self-hosted-runner: don't use a public IP in a private repository

Security is a game of layers, the less attack surface the better. Signed-off-by: Johannes Schindelin <[email protected]>
git-for-windows · Jan 17, 2025 · ebc7f08 · ebc7f08
1 parent 6269149
commit ebc7f08
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 10 deletions.
diff --git a/.github/workflows/create-azure-self-hosted-runners.yml b/.github/workflows/create-azure-self-hosted-runners.yml
@@ -176,6 +176,8 @@ jobs:
           base64 -w 0 tmp.zip
         )"
 
+        PUBLIC_IP_ADDRESS_NAME1="${{ github.repository_visibility != 'private' && format('{0}-ip', steps.generate-vm-name.outputs.vm_name) || '' }}"
+
         AZURE_ARM_PARAMETERS=$(tr '\n' ' ' <<-END
           githubActionsRunnerRegistrationUrl="$ACTIONS_RUNNER_REGISTRATION_URL"
           githubActionsRunnerToken="$ACTIONS_RUNNER_TOKEN"
@@ -184,7 +186,7 @@ jobs:
           virtualMachineImage="$AZURE_VM_IMAGE"
           virtualMachineName="${{ steps.generate-vm-name.outputs.vm_name }}"
           virtualMachineSize="$AZURE_VM_TYPE"
-          publicIpAddressName1="${{ steps.generate-vm-name.outputs.vm_name }}-ip"
+          publicIpAddressName1="$PUBLIC_IP_ADDRESS_NAME1"
           adminUsername="${{ secrets.AZURE_VM_USERNAME }}"
           adminPassword="${{ secrets.AZURE_VM_PASSWORD }}"
           ephemeral="$EPHEMERAL_RUNNER"

diff --git a/azure-self-hosted-runners/azure-arm-template.json b/azure-self-hosted-runners/azure-arm-template.json
@@ -125,7 +125,14 @@
         "vnetName": "[concat(parameters('virtualMachineName'), '-vnet')]",
         "vnetId": "[resourceId(resourceGroup().name,'Microsoft.Network/virtualNetworks', concat(parameters('virtualMachineName'), '-vnet'))]",
         "subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('subnetName'))]",
-        "postDeploymentScriptArguments": "[concat('-GitHubActionsRunnerToken ', parameters('githubActionsRunnerToken'), ' -GithubActionsRunnerRegistrationUrl ', parameters('githubActionsRunnerRegistrationUrl'), ' -GithubActionsRunnerName ', parameters('virtualMachineName'), ' -Ephemeral ', parameters('ephemeral'), ' -StopService ', parameters('stopService'), ' -GitHubActionsRunnerPath ', parameters('githubActionsRunnerPath'))]"
+        "postDeploymentScriptArguments": "[concat('-GitHubActionsRunnerToken ', parameters('githubActionsRunnerToken'), ' -GithubActionsRunnerRegistrationUrl ', parameters('githubActionsRunnerRegistrationUrl'), ' -GithubActionsRunnerName ', parameters('virtualMachineName'), ' -Ephemeral ', parameters('ephemeral'), ' -StopService ', parameters('stopService'), ' -GitHubActionsRunnerPath ', parameters('githubActionsRunnerPath'))]",
+        "publicIpAddressName1": "[if(equals(parameters('publicIpAddressName1'), ''), 'dummy', parameters('publicIpAddressName1'))]",
+        "publicIpAddressId": {
+            "id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName1'))]",
+            "properties": {
+                "deleteOption": "[parameters('pipDeleteOption')]"
+            }
+        }
     },
     "resources": [
         {
@@ -136,7 +143,7 @@
             "dependsOn": [
                 "[concat('Microsoft.Network/networkSecurityGroups/', variables('nsgName'))]",
                 "[concat('Microsoft.Network/virtualNetworks/', variables('vnetName'))]",
-                "[concat('Microsoft.Network/publicIpAddresses/', parameters('publicIpAddressName1'))]"
+                "[concat('Microsoft.Network/publicIpAddresses/', variables('publicIpAddressName1'))]"
             ],
             "properties": {
                 "ipConfigurations": [
@@ -147,12 +154,7 @@
                                 "id": "[variables('subnetRef')]"
                             },
                             "privateIPAllocationMethod": "Dynamic",
-                            "publicIpAddress": {
-                                "id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName1'))]",
-                                "properties": {
-                                    "deleteOption": "[parameters('pipDeleteOption')]"
-                                }
-                            }
+                            "publicIpAddress": "[if(not(equals(parameters('publicIpAddressName1'), '')), variables('publicIpAddressId'), null())]"
                         }
                     }
                 ],
@@ -184,7 +186,8 @@
             }
         },
         {
-            "name": "[parameters('publicIpAddressName1')]",
+            "condition": "[not(equals(parameters('publicIpAddressName1'), ''))]",
+            "name": "[variables('publicIpAddressName1')]",
             "type": "Microsoft.Network/publicIpAddresses",
             "apiVersion": "2020-08-01",
             "location": "[parameters('location')]",