Allow job id to be supplied to an ephemeral runner so that it only takes the supplied job id

[jj51726-jd]

I am writing an orchestrator for Actions runners running in Docker containers. I want to whitelist specific actions so that they run in privileged containers, and can therefore use Docker in Docker (dind). "Dind" is a security problem if unknown code is allowed to run.

I don't want to allow any action or step to run in a privileged container, only actions whose code is reviewed and approved for privileged containers.

Therefore, I need to be able to specify that a privileged container that I spawn only take the job that it is supposed to take. There is no way to do this, currently, that I am aware of.

To accomplish this, I will need to tell every container which job to take, and I am ok with that. For whitelisted Actions, I want to spawn privileged containers which can do things that other Actions can not, and I want the privileged containers to only take the jobs that require privileged containers.

[kmaehashi]

👍
There are many other use cases for this feature as discussed in actions/runner#620, actions/runner#2106, and actions/runner#2147.

[alexellis]

+1 to this

It's a basic requirement IMHO for any kind of ephemeral runners that are launched in response to jobs being queued

For a detailed use-case of what problem this solves, and the gaps with the current model: actions/runner#2147