feat(ibmcloud): add GitHub Actions runner support for IBM Power and IBM Z #831
deekay2310 wants to merge 13 commits into
Conversation
📝 Walkthrough
This PR adds GitHub Actions self-hosted runner provisioning for IBM Cloud PowerVS and Z systems. It introduces
Changes: GitHub Actions runner multiarch support on IBM Cloud
🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
Actionable comments posted: 2
🧹 Nitpick comments (1)
pkg/provider/ibmcloud/action/ibm-z/ibm-z_test.go (1)
40-55: 💤 Low value. Consider adding a test case for GitHub runner provisioning.
The existing tests verify GitLab runner and otelcol integration but don't cover the new GitHub Actions runner path. A test case calling `izUserData(nil, "", " #!/bin/bash\n echo gh")` and verifying `install-ghrunner.sh` appears in the decoded output would increase confidence in the template rendering.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pkg/provider/ibmcloud/action/ibm-z/ibm-z_test.go` around lines 40 - 55, Add a new unit test to cover the GitHub Actions runner path: create a test (e.g., TestIzUserData_githubRunner) that calls izUserData(nil, "", " #!/bin/bash\n echo gh") and fails if izUserData returns an error; decode the output with decodeIzOutput(t, out) and assert the resulting cfg contains "install-ghrunner.sh" (and optionally that it includes any expected runcmd/write_files lines). Use the same helpers and style as TestIzUserData_noRunner so the new test lives alongside it and verifies the template renders the GitHub runner installer.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@pkg/integrations/github/snippet-linux-ppc64le.sh`:
- Around line 4-7: The RunnerImageRepo value risks executing arbitrary code
because it's embedded into snippet-linux-ppc64le.sh and snippet-linux-s390x.sh
(git clone {{ .RunnerImageRepo }} then bash -c '. scripts/vm.sh ...'); update
cmd/mapt/cmd/params/params.go and pkg/integrations/github/ghrunner.go to enforce
a safe trust model: either restrict the --ghactions-runner-image-repo flag to
admin-only (check caller permissions where flags are parsed/used in params.go),
add validation/allowlist logic in ghrunner.go to validate RunnerImageRepo
against a configured set of allowed hostnames/URLs before embedding into the
snippet, and if neither is possible add clear documentation and runtime warning
logs wherever RunnerImageRepo is accepted (and sanitize inputs to prevent
local-path/ssh/git-protocol abuses); reference the symbols RunnerImageRepo,
cmd/mapt/cmd/params/params.go, pkg/integrations/github/ghrunner.go, and the two
snippet files when making the change.
In `@pkg/integrations/github/snippet-linux-s390x.sh`:
- Around line 4-7: The template embeds an untrusted RunnerImageRepo directly
into shell commands (git clone {{ .RunnerImageRepo }} ... and bash -c '.
scripts/vm.sh ...'), which allows arbitrary repo URLs to be executed; fix by
enforcing validation or admin-only restriction where RunnerImageRepo is set:
implement a validateRunnerImageRepo(url) check for HTTPS scheme, host ==
"github.com" (or other approved host), and an allowlist of specific owner/repo
patterns (reject raw strings, file://, ssh, or IP hosts), call this validation
where the --ghactions-runner-image-repo flag is parsed and refuse/exit on
invalid values, and then continue to render RunnerImageRepo into
pkg/integrations/github/snippet-linux-s390x.sh only after validation (also
consider quoting the variable in the git clone command and running git clone
--depth=1 to limit exposure); alternatively restrict the flag to trusted
administrators and document the requirement for approved repositories.
---
Nitpick comments:
In `@pkg/provider/ibmcloud/action/ibm-z/ibm-z_test.go`:
- Around line 40-55: Add a new unit test to cover the GitHub Actions runner
path: create a test (e.g., TestIzUserData_githubRunner) that calls
izUserData(nil, "", " #!/bin/bash\n echo gh") and fails if izUserData
returns an error; decode the output with decodeIzOutput(t, out) and assert the
resulting cfg contains "install-ghrunner.sh" (and optionally that it includes
any expected runcmd/write_files lines). Use the same helpers and style as
TestIzUserData_noRunner so the new test lives alongside it and verifies the
template renders the GitHub runner installer.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 0708cbed-1d28-4c34-b06b-76c3e58bcb05
📒 Files selected for processing (14)
- cmd/mapt/cmd/ibmcloud/hosts/ibm-power.go
- cmd/mapt/cmd/ibmcloud/hosts/ibm-z.go
- cmd/mapt/cmd/params/params.go
- pkg/integrations/github/ghrunner.go
- pkg/integrations/github/snippet-linux-ppc64le.sh
- pkg/integrations/github/snippet-linux-s390x.sh
- pkg/integrations/github/types.go
- pkg/integrations/integrations.go
- pkg/provider/ibmcloud/action/ibm-power/cloud-config
- pkg/provider/ibmcloud/action/ibm-power/ibm-power.go
- pkg/provider/ibmcloud/action/ibm-power/ibm-power_test.go
- pkg/provider/ibmcloud/action/ibm-z/cloud-config
- pkg/provider/ibmcloud/action/ibm-z/ibm-z.go
- pkg/provider/ibmcloud/action/ibm-z/ibm-z_test.go
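The inline review comments above ask for the runner image repo to be validated before it is rendered into the `git clone` line of the snippets. The following is an added example written for this page, not code from the mapt project or from this PR: a Go check that accepts only an `https` URL on an allowlisted host with a single `owner/repo` path, rejects embedded credentials, IP-address hosts, explicit ports, query strings and shell metacharacters, and then renders the single-quoted `git clone --depth=1` line. The names `validateRunnerImageRepo`, `renderCloneCommand` and `allowedRepoHosts`, and the sample URLs in `main`, are assumptions; in the real tree a check like this would sit where `--ghactions-runner-image-repo` is parsed in `cmd/mapt/cmd/params/params.go`, ahead of template rendering in `pkg/integrations/github/ghrunner.go`. It goes beyond the HTTPS-only check the commit message below describes by also enforcing a host allowlist and path shape.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// allowedRepoHosts is a constructed allowlist for this example; a real
// deployment would load the approved hosts from configuration.
var allowedRepoHosts = map[string]bool{"github.com": true}

// ownerRepoPath matches exactly "/owner/repo" with an optional ".git" suffix
// and optional trailing slash, so "../" segments and extra path depth are rejected.
var ownerRepoPath = regexp.MustCompile(`^/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(\.git)?/?$`)

// validateRunnerImageRepo (hypothetical name) returns nil only when raw is an
// https URL on an allowlisted host naming a single owner/repo, with no user
// info, port, query, fragment, or characters that could escape a single-quoted
// shell word in the rendered snippet.
func validateRunnerImageRepo(raw string) error {
	if strings.TrimSpace(raw) == "" {
		return errors.New("runner image repo must not be empty")
	}
	// Reject anything that could terminate or expand inside the quoted clone argument.
	if strings.ContainsAny(raw, " \t\r\n'\"`$\\;&|<>") {
		return errors.New("runner image repo contains shell metacharacters")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("runner image repo is not a valid URL: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("runner image repo must use https, got %q", u.Scheme)
	}
	if u.User != nil {
		return errors.New("runner image repo must not embed credentials")
	}
	host := strings.ToLower(u.Hostname())
	if net.ParseIP(host) != nil {
		return errors.New("runner image repo host must be a hostname, not an IP address")
	}
	if u.Port() != "" {
		return errors.New("runner image repo must not specify a port")
	}
	if !allowedRepoHosts[host] {
		return fmt.Errorf("runner image repo host %q is not in the allowlist", host)
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return errors.New("runner image repo must not carry a query string or fragment")
	}
	if !ownerRepoPath.MatchString(u.Path) {
		return fmt.Errorf("runner image repo path %q is not of the form /owner/repo", u.Path)
	}
	return nil
}

// renderCloneCommand (hypothetical name) produces the snippet's clone line.
// It re-runs validation so a template can never be rendered with an unchecked
// value, single-quotes the URL, and uses --depth=1 as the review suggested.
func renderCloneCommand(repo string) (string, error) {
	if err := validateRunnerImageRepo(repo); err != nil {
		return "", err
	}
	return fmt.Sprintf("git clone --depth=1 '%s' action-runner-image-pz", repo), nil
}

func main() {
	// Constructed sample inputs: one acceptable URL and several that must be refused.
	samples := []string{
		"https://github.com/IBM/action-runner-image-pz",
		"https://github.com/IBM/action-runner-image-pz.git",
		"http://github.com/IBM/action-runner-image-pz",
		"file:///tmp/local-checkout",
		"git@github.com:IBM/action-runner-image-pz.git",
		"https://user:token@github.com/IBM/action-runner-image-pz",
		"https://192.0.2.10/IBM/action-runner-image-pz",
		"https://github.com/IBM/action-runner-image-pz/../../other",
		"https://github.com/IBM/x'; echo injected; '",
	}
	for _, s := range samples {
		if cmd, err := renderCloneCommand(s); err != nil {
			fmt.Printf("REJECT %-60s %v\n", s, err)
		} else {
			fmt.Printf("ACCEPT %s\n", cmd)
		}
	}
}
```

The metacharacter check is deliberately stricter than strict URL syntax requires: because the value ends up inside a shell template, the safest policy is to refuse anything that is not needed to name a repository rather than to try to escape it.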
- Quote the URL in snippet git clone commands to prevent shell injection
- Add --depth=1 to limit clone exposure and speed up provisioning
- Validate that only HTTPS URLs are accepted for the runner image repo
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The upstream configure-limits.sh appends duplicate pam_limits.so entries to system-auth and password-auth, causing sshd to drop connections before sending its banner. Deduplicate PAM entries and restart sshd after build. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…snippet Adds a background monitor that logs sshd status every 30s during the runner build to identify what breaks SSH. After build completion, dumps full sshd diagnostics (config test, journal, host key perms, crypto policies, PAM config) and attempts repair. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…nostics The upstream configure-system.sh runs chmod -R 777 /usr/share which makes /usr/share/empty.sshd (sshd's privilege separation directory) world-writable. sshd refuses to start when this directory is not owned by root or is world-writable. Fix by restoring 755 after the build. Also adds sshd watchdog logging with COS upload so diagnostics are accessible even when SSH is broken. COS credentials are passed through cloud-config template variables. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
On RHEL 9/ppc64le, dotnet installs to /usr/lib64/dotnet via dnf, not /opt/dotnet. The GH runner is self-contained (uses ./bin/Runner.Listener) and does not need DOTNET_ROOT. The chown on /opt/dotnet caused cloud-init to fail after a successful build. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Integrate the existing pkg/integrations/github framework into the IBM Cloud providers so that `mapt ibmcloud ibm-power create` and `mapt ibmcloud ibm-z create` can provision VMs that auto-register as ephemeral GitHub Actions self-hosted runners.

Since no official runner binaries exist for ppc64le/s390x, arch-specific setup scripts clone action-runner-image-pz and build the runner from source on the target VM. A new `--ghactions-runner-image-repo` flag controls which repo is cloned (defaults to deekay2310 fork until the RHEL script merges to github.com/IBM/action-runner-image-pz).