Merge pull request #15 from github-developer/cleanup

imjohnbo · web-flow · commit d1ceda520dae · 2020-08-03T10:57:29.000-04:00
docs: clean up
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
@@ -12,11 +12,11 @@ on:
 
 env:
   GITHUB_REPO: ${{ secrets.REPO }} # Should be a private repository, see https://help.github.com/en/actions/hosting-your-own-runners/adding-self-hosted-runners
-  TOKEN: ${{ secrets.TOKEN }} # Personal Access Token used to register and deregister runners. GITHUB_TOKEN isn't good for most use cases because it is only valid for one hour.
+  TOKEN: ${{ secrets.TOKEN }} # Personal Access Token used to register and deregister runners since GITHUB_TOKEN is only valid for one hour.
   GCP_PROJECT: ${{ secrets.GCP_PROJECT }}
   GKE_CLUSTER: self-hosted-runner-test-cluster
   GKE_SECRETS: self-hosted-runner-creds
-  GCP_REGION: us-west1
+  GCP_ZONE: us-west1-a
   IMAGE: self-hosted-runner
 
 jobs:
@@ -30,10 +30,10 @@ jobs:
 
     # Configure Google Cloud credentials
     - name: Configure Google Cloud credentials
-      uses: GoogleCloudPlatform/github-actions/setup-gcloud@master # until 0.2.0 release is available
+      uses: GoogleCloudPlatform/github-actions/setup-gcloud@0.1.3
       with:
-        service_account_email: ${{ secrets.GCP_EMAIL }}
         service_account_key: ${{ secrets.GCP_KEY }}
+        project_id: ${{ secrets.GCP_PROJECT }}
 
     # Insert other testing and linting steps here, eg. container analysis (https://cloud.google.com/container-registry/docs/container-analysis)
 
@@ -55,10 +55,10 @@ jobs:
 
       # Configure Google Cloud credentials
       - name: Configure Google Cloud credentials
-        uses: GoogleCloudPlatform/github-actions/setup-gcloud@master # until 0.2.0 release is available
+        uses: GoogleCloudPlatform/github-actions/setup-gcloud@0.1.3
         with:
-          service_account_email: ${{ secrets.GCP_EMAIL }}
           service_account_key: ${{ secrets.GCP_KEY }}
+          project_id: ${{ secrets.GCP_PROJECT }}
 
       # Use gcloud CLI to configure docker authentication for subsequent push
       - run: |
@@ -71,7 +71,7 @@ jobs:
       # Configure Kubernetes
       - name: Configure Kubernetes
         run: |
-          gcloud container clusters get-credentials $GKE_CLUSTER --region $GCP_REGION --project $GCP_PROJECT
+          gcloud container clusters get-credentials $GKE_CLUSTER --zone $GCP_ZONE
 
       # Push the Docker image to Google Container Registry
       - name: Publish
diff --git a/README.md b/README.md
@@ -2,9 +2,13 @@
 
 > An example configuration and usage of GitHub Actions [self hosted runners](https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) on [Anthos GKE](https://cloud.google.com/anthos/gke).
 
+![Self Hosted Runner CI/CD ](https://github.com/github-developer/self-hosted-runners-anthos/workflows/.github/workflows/cicd.yml/badge.svg)
+
 A Continuous Integration [job](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs) builds the image and publishes it to Google Container Registry, and a Continuous Deployment job deploys it to Google Kubernetes Engine (GKE). The self hosted runners in this cluster are made available to the GitHub repository configured via the `GITHUB_REPO` environment variable below.
 
-⚠️ Note that this use case is considered experimental and _not officially supported by GitHub at this time_. Additionally [it’s recommended](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) not to use self-hosted runners on public repositories for a number of security reasons.
+Because a Docker-in-Docker sidecar pod has been used in this project, these self-hosted runners can also run container builds. Though this approach offers build flexibility, it requires a [`privileged` security context](https://github.com/github-developer/self-hosted-runners-anthos/blob/cb2ee160def13ec3fff256ea43804cafe9fb7e20/deployment.yml#L55) and therefore extends the trust boundary to the whole cluster. Extra caution is recommended with this approach or [removing the sidecar](https://github.com/github-developer/self-hosted-runners-anthos/blob/cb2ee160def13ec3fff256ea43804cafe9fb7e20/deployment.yml#L45) if your application doesn’t require container builds.
+
+⚠️ Note that this use case is considered experimental and _not officially supported by GitHub at this time_. Additionally [it’s recommended](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) not to use self-hosted runners on public repositories for a number of security reasons. 
 
 ## Setup
 
@@ -42,15 +46,15 @@ gcloud services enable \
 * Create GKE cluster ([docs](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster))
 
 ```
-gcloud container clusters create self-hosted-runner-test-cluster --region us-west1 
+gcloud container clusters create self-hosted-runner-test-cluster
 ```
 
 * Register cluster to the environ [docs](https://cloud.google.com/anthos/docs/setup/cloud#gcloud)
 ```
 gcloud container hub memberships register self-hosted-anthos-membership \
-  --project=self-hosted-runner-test-897234 \
-◀ --gke-uri=https://container.googleapis.com/v1/projects/self-hosted-runner-test-897234/locations/us-west1/clusters/self-hosted-runner-test-cluster \ # 
-◀ --service-account-key-file=/path-to/service-account-key.json
+  --project=self-hosted-runner-test-myid \
+  --gke-uri=https://container.googleapis.com/v1/projects/self-hosted-runner-test-myid/locations/us-west1/clusters/self-hosted-runner-test-cluster \
+  --service-account-key-file=/path-to/service-account-key.json
 ```
 
 * Get the credentails for this cluster
@@ -68,7 +72,6 @@ kubectl create secret generic self-hosted-runner-creds \
 
 * Set these as secrets in your GitHub repository:
   * `GCP_PROJECT`: ID of your Google Cloud Platform project, eg. `self-hosted-runner-test-897234`
-  * `GCP_EMAIL`: Service Account email, eg. `runner-admin@self-hosted-runner-test.iam.gserviceaccount.com`
   * `GCP_KEY`: Download your [Service Account JSON credentials](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and Base64 encode them, eg. output of `cat ~/path/to/my/credentials.json | base64`
   * `TOKEN`: Personal Access Token. From the [documentation](https://developer.github.com/v3/actions/self_hosted_runners/), "Access tokens require `repo scope` for private repos and `public_repo scope` for public repos".
 
diff --git a/script/setup.sh b/script/setup.sh
diff --git a/startup.sh b/startup.sh
@@ -1,16 +1,5 @@
 #!/bin/bash
 
-# Remove runner upon receiving an EXIT signal
-function remove_runner {
-    echo "\nCaught EXIT signal. Removing runner and exiting.\n"
-    REMOVE_TOKEN=$(curl --data "" -H "Authorization: Bearer $TOKEN" https://api.github.com/repos/$GITHUB_REPO/actions/runners/remove-token | jq -r '.token')
-    ./config.sh remove --token $REMOVE_TOKEN
-    exit $?
-}
-
-# Watch for EXIT signal to be able to shut down gracefully
-trap remove_runner EXIT
-
 # Generate
 CONFIG_TOKEN=$(curl --data "" --header "Authorization: Bearer $TOKEN" https://api.github.com/repos/$GITHUB_REPO/actions/runners/registration-token | jq -r '.token')
 
