google/github_actions_on_gcp

GitHub Actions on Google Cloud Platform

Prerequisites

Development Tools

curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b "$(go env GOPATH)/bin" v1.64.7
go install mvdan.cc/gofumpt@latest
go install github.com/daixiang0/gci@latest

Importing GitHub App Private Key

go run github.com/abcxyz/github-token-minter/cmd/minty@main \
    private-key import \
    -key=${KEY_NAME} \
    -key-ring=${KEY_RING_NAME} \
    -project-id=${PROJECT_ID} \
    -private-key=@${KEY_FILE_NAME}

Setup Steps

GitHub App Creation

You need a GitHub App in your GitHub org.

To create one, go to your org settings page: https://github.com/organizations/${YOUR_ORG}/settings/profile

  1. Expand Developer settings (last option on left sidebar) and click GitHub Apps.
  2. Click "New GitHub App" on top right.
  3. Give your App a name and Homepage URL (it doesn't matter what you have there).
  4. Note where "Webhook" is. Uncheck "Active" for now; we will configure it later.
  5. Expand "Repository Permissions". Add the following:
    • Actions: Read-only
    • Administration: Read and Write
    • Metadata: Read-only
  6. Expand "Organization Permissions". Add the following:
    • Administration: Read and Write # TODO: is this needed?
    • Self-hosted runners: Read and Write
  7. Click "Create GitHub App" at bottom of screen.
  8. Find your app listed in Developer Settings in your org settings page.
    • Take note of App ID
    • Click Edit
    • Scroll down to almost the bottom for "Private Keys"
    • Click "Generate a private key"
    • A .pem file will be downloaded. This is a secret. Keep it safe.

GitHub App Installation

Now that the GitHub App exists, it needs to be added to your org.

  1. Navigate to your org settings page: https://github.com/organizations/${YOUR_ORG}/settings/profile
  2. Expand Developer settings (last option on left sidebar) and click GitHub Apps.
  3. Select your app.
  4. On the left bar, select "Install App"
  5. Select your org.

Validate JIT Config Locally (Optional)

Prerequisites: Docker installed and usable without sudo. This is not currently set up to work with GitHub Enterprise Server.

Now that we have an app and a .pem key, we should be able to create JIT configs. These are one-time tokens that allow a runner to register itself with GitHub.

test_local.sh is set up for this. You just need to change a few values in the go run command under # Generate JIT Config:

  1. Set app-id to the App ID noted in step 8 of GitHub App Creation.
  2. Set private-key to the path of the .pem file you downloaded.
  3. Set org to the name of your GitHub org.
  4. Set runner-group-id to the ID of your runner group. You can use 1, which is the default runner group added to each org.

Now run the script. You should see it build the image, then see output for runner startup and finally see it waiting for a request.

If this doesn't happen, something went wrong. Figure out what before continuing.
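
As an added illustration (not code from this repository), the Go sketch below shows how the four values set above feed the GitHub App flow behind a JIT config: the App ID and private key sign a short-lived RS256 JWT, and the org and runner group ID go into GitHub's generate-jitconfig request. The key, App ID, org and runner name are constructed and the function names are hypothetical. The network steps (exchanging the JWT for an installation token, then POSTing the request) are left out so it runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// AppJWT signs the RS256 token a GitHub App authenticates with: iss is the App ID, exp at most 10 minutes ahead.
func AppJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	claims, _ := json.Marshal(map[string]any{
		"iss": appID, "iat": now.Add(-time.Minute).Unix(), "exp": now.Add(9 * time.Minute).Unix()})
	signed := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(claims)
	sum := sha256.Sum256([]byte(signed))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return signed + "." + b64.EncodeToString(sig), err
}

// VerifyAppJWT checks the token's signature against the App's public key, as the receiving side would.
func VerifyAppJWT(tok string, pub *rsa.PublicKey) error {
	p := strings.Split(tok, ".")
	sig, err := b64.DecodeString(p[len(p)-1])
	if err != nil || len(p) != 3 {
		return fmt.Errorf("malformed token (segments=%d, err=%v)", len(p), err)
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig)
}

// JITRequest builds the path and JSON body of the org-level generate-jitconfig call.
func JITRequest(org, runner string, groupID int) (string, []byte) {
	body, _ := json.Marshal(map[string]any{"name": runner, "runner_group_id": groupID, "labels": []string{"self-hosted"}})
	return "/orgs/" + org + "/actions/runners/generate-jitconfig", body
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key, stands in for the .pem
	tok, _ := AppJWT("123456", key, time.Now())  // constructed App ID
	path, body := JITRequest("example-org", "runner-1", 1) // constructed org and runner name
	fmt.Println(VerifyAppJWT(tok, &key.PublicKey) == nil, path, string(body))
}
```

Anyone holding the .pem can produce a token that passes this verification, which is why the key is imported into a key ring rather than left on disk.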

Setup GCP Infrastructure

TODO
