Introduce jit config runner registration

Author: Tereius

cloudRun.tf

@@ -52,8 +52,12 @@ resource "google_cloud_run_v2_service" "autoscaler" {
         value = var.github_runner_prefix
       }
       env {
-        name  = "RUNNER_GROUP"
-        value = var.github_runner_group
+        name  = "RUNNER_GROUP_NAME"
+        value = var.github_runner_group_name
+      }
+      env {
+        name  = "RUNNER_GROUP_ID"
+        value = var.github_runner_group_id
       }
       env {
         name  = "RUNNER_LABELS"

compute.tf

@@ -40,6 +40,7 @@ resource "google_compute_instance_template" "runner_instance" {
   }
 }
 
+// First parameter has to be the registration token
 resource "google_compute_project_metadata_item" "startup_scripts_register_runner" {
   key   = "startup_script_register_runner"
   value = <<EOT
@@ -49,13 +50,45 @@ apt-get update && apt-get -y install docker.io docker-buildx curl
 useradd -d /home/agent -u 10000 agent
 usermod -aG docker agent
 newgrp docker
-wget -q -O /tmp/agent.tar.gz '${var.github_runner_download_url}'
+curl -s -o /tmp/agent.tar.gz -L '${var.github_runner_download_url}'
 mkdir -p /home/agent
 chown -R agent:agent /home/agent
 pushd /home/agent
 sudo -u agent tar zxf /tmp/agent.tar.gz
 registration_token=$1
-sudo -u agent ./config.sh --unattended --disableupdate --ephemeral --name $(hostname) ${local.runnerLabelInstanceTemplate} --url 'https://github.com/${var.github_organization}' --token $${registration_token} --runnergroup '${var.github_runner_group}' || shutdown now
+sudo -u agent ./config.sh --unattended --disableupdate --ephemeral --name $(hostname) ${local.runnerLabelInstanceTemplate} --url 'https://github.com/${var.github_organization}' --token $${registration_token} --runnergroup '${var.github_runner_group_name}' || shutdown now
+./bin/installdependencies.sh || shutdown now
+./svc.sh install agent || shutdown now
+./svc.sh start || shutdown now
+popd
+rm /tmp/agent.tar.gz
+echo "Setup finished"
+EOT
+}
+
+// First parameter has to be the base64 encoded jit_config
+resource "google_compute_project_metadata_item" "startup_scripts_register_jit_runner" {
+  key   = "startup_script_register_jit_runner"
+  value = <<EOT
+#!/bin/bash
+agent_name=$(hostname)
+echo "Setup of agent '$agent_name' started"
+apt-get update && apt-get -y install docker.io docker-buildx curl jq
+useradd -d /home/agent -u 10000 agent
+usermod -aG docker agent
+newgrp docker
+curl -s -o /tmp/agent.tar.gz -L '${var.github_runner_download_url}'
+mkdir -p /home/agent
+chown -R agent:agent /home/agent
+pushd /home/agent
+sudo -u agent tar zxf /tmp/agent.tar.gz
+encoded_jit_config=$1
+echo -n $encoded_jit_config | base64 -d | jq '.".runner"' -r | base64 -d > .runner
+echo -n $encoded_jit_config | base64 -d | jq '.".credentials"' -r | base64 -d > .credentials
+echo -n $encoded_jit_config | base64 -d | jq '.".credentials_rsaparams"' -r | base64 -d > .credentials_rsaparams
+sed -i 's/{{SvcNameVar}}/actions.runner.${var.github_organization}.$${agent_name}.service/g' bin/systemd.svc.sh.template
+sed -i 's/{{SvcDescription}}/GitHub Actions Runner (${var.github_organization}.$${agent_name})/g' bin/systemd.svc.sh.template
+cp bin/systemd.svc.sh.template ./svc.sh && chmod +x ./svc.sh
 ./bin/installdependencies.sh || shutdown now
 ./svc.sh install agent || shutdown now
 ./svc.sh start || shutdown now

runner-autoscaler/README.md

@@ -19,26 +19,30 @@ Following conditions of the workflow job webhook event have to be fulfilled, so
 
 * The webhook signature is valid (see WEBHOOK_SECRET env).
 * The webhook `action` value equals `completed`.
-* The webhook `workflow_job.runner_group_name` value equals the configured RUNNER_GROUP.
+* The webhook `workflow_job.runner_group_name` value equals the configured RUNNER_GROUP_NAME.
 * **All** labels of the workflow job match the configured RUNNER_LABELS.
 
 ### Configuration
 
 The scaler is configured via the following environment variables:
 
-| Env               | Default                              | Description                                                                                                                                                                           |
-| ----------------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| ROUTE_WEBHOOK     | /webhook                             | The Cloud Run path that is invoked by the GitHub webhook. Depending on the workflow job, a Cloud Task "delete runner" or "create runner" is enqueued.                                 |
-| ROUTE_DELETE_VM   | /delete_vm                           | The Cloud Run callback path invoked by Cloud Task when a VM instance should be **deleted**. The payload contains the name of the "to be deleted" VM instance.                         |
-| ROUTE_CREATE_VM   | /create_vm                           | The Cloud Run callback path invoked by Cloud Task when a VM instance should be **created**. The payload contains the name of the "to be created" VM instance.                         |
-| WEBHOOK_SECRET    |                                      | The GitHub webhook secret. This is the secret the webhook has been [configured](https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries) with.               |
-| PROJECT_ID        |                                      | The Google Cloud Project Id.                                                                                                                                                          |
-| ZONE              |                                      | The Google Cloud zone where the VM instance will be created.                                                                                                                          |
-| TASK_QUEUE        |                                      | The relative resource name of the Cloud Task queue.                                                                                                                                   |
-| INSTANCE_TEMPLATE |                                      | The relative resource name of the instance template from which the VM instance will be created.                                                                                       |
-| SECRET_VERSION    |                                      | The relative resource name of the secret version which contains the PAT                                                                                                               |
-| RUNNER_PREFIX     | runner                               | Prefix for the the name of a new VM instance. A random string (10 random lower case characters) will be added to make the name unique: "<prefix>-<random_string>".                    |
-| RUNNER_GROUP      | Default                              | The GitHub runner group where the VM instance is expected to join as a self hosted runner.                                                                                            |
-| RUNNER_LABELS     | self-hosted *(comma separated list)* | Only workflow jobs whose labels match **all** the configured labels will be taken into account. If only one configured label is **not** found in the workflow job it will be ignored. |
-| GITHUB_ORG        |                                      | The name of the GitHub Organization                                                                                                                                                   |
-| PORT              | 8080                                 | To which port the webserver is bound.                                                                                                                                                 |
+| Env               | Default                              | Description                                                                                                                                                                                            |
+| ----------------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| ROUTE_WEBHOOK     | /webhook                             | The Cloud Run path that is invoked by the GitHub webhook. Depending on the workflow job, a Cloud Task "delete runner" or "create runner" is enqueued.                                                  |
+| ROUTE_DELETE_VM   | /delete_vm                           | The Cloud Run callback path invoked by Cloud Task when a VM instance should be **deleted**. The payload contains the name of the "to be deleted" VM instance.                                          |
+| ROUTE_CREATE_VM   | /create_vm                           | The Cloud Run callback path invoked by Cloud Task when a VM instance should be **created**. The payload contains the name of the "to be created" VM instance.                                          |
+| WEBHOOK_SECRET    |                                      | The GitHub webhook secret. This is the secret the webhook has been [configured](https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries) with.                                |
+| PROJECT_ID        |                                      | The Google Cloud Project Id.                                                                                                                                                                           |
+| ZONE              |                                      | The Google Cloud zone where the VM instance will be created.                                                                                                                                           |
+| TASK_QUEUE        |                                      | The relative resource name of the Cloud Task queue.                                                                                                                                                    |
+| INSTANCE_TEMPLATE |                                      | The relative resource name of the instance template from which the VM instance will be created.                                                                                                        |
+| SECRET_VERSION    |                                      | The relative resource name of the secret version which contains the PAT                                                                                                                                |
+| RUNNER_PREFIX     | runner                               | Prefix for the the name of a new VM instance. A random string (10 random lower case characters) will be added to make the name unique: "<prefix>-<random_string>".                                     |
+| RUNNER_GROUP_NAME | Default                              | The GitHub runner group name where the VM instance is expected to join as a self hosted runner.                                                                                                        |
+| RUNNER_GROUP_ID   | 0                                    | (optional - but preferred) The GitHub runner group ID where the VM instance is expected to join as a self hosted runner (must be the ID of the **same** runner group with the name RUNNER_GROUP_NAME). |
+| RUNNER_LABELS     | self-hosted *(comma separated list)* | Only workflow jobs whose labels match **all** the configured labels will be taken into account. If only one configured label is **not** found in the workflow job it will be ignored.                  |
+| GITHUB_ORG        |                                      | The name of the GitHub Organization                                                                                                                                                                    |
+| PORT              | 8080                                 | To which port the webserver is bound.                                                                                                                                                                  |
+
+> [!IMPORTANT]
+> If RUNNER_GROUP_ID is set to a value **greater than 0** the VM instance will use a **jit config** to register itself as a GitHub runner. Else the VM instance will use a registration token to register itself as a GitHub runner.

runner-autoscaler/main.go

@@ -38,7 +38,8 @@ func main() {
 	logrus.SetLevel(logrus.InfoLevel)
 
 	labels := strings.Split(getEnvDefault("RUNNER_LABELS", "self-hosted"), ",")
-	runnerGroup := getEnvDefault("RUNNER_GROUP", "Default")
+	runnerGroup := getEnvDefault("RUNNER_GROUP_NAME", "Default")
+	runnerGroupId, _ := strconv.Atoi(getEnvDefault("RUNNER_GROUP_ID", "0"))
 	scaler := pkg.NewAutoscaler(pkg.AutoscalerConfig{
 		RouteWebhook:     getEnvDefault("ROUTE_WEBHOOK", "/webhook"),
 		RouteDeleteVm:    getEnvDefault("ROUTE_DELETE_VM", "/delete_vm"),
@@ -50,7 +51,8 @@ func main() {
 		InstanceTemplate: mustGetEnv("INSTANCE_TEMPLATE"),
 		SecretVersion:    mustGetEnv("SECRET_VERSION"),
 		RunnerPrefix:     getEnvDefault("RUNNER_PREFIX", "runner"),
-		RunnerGroup:      runnerGroup,
+		RunnerGroupName:  runnerGroup,
+		RunnerGroupId:    runnerGroupId,
 		RunnerLabels:     labels,
 		GitHubOrg:        mustGetEnv("GITHUB_ORG"),
 	})

runner-autoscaler/pkg/srv.go

@@ -1,6 +1,7 @@
 package pkg
 
 import (
+	"bytes"
 	"context"
 	"crypto/hmac"
 	"crypto/sha256"
@@ -26,6 +27,7 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
+const GITHUB_API_VERSION string = "2022-11-28"
 const SHA_PREFIX string = "sha256="
 const SHA_HEADER string = "x-hub-signature-256"
 const EVENT_HEADER string = "x-github-event"
@@ -34,9 +36,13 @@ const WEBHOOK_PING_EVENT string = "ping"
 const WEBHOOK_JOB_EVENT string = "workflow_job"
 
 const RUNNER_REGISTRATION_TOKEN_ATTR string = "registration_token"
-const RUNNER_STARTUP_SCRIPT_ATTR string = "startup_script_register_runner"
+const RUNNER_JIT_CONFIG_ATTR string = "jit_config"
+
+const RUNNER_SCRIPT_REGISTER_RUNNER_ATTR string = "startup_script_register_runner"         // has to match the global custom metadata in compute.tf
+const RUNNER_SCRIPT_REGISTER_JIT_RUNNER_ATTR string = "startup_script_register_jit_runner" // has to match the global custom metadata in compute.tf
 
 const RUNNER_REGISTER_TOKEN_ORG_ENDPOINT string = "https://api.github.com/orgs/%s/actions/runners/registration-token"
+const RUNNER_JIT_CONFIG_ENDPOINT string = "https://api.github.com/orgs/%s/actions/runners/generate-jitconfig"
 
 type Job struct {
 	Id              int64    `json:"id"`
@@ -148,7 +154,7 @@ func newSecretAccessClient(ctx context.Context) *secretmanager.Client {
 
 var letterRunes = []rune("abcdefghijklmnopqrstuvwxyz")
 
-func randStringRunes(n int) string {
+func RandStringRunes(n int) string {
 
 	b := make([]rune, n)
 	for i := range b {
@@ -305,7 +311,7 @@ func (s *Autoscaler) CreateInstanceFromTemplate(ctx context.Context, instanceNam
 	return nil
 }
 
-func (s *Autoscaler) GenerateRunnerRegistrationToken(ctx context.Context) (string, error) {
+func (s *Autoscaler) readPat(ctx context.Context) (string, error) {
 
 	log.Debugf("About to request GitHub runner registration token using PAT from secret version: %s", s.conf.SecretVersion)
 	secretAccessClient := newSecretAccessClient(ctx)
@@ -320,34 +326,93 @@ func (s *Autoscaler) GenerateRunnerRegistrationToken(ctx context.Context) (strin
 			log.Errorf("The GitHub PAT secret is empty")
 			return "", fmt.Errorf("empty GitHub PAT")
 		} else {
-			if req, err := http.NewRequestWithContext(ctx, "POST", fmt.Sprintf(RUNNER_REGISTER_TOKEN_ORG_ENDPOINT, s.conf.GitHubOrg), nil); err != nil {
-				log.Errorf("Could not create GitHub runner registration token request")
-				return "", fmt.Errorf("failed registration token request")
+			return pat, nil
+		}
+	}
+}
+
+func (s *Autoscaler) GenerateRunnerRegistrationToken(ctx context.Context) (string, error) {
+
+	log.Debugf("About to request GitHub runner registration token using PAT from secret version: %s", s.conf.SecretVersion)
+	secretAccessClient := newSecretAccessClient(ctx)
+	defer secretAccessClient.Close()
+	if pat, err := s.readPat(ctx); err != nil {
+		return "", err
+	} else {
+		if req, err := http.NewRequestWithContext(ctx, "POST", fmt.Sprintf(RUNNER_REGISTER_TOKEN_ORG_ENDPOINT, s.conf.GitHubOrg), nil); err != nil {
+			log.Errorf("Could not create GitHub runner registration token request")
+			return "", fmt.Errorf("failed registration token request")
+		} else {
+			req.Header.Add("Accept", "application/vnd.github+json")
+			req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", pat))
+			req.Header.Add("X-GitHub-Api-Version", GITHUB_API_VERSION)
+			req.Header.Add("User-Agent", "github-runner-autoscaler")
+			if resp, err := http.DefaultClient.Do(req); err != nil {
+				log.Errorf("GitHub runner registration token request failed: %s", err.Error())
+				return "", fmt.Errorf("failed registration token response")
+			} else if resp.StatusCode != 201 {
+				log.Errorf("GitHub runner registration token request unsuccessful: %s", resp.Status)
+				defer resp.Body.Close()
+				return "", fmt.Errorf("failed registration token response")
 			} else {
-				req.Header.Add("Accept", "application/vnd.github+json")
-				req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", pat))
-				req.Header.Add("X-GitHub-Api-Version", "2022-11-28")
-				req.Header.Add("User-Agent", "github-runner-autoscaler")
-				if resp, err := http.DefaultClient.Do(req); err != nil {
-					log.Errorf("GitHub runner registration token request failed: %s", err.Error())
+				defer resp.Body.Close()
+				body, _ := io.ReadAll(resp.Body)
+				payload := map[string]string{}
+				if err := json.Unmarshal(body, &payload); err != nil {
+					log.Errorf("GitHub runner registration token response missing: %s", err.Error())
 					return "", fmt.Errorf("failed registration token response")
-				} else if resp.StatusCode != 201 {
-					log.Errorf("GitHub runner registration token request unsuccessful: %s", resp.Status)
-					defer resp.Body.Close()
+				} else if token, ok := payload["token"]; ok && len(token) > 0 {
+					return token, nil
+				} else {
+					log.Errorf("GitHub runner registration token is empty")
 					return "", fmt.Errorf("failed registration token response")
+				}
+			}
+		}
+	}
+}
+
+func (s *Autoscaler) GenerateRunnerJitConfig(ctx context.Context, runnerName string) (string, error) {
+
+	log.Debugf("About to request GitHub runner jit config using PAT from secret version: %s", s.conf.SecretVersion)
+	secretAccessClient := newSecretAccessClient(ctx)
+	defer secretAccessClient.Close()
+	if pat, err := s.readPat(ctx); err != nil {
+		return "", err
+	} else {
+		reqPayload := map[string]any{}
+		reqPayload["name"] = runnerName
+		reqPayload["runner_group_id"] = s.conf.RunnerGroupId
+		reqPayload["labels"] = s.conf.RunnerLabels
+		reqPayload["work_folder"] = "_work"
+		data, _ := json.Marshal(reqPayload)
+		if req, err := http.NewRequestWithContext(ctx, "POST", fmt.Sprintf(RUNNER_JIT_CONFIG_ENDPOINT, s.conf.GitHubOrg), bytes.NewReader(data)); err != nil {
+			log.Errorf("Could not create GitHub runner jit-config request")
+			return "", fmt.Errorf("failed jit-config request")
+		} else {
+			req.Header.Add("Accept", "application/vnd.github+json")
+			req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", pat))
+			req.Header.Add("X-GitHub-Api-Version", GITHUB_API_VERSION)
+			req.Header.Add("User-Agent", "github-runner-autoscaler")
+			if resp, err := http.DefaultClient.Do(req); err != nil {
+				log.Errorf("GitHub runner jit-config request failed: %s", err.Error())
+				return "", fmt.Errorf("failed jit-config response")
+			} else if resp.StatusCode != 201 {
+				log.Errorf("GitHub runner jit-config request unsuccessful: %s", resp.Status)
+				defer resp.Body.Close()
+				return "", fmt.Errorf("failed jit-config response")
+			} else {
+				defer resp.Body.Close()
+				body, _ := io.ReadAll(resp.Body)
+				payload := map[string]any{}
+				if err := json.Unmarshal(body, &payload); err != nil {
+					log.Errorf("GitHub runner jit-config response missing: %s", err.Error())
+					return "", fmt.Errorf("failed jit-config response")
+				} else if jitConfig, ok := payload["encoded_jit_config"].(string); ok && len(jitConfig) > 0 {
+					return jitConfig, nil
 				} else {
-					defer resp.Body.Close()
-					body, _ := io.ReadAll(resp.Body)
-					payload := map[string]string{}
-					if err := json.Unmarshal(body, &payload); err != nil {
-						log.Errorf("GitHub runner registration token response missing: %s", err.Error())
-						return "", fmt.Errorf("failed registration token response")
-					} else if token, ok := payload["token"]; ok && len(token) > 0 {
-						return token, nil
-					} else {
-						log.Errorf("GitHub runner registration token is empty")
-						return "", fmt.Errorf("failed registration token response")
-					}
+					log.Errorf("GitHub runner jit-config is empty")
+					return "", fmt.Errorf("failed jit-config response")
 				}
 			}
 		}
@@ -392,32 +457,65 @@ func (s *Autoscaler) createCallbackTaskWithToken(ctx context.Context, url, messa
 	return nil
 }
 
+const runner_script_wrapper = `
+#!/bin/bash
+val=$(curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/%s" -H "Metadata-Flavor: Google")
+curl "http://metadata.google.internal/computeMetadata/v1/project/attributes/%s" -H "Metadata-Flavor: Google" > runner_startup.sh
+chmod +x ./runner_startup.sh
+./runner_startup.sh $val
+rm runner_startup.sh
+`
+
+func (s *Autoscaler) createVmWithRegistrationToken(ctx *gin.Context, instanceName string) {
+	if token, err := s.GenerateRunnerRegistrationToken(ctx); err != nil {
+		ctx.AbortWithError(http.StatusInternalServerError, err)
+	} else {
+		registration_token_attr := fmt.Sprintf("%s_%s", RUNNER_REGISTRATION_TOKEN_ATTR, RandStringRunes(16))
+		if err := s.CreateInstanceFromTemplate(ctx, instanceName, &computepb.Items{
+			Key:   proto.String(registration_token_attr),
+			Value: proto.String(token),
+		}, &computepb.Items{
+			Key:   proto.String("startup-script"),
+			Value: proto.String(fmt.Sprintf(runner_script_wrapper, registration_token_attr, RUNNER_SCRIPT_REGISTER_RUNNER_ATTR)),
+		}); err != nil {
+			ctx.AbortWithError(http.StatusInternalServerError, err)
+		} else {
+			ctx.Status(http.StatusOK)
+		}
+	}
+}
+
+func (s *Autoscaler) createVmWithJitConfig(ctx *gin.Context, instanceName string) {
+	if jitConfig, err := s.GenerateRunnerJitConfig(ctx, instanceName); err != nil {
+		ctx.AbortWithError(http.StatusInternalServerError, err)
+	} else {
+		jit_config_attr := fmt.Sprintf("%s_%s", RUNNER_JIT_CONFIG_ATTR, RandStringRunes(16))
+		if err := s.CreateInstanceFromTemplate(ctx, instanceName, &computepb.Items{
+			Key:   proto.String(jit_config_attr),
+			Value: proto.String(jitConfig),
+		}, &computepb.Items{
+			Key:   proto.String("startup-script"),
+			Value: proto.String(fmt.Sprintf(runner_script_wrapper, jit_config_attr, RUNNER_SCRIPT_REGISTER_JIT_RUNNER_ATTR)),
+		}); err != nil {
+			ctx.AbortWithError(http.StatusInternalServerError, err)
+		} else {
+			ctx.Status(http.StatusOK)
+		}
+	}
+}
+
 func (s *Autoscaler) handleCreateVm(ctx *gin.Context) {
 
 	log.Info("Received create-vm cloud task callback")
 	if data, err := s.verifySignature(ctx); err == nil {
-		if token, err := s.GenerateRunnerRegistrationToken(ctx); err != nil {
-			ctx.AbortWithError(http.StatusInternalServerError, err)
+		if s.conf.RunnerGroupId > 0 {
+			// use jit config
+			log.Info("Using jit config for runner registration")
+			s.createVmWithJitConfig(ctx, string(data))
 		} else {
-			registration_token_attr := fmt.Sprintf("%s_%s", RUNNER_REGISTRATION_TOKEN_ATTR, randStringRunes(16))
-			if err := s.CreateInstanceFromTemplate(ctx, string(data), &computepb.Items{
-				Key:   proto.String(registration_token_attr),
-				Value: proto.String(token),
-			}, &computepb.Items{
-				Key: proto.String("startup-script"),
-				Value: proto.String(fmt.Sprintf(`
-#!/bin/bash
-registration_token=$(curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/%s" -H "Metadata-Flavor: Google")
-curl "http://metadata.google.internal/computeMetadata/v1/project/attributes/%s" -H "Metadata-Flavor: Google" > runner_startup.sh
-chmod +x ./runner_startup.sh
-./runner_startup.sh $registration_token
-rm runner_startup.sh
-`, registration_token_attr, RUNNER_STARTUP_SCRIPT_ATTR)),
-			}); err != nil {
-				ctx.AbortWithError(http.StatusInternalServerError, err)
-			} else {
-				ctx.Status(http.StatusOK)
-			}
+			// use registration token
+			log.Info("Using registration token for runner registration")
+			s.createVmWithRegistrationToken(ctx, string(data))
 		}
 	}
 }
@@ -452,7 +550,7 @@ func (s *Autoscaler) handleWebhook(ctx *gin.Context) {
 				if payload.Action == QUEUED {
 					if ok, missingLabels := payload.Job.hasAllLabels(s.conf.RunnerLabels); ok {
 						createUrl := createCallbackUrl(ctx, s.conf.RouteCreateVm)
-						if err := s.createCallbackTaskWithToken(ctx, createUrl, fmt.Sprintf("%s-%s", s.conf.RunnerPrefix, randStringRunes(10))); err != nil {
+						if err := s.createCallbackTaskWithToken(ctx, createUrl, fmt.Sprintf("%s-%s", s.conf.RunnerPrefix, RandStringRunes(10))); err != nil {
 							log.Errorf("Can not enqueue create-vm cloud task callback: %s", err.Error())
 							ctx.AbortWithError(http.StatusInternalServerError, err)
 							return
@@ -461,7 +559,7 @@ func (s *Autoscaler) handleWebhook(ctx *gin.Context) {
 						log.Warnf("Webhook requested to start a runner that is missing the label(s) \"%s\" - ignoring", strings.Join(missingLabels, ", "))
 					}
 				} else if payload.Action == COMPLETED {
-					if payload.Job.RunnerGroupName == s.conf.RunnerGroup {
+					if payload.Job.RunnerGroupName == s.conf.RunnerGroupName {
 						if ok, missingLabels := payload.Job.hasAllLabels(s.conf.RunnerLabels); ok {
 							deleteUrl := createCallbackUrl(ctx, s.conf.RouteDeleteVm)
 							if err := s.createCallbackTaskWithToken(ctx, deleteUrl, payload.Job.RunnerName); err != nil {
@@ -473,7 +571,7 @@ func (s *Autoscaler) handleWebhook(ctx *gin.Context) {
 							log.Warnf("Webhook signaled to delete a runner that is missing the label(s) \"%s\" - ignoring", strings.Join(missingLabels, ", "))
 						}
 					} else {
-						log.Warnf("Webhook signaled to delete a runner that does not belong to the expected runner group (expected \"%s\" got \"%s\") - ignoring", s.conf.RunnerGroup, payload.Job.RunnerGroupName)
+						log.Warnf("Webhook signaled to delete a runner that does not belong to the expected runner group (expected \"%s\" got \"%s\") - ignoring", s.conf.RunnerGroupName, payload.Job.RunnerGroupName)
 					}
 				}
 				ctx.Status(http.StatusOK)
@@ -496,7 +594,8 @@ type AutoscalerConfig struct {
 	InstanceTemplate string
 	SecretVersion    string
 	RunnerPrefix     string
-	RunnerGroup      string
+	RunnerGroupName  string
+	RunnerGroupId    int
 	RunnerLabels     []string
 	GitHubOrg        string
 }

runner-autoscaler/test/main_test.go

@@ -34,7 +34,8 @@ func init() {
 		InstanceTemplate: "projects/" + PROJECT_ID + "/global/instanceTemplates/ephemeral-github-runner",
 		SecretVersion:    "projects/" + PROJECT_ID + "/secrets/github-pat-token/versions/latest",
 		RunnerPrefix:     "runner",
-		RunnerGroup:      "Default",
+		RunnerGroupName:  "Default",
+		RunnerGroupId:    1,
 		RunnerLabels:     []string{"self-hosted"},
 		GitHubOrg:        GIT_HUB_ORG,
 	})
@@ -43,7 +44,7 @@ func init() {
 
 func TestWebhookSignature(t *testing.T) {
 
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
 	defer cancel()
 	req, _ := http.NewRequestWithContext(ctx, "POST", fmt.Sprintf("http://127.0.0.1:%d/webhook", PORT), strings.NewReader("Hello, World!"))
 	req.Header.Add("x-hub-signature-256", "sha256=757107ea0eb2509fc211221cce984b8a37570b6d7586c22c46f4379c8b043e17")
@@ -55,9 +56,18 @@ func TestWebhookSignature(t *testing.T) {
 
 func TestGenerateRunnerRegistrationToken(t *testing.T) {
 
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
 	defer cancel()
 	token, err := scaler.GenerateRunnerRegistrationToken(ctx)
 	assert.Nil(t, err)
 	assert.NotEmpty(t, token)
 }
+
+func TestGenerateRunnerJitConfig(t *testing.T) {
+
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	defer cancel()
+	jitConfig, err := scaler.GenerateRunnerJitConfig(ctx, "unit_test_test_runner_"+pkg.RandStringRunes(10))
+	assert.Nil(t, err)
+	assert.NotEmpty(t, jitConfig)
+}

variables.tf

@@ -39,12 +39,18 @@ variable "github_organization" {
   description = "The name of the GitHub organization the runner will join"
 }
 
-variable "github_runner_group" {
+variable "github_runner_group_name" {
   type        = string
   description = "The name of the GitHub runner group the runner will join"
   default     = "Default"
 }
 
+variable "github_runner_group_id" {
+  type        = number
+  description = "The ID of the GitHub runner group the runner will join (must be the same group with name var.github_runner_group_name). If this value is greater 0 then a jit config is used for runner registration. Otherwise a registration token is used!"
+  default     = 0
+}
+
 variable "github_runner_labels" {
   type        = list(string)
   description = "One or multiple labels the runner will be tagged with"