{"id":13487111,"url":"https://github.com/redhat-actions/openshift-actions-runner-installer","last_synced_at":"2025-12-15T07:27:15.325Z","repository":{"id":42012519,"uuid":"327242212","full_name":"redhat-actions/openshift-actions-runner-installer","owner":"redhat-actions","description":"GitHub Action to detect and create a self-hosted runner in Kubernetes.","archived":false,"fork":false,"pushed_at":"2022-12-29T13:48:18.000Z","size":726,"stargazers_count":27,"open_issues_count":2,"forks_count":14,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-08-20T22:05:19.824Z","etag":null,"topics":["actions","docker","helm","kubernetes","openshift","self-hosted-runner"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/redhat-actions.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-01-06T08:04:41.000Z","updated_at":"2025-03-22T05:20:55.000Z","dependencies_parsed_at":"2023-01-04T12:24:44.157Z","dependency_job_id":null,"html_url":"https://github.com/redhat-actions/openshift-actions-runner-installer","commit_stats":{"total_commits":73,"total_committers":5,"mean_commits":14.6,"dds":0.6575342465753424,"last_synced_commit":"8b4d88c1808ced3a39fd0e43f9ce038163fad8a8"},"previous_names":["redhat-actions/self-hosted-runner-installer"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/redhat-actions/openshift-actions-runner-installer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-actions%2Fopenshift-actions-runner-installer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/redhat-actions%2Fopenshift-actions-runner-installer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-actions%2Fopenshift-actions-runner-installer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-actions%2Fopenshift-actions-runner-installer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/redhat-actions","download_url":"https://codeload.github.com/redhat-actions/openshift-actions-runner-installer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-actions%2Fopenshift-actions-runner-installer/sbom","scorecard":{"id":767679,"data":{"date":"2025-08-11","repo":{"name":"github.com/redhat-actions/openshift-actions-runner-installer","commit":"8b4d88c1808ced3a39fd0e43f9ce038163fad8a8"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.5,"checks":[{"name":"Code-Review","score":0,"reason":"Found 1/22 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and 
uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Pinned-Dependencies","score":2,"reason":"dependency not pinned by hash detected -- score normalized to 2","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:44: update your workflow using 
https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/link_check.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/link_check.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/link_check.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/link_check.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/org_example.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/org_example.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/org_example.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/org_example.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/org_example.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/org_example.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/org_example.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/org_example.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/org_example.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/org_example.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/repo_example.yml:19: update your workflow using 
https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/repo_example.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/repo_example.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/repo_example.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/repo_example.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/repo_example.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/tear_down_runners.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/redhat-actions/openshift-actions-runner-installer/tear_down_runners.yml/main?enable=pin","Info:   0 out of   8 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   8 third-party GitHubAction dependencies pinned","Info:   3 out of   3 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Warn: no topLevel permission defined: .github/workflows/dispatched_example.yml:1","Warn: no topLevel permission defined: .github/workflows/link_check.yml:1","Warn: no topLevel permission defined: .github/workflows/org_example.yml:1","Warn: no topLevel permission defined: .github/workflows/repo_example.yml:1","Warn: no topLevel permission defined: .github/workflows/tear_down_runners.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow 
the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":9,"reason":"security policy file 
detected","details":["Info: security policy file detected: github.com/redhat-actions/.github/SECURITY.md:1","Info: Found linked content: github.com/redhat-actions/.github/SECURITY.md:1","Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy","Info: Found text in security policy: github.com/redhat-actions/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 9 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"12 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q","Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38","Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-hc6q-2mpp-qw7j","Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986","Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-23T01:18:34.471Z","repository_id":42012519,"created_at":"2025-08-23T01:18:34.471Z","updated_at":"2025-08-23T01:18:34.471Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272833294,"owners_count":25000870,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-30T02:00:09.474Z","response_time":77,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","docker","helm","kubernetes","openshift","self-hosted-runner"],"created_at":"2024-07-31T18:00:55.512Z","updated_at":"2025-12-15T07:27:15.238Z","avatar_url":"https://github.com/redhat-actions.png","language":"TypeScript","funding_links":[],"categories":["The matrix (might be better readable on [GitHub pages](https://jonico.github.io/awesome-runners/))"],"sub_categories":["A word about self-hosted action runner images / virtual environments and how to test locally"],"readme":"# OpenShift Actions Runner Installer\n\n[![Install into repository](https://github.com/redhat-actions/openshift-actions-runner-installer/workflows/Install%20into%20repository/badge.svg)](https://github.com/redhat-actions/openshift-actions-runner-installer/actions)\n[![Install into 
org](https://github.com/redhat-actions/openshift-actions-runner-installer/workflows/Install%20into%20redhat-actions/badge.svg)](https://github.com/redhat-actions/openshift-actions-runner-installer/actions)\n[![CI checks](https://github.com/redhat-actions/openshift-actions-runner-installer/workflows/CI%20Checks/badge.svg)](https://github.com/redhat-actions/openshift-actions-runner-installer/actions)\n[![Link checker](https://github.com/redhat-actions/openshift-actions-runner-installer/workflows/Link%20checker/badge.svg)](https://github.com/redhat-actions/openshift-actions-runner-installer/actions)\n\n[![awesome-runners](https://img.shields.io/badge/listed%20on-awesome--runners-blue.svg)](https://github.com/jonico/awesome-runners)\n[![tag badge](https://img.shields.io/github/v/tag/redhat-actions/openshift-actions-runner-installer)](https://github.com/redhat-actions/openshift-actions-runner-installer/tags)\n[![license badge](https://img.shields.io/github/license/redhat-actions/kn-service-deploy)](./LICENSE)\n\nThe OpenShift Self-Hosted Actions Runner Installer is a GitHub Action to automatically install self-hosted Actions runner containers into a Kubernetes cluster.\n\nThe action uses the [**OpenShift Actions Runner Chart**](https://github.com/redhat-actions/openshift-actions-runner-chart/) to install runners.\n\nBy default, the chart installs the [**OpenShift Actions Runner**](https://github.com/redhat-actions/openshift-actions-runner). The image to use is configurable (see [Inputs](#inputs)).\n\nThis action uses these two projects to make the self-hosted runner installation on Kubernetes as easy as possible.\n\nIf a runner that uses the same image and has any requested labels is already present, the install step will be skipped. 
This action can be run as a prerequisite step to the \"real\" workflow to ensure the runner a workflow needs is available.\n\nWhile this action, chart and images are developed for and tested on OpenShift, they do not contain any OpenShift specific code. This action should be compatible with any Kubernetes platform.\n\n## Prerequisites\nYou must have access to a Kubernetes cluster. Visit [openshift.com/try](https://www.openshift.com/try) or sign up for our [Developer Sandbox](https://developers.redhat.com/developer-sandbox).\n\nYou must have authenticated to your Kubernetes cluster and set up a Kubernetes config. If you are using OpenShift, you can use [**oc-login**](https://github.com/redhat-actions/oc-login).\n\nYou must have `helm` v3 and either `oc` or `kubectl` installed. You can use the [**OpenShift CLI Installer**](https://github.com/redhat-actions/openshift-cli-installer) to install and cache these tools.\n\nYou do **not** need cluster administrator privileges to deploy the runners and run workloads. However, some images or tools may require special permissions.\n\n\u003ca id=\"example-workflows\"\u003e\u003c/a\u003e\n\n## Example Workflows\nRefer to the [**Repository Example**](./.github/workflows/repo_example.yml) and [**Organization Example**](./.github/workflows/org_example.yml). The Repository example is also an example of using a [`repository_dispatch` event](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#repository_dispatch) to trigger a separate workflow, once the runner is ready.\n\nRemember to [create a secret](https://docs.github.com/en/actions/reference/encrypted-secrets) containing the GitHub PAT as detailed above, and pass it in the `github_pat` input. 
Below, the secret is named `PAT`.\n\nAll other inputs are optional.\n\n### Minimal Example\n```yaml\nname: OpenShift Self-Hosted Installer Workflow\non: [ push, workflow_dispatch ]\n\njobs:\n  install-runner:\n    runs-on: ubuntu-20.04\n    name: Install runner\n    steps:\n      - name: Install self hosted runner into this repository\n        uses: redhat-actions/openshift-actions-runner-installer@v1\n        with:\n          github_pat: ${{ secrets.PAT }}\n\n  self-hosted-workflow:\n    # Now that the above job has ensured the runner container exists,\n    # we can run our workflow inside it.\n    name: OpenShift Self Hosted Workflow\n    # Add other labels here if you have to filter by a runner type.\n    runs-on: [ self-hosted ]\n    needs: install-runner\n\n    steps:\n      - run: hostname\n      - run: ls -Al\n      # ... etc\n```\n\n\u003ca id=\"inputs\"\u003e\u003c/a\u003e\n\n## Inputs\nThe only required input is the `github_pat`, which is a [Personal Access Token](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token), with the appropriate permissions.\n\nThe token must have the `repo` permission scope. For organization runners, the token must also have the `admin:org` scope. Refer to the Runner [README](https://github.com/redhat-actions/openshift-actions-runner#pat-guidelines).\n\nNote that the default workflow token `secrets.GITHUB_TOKEN` does **not** have the permissions required to check for and install self-hosted runners. Refer to [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token).\n\n| Input Name | Description | Default |\n| ---------- | ----------- | ------- |\n| github_pat | GitHub Personal access token. Refer to the description above. | **Must be provided**\n| runner_image | Container image to use for the runner. 
| [`quay.io/redhat-github-actions/runner`](https://quay.io/redhat-github-actions/runner)\n| runner_tag | Tag to use for the runner container image. | `v1` |\n| runner_labels | [Labels](https://docs.github.com/en/actions/hosting-your-own-runners/using-labels-with-self-hosted-runners) to add to the self-hosted runner. Must be comma-separated, spaces after commas optional. | None |\n| runner_location | Repository or organization for the self-hosted runner. | Workflow repository |\n| runner_replicas | Number of replicas of the container to create. Each replica is its own pod, and its own runner. | 1\n| namespace | Optional Kubernetes namespace to pass to all Helm and Kube client commands.  | None |\n| helm_release_name | The Helm release name to use. | Runner location (repo or org) |\n| helm_uninstall_existing | Uninstall any release that matches the `helm_release_name` and `namespace` before running `helm install`. If this is false, and the release exists, the action will fail when the `helm install` fails. | `true` |\n| helm_chart_version | Version of our [Helm Chart](https://github.com/redhat-actions/openshift-actions-runner-chart) to install. | Latest release\n| helm_extra_args | Arbitrary arguments to append to the `helm` command. Refer to the [Chart README](https://github.com/redhat-actions/openshift-actions-runner-chart). \u003cbr\u003eSeparate items by newline. Do not quote the arguments, since `@actions/exec` manages quoting. | None |\n\n## Outputs\n| Output Name | Description |\n| ----------- | ----------- |\n| helm_release_name | The name of the Helm release that was installed.\u003cbr\u003eIf the runners were present and the install was skipped, this value is undefined. |\n| installed | Boolean value indicating if the runners were installed (`true`), or already present (`false`). |\n| runners | JSON-parsable array of the matching runners' names, whether they were installed by this action or already present. 
|\n\n## Removing runners\n`helm uninstall` is sufficient to remove the runners. As long as the runners terminate gracefully, they will remove themselves from the repository or organization before exiting.\n\nYou can use the `helm_release_name` output to determine the helm release name to uninstall.\n\nRefer to the [tear down example](./.github/workflows/tear_down_runners.yml) and the [organization workflow](./.github/workflows/org_example.yml) for examples.\n\n\u003ca id=\"troubleshooting\"\u003e\u003c/a\u003e\n## Troubleshooting\n\nSee the Troubleshooting sections of [the chart README](https://github.com/redhat-actions/openshift-actions-runner-chart#Troubleshooting), and [the runner README](https://github.com/redhat-actions/openshift-actions-runner#Troubleshooting).\n\nThe most common errors are due to a missing or misconfigured GitHub PAT. Make sure that:\n- The secret was created correctly.\n- The secret is referred to by the correct name in the workflow file.\n- The PAT in the secret has the correct permissions.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredhat-actions%2Fopenshift-actions-runner-installer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fredhat-actions%2Fopenshift-actions-runner-installer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredhat-actions%2Fopenshift-actions-runner-installer/lists"}