Add self-hosted GitHub Actions runner for linux/s390x
I’d like to use this issue to get confirmation to add linux/s390x support using self-hosted GitHub Action runners to the project and to clarify related steps.
There is the option to request from IBM support for self-hosted GitHub Actions runners on linux/s390x and to include them into the CI of open-source projects.
Adding this support to the OpenTelemetry project will allow us to:
- Elevate the platform support of the OpenTelemetry Collector from tier 3 to tier 2
- Add and verify the support of code instrumentation on linux/s390x for various languages.
- Build and verify the demo for linux/s390x
The request of the linux/s390x resources from IBM and configuration will be handled by the Mainframe SIG.
This issue is similar to earlier ones to add support for self-hosted ARM64 GitHub Action runners from CNCF (#1162, #1821).
Hey @rrschulze, thanks for sharing this option to request s390x runners from IBM and for offering to manage that. The only difference I see is that for actuated there is an official partnership between them and the CNCF/LF. Does something similar exist with IBM?
Hi @svrnm, my team at IBM manages the open source program that grants these VMs. IBM has official partnerships with the CNCF/LF (including participation in the Open Mainframe Project, which is related to that Mainframe SIG), but this open source program for s390x VMs isn't specifically tied to any official partnership. Developers from any open source project can request the resources; the resources are then renewed annually (self-service). I'm happy to answer any questions in case you have a specific concern.
Couple questions -
- Could we see the agreement that these resources are donated under and any licenses, etc.?
- Will the mainframe SIG be willing to work with our security SIG in order to ensure best practices for secrets, etc.?
- We'll probably want to file a ticket with the CNCF service desk to make sure they're aware of these resources from a continuity perspective.
@austinlparker please find the answers below.
- Please see the T&Cs of the service in the attached document (received it from @pleia2).
- The mainframe SIG is still in its early stages and we are still looking for contributors from various vendors, users etc. Hence, I can't make a commitment for the mainframe SIG to directly collaborate with the security SIG at this stage. But I can offer to include the security SIG in our activities to call for volunteers and joint collaboration for security best practices.
- Agree. In which CNCF repo will the ticket have to go? Do you want me to handle it?
@rrschulze if you can answer the questions/concerns raised by these pages, that would probably be enough for the Security SIG to review:
- https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security
- https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners
cc @open-telemetry/sig-security-maintainers
I'll bring it to the SIG Security once the requested information is provided here. Feel free to ping me directly as well.
> for actuated there is an official partnership between them and the CNCF/LF
just an update that the actuated partnership has ended:
https://self-actuated.slack.com/archives/C043BB2NCUW/p1729758519888189
the 1 year pilot program of shared CNCF infrastructure for Arm builds supplied by Ampere has now expired, and projects will have their access removed over the next few days, starting today with etcd-io (boltdb), Falco and OpenTelemetry.