login icon indicating copy to clipboard operation
login copied to clipboard

Published 20 hours ago verified publisher icon Azure

Enhance `pre/post` cleanup by bypassing GitHub-hosted runners

Open MoChilia opened this issue 10 months ago • 4 comments

The purpose of pre/post cleanup is to ensure no Azure account remains active before and after a job containing azure/login. This measure prevents incorrect operations on unexpected Azure accounts and protects against the disclosure of Azure accounts.

However, certain scenarios are ephemeral for only one job and don't need pre/post cleanup. Two main scenarios fall into this category:

  1. GitHub-hosted runners: A GitHub-hosted runner is on a VM that gets re-imaged for every job. Once the job finishes, the VM is automatically decommissioned (see Using a GitHub-hosted runner). Since the VM is ephemeral, we can bypass this scenario to save time for our users. This bypass will be implemented in this PR. To detect whether a runner is GitHub-hosted, I refer to the solution here.
  2. Running an ephemeral container on a self-hosted runner: This scenario, as described in (https://github.com/Azure/login/issues/403#issuecomment-1893945688, involves running a container on a self-hosted runner where az is not pre-installed. We address this scenario by implementing PR https://github.com/Azure/login/pull/407.

With this PR merged, it is assumed that pre/post cleanup will only take effect in scenarios where it is truly required.

  • Close https://github.com/Azure/login/issues/426

MoChilia avatar Apr 09 '24 08:04 MoChilia

Yes please... this would shave a few minutes off every single one of our builds...

HowardvanRooijen avatar Apr 10 '24 14:04 HowardvanRooijen

Thanks for this PR. A note for 2. Running an ephemeral container on a self-hosted runner, my understanding is that #407 will not fix the case of ephemeral self-hosted runners that already have Azure CLI installed.

It might be quite difficult to determine if a job is running on an ephemeral runner. This information is in the runner config, but does not seem to be exposed to the running job. The easiest option would probably be to allow control of this through an action input parameter e.g. disable-cleanup.

maskati avatar Apr 17 '24 15:04 maskati

Let's take the following questions to consideration:

  • Is it a good decision to only bypass GitHub-Hosted runners?
    • Even if we do descide to only bypass GitHub-Hosted runners, is there a better solution than checking the runner's name? Refer to runner-context.
  • Can we make it configurable? E.g. an env variable?

YanaXu avatar Jun 06 '24 02:06 YanaXu

Hi @MoChilia , can we get this patched up and merged? We waste a ton of build time on this.

I agree with Maskati that another input disable-cleanup with a default value of false would be good.

Then, skipping pre and post steps if runner.environment == github-hosted OR disable-cleanup == true image

kylefossum avatar Jun 17 '24 16:06 kylefossum

What's the delay here? This us costing is $$$ and is pure wastage.

damianh avatar Aug 14 '24 09:08 damianh

Any news here? Spending 30 seconds doing this pre job is stupid. Screenshot 2024-09-08 at 10 03 46

phj-incom avatar Sep 08 '24 08:09 phj-incom

We got fed up of waiting, forked the repo and reference the fix in our workflows:

uses: endjin/login@4ae41681a03e0285d0a85d578968b6ba937c23ee     # forked version including hotfix from https://github.com/Azure/login/pull/431

HowardvanRooijen avatar Sep 08 '24 10:09 HowardvanRooijen

Hi @HowardvanRooijen, @phj-incom , @damianh , we're sorry for the late response. We're reconsidering the design. If you're blocked by this issue, please consider fork the repo and take the PR change for a workaround, like @HowardvanRooijen did.

YanaXu avatar Sep 09 '24 07:09 YanaXu

Implement the fix in #484. Close this PR now.

YanaXu avatar Sep 14 '24 08:09 YanaXu