GitHub Actions Runners

This page describes what GitHub support requires in order to set up a GitHub runner and Actions for an organization.

1 Before ordering

Organizations ordered under UiO-IT require 2FA for all users, and on runners in general all code that runs must also be signed. You can read more about this under GitHub for IT employees.

After downloading the app to your mobile, you can navigate to https://github.uio.no/settings/two_factor_authentication/setup/intro to set up two-factor authentication. Note that the two-factor authentication on this service is not dependent on/compatible with other two-factor services at UiO, so the two-factor authentication set up in GitHub is only usable within the GitHub service.

Note that you must use SSH authentication for operations against the Git service. In other words, you must use a password-protected SSH key, because HTTP authentication is effectively single-factor authentication.

2 Ordering a server for running GitHub runners

If you work at UiO-IT, you can order your own server in virtprov; it should be named gh-runner-<organization-name>.uio.no.

If you do not have access to virtprov, you can order a server for this purpose using the online form at https://nettskjema.no/a/virtuellserver, and then send an email to github-support@usit.uio.no so that we can set things up according to our scheme. If you have special needs, such as multiple organizations needing access to the runner or commits not needing to be signed, it is helpful to specify this. GitHub support will evaluate whether these exceptions to our standard arrangement can be made.

3 Adding keys to a GitHub Actions runner server

On our GitHub Actions runners, a script checks whether a commit is signed with a known and valid SSH/GPG key before Actions jobs run. If the commit is not signed with a known SSH/GPG key, the job will fail. The solution is then to import your public SSH/GPG key into the runner's SSH/GPG store.

3.1 Adding SSH keys to GitHub Actions runners

The keys are stored in the file gh-runner-$RUNNERSERVER.uio.no:/opt/gh-runner-pgg/ssh_allowed_signers. All owners of such a runner have access to the server with their drift user and can import the necessary SSH keys. First, extract the public part of your SSH key and upload it to the GitHub Actions runner server:

cat ~/.ssh/id_ed25519.pub | ssh user-drift@gh-runner-$RUNNERSERVER.uio.no "cat >> /tmp/username.pub"

Then log in to the server with your drift user and run the following command to import the key you have now uploaded and associate it with the email you have set up in your gitconfig:

sudo /opt/gh-runner-scripts/ssh-key-import.sh /tmp/username.pub youruser@uio.no

You should now be ready to use commits signed with your SSH key pair.
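
A pre-flight check for the SSH import steps above, as an added example that is not part of the original page or of the runner's own scripts. It confirms that the staged upload holds exactly one key and that it matches your local public key (the upload command appends with >>, so a repeated upload or a pre-existing file leaves extra lines), and that an allowed-signers file lists that key under your email. It assumes the import script writes standard ssh-keygen allowed-signers lines; the function names and the sample data are constructed.

```shell
#!/bin/sh
# Added example. Assumes allowed-signers lines have the ssh-keygen form
# "<principals> [options] <keytype> <base64-key> [comment]", no spaces in options.

# Print "keytype key" for each public-key line in a .pub-style file.
pub_keys() {
    awk '$1 ~ /^(ssh-|ecdsa-|sk-)/ && NF >= 2 { print $1, $2 }' "$1" 2>/dev/null
}

# staged_key_ok STAGED LOCAL_PUB: the staged file holds exactly one line,
# and that line is the same key as the local public key.
staged_key_ok() {
    [ "$(grep -c . "$1" 2>/dev/null)" = 1 ] || return 1
    [ -n "$(pub_keys "$1")" ] && [ "$(pub_keys "$1")" = "$(pub_keys "$2")" ]
}

# signer_listed SIGNERS EMAIL PUB: EMAIL is a principal for the key in PUB.
signer_listed() {
    key=$(pub_keys "$3" | head -n 1)
    [ -n "$key" ] || return 2
    awk -v email="$2" -v key="$key" '
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        {
            listed = 0
            n = split($1, p, ",")
            for (i = 1; i <= n; i++) if (p[i] == email) listed = 1
            if (!listed) next
            for (f = 2; f < NF; f++)             # first field that is a key type
                if ($f ~ /^(ssh-|ecdsa-|sk-)/) {
                    if (($f " " $(f + 1)) == key) found = 1
                    break
                }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Constructed sample data (placeholder key material, not real keys).
d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE0000 me@laptop' > "$d/id.pub"
cp "$d/id.pub" "$d/staged.pub"
cat "$d/id.pub" "$d/id.pub" > "$d/appended.pub"   # what a repeated ">>" upload leaves
cat > "$d/signers" <<'EOF'
# constructed allowed-signers file
youruser@uio.no namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE0000
other@uio.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWO0000
EOF
staged_key_ok "$d/staged.pub" "$d/id.pub" && echo "staged file: one key, matches local"
staged_key_ok "$d/appended.pub" "$d/id.pub" || echo "staged file: rejected (more than one line)"
signer_listed "$d/signers" youruser@uio.no "$d/id.pub" && echo "key listed for youruser@uio.no"
```

Principals are compared as exact strings here; wildcard patterns in an allowed-signers file are not expanded.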

3.2 Adding GPG keys to GitHub Actions runners

The keys are stored under gh-runner-$RUNNERSERVER.uio.no:/opt/gh-runner-gpg/pubring.kbx. All owners of such a runner have access to the server with their drift user and can import the necessary GPG keys.

First, extract and upload the GPG key:

gpg --armor --export youremail@usit.uio.no | ssh user-drift@gh-runner-$RUNNERSERVER.uio.no "cat > ~/username.asc"

Then log in to the server with your drift user and run the following command to import the key you have now uploaded:

sudo /opt/gh-runner-scripts/gpg-key-import.sh ~/username.asc

After this, you can either make a new commit or trigger a re-run of the job in the GitHub Actions tab of your repository.

By Sjur Hernes
Published Feb. 17, 2025 10:44 PM