actions-runner-controller icon indicating copy to clipboard operation
actions-runner-controller copied to clipboard
verified publisher icon actions

Old Container Images unmaintained?

Open Punamu opened this issue 1 year ago • 7 comments

First of all, thank you @mumoshu for your work on the old ARC controller.

I am one of the many users of the old ARC controller since we rely on labels on our local GHES deployment.

The relevant discussion has not seen anything but doubling down on a single label solution. At least give the user the option to choose if we want multiple labels or not. https://github.com/actions/actions-runner-controller/discussions/3340

Now to my question, especially, are the old images still maintained since they have not seen actions runner updates or rebuilds in a long time.

Relevant container images:

  • ghcr.io/actions-runner-controller/actions-runner-controller/actions-runner-dind-rootless:ubuntu-22.04 (updated 10 months ago)
  • ghcr.io/actions-runner-controller/actions-runner-controller (v0.27.6; updated 1 year ago)

I am thinking of the following updates on a regular basis:

  • actions-runner-dind-rootless
    • updated actions runner inside the image
    • update to ubuntu 24.04
  • actions-runner-controller
    • dependency updates and rebuilds using the latest go versions (bug and security fixes)

Punamu avatar Feb 05 '25 10:02 Punamu

Hello! Thank you for filing an issue.

The maintainers will triage your issue shortly.

In the meantime, please take a look at the troubleshooting guide for bug reports.

If this is a feature request, please review our contribution guidelines.

github-actions[bot] avatar Feb 05 '25 10:02 github-actions[bot]

Hi,

its been a few weeks and sadly @mumoshu did not respond yet.

@lokesh755 @Link- @TingluoHuang

Sorry to mention you directly but I was hoping you could help me with my questions above?

Looking through the latest community tagged issues it looks like there is no official maintainer: https://github.com/actions/actions-runner-controller/issues?q=is%3Aissue%20state%3Aopen%20label%3Acommunity

To quote from the announcement: https://github.com/actions/actions-runner-controller/discussions/2775

Will continue to be maintained by the community only led by @mumoshu. GitHub will not provide any maintenance or support for these assets.

How is the status on community maintenance?

Punamu avatar Mar 21 '25 13:03 Punamu

+1 we are seeing couple of go/stdlib and go/crypto vulnerability complains, which should've fixed if we can upgrade to use go 1.23+ version. Would be really appreciated.

userqjin avatar Mar 27 '25 15:03 userqjin

Have a peek at https://github.com/actions/actions-runner-controller/pull/3598 -- I've resorted to my own fork with that and a few other minor tweaks to keep things current.

I haven't taken a stab at patching the go vulns yet, but its on my list.

I'm beginning to think the legacy/community-supported version of ARC should be forked off into a standalone project with active maintainers.

BowlesCR avatar May 07 '25 21:05 BowlesCR

Hi @Punamu! First of all, thank you very much for your efforts and patience. Sorry, I tend to be buried in the storm of notifications and easily miss important issues like this one.

I am thinking of the following updates on a regular basis:

Every point made sense to me!

@BowlesCR Awesome job on forking ARC!

I do believe we should fork around a more active maintainer, if necessary. I'll help out with anything there if possible, too.

To be honest, I was assuming everyone had already migrated to the new ARC and that I was no longer needed.

I lack sponsors to work on the legacy ARC these days, and all the companies that were using the legacy ARC I knew have already been migrated to the new ARC. I've also commented on #3598- I'm surprised that there are so many people stuck in the legacy ARC.

Is this the only blocker for all of you? https://github.com/actions/actions-runner-controller/discussions/3340

mumoshu avatar May 16 '25 01:05 mumoshu

Hello, good to hear from you!

I wouldn't say we're "stuck" on ARC -- its been an active choice to stay (and even implement multi-label) due to the limitations discussed in #3340 and in particular my comments. None of these concerns have been met with anything but dismissal by the GH product team (which I realize does not include you). It has also been disheartening to see the long list of RSS issues and PRs going unaddressed. I'm even seeing PRs from maintainers waiting on review for months.

I very much understand your point on lack of sponsorship -- are you the last remaining maintainer of the community side? I'd love to help, but I don't think I have the skills to take it on myself, and the current relationship of RSS and ARC sharing a repo seems to have only handcuffed both sides with intermingled code ownership and documentation.

BowlesCR avatar May 21 '25 04:05 BowlesCR

actions-runner-controller dependency updates and rebuilds using the latest go versions (bug and security fixes)

Protip here: I just poked around and found out the RSS images do still include the ARC binary, which gets rebuilt each time using the same version of golang as RSS. Not active development or true security fixes for ARC itself, but we at least get any fixes from golang and modules.

There's obviously not a new helm chart, but overriding image.tag to gha-runner-scale-set-0.11.0 in the values file ~~seems to work for me so far~~, and has gotten the vuln count way down (canary tag should get them all if you're brave).

Edit: Spoke too soon, I get a mess of exceptions at runtime from anything newer than what's in the chart. Haven't found a way around it yet.

BowlesCR avatar Jun 05 '25 23:06 BowlesCR