Merge branch 'main' into repo-sync

content/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners.md

@@ -13,7 +13,7 @@ versions:
 type: tutorial
 shortTitle: Add self-hosted runners
 ---
- 
+
 {% data reusables.actions.enterprise-github-hosted-runners %}
 
 You can add a self-hosted runner to a repository, an organization, or an enterprise.
@@ -38,6 +38,12 @@ You can set up automation to scale the number of self-hosted runners. For more i
 
 {% endif %}
 
+{% ifversion actions-single-use-tokens %}
+
+You can register ephemeral runners that perform a single job before the registration is cleaned up by using just-in-time runner registration. For more information, see "[AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#using-just-in-time-runners)."
+
+{% endif %}
+
 ## Prerequisites
 
 {% data reusables.actions.self-hosted-runners-prerequisites %}

content/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners.md

@@ -11,7 +11,7 @@ versions:
   ghae: '*'
 type: overview
 ---
- 
+
 {% data reusables.actions.enterprise-github-hosted-runners %}
 
 ## About autoscaling
@@ -60,6 +60,12 @@ The {% data variables.product.prodname_actions %} service will then automaticall
 
 {% endnote %}
 
+{% ifversion actions-single-use-tokens %}
+
+Alternatively, you can create ephemeral, just-in-time runners using the REST API. For more information, see "[AUTOTITLE](/rest/actions#self-hosted-runners)."
+
+{% endif %}
+
 {% ifversion fpt or ghec or ghes > 3.4 or ghae %}
 
 ## Controlling runner software updates on self-hosted runners

content/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners.md

@@ -13,16 +13,20 @@ versions:
 type: tutorial
 shortTitle: Remove self-hosted runners
 ---
- 
+
 {% data reusables.actions.enterprise-github-hosted-runners %}
 
 ## Removing a runner from a repository
 
 {% note %}
 
-**Note:** {% data reusables.actions.self-hosted-runner-removal-impact %}
+**Notes:**
 
-{% data reusables.actions.self-hosted-runner-auto-removal %}
+- {% data reusables.actions.self-hosted-runner-removal-impact %}
+- {% data reusables.actions.self-hosted-runner-auto-removal %}
+{%- ifversion actions-single-use-tokens %}
+- {% data reusables.actions.jit-runner-removal %}
+{%- endif %}
 
 {% endnote %}
 
@@ -39,9 +43,13 @@ To remove a self-hosted runner from a user repository you must be the repository
 
 {% note %}
 
-**Note:** {% data reusables.actions.self-hosted-runner-removal-impact %}
+**Notes:**
 
-{% data reusables.actions.self-hosted-runner-auto-removal %}
+- {% data reusables.actions.self-hosted-runner-removal-impact %}
+- {% data reusables.actions.self-hosted-runner-auto-removal %}
+{%- ifversion actions-single-use-tokens %}
+- {% data reusables.actions.jit-runner-removal %}
+{%- endif %}
 
 {% endnote %}
 
@@ -62,10 +70,13 @@ If you use {% data variables.product.prodname_ghe_cloud %}, you can also remove
 {% ifversion ghec or ghes or ghae %}
 {% note %}
 
-**Note:** {% data reusables.actions.self-hosted-runner-removal-impact %}
-
-{% data reusables.actions.self-hosted-runner-auto-removal %}
+**Notes:**
 
+- {% data reusables.actions.self-hosted-runner-removal-impact %}
+- {% data reusables.actions.self-hosted-runner-auto-removal %}
+{%- ifversion actions-single-use-tokens %}
+- {% data reusables.actions.jit-runner-removal %}
+{%- endif %}
 {% endnote %}
 
 To remove a self-hosted runner from an enterprise, you must be an enterprise owner. We recommend that you also have access to the self-hosted runner machine. For information about how to remove a self-hosted runner with the REST API, see the enterprise endpoints in the [{% data variables.product.prodname_actions %} REST API](/rest/actions#self-hosted-runners).

content/actions/security-guides/security-hardening-for-github-actions.md

@@ -14,7 +14,7 @@ type: overview
 topics:
   - Security
 ---
- 
+
 {% data reusables.actions.enterprise-github-hosted-runners %}
 
 ## Overview
@@ -323,6 +323,26 @@ You should also consider the environment of the self-hosted runner machines:
 
 Some customers might attempt to partially mitigate these risks by implementing systems that automatically destroy the self-hosted runner after each job execution. However, this approach might not be as effective as intended, as there is no way to guarantee that a self-hosted runner only runs one job. Some jobs will use secrets as command-line arguments which can be seen by another job running on the same runner, such as `ps x -w`. This can lead to secret leakages.
 
+{% ifversion actions-single-use-tokens %}
+
+### Using just-in-time runners
+
+To improve runner registration security, you can use the REST API to create ephemeral, just-in-time (JIT) runners. These self-hosted runners perform at most one job before being automatically removed from the repository, organization, or enterprise. For more information about configuring JIT runners, see "[AUTOTITLE](/rest/actions/self-hosted-runners#create-configuration-for-a-just-in-time-runner-for-an-organization)."
+
+{% note %}
+
+**Note:** Re-using hardware to host JIT runners can risk exposing information from the environment. Use automation to ensure the JIT runner uses a clean environment. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling)."
+
+{% endnote %}
+
+Once you have the config file from the REST API response, you can pass it to the runner at startup.
+
+```shell
+./run.sh --jitconfig ${encoded_jit_config}
+```
+
+{% endif %}
+
 ### Planning your management strategy for self-hosted runners
 
 A self-hosted runner can be added to various levels in your {% data variables.product.prodname_dotcom %} hierarchy: the enterprise, organization, or repository level. This placement determines who will be able to manage the runner:

data/features/actions-single-use-tokens.yml

@@ -0,0 +1,6 @@
+# Issue 9102 and a Hubber-contirbution PR /docs-internal/pull/36758
+# Documentation for single-use registration tokens and just-in-time runners
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>=3.10'

data/reusables/actions/jit-runner-removal.md

@@ -0,0 +1 @@
+Just-in-time (JIT) runners can only run a single job. If JIT runners never run a job, they will automatically be removed. To remove a JIT runner before automatic removal, you can remove it you must remove the JIT runner on {% data variables.location.product_location %}.

data/reusables/actions/self-hosted-runner-auto-removal.md

@@ -1,6 +1,6 @@
-{%- ifversion fpt or ghec or ghes > 3.6 %}
-A self-hosted runner is automatically removed from {% data variables.product.product_name %} if it has not connected to {% data variables.product.prodname_actions %} for more than 14 days.  
-An ephemeral self-hosted runner is automatically removed from {% data variables.product.product_name %} if it has not connected to {% data variables.product.prodname_actions %} for more than 1 day.  
-{%- elsif ghae or ghes < 3.7 %}
-A self-hosted runner is automatically removed from {% data variables.product.product_name %} if it has not connected to {% data variables.product.prodname_actions %} for more than 30 days.  
-{%- endif %}
+{% ifversion fpt or ghec or ghes > 3.6 %}
+A self-hosted runner is automatically removed from {% data variables.product.product_name %} if it has not connected to {% data variables.product.prodname_actions %} for more than 14 days. An ephemeral self-hosted runner is automatically removed from {% data variables.product.product_name %} if it has not connected to {% data variables.product.prodname_actions %} for more than 1 day.
+
+{% elsif ghae or ghes < 3.7 %}
+A self-hosted runner is automatically removed from {% data variables.product.product_name %} if it has not connected to {% data variables.product.prodname_actions %} for more than 30 days.
+{% endif %}