Norwegian version of this page

Github Action Runners

This page is intended as a guide for what is required for GitHub support to set up a GitHub runner and actions for an organization.

1   Before ordering

When ordering for an organization under UiO-IT, there will be a requirement for 2FA for all users, and for runners in general, all code that runs must also be signed. You can read more about this under GitHub for IT employees.

After downloading the app to your mobile, you can navigate to https://github.uio.no/settings/two_factor_authentication/setup/intro to set up two-factor authentication. Note that the two-factor authentication on this service is not dependent on/compatible with other two-factor services at UiO, so the two-factor authentication set up in GitHub is only usable within the GitHub service.

Note that you must use SSH authentication for operations against the Git service, in other words, you must use a password-protected SSH key, as HTTP authentication effectively becomes single-factor authentication.

2   Ordering a server for running GitHub runners

If you work at UiO-IT, you can order your own server in virtprov; it should be named gh-runner-<organization-name>.uio.no.

If you do not have access to virtprov, you can order a server for this purpose. There is an online form https://nettskjema.no/a/virtuellserver for this, and then you can send an email to github-support@usit.uio.no so that we can set things up according to our scheme. If you have special needs, such as multiple organizations needing access to the runner, that commits do not need to be signed, etc., it is helpful to specify this. GitHub support will evaluate whether we believe these exceptions can be made from our standard arrangement.

3   Adding keys to a GitHub Actions runner server

On our GitHub Actions runners, a script is set up to check whether a commit is signed with a known and valid SSH/GPG key before Actions jobs run. If the job is not signed with a known SSH/GPG key, it will fail. The solution then is to import your public SSH/GPG key into the runner's SSH/GPG store.

3.1   Adding SSH keys to GitHub Actions runners

Create the file /opt/gh-runner-gpg/ssh_signers, owned by root:actions-runner with 750 permissions, containing the public key in the following format:

<email in GitHub> <content of public key>
example@usit.uio.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJTULL/jlR82204TULLA11bA1dfCwbqyYr039x8LlmdM example@usit.uio.no
example@usit.uio.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJTULL/jlR82204TULLA11bA1dfCwbqyYr039x8LlmdM example@usit.uio.no

Then instruct Git to verify SSH-signed commits with that file in /home/actions-runner/.gitconfig. The file must be owned by actions-runner:

[gpg "ssh"]
        allowedSignersFile = /opt/gh-runner-gpg/ssh_signers

For the initial setup, you must also open in SELinux to give ssh_keygen access to files automatically saved when a job runs. This can be done by creating the file /tmp/sshsign.te (note that the file name must match the module name in the file), which GitHub support can do for you if you are unsure. But for older runners, this hasn't been done:

module sshsign 1.0;

require {
        type initrc_tmp_t;
        type ssh_keygen_t;
        class file open;
}
allow ssh_keygen_t initrc_tmp_t:file open;

Then to create and load the SELinux module:

sudo checkmodule -M -m -o /tmp/sshsign.mod /tmp/sshsign.te
sudo semodule_package -o /tmp/sshsign.pp -m /tmp/sshsign.mod
sudo semodule -i /tmp/sshsign.pp

You should now be ready to use SSH keys with your GitHub Actions runner.

3.2   Adding GPG keys to GitHub Actions runners

The keys are stored under gh-runner-$RUNNERSERVER.uio.no:/opt/gh-runner-gpg/pubring.kbx. All owners of such a runner have access to the server with their operational user and can import the necessary GPG keys.

First, extract and upload the GPG key:

gpg --armor --export youremail@usit.uio.no| ssh user-drift@gh-runner-$RUNNERSERVER.uio.no "cat > ~/username.asc"

Then log in to the server with your operational user and run the following command to import the key you have now uploaded:

sudo /opt/gh-runner-scripts/gpg-key-import.sh  ~/username.asc

After this, you can either make a new commit or trigger a re-run of the job in the GitHub Actions tab of your repository.

By Sjur Hernes
Published Nov. 12, 2024 2:38 PM - Last modified Nov. 27, 2024 9:50 AM