From 4135409e68e4cc5a2440d0d6976e06cd4692b24c Mon Sep 17 00:00:00 2001
From: Thomas Cardonne
Date: Sat, 28 Mar 2020 14:58:41 +0100
Subject: [PATCH] Introduce GITHUB_ACCESS_TOKEN (Personnal Access Token) env var
---
 README.md | 11 ++++++-----
 debian-buster/Dockerfile | 4 +++-
 debian-buster/entrypoint.sh | 19 +++++++++++++++++--
 docker-compose.yml | 4 ++--
 4 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 07067d951..bc6d1c25b 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ Use the following command to start listening for jobs:
 ```shell
 docker run -it --name my-runner \
 -e RUNNER_NAME=my-runner \
- -e RUNNER_TOKEN=token \
+ -e GITHUB_ACCESS_TOKEN=token \
 -e RUNNER_REPOSITORY_URL=https://github.com/... \
 tcardonne/github-runner
 ```
@@ -31,7 +31,7 @@ If you want to use Docker inside your runner (ie, build images in a workflow), y
 ```shell
 docker run -it --name my-runner \
 -e RUNNER_NAME=my-runner \
- -e RUNNER_TOKEN=token \
+ -e GITHUB_ACCESS_TOKEN=token \
 -e RUNNER_REPOSITORY_URL=https://github.com/... \
 -v /var/run/docker.sock:/var/run/docker.sock \
 tcardonne/github-runner
@@ -49,7 +49,7 @@ services:
 environment:
 RUNNER_NAME: "my-runner"
 RUNNER_REPOSITORY_URL: ${RUNNER_REPOSITORY_URL}
- RUNNER_TOKEN: ${RUNNER_TOKEN}
+ GITHUB_ACCESS_TOKEN: ${GITHUB_ACCESS_TOKEN}
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
 ```
@@ -57,7 +57,7 @@ services:
 You can create a `.env` to provide environment variables when using docker-compose :
 ```
 RUNNER_REPOSITORY_URL=https://github.com/your_url/your_repo
-RUNNER_TOKEN=the_runner_token
+GITHUB_ACCESS_TOKEN=the_runner_token
 ```
 ## Environment variables
@@ -67,7 +67,8 @@ The following environment variables allows you to control the configuration para
 | Name | Description | Default value |
 |------|---------------|-------------|
 | RUNNER_REPOSITORY_URL | The runner will be linked to this repository URL | Required |
-| RUNNER_TOKEN | Personal Access Token provided by GitHub | Required
+| GITHUB_ACCESS_TOKEN | Personal Access Token created on [your settings page](https://github.com/settings/tokens) with `repo` scole. Used to dynamically fetch a new runner token (recommended). | Required if `RUNNER_TOKEN` is not provided.
+| RUNNER_TOKEN | Runner token provided by GitHub in the Actions page. These tokens are valid for a short period. | Required if `GITHUB_ACCESS_TOKEN` is not provided
 | RUNNER_WORK_DIRECTORY | Runner's work directory | `"_work"`
 | RUNNER_NAME | Name of the runner displayed in the GitHub UI | Hostname of the container
 | RUNNER_REPLACE_EXISTING | `"true"` will replace existing runner with the same name, `"false"` will use a random name if there is conflict | `"true"`
diff --git a/debian-buster/Dockerfile b/debian-buster/Dockerfile
index e001373ee..d382beb29 100644
--- a/debian-buster/Dockerfile
+++ b/debian-buster/Dockerfile
@@ -8,6 +8,7 @@ ENV RUNNER_WORK_DIRECTORY="_work"
 ENV RUNNER_TOKEN=""
 ENV RUNNER_REPOSITORY_URL=""
 ENV RUNNER_ALLOW_RUNASROOT=true
+ENV GITHUB_ACCESS_TOKEN=""
 # Labels.
 LABEL maintainer="me@tcardonne.fr" \
@@ -30,7 +31,8 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
 software-properties-common \
 git \
 sudo \
- supervisor
+ supervisor \
+ jq
 COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 RUN chmod 644 /etc/supervisor/conf.d/supervisord.conf
diff --git a/debian-buster/entrypoint.sh b/debian-buster/entrypoint.sh
index fd4afe73d..b8c928c65 100644
--- a/debian-buster/entrypoint.sh
+++ b/debian-buster/entrypoint.sh
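Review bot: The new `ENV GITHUB_ACCESS_TOKEN=""` in debian-buster/Dockerfile carries no comment saying it is a run-time-only placeholder. Values set with `ENV` are stored in the image configuration, so a real token written here or in a derived image would ship with every copy of that image. I would add `# Run-time only (docker run -e / compose): never bake a real token into the image.` above the line.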
@@ -14,8 +14,8 @@ if [[ -z $RUNNER_WORK_DIRECTORY ]]; then
 export RUNNER_WORK_DIRECTORY="_work"
 fi
-if [[ -z $RUNNER_TOKEN ]]; then
- echo "Error : You need to set the RUNNER_TOKEN environment variable."
+if [[ -z $RUNNER_TOKEN && -z $GITHUB_ACCESS_TOKEN ]]; then
+ echo "Error : You need to set RUNNER_TOKEN (or GITHUB_ACCESS_TOKEN) environment variable."
 exit 1
 fi
@@ -36,6 +36,21 @@ fi
 if [[ -f ".runner" ]]; then
 echo "Runner already configured. Skipping config."
 else
+ if [[ -n $GITHUB_ACCESS_TOKEN ]]; then
+ echo "Exchanging the GitHub Access Token with a Runner Token..."
+ _PROTO="$(echo "${RUNNER_REPOSITORY_URL}" | grep :// | sed -e's,^\(.*://\).*,\1,g')"
+ _URL="$(echo "${RUNNER_REPOSITORY_URL/${_PROTO}/}")"
+ _PATH="$(echo "${_URL}" | grep / | cut -d/ -f2-)"
+ _ACCOUNT="$(echo "${_PATH}" | cut -d/ -f1)"
+ _REPO="$(echo "${_PATH}" | cut -d/ -f2)"
+
+ RUNNER_TOKEN="$(curl -XPOST -fsSL \
+ -H "Authorization: token ${GITHUB_ACCESS_TOKEN}" \
+ -H "Accept: application/vnd.github.v3+json" \
+ "https://api.github.com/repos/${_ACCOUNT}/${_REPO}/actions/runners/registration-token" \
+ | jq -r '.token')"
+ fi
+
 ./config.sh \
 --url $RUNNER_REPOSITORY_URL \
 --token $RUNNER_TOKEN \
diff --git a/docker-compose.yml b/docker-compose.yml
index be03ac218..90a6c485b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,10 +2,10 @@ version: "3.7" services:
 runner:
- image: tcardonne/github-runner
+ image: tcardonne/github-runner:latest
 environment:
 RUNNER_NAME: "my-runner"
 RUNNER_REPOSITORY_URL: ${RUNNER_REPOSITORY_URL}
- RUNNER_TOKEN: ${RUNNER_TOKEN}
+ GITHUB_ACCESS_TOKEN: ${GITHUB_ACCESS_TOKEN}
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
\ No newline at end of file
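Review bot: In debian-buster/entrypoint.sh the new `if [[ -n $GITHUB_ACCESS_TOKEN ]]` branch never checks the result of the exchange. When curl fails under `-f` the substitution is empty, and when the response has no `token` field `jq -r` prints `null`, so `./config.sh` still runs with an empty or `null` `--token` and the real cause is hidden. The branch also overrides a `RUNNER_TOKEN` that was passed explicitly, and the personal access token stays exported afterwards; if the runner started later in this script inherits that environment (not visible in the hunk), workflow jobs could read a `repo`-scoped token, so it is worth unsetting once nothing else needs it. `_ACCOUNT` and `_REPO` are cut out of `RUNNER_REPOSITORY_URL` without validation, so a trailing `.git` ends up in the API URL. The enclosing if/else continues past the end of the hunk.

```shell
        | jq -r '.token')"
    # … unchanged: URL parsing and curl request above …
    # Empty means curl failed; "null" means the response had no token field.
    if [[ -z $RUNNER_TOKEN || $RUNNER_TOKEN == "null" ]]; then
        echo "Error : Could not get a runner token from the GitHub API." >&2
        exit 1
    fi
    # Keep the personal access token out of the environment of later processes.
    unset GITHUB_ACCESS_TOKEN
```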
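Review bot: `image: tcardonne/github-runner:latest` in docker-compose.yml only spells out the default tag, so the example still follows a mutable tag for a container that receives a personal access token and the host's Docker socket. Pinning a release tag or digest, e.g. `image: tcardonne/github-runner:<version>`, would make the deployed image reproducible and reviewable. A comment above the new variable would also help, such as `# PAT with repo scope: keep it in .env and out of version control`.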