Unable to use ./config remove --token ... on a just-in-time runner

[jenseng]

Describe the bug
When an ephemeral runner is launched with just-in-time registration, you can't perform deregistration from the runner itself (say, if you want to automatically tear down idle runners after a period of time).

To Reproduce
Steps to reproduce the behavior:

1. Launch a runner with just-in-time registration, e.g. ./run.sh --jitconfig ${encoded_jit_config}
2. Before a job is assigned, generate a runner removal token and run ./config remove --token ${runner_removal_token}
3. See the error

Expected behavior
The runner should be removed

Runner Version and Platform

Version of your runner? 2.310.1

OS of the machine running the runner? Linux

What's not working?

You get the following output and prompt, followed by an error

# Runner removal

How would you like to authenticate? [press Enter for OAuthAccessToken] 

Failed: Removing runner from the server
The user 'System:PublicAccess;aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource.

When launching ephemeral runners with a registration token, they can be removed normally:

# Runner removal


√ Runner removed successfully
√ Removed .credentials
√ Removed .runner

Observations and a workaround

I noticed that the .runner file is slightly different between JIT vs registration-token runners. Specifically, a JIT runner has no gitHubUrl entry. I found that by adding this missing entry, the remove command then works as expected.

So if this entry were automatically persisted during registration, it seems that would fix the bug.

[jenseng]

It looks like the runner CLI just writes the .runner file (and others) directly from the decoded jitconfig, so it seems that this might need to be fixed in the service that generates the jitconfig.

[thboop]

Thanks for the report @jenseng . @rentziass is taking a look!

[rentziass]

Thank you so much for the report @jenseng ❤️ I just found the issue: gitHubUrl is never provided by our API, it's instead set by the runner itself during standard configuration. Working on a fix to include that URL in the just-in-time configuration our API returns.

[rentziass]

@jenseng the fix for this should now be generally available! Thanks again for the report, please feel free to reopen this if you're still having issues!

[jaswanthikolla]

For ARSS, I don't think this is fixed. While the server does return GitHubUrl in JIT token , It's not set that in the ACTIONS_RUNNER_INPUT_JITCONFIG. So, I think the reason might be one of the following ( most likely # 1)

• ARSS controller's used generatejitconfig API ( looks like wrapper API on top of regular generate-api) might have been not updated when you guys updated the main API
• ARSS might be not serializing GitHubUrl field while setting it up.

{"AgentId":"64634", 
"AgentName":"arss-runner-uber-xyz-runner-abc", 
"DisableUpdate":"True","Ephemeral":"True","PoolId":"4",
"PoolName":null,
"ServerUrl":"https://pipelinesghubeus21.actions.githubusercontent.com/sometokenORuuid/",
"RunnerScaleSetId":"11", 
"RunnerScaleSetName":"arss-runner-uber", 
"WorkFolder":"_work"}