feat: create runner scripts for macos

edersonbrilhante · edersonbrilhante · commit 92fe748da0a3 · 2026-01-13T19:06:52.000+01:00
diff --git a/modules/runners/main.tf b/modules/runners/main.tf
@@ -26,19 +26,19 @@ locals {
   default_userdata_template = {
     "windows" = "${path.module}/templates/user-data.ps1"
     "linux"   = "${path.module}/templates/user-data.sh"
-    "osx"     = "${path.module}/templates/user-data.sh"
+    "osx"     = "${path.module}/templates/user-data-osx.sh"
   }
 
   userdata_install_runner = {
     "windows" = "${path.module}/templates/install-runner.ps1"
     "linux"   = "${path.module}/templates/install-runner.sh"
-    "osx"     = "${path.module}/templates/install-runner.sh"
+    "osx"     = "${path.module}/templates/install-runner-osx.sh"
   }
 
   userdata_start_runner = {
     "windows" = "${path.module}/templates/start-runner.ps1"
     "linux"   = "${path.module}/templates/start-runner.sh"
-    "osx"     = "${path.module}/templates/start-runner.sh"
+    "osx"     = "${path.module}/templates/start-runner-osx.sh"
   }
 
   # Handle AMI configuration
diff --git a/modules/runners/templates/install-runner-osx.sh b/modules/runners/templates/install-runner-osx.sh
@@ -0,0 +1,60 @@
+# shellcheck shell=bash
+
+## install the runner (macOS)
+
+s3_location=${S3_LOCATION_RUNNER_DISTRIBUTION}
+architecture=${RUNNER_ARCHITECTURE}
+
+if [ -z "$RUNNER_TARBALL_URL" ] && [ -z "$s3_location" ]; then
+  echo "Neither RUNNER_TARBALL_URL or s3_location are set"
+  exit 1
+fi
+
+file_name="actions-runner.tar.gz"
+
+echo "Setting up GH Actions runner tool cache"
+mkdir -p /opt/hostedtoolcache
+
+echo "Creating actions-runner directory for the GH Action installation"
+sudo mkdir -p /opt/actions-runner
+cd /opt/actions-runner || exit 1
+
+if [[ -n "$RUNNER_TARBALL_URL" ]]; then
+  echo "Downloading the GH Action runner from $RUNNER_TARBALL_URL to $file_name"
+  curl -s -o "$file_name" -L "$RUNNER_TARBALL_URL"
+else
+  echo "Retrieving REGION from AWS API"
+  token="$(curl -s -f -X PUT "http://169.254.169.254/latest/api/token" \
+    -H "X-aws-ec2-metadata-token-ttl-seconds: 180")"
+
+  region="$(curl -s -f -H "X-aws-ec2-metadata-token: $token" \
+    http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)"
+  echo "Retrieved REGION from AWS API ($region)"
+
+  echo "Downloading the GH Action runner from s3 bucket $s3_location"
+  aws s3 cp "$s3_location" "$file_name" --region "$region" --no-progress
+fi
+
+echo "Un-tar action runner"
+tar xzf "./$file_name"
+echo "Delete tar file"
+rm -rf "$file_name"
+
+os_name=$(sw_vers -productName 2>/dev/null || echo "macOS")
+os_version=$(sw_vers -productVersion 2>/dev/null || echo "unknown")
+arch_name=$(uname -m)
+
+echo "OS: $os_name $os_version ($arch_name)"
+
+if ! command -v brew >/dev/null 2>&1; then
+  echo "Homebrew not found; skipping dependency installation via brew"
+else
+  echo "Homebrew detected; install any macOS-specific dependencies here if needed"
+  # Example: brew install jq awscli
+fi
+
+user_name="${RUNNER_USER:-ec2-user}"
+
+echo "Set file ownership of action runner"
+sudo chown -R "$user_name":"$user_name" /opt/actions-runner
+sudo chown -R "$user_name":"$user_name" /opt/hostedtoolcache
diff --git a/modules/runners/templates/start-runner-osx.sh b/modules/runners/templates/start-runner-osx.sh
@@ -0,0 +1,196 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# macOS variant of start-runner.sh
+
+tag_instance_with_runner_id() {
+  echo "Checking for .runner file to extract agent ID"
+
+  if [[ ! -f "/opt/actions-runner/.runner" ]]; then
+    echo "Warning: .runner file not found"
+    return 0
+  fi
+
+  echo "Found .runner file, extracting agent ID"
+  local agent_id
+  agent_id=$(jq -r '.agentId' /opt/actions-runner/.runner 2>/dev/null || echo "")
+
+  if [[ -z "$agent_id" || "$agent_id" == "null" ]]; then
+    echo "Warning: Could not extract agent ID from .runner file"
+    return 0
+  fi
+
+  echo "Tagging instance with GitHub runner agent ID: $agent_id"
+  if aws ec2 create-tags \
+    --region "$region" \
+    --resources "$instance_id" \
+    --tags Key=ghr:github_runner_id,Value="$agent_id"; then
+    echo "Successfully tagged instance with agent ID: $agent_id"
+    return 0
+  else
+    echo "Warning: Failed to tag instance with agent ID"
+    return 0
+  fi
+}
+
+cleanup() {
+  local exit_code="$1"
+
+  if [ "$exit_code" -ne 0 ]; then
+    echo "ERROR: runner-start-failed with exit code $exit_code"
+  fi
+
+  if [ "$agent_mode" = "ephemeral" ] || [ "$exit_code" -ne 0 ]; then
+    echo "Terminating instance"
+    aws ec2 terminate-instances \
+      --instance-ids "$instance_id" \
+      --region "$region" || true
+  fi
+}
+
+trap 'cleanup $?' EXIT
+
+echo "Retrieving TOKEN from AWS API"
+token=$(curl -f -X PUT "http://169.254.169.254/latest/api/token" \
+  -H "X-aws-ec2-metadata-token-ttl-seconds: 180" || true)
+if [ -z "$token" ]; then
+  retrycount=0
+  until [ -n "$token" ]; do
+    echo "Failed to retrieve token. Retrying in 5 seconds."
+    sleep 5
+    token=$(curl -f -X PUT "http://169.254.169.254/latest/api/token" \
+      -H "X-aws-ec2-metadata-token-ttl-seconds: 180" || true)
+    retrycount=$((retrycount + 1))
+    if [ $retrycount -gt 40 ]; then
+      break
+    fi
+  done
+fi
+
+region=$(curl -f -H "X-aws-ec2-metadata-token: $token" \
+  http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
+echo "Retrieved REGION from AWS API ($region)"
+
+instance_id=$(curl -f -H "X-aws-ec2-metadata-token: $token" \
+  http://169.254.169.254/latest/meta-data/instance-id)
+echo "Retrieved INSTANCE_ID from AWS API ($instance_id)"
+
+availability_zone=$(curl -f -H "X-aws-ec2-metadata-token: $token" \
+  http://169.254.169.254/latest/meta-data/placement/availability-zone)
+
+environment=$(curl -f -H "X-aws-ec2-metadata-token: $token" \
+  http://169.254.169.254/latest/meta-data/tags/instance/ghr:environment || echo "")
+ssm_config_path=$(curl -f -H "X-aws-ec2-metadata-token: $token" \
+  http://169.254.169.254/latest/meta-data/tags/instance/ghr:ssm_config_path || echo "")
+runner_name_prefix=$(curl -f -H "X-aws-ec2-metadata-token: $token" \
+  http://169.254.169.254/latest/meta-data/tags/instance/ghr:runner_name_prefix || echo "")
+
+echo "Retrieved ghr:environment tag - ($environment)"
+echo "Retrieved ghr:ssm_config_path tag - ($ssm_config_path)"
+echo "Retrieved ghr:runner_name_prefix tag - ($runner_name_prefix)"
+
+parameters=$(aws ssm get-parameters-by-path \
+  --path "$ssm_config_path" \
+  --region "$region" \
+  --query "Parameters[*].{Name:Name,Value:Value}")
+echo "Retrieved parameters from AWS SSM ($parameters)"
+
+run_as=$(echo "$parameters" | jq -r '.[] | select(.Name == "'$ssm_config_path'/run_as") | .Value')
+echo "Retrieved /$ssm_config_path/run_as parameter - ($run_as)"
+
+agent_mode=$(echo "$parameters" | jq -r '.[] | select(.Name == "'$ssm_config_path'/agent_mode") | .Value')
+echo "Retrieved /$ssm_config_path/agent_mode parameter - ($agent_mode)"
+
+disable_default_labels=$(echo "$parameters" | jq -r '.[] | select(.Name == "'$ssm_config_path'/disable_default_labels") | .Value')
+echo "Retrieved /$ssm_config_path/disable_default_labels parameter - ($disable_default_labels)"
+
+enable_jit_config=$(echo "$parameters" | jq -r '.[] | select(.Name == "'$ssm_config_path'/enable_jit_config") | .Value')
+echo "Retrieved /$ssm_config_path/enable_jit_config parameter - ($enable_jit_config)"
+
+token_path=$(echo "$parameters" | jq -r '.[] | select(.Name == "'$ssm_config_path'/token_path") | .Value')
+echo "Retrieved /$ssm_config_path/token_path parameter - ($token_path)"
+
+echo "Get GH Runner config from AWS SSM"
+config=$(aws ssm get-parameter \
+  --name "$token_path"/"$instance_id" \
+  --with-decryption \
+  --region "$region" | jq -r ".Parameter | .Value")
+
+while [[ -z "$config" ]]; do
+  echo "Waiting for GH Runner config to become available in AWS SSM"
+  sleep 1
+  config=$(aws ssm get-parameter \
+    --name "$token_path"/"$instance_id" \
+    --with-decryption \
+    --region "$region" | jq -r ".Parameter | .Value")
+done
+
+echo "Delete GH Runner token from AWS SSM"
+aws ssm delete-parameter --name "$token_path"/"$instance_id" --region "$region"
+
+if [ -z "$run_as" ]; then
+  echo "No user specified, using default ec2-user account"
+  run_as="ec2-user"
+fi
+
+if [[ "$run_as" == "root" ]]; then
+  echo "run_as is set to root - export RUNNER_ALLOW_RUNASROOT=1"
+  export RUNNER_ALLOW_RUNASROOT=1
+fi
+
+sudo chown -R "$run_as" /opt/actions-runner
+
+info_arch=$(uname -m)
+info_os=$(sw_vers -productName 2>/dev/null || echo "macOS")
+info_ver=$(sw_vers -productVersion 2>/dev/null || echo "unknown")
+
+tee /opt/actions-runner/.setup_info <<EOL
+[
+  {
+    "group": "Operating System",
+    "detail": "Distribution: $info_os $info_ver\nArchitecture: $info_arch"
+  },
+  {
+    "group": "EC2",
+    "detail": "Instance id: $instance_id\nAvailability zone: $availability_zone"
+  }
+]
+EOL
+
+echo "Starting runner as user $run_as"
+
+cd /opt/actions-runner || exit 1
+
+if [[ "$enable_jit_config" == "false" || $agent_mode != "ephemeral" ]]; then
+  echo "Configure GH Runner as user $run_as"
+  if [[ "$disable_default_labels" == "true" ]]; then
+    extra_flags="--no-default-labels"
+  else
+    extra_flags=""
+  fi
+
+  sudo --preserve-env=RUNNER_ALLOW_RUNASROOT -u "$run_as" -- ./config.sh \
+    $extra_flags \
+    --unattended \
+    --name "$runner_name_prefix$instance_id" \
+    --work "_work" $config
+
+  tag_instance_with_runner_id
+fi
+
+if [[ $agent_mode = "ephemeral" ]]; then
+  echo "Starting the runner in ephemeral mode"
+
+  if [[ "$enable_jit_config" == "true" ]]; then
+    echo "Starting with JIT config"
+    sudo --preserve-env=RUNNER_ALLOW_RUNASROOT -u "$run_as" -- ./run.sh --jitconfig $config
+  else
+    echo "Starting without JIT config"
+    sudo --preserve-env=RUNNER_ALLOW_RUNASROOT -u "$run_as" -- ./run.sh
+  fi
+  echo "Runner has finished"
+else
+  echo "Starting the runner in persistent mode (foreground)"
+  sudo --preserve-env=RUNNER_ALLOW_RUNASROOT -u "$run_as" -- ./run.sh
+fi
diff --git a/modules/runners/templates/user-data-osx.sh b/modules/runners/templates/user-data-osx.sh
@@ -0,0 +1,43 @@
+#!/bin/bash -e
+
+exec > >(tee /var/log/user-data.log | logger -t user-data -s 2>/dev/console) 2>&1
+
+# macOS user-data for GitHub Actions runners
+
+set +x
+
+%{ if enable_debug_logging }
+set -x
+%{ endif }
+
+${pre_install}
+
+# On macOS we don't use dnf; assume base image has required tools
+# Optionally use brew here if needed
+if command -v brew >/dev/null 2>&1; then
+  echo "Homebrew detected; you can install extra dependencies via brew if needed"
+fi
+
+user_name=ec2-user
+
+${install_runner}
+
+${post_install}
+
+# Register runner job hooks
+# Ref: https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/running-scripts-before-or-after-a-job
+%{ if hook_job_started != "" }
+cat > /opt/actions-runner/hook_job_started.sh <<'EOF'
+${hook_job_started}
+EOF
+echo ACTIONS_RUNNER_HOOK_JOB_STARTED=/opt/actions-runner/hook_job_started.sh | tee -a /opt/actions-runner/.env
+%{ endif }
+
+%{ if hook_job_completed != "" }
+cat > /opt/actions-runner/hook_job_completed.sh <<'EOF'
+${hook_job_completed}
+EOF
+echo ACTIONS_RUNNER_HOOK_JOB_COMPLETED=/opt/actions-runner/hook_job_completed.sh | tee -a /opt/actions-runner/.env
+%{ endif }
+
+${start_runner}
