QUIT
+fi
+
+# Start docker service if needed (e.g. for docker-in-docker)
+if [[ ${_START_DOCKER_SERVICE} == "true" ]]; then
+  echo "Starting docker service"
+  _PREFIX=""
+  [[ ${_RUN_AS_ROOT} != "true" ]] && _PREFIX="sudo"
+  ${_PREFIX} service docker start
+fi
+
+# Container's command (CMD) execution as runner user
+
+
+if [[ ${_RUN_AS_ROOT} == "true" ]]; then
+  if [[ $(id -u) -eq 0 ]]; then
+    "$@"
+  else
+    echo "ERROR: RUN_AS_ROOT env var is set to true but the user has been overridden and is not running as root, but UID '$(id -u)'"
+    exit 1
+  fi
+else
+  if [[ $(id -u) -eq 0 ]]; then
+    [[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]] && chown -R runner "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}"
+    chown -R runner "${_RUNNER_WORKDIR}" /actions-runner
+    # The toolcache is not recursively chowned to avoid recursing over prepulated tooling in derived docker images
+    chown runner /opt/hostedtoolcache/
+    /usr/sbin/gosu runner "$@"
+  else
+    "$@"
+  fi
+fi
diff --git a/docker-github-actions-runner/install_actions.sh b/docker-github-actions-runner/install_actions.sh
@@ -0,0 +1,13 @@
+#!/bin/bash -ex
+GH_RUNNER_VERSION=$1
+TARGETPLATFORM=$2
+
+export TARGET_ARCH="x64"
+if [[ $TARGETPLATFORM == "linux/arm64" ]]; then
+  export TARGET_ARCH="arm64"
+fi
+curl -L "https://github.com/actions/runner/releases/download/v${GH_RUNNER_VERSION}/actions-runner-linux-${TARGET_ARCH}-${GH_RUNNER_VERSION}.tar.gz" > actions.tar.gz
+tar -zxf actions.tar.gz
+rm -f actions.tar.gz
+./bin/installdependencies.sh
+mkdir /_work