Allow job id to be supplied to an ephemeral runner so that it only takes the supplied job id #19784
Unanswered
jj51726-jd
asked this question in
Actions
Replies: 2 comments
-
👍
-
+1 to this. It's a basic requirement IMHO for any kind of ephemeral runners that are launched in response to jobs being queued. For a detailed use-case of what problem this solves, and the gaps with the current model: actions/runner#2147
-
I am writing an orchestrator for Actions runners running in Docker containers. I want to whitelist specific actions so that they run in privileged containers, and can therefore use Docker in Docker (dind). "Dind" is a security problem if unknown code is allowed to run.
I don't want to allow any action or step to run in a privileged container, only actions whose code is reviewed and approved for privileged containers.
Therefore, I need to be able to specify that a privileged container that I spawn only take the job that it is supposed to take. There is no way to do this, currently, that I am aware of.
To accomplish this, I will need to tell every container which job to take, and I am ok with that. For whitelisted Actions, I want to spawn privileged containers which can do things that other Actions cannot, and I want the privileged containers to only take the jobs that require privileged containers.