From 0d7918d4a2abe005e07c72dee0300f14269e0bcc Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 10:49:59 -0500
Subject: [PATCH 01/29] chore: adds a standard code ownership configuration

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/CODEOWNERS | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 .github/CODEOWNERS

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..0ed90c0
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,43 @@
+###################################
+##### Global Protection Rule ######
+###################################
+# NOTE: This rule is overriden by the more specific rules below. This is the catch-all rule for all files not covered by the more specific rules below.
+*                                               @hashgraph/release-engineering-managers @hashgraph/product-security
+
+############################
+#####  Project Files  ######
+############################
+
+/legacy/                                        @hashgraph/release-engineering-managers @hashgraph/product-security
+
+#########################
+#####  Core Files  ######
+#########################
+
+# NOTE: Must be placed last to ensure enforcement over all other rules
+
+# Protection Rules for Github Configuration Files and Actions Workflows
+/.github/                                       @hashgraph/release-engineering-managers
+/.github/workflows/                             @hashgraph/release-engineering-managers @hashgraph/product-security @hashgraph/devops-ci
+
+
+# Codacy Tool Configurations
+/config/                                        @hashgraph/release-engineering-managers
+.remarkrc                                       @hashgraph/release-engineering-managers
+
+# Semantic Release Configuration
+.releaserc                                      @hashgraph/release-engineering-managers
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS                                     @hashgraph/release-engineering-managers
+
+# Protect the repository root files
+/README.md                                      @hashgraph/release-engineering-managers
+**/LICENSE                                      @hashgraph/release-engineering-managers
+
+# CodeCov configuration
+**/codecov.yml                                  @hashgraph/release-engineering-managers
+
+# Git Ignore definitions
+**/.gitignore                                   @hashgraph/release-engineering-managers
+**/.gitignore.*                                 @hashgraph/release-engineering-managers

From 9b70015eeca61515dbca19d3cf972df7be7cd584 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 10:50:35 -0500
Subject: [PATCH 02/29] build: adds a standard dependabot configuration

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..10256a1
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10

From 0179e91d20dd18f283604a045561fe888abb6555 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 10:50:48 -0500
Subject: [PATCH 03/29] chore: adds a standard pull request template

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/pull_request_template.md | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 .github/pull_request_template.md

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..d5aaddc
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,9 @@
+## Description
+
+This pull request changes the following:
+
+* TBD
+
+### Related Issues
+
+* Closes #

From 56a9a7af5ac6059073c91f0b7167897a51e11dd7 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 10:51:09 -0500
Subject: [PATCH 04/29] chore: update git ignore configuration to match
 standards

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .gitignore | 818 +++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 802 insertions(+), 16 deletions(-)

diff --git a/.gitignore b/.gitignore
index 2cbc1ad..0468d22 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,16 +1,802 @@
-# Cache objects
-packer_cache/
-
-# Crash log
-crash.log
-
-# https://www.packer.io/guides/hcl/variables
-# Exclude all .pkrvars.hcl files, which are likely to contain sensitive data, 
-# such as password, private keys, and other secrets. These should not be part of 
-# version control as they are data points which are potentially sensitive and 
-# subject to change depending on the environment.
-#
-*.pkrvars.hcl
-
-# For built boxes
-*.box
+########################################################################################################################
+# Autogenerated Definitions
+########################################################################################################################
+
+### NotepadPP template
+# Notepad++ backups #
+*.bak
+
+### MonoDevelop template
+#User Specific
+*.userprefs
+*.usertasks
+
+#Mono Project Files
+*.pidb
+*.resources
+test-results/
+
+### Xcode template
+## User settings
+xcuserdata/
+
+## Xcode 8 and earlier
+*.xcscmblueprint
+*.xccheckout
+
+### Diff template
+*.patch
+*.diff
+
+### Eclipse template
+.metadata
+bin/
+tmp/
+*.tmp
+*.bak
+*.swp
+*~.nib
+local.properties
+.settings/
+.loadpath
+.recommenders
+
+# External tool builders
+.externalToolBuilders/
+
+# Locally stored "Eclipse launch configurations"
+*.launch
+
+# PyDev specific (Python IDE for Eclipse)
+*.pydevproject
+
+# CDT-specific (C/C++ Development Tooling)
+.cproject
+
+# CDT- autotools
+.autotools
+
+# Java annotation processor (APT)
+.factorypath
+
+# PDT-specific (PHP Development Tools)
+.buildpath
+
+# sbteclipse plugin
+.target
+
+# Tern plugin
+.tern-project
+
+# TeXlipse plugin
+.texlipse
+
+# STS (Spring Tool Suite)
+.springBeans
+
+# Code Recommenders
+.recommenders/
+
+# Annotation Processing
+.apt_generated/
+.apt_generated_test/
+
+# Scala IDE specific (Scala & Java development for Eclipse)
+.cache-main
+.scala_dependencies
+.worksheet
+
+# Uncomment this line if you wish to ignore the project description file.
+# Typically, this file would be tracked if it contains build/dependency configurations:
+#.project
+
+### Backup template
+*.bak
+*.gho
+*.ori
+*.orig
+*.tmp
+
+### Windows template
+# Windows thumbnail cache files
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+### KDevelop4 template
+*.kdev4
+.kdev4/
+
+### Vagrant template
+# General
+.vagrant/
+
+# Log files (if you are creating logs in debug mode, uncomment this)
+# *.log
+
+### OpenSSL template
+# OpenSSL-related files best not committed
+
+## Certificate Authority
+*.ca
+
+## Certificate
+*.crt
+
+## Certificate Sign Request
+*.csr
+
+## Certificate
+*.der
+
+## Key database file
+*.kdb
+
+## OSCP request data
+*.org
+
+## PKCS #12
+*.p12
+
+## PEM-encoded certificate data
+*.pem
+
+## Random number seed
+*.rnd
+
+## SSLeay data
+*.ssleay
+
+## S/MIME message
+*.smime
+
+### NetBeans template
+**/nbproject/private/
+**/nbproject/Makefile-*.mk
+**/nbproject/Package-*.bash
+build/
+nbbuild/
+dist/
+nbdist/
+.nb-gradle/
+
+### MicrosoftOffice template
+*.tmp
+
+# Word temporary
+~$*.doc*
+
+# Word Auto Backup File
+Backup of *.doc*
+
+# Excel temporary
+~$*.xls*
+
+# Excel Backup File
+*.xlk
+
+# PowerPoint temporary
+~$*.ppt*
+
+# Visio autosave temporary files
+*.~vsd*
+
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+.idea/
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# SonarLint plugin
+.idea/sonarlint/
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+### Linux template
+*~
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+### VisualStudio template
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+##
+## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
+
+# User-specific files
+*.rsuser
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Mono auto generated files
+mono_crash.*
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+[Ww][Ii][Nn]32/
+[Aa][Rr][Mm]/
+[Aa][Rr][Mm]64/
+bld/
+[Bb]in/
+[Oo]bj/
+[Ll]og/
+[Ll]ogs/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUnit
+*.VisualState.xml
+TestResult.xml
+nunit-*.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# ASP.NET Scaffolding
+ScaffoldingReadMe.txt
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_h.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.tlog
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Coverlet is a free, cross platform Code Coverage Tool
+coverage*.json
+coverage*.xml
+coverage*.info
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# NuGet Symbol Packages
+*.snupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+*.appxbundle
+*.appxupload
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!?*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
+
+# SQL Server files
+*.mdf
+*.ldf
+*.ndf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
+*- [Bb]ackup.rdl
+*- [Bb]ackup ([0-9]).rdl
+*- [Bb]ackup ([0-9][0-9]).rdl
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
+
+# Visual Studio 6 auto-generated project file (contains which files were open etc.)
+*.vbp
+
+# Visual Studio 6 workspace and project file (working project files containing files to include in project)
+*.dsw
+*.dsp
+
+# Visual Studio 6 technical files
+*.ncb
+*.aps
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# CodeRush personal settings
+.cr/personal
+
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
+
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
+
+# MFractors (Xamarin productivity tool) working folder
+.mfractor/
+
+# Local History for Visual Studio
+.localhistory/
+
+# Visual Studio History (VSHistory) files
+.vshistory/
+
+# BeatPulse healthcheck temp database
+healthchecksdb
+
+# Backup folder for Package Reference Convert tool in Visual Studio 2017
+MigrationBackup/
+
+# Ionide (cross platform F# VS Code tools) working folder
+.ionide/
+
+# Fody - auto-generated XML schema
+FodyWeavers.xsd
+
+# VS Code files for those working on multiple tools
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+*.code-workspace
+
+# Local History for Visual Studio Code
+.history/
+
+# Windows Installer files from build outputs
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# JetBrains Rider
+*.sln.iml
+
+### LibreOffice template
+# LibreOffice locks
+.~lock.*#
+
+### Vim template
+# Swap
+[._]*.s[a-v][a-z]
+!*.svg  # comment out if you don't need vector files
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+Sessionx.vim
+
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
+
+### Dropbox template
+# Dropbox settings and caches
+.dropbox
+.dropbox.attr
+.dropbox.cache
+
+### Archives template
+# It's better to unpack these files and commit the raw source because
+# git has its own built in compression methods.
+*.7z
+*.jar
+*.rar
+*.zip
+*.gz
+*.gzip
+*.tgz
+*.bzip
+*.bzip2
+*.bz2
+*.xz
+*.lzma
+*.cab
+*.xar
+
+# Packing-only formats
+*.iso
+*.tar
+
+# Package management formats
+*.dmg
+*.xpi
+*.gem
+*.egg
+*.deb
+*.rpm
+*.msi
+*.msm
+*.msp
+*.txz
+
+### Patch template
+*.orig
+*.rej
+
+### macOS template
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### GPG template
+secring.*
+
+########################################################################################################################
+# User Specified Definitions
+########################################################################################################################

From adcc5fc34335a310b9f202566646b701b5faf5f3 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 10:51:21 -0500
Subject: [PATCH 05/29] chore: update the readme documentation

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 README.md | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 91b9ac1..bbf43e3 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,26 @@
-# runner-images
-Custom Github Actions runner base images.
+# Hedera Runner Images
+
+This repository contains customized versions of the [Actions Runner Controller](https://github.com/actions/actions-runner-controller)
+container images along with customized build process to automatically build and publish them to the GitHub Container Registry.
+
+## :warning: Restrictions on Contributions
+
+Contributions from forked repositories are not accepted. All pull requests initiated from a forked repository will be 
+automatically closed. 
+
+## Support
+
+If you have a question on how to use the product, please see our [support guide](https://github.com/hashgraph/.github/blob/main/SUPPORT.md).
+
+## Contributing
+
+Contributions are restricted to trusted maintainers.
+
+## Code of Conduct
+
+This project is governed by the [Contributor Covenant Code of Conduct](https://github.com/hashgraph/.github/blob/main/CODE_OF_CONDUCT.md). By participating, you are
+expected to uphold this code of conduct.
+
+## License
+
+[Apache License 2.0](LICENSE)

From 2cabe5516d32bfbbc379719b51588cd1535c9f20 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 10:51:45 -0500
Subject: [PATCH 06/29] chore: import the runner container definitions from the
 ARC upstream

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 legacy/runner/.dockerignore                   |   2 +
 legacy/runner/Makefile                        | 161 ++++++++++++++++
 legacy/runner/VERSION                         |   2 +
 ...nner-dind-rootless.ubuntu-20.04.dockerfile | 157 +++++++++++++++
 ...nner-dind-rootless.ubuntu-22.04.dockerfile | 135 +++++++++++++
 ...ctions-runner-dind.ubuntu-20.04.dockerfile | 144 ++++++++++++++
 ...ctions-runner-dind.ubuntu-22.04.dockerfile | 120 ++++++++++++
 .../actions-runner.ubuntu-20.04.dockerfile    | 137 +++++++++++++
 .../actions-runner.ubuntu-22.04.dockerfile    | 114 +++++++++++
 legacy/runner/docker-shim.sh                  |  17 ++
 legacy/runner/entrypoint-dind-rootless.sh     |  56 ++++++
 legacy/runner/entrypoint-dind.sh              |  75 ++++++++
 legacy/runner/entrypoint.sh                   |  30 +++
 legacy/runner/graceful-stop.sh                |  99 ++++++++++
 .../hooks/job-completed.d/update-status       |   4 +
 legacy/runner/hooks/job-completed.sh          |  12 ++
 .../runner/hooks/job-started.d/update-status  |   4 +
 legacy/runner/hooks/job-started.sh            |  12 ++
 legacy/runner/logger.sh                       |  73 +++++++
 legacy/runner/startup.sh                      | 180 ++++++++++++++++++
 legacy/runner/update-status                   |  52 +++++
 legacy/runner/wait.sh                         |  17 ++
 22 files changed, 1603 insertions(+)
 create mode 100644 legacy/runner/.dockerignore
 create mode 100644 legacy/runner/Makefile
 create mode 100644 legacy/runner/VERSION
 create mode 100644 legacy/runner/actions-runner-dind-rootless.ubuntu-20.04.dockerfile
 create mode 100644 legacy/runner/actions-runner-dind-rootless.ubuntu-22.04.dockerfile
 create mode 100644 legacy/runner/actions-runner-dind.ubuntu-20.04.dockerfile
 create mode 100644 legacy/runner/actions-runner-dind.ubuntu-22.04.dockerfile
 create mode 100644 legacy/runner/actions-runner.ubuntu-20.04.dockerfile
 create mode 100644 legacy/runner/actions-runner.ubuntu-22.04.dockerfile
 create mode 100755 legacy/runner/docker-shim.sh
 create mode 100644 legacy/runner/entrypoint-dind-rootless.sh
 create mode 100755 legacy/runner/entrypoint-dind.sh
 create mode 100755 legacy/runner/entrypoint.sh
 create mode 100644 legacy/runner/graceful-stop.sh
 create mode 100755 legacy/runner/hooks/job-completed.d/update-status
 create mode 100755 legacy/runner/hooks/job-completed.sh
 create mode 100755 legacy/runner/hooks/job-started.d/update-status
 create mode 100644 legacy/runner/hooks/job-started.sh
 create mode 100755 legacy/runner/logger.sh
 create mode 100755 legacy/runner/startup.sh
 create mode 100755 legacy/runner/update-status
 create mode 100644 legacy/runner/wait.sh

diff --git a/legacy/runner/.dockerignore b/legacy/runner/.dockerignore
new file mode 100644
index 0000000..f3e36c5
--- /dev/null
+++ b/legacy/runner/.dockerignore
@@ -0,0 +1,2 @@
+*.dockerfile
+Makefile
diff --git a/legacy/runner/Makefile b/legacy/runner/Makefile
new file mode 100644
index 0000000..f08ac6b
--- /dev/null
+++ b/legacy/runner/Makefile
@@ -0,0 +1,161 @@
+DOCKER_USER ?= summerwind
+DOCKER ?= docker
+DEFAULT_RUNNER_NAME ?= ${DOCKER_USER}/actions-runner
+DIND_RUNNER_NAME ?= ${DOCKER_USER}/actions-runner-dind
+DIND_ROOTLESS_RUNNER_NAME ?= ${DOCKER_USER}/actions-runner-dind-rootless
+OS_IMAGE ?= ubuntu-22.04
+TARGETPLATFORM ?= $(shell arch)
+
+RUNNER_VERSION ?= 2.318.0
+RUNNER_CONTAINER_HOOKS_VERSION ?= 0.6.1
+DOCKER_VERSION ?= 24.0.7
+
+# default list of platforms for which multiarch image is built
+ifeq (${PLATFORMS}, )
+	export PLATFORMS="linux/amd64,linux/arm64"
+endif
+
+# if IMG_RESULT is unspecified, by default the image will be pushed to registry
+ifeq (${IMG_RESULT}, load)
+	export PUSH_ARG="--load"
+    # if load is specified, image will be built only for the build machine architecture.
+    export PLATFORMS="local"
+else ifeq (${IMG_RESULT}, cache)
+	# if cache is specified, image will only be available in the build cache, it won't be pushed or loaded
+	# therefore no PUSH_ARG will be specified
+else
+	export PUSH_ARG="--push"
+endif
+
+check-target-platform:
+# Handle target platform variants.
+# arch command on OS X reports "i386" for Intel CPUs regardless of bitness
+ifeq ($(TARGETPLATFORM), $(filter $(TARGETPLATFORM), x86_64 x64 amd64 i386 linux/amd64))
+  TARGETPLATFORM = linux/amd64
+else ifeq ($(TARGETPLATFORM), $(filter $(TARGETPLATFORM), arm64 aarch64 linux/arm64))
+  TARGETPLATFORM = linux/arm64
+else
+  $(warning Unsupported target platform $(TARGETPLATFORM))
+  $(error Supported target platforms: linux/amd64 and linux/arm64)
+endif
+
+docker-build-set: check-target-platform
+	${DOCKER} build \
+	  --build-arg TARGETPLATFORM=${TARGETPLATFORM} \
+	  --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
+	  --build-arg RUNNER_CONTAINER_HOOKS_VERSION=${RUNNER_CONTAINER_HOOKS_VERSION} \
+	  --build-arg DOCKER_VERSION=${DOCKER_VERSION} \
+	  -f actions-runner.${OS_IMAGE}.dockerfile \
+	  -t ${DEFAULT_RUNNER_NAME}:${OS_IMAGE} .
+	${DOCKER} build \
+	  --build-arg TARGETPLATFORM=${TARGETPLATFORM} \
+	  --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
+	  --build-arg RUNNER_CONTAINER_HOOKS_VERSION=${RUNNER_CONTAINER_HOOKS_VERSION} \
+	  --build-arg DOCKER_VERSION=${DOCKER_VERSION} \
+	  -f actions-runner-dind.${OS_IMAGE}.dockerfile \
+	  -t ${DIND_RUNNER_NAME}:${OS_IMAGE} .
+	${DOCKER} build \
+	  --build-arg TARGETPLATFORM=${TARGETPLATFORM} \
+	  --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
+	  --build-arg DOCKER_VERSION=${DOCKER_VERSION} \
+	  -f actions-runner-dind-rootless.${OS_IMAGE}.dockerfile \
+	  -t "${DIND_ROOTLESS_RUNNER_NAME}:${OS_IMAGE}" .
+
+docker-build-default: check-target-platform
+	${DOCKER} build \
+	  --build-arg TARGETPLATFORM=${TARGETPLATFORM} \
+	  --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
+	  --build-arg RUNNER_CONTAINER_HOOKS_VERSION=${RUNNER_CONTAINER_HOOKS_VERSION} \
+	  --build-arg DOCKER_VERSION=${DOCKER_VERSION} \
+	  -f actions-runner.${OS_IMAGE}.dockerfile \
+	  -t ${DEFAULT_RUNNER_NAME}:${OS_IMAGE} .
+
+docker-build-dind: check-target-platform
+	${DOCKER} build \
+	  --build-arg TARGETPLATFORM=${TARGETPLATFORM} \
+	  --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
+	  --build-arg RUNNER_CONTAINER_HOOKS_VERSION=${RUNNER_CONTAINER_HOOKS_VERSION} \
+	  --build-arg DOCKER_VERSION=${DOCKER_VERSION} \
+	  -f actions-runner-dind.${OS_IMAGE}.dockerfile \
+	  -t ${DIND_RUNNER_NAME}:${OS_IMAGE} .
+
+docker-push-default:
+	${DOCKER} push "${DEFAULT_RUNNER_NAME}:${OS_IMAGE}"
+
+docker-push-dind:
+	${DOCKER} push "${DIND_RUNNER_NAME}:${OS_IMAGE}"
+
+docker-push-set:
+	${DOCKER} push "${DEFAULT_RUNNER_NAME}:${OS_IMAGE}"
+	${DOCKER} push "${DIND_RUNNER_NAME}:${OS_IMAGE}"
+	${DOCKER} push "${DIND_ROOTLESS_RUNNER_NAME}:${OS_IMAGE}"
+
+docker-buildx-set:
+	export DOCKER_CLI_EXPERIMENTAL=enabled ;\
+    export DOCKER_BUILDKIT=1
+	@if ! docker buildx ls | grep -q container-builder; then\
+	  docker buildx create --platform ${PLATFORMS} --name container-builder --use;\
+	fi
+	${DOCKER} buildx build --platform ${PLATFORMS} \
+	  --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
+	  --build-arg RUNNER_CONTAINER_HOOKS_VERSION=${RUNNER_CONTAINER_HOOKS_VERSION} \
+	  --build-arg DOCKER_VERSION=${DOCKER_VERSION} \
+	  -f actions-runner.${OS_IMAGE}.dockerfile \
+	  -t "${DEFAULT_RUNNER_NAME}:${OS_IMAGE}" \
+	  . ${PUSH_ARG}
+	${DOCKER} buildx build --platform ${PLATFORMS} \
+	  --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
+	  --build-arg RUNNER_CONTAINER_HOOKS_VERSION=${RUNNER_CONTAINER_HOOKS_VERSION} \
+	  --build-arg DOCKER_VERSION=${DOCKER_VERSION} \
+	  -f actions-runner-dind.${OS_IMAGE}.dockerfile \
+	  -t "${DIND_RUNNER_NAME}:${OS_IMAGE}" \
+	  . ${PUSH_ARG}
+	${DOCKER} buildx build --platform ${PLATFORMS} \
+	  --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
+	  --build-arg RUNNER_CONTAINER_HOOKS_VERSION=${RUNNER_CONTAINER_HOOKS_VERSION} \
+	  --build-arg DOCKER_VERSION=${DOCKER_VERSION} \
+	  -f actions-runner-dind-rootless.${OS_IMAGE}.dockerfile \
+	  -t "${DIND_ROOTLESS_RUNNER_NAME}:${OS_IMAGE}" \
+	  . ${PUSH_ARG}
+
+docker-buildx-default:
+	export DOCKER_CLI_EXPERIMENTAL=enabled ;\
+    export DOCKER_BUILDKIT=1
+	@if ! docker buildx ls | grep -q container-builder; then\
+	  docker buildx create --platform ${PLATFORMS} --name container-builder --use;\
+	fi
+	${DOCKER} buildx build --platform ${PLATFORMS} \
+	  --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
+	  --build-arg RUNNER_CONTAINER_HOOKS_VERSION=${RUNNER_CONTAINER_HOOKS_VERSION} \
+	  --build-arg DOCKER_VERSION=${DOCKER_VERSION} \
+	  -f actions-runner.${OS_IMAGE}.dockerfile \
+	  -t "${DEFAULT_RUNNER_NAME}:${OS_IMAGE}" \
+	  . ${PUSH_ARG}
+
+docker-buildx-dind:
+	export DOCKER_CLI_EXPERIMENTAL=enabled ;\
+    export DOCKER_BUILDKIT=1
+	@if ! docker buildx ls | grep -q container-builder; then\
+	  docker buildx create --platform ${PLATFORMS} --name container-builder --use;\
+	fi
+	${DOCKER} buildx build --platform ${PLATFORMS} \
+	  --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
+	  --build-arg RUNNER_CONTAINER_HOOKS_VERSION=${RUNNER_CONTAINER_HOOKS_VERSION} \
+	  --build-arg DOCKER_VERSION=${DOCKER_VERSION} \
+	  -f actions-runner-dind.${OS_IMAGE}.dockerfile \
+	  -t "${DIND_RUNNER_NAME}:${OS_IMAGE}" \
+	  . ${PUSH_ARG}
+
+docker-buildx-dind-rootless:
+	export DOCKER_CLI_EXPERIMENTAL=enabled ;\
+    export DOCKER_BUILDKIT=1
+	@if ! docker buildx ls | grep -q container-builder; then\
+	  docker buildx create --platform ${PLATFORMS} --name container-builder --use;\
+	fi
+	${DOCKER} buildx build --platform ${PLATFORMS} \
+	  --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
+	  --build-arg RUNNER_CONTAINER_HOOKS_VERSION=${RUNNER_CONTAINER_HOOKS_VERSION} \
+	  --build-arg DOCKER_VERSION=${DOCKER_VERSION} \
+	  -f actions-runner-dind-rootless.${OS_IMAGE}.dockerfile \
+	  -t "${DIND_ROOTLESS_RUNNER_NAME}:${OS_IMAGE}" \
+	  . ${PUSH_ARG}
diff --git a/legacy/runner/VERSION b/legacy/runner/VERSION
new file mode 100644
index 0000000..b370e97
--- /dev/null
+++ b/legacy/runner/VERSION
@@ -0,0 +1,2 @@
+RUNNER_VERSION=2.318.0
+RUNNER_CONTAINER_HOOKS_VERSION=0.6.1
\ No newline at end of file
diff --git a/legacy/runner/actions-runner-dind-rootless.ubuntu-20.04.dockerfile b/legacy/runner/actions-runner-dind-rootless.ubuntu-20.04.dockerfile
new file mode 100644
index 0000000..1e65c8b
--- /dev/null
+++ b/legacy/runner/actions-runner-dind-rootless.ubuntu-20.04.dockerfile
@@ -0,0 +1,157 @@
+FROM ubuntu:20.04
+
+ARG TARGETPLATFORM
+ARG RUNNER_VERSION
+ARG RUNNER_CONTAINER_HOOKS_VERSION
+# Docker and Docker Compose arguments
+ENV CHANNEL=stable
+ARG DOCKER_COMPOSE_VERSION=v2.23.0
+ARG DUMB_INIT_VERSION=1.2.5
+
+# Other arguments
+ARG DEBUG=false
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Use 1001 for compatibility with GitHub-hosted runners
+ARG RUNNER_UID=1000
+
+RUN apt-get update -y \
+    && apt-get install -y software-properties-common \
+    && add-apt-repository -y ppa:git-core/ppa \
+    && apt-get update -y \
+    && apt-get install -y --no-install-recommends \
+    build-essential \
+    curl \
+    ca-certificates \
+    dnsutils \
+    ftp \
+    git \
+    iproute2 \
+    iputils-ping \
+    iptables \
+    jq \
+    libunwind8 \
+    locales \
+    netcat \
+    net-tools \
+    openssh-client \
+    parallel \
+    python3-pip \
+    rsync \
+    shellcheck \
+    software-properties-common \
+    sudo \
+    telnet \
+    time \
+    tzdata \
+    uidmap \
+    unzip \
+    upx \
+    wget \
+    zip \
+    zstd \
+    && ln -sf /usr/bin/python3 /usr/bin/python \
+    && ln -sf /usr/bin/pip3 /usr/bin/pip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Download latest git-lfs version
+RUN curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash && \
+    apt-get install -y --no-install-recommends git-lfs
+
+# Runner user
+RUN adduser --disabled-password --gecos "" --uid $RUNNER_UID runner
+
+ENV HOME=/home/runner
+
+# Set-up subuid and subgid so that "--userns-remap=default" works
+RUN set -eux; \
+    addgroup --system dockremap; \
+    adduser --system --ingroup dockremap dockremap; \
+    echo 'dockremap:165536:65536' >> /etc/subuid; \
+    echo 'dockremap:165536:65536' >> /etc/subgid
+
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && curl -fLo /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_${ARCH} \
+    && chmod +x /usr/bin/dumb-init
+
+ENV RUNNER_ASSETS_DIR=/runnertmp
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "x86_64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x64 ; fi \
+    && mkdir -p "$RUNNER_ASSETS_DIR" \
+    && cd "$RUNNER_ASSETS_DIR" \
+    && curl -fLo runner.tar.gz https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-${ARCH}-${RUNNER_VERSION}.tar.gz \
+    && tar xzf ./runner.tar.gz \
+    && rm runner.tar.gz \
+    && ./bin/installdependencies.sh \
+    && mv ./externals ./externalstmp \
+    # libyaml-dev is required for ruby/setup-ruby action.
+    # It is installed after installdependencies.sh and before removing /var/lib/apt/lists
+    # to avoid rerunning apt-update on its own.
+    && apt-get install -y libyaml-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+ENV RUNNER_TOOL_CACHE=/opt/hostedtoolcache
+RUN mkdir /opt/hostedtoolcache \
+    && chgrp runner /opt/hostedtoolcache \
+    && chmod g+rwx /opt/hostedtoolcache
+
+RUN cd "$RUNNER_ASSETS_DIR" \
+    && curl -fLo runner-container-hooks.zip https://github.com/actions/runner-container-hooks/releases/download/v${RUNNER_CONTAINER_HOOKS_VERSION}/actions-runner-hooks-k8s-${RUNNER_CONTAINER_HOOKS_VERSION}.zip \
+    && unzip ./runner-container-hooks.zip -d ./k8s \
+    && rm -f runner-container-hooks.zip
+
+# Make the rootless runner directory executable
+RUN mkdir /run/user/$RUNNER_UID \
+    && chown runner:runner /run/user/$RUNNER_UID \
+    && chmod a+x /run/user/$RUNNER_UID
+
+# We place the scripts in `/usr/bin` so that users who extend this image can
+# override them with scripts of the same name placed in `/usr/local/bin`.
+COPY entrypoint-dind-rootless.sh startup.sh logger.sh graceful-stop.sh update-status /usr/bin/
+RUN chmod +x /usr/bin/entrypoint-dind-rootless.sh /usr/bin/startup.sh
+
+# Copy the docker shim which propagates the docker MTU to underlying networks
+# to replace the docker binary in the PATH.
+COPY docker-shim.sh /usr/local/bin/docker
+
+# Configure hooks folder structure.
+COPY hooks /etc/arc/hooks/
+
+# Add the Python "User Script Directory" to the PATH
+ENV PATH="${PATH}:${HOME}/.local/bin:/home/runner/bin"
+ENV ImageOS=ubuntu20
+ENV DOCKER_HOST=unix:///run/user/$RUNNER_UID/docker.sock
+ENV XDG_RUNTIME_DIR=/run/user/$RUNNER_UID
+
+RUN echo "PATH=${PATH}" > /etc/environment \
+    && echo "ImageOS=${ImageOS}" >> /etc/environment \
+    && echo "DOCKER_HOST=${DOCKER_HOST}" >> /etc/environment \
+    && echo "XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR}" >> /etc/environment
+
+# No group definition, as that makes it harder to run docker.
+USER runner
+
+# This will install docker under $HOME/bin according to the content of the script
+RUN export SKIP_IPTABLES=1 \
+    && curl -fsSL https://get.docker.com/rootless | sh \
+    && /home/runner/bin/docker -v
+
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && mkdir -p /home/runner/.docker/cli-plugins \
+    && curl -fLo /home/runner/.docker/cli-plugins/docker-compose https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-${ARCH} \
+    && chmod +x /home/runner/.docker/cli-plugins/docker-compose \
+    && ln -s /home/runner/.docker/cli-plugins/docker-compose /home/runner/bin/docker-compose \
+    && which docker-compose \
+    && docker compose version
+
+# Create folder structure here to avoid permission issues
+# when mounting the daemon.json file from a configmap.
+RUN mkdir -p /home/runner/.config/docker
+
+ENTRYPOINT ["/bin/bash", "-c"]
+CMD ["entrypoint-dind-rootless.sh"]
diff --git a/legacy/runner/actions-runner-dind-rootless.ubuntu-22.04.dockerfile b/legacy/runner/actions-runner-dind-rootless.ubuntu-22.04.dockerfile
new file mode 100644
index 0000000..0639ccd
--- /dev/null
+++ b/legacy/runner/actions-runner-dind-rootless.ubuntu-22.04.dockerfile
@@ -0,0 +1,135 @@
+FROM ubuntu:22.04
+
+ARG TARGETPLATFORM
+ARG RUNNER_VERSION
+ARG RUNNER_CONTAINER_HOOKS_VERSION
+# Docker and Docker Compose arguments
+ENV CHANNEL=stable
+ARG DOCKER_COMPOSE_VERSION=v2.23.0
+ARG DUMB_INIT_VERSION=1.2.5
+ARG RUNNER_USER_UID=1001
+
+# Other arguments
+ARG DEBUG=false
+
+RUN test -n "$TARGETPLATFORM" || (echo "TARGETPLATFORM must be set" && false)
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update -y \
+    && apt-get install -y software-properties-common \
+    && add-apt-repository -y ppa:git-core/ppa \
+    && apt-get update -y \
+    && apt-get install -y --no-install-recommends \
+    curl \
+    ca-certificates \
+    git \
+    iproute2 \
+    iptables \
+    jq \
+    sudo \
+    uidmap \
+    unzip \
+    zip \
+    fuse-overlayfs \
+    && rm -rf /var/lib/apt/lists/*
+
+# Download latest git-lfs version
+RUN curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash && \
+    apt-get install -y --no-install-recommends git-lfs
+
+# Runner user
+RUN adduser --disabled-password --gecos "" --uid $RUNNER_USER_UID runner
+
+ENV HOME=/home/runner
+
+# Set-up subuid and subgid so that "--userns-remap=default" works
+RUN set -eux; \
+    addgroup --system dockremap; \
+    adduser --system --ingroup dockremap dockremap; \
+    echo 'dockremap:165536:65536' >> /etc/subuid; \
+    echo 'dockremap:165536:65536' >> /etc/subgid
+
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && curl -fLo /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_${ARCH} \
+    && chmod +x /usr/bin/dumb-init
+
+ENV RUNNER_ASSETS_DIR=/runnertmp
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "x86_64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x64 ; fi \
+    && mkdir -p "$RUNNER_ASSETS_DIR" \
+    && cd "$RUNNER_ASSETS_DIR" \
+    && curl -fLo runner.tar.gz https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-${ARCH}-${RUNNER_VERSION}.tar.gz \
+    && tar xzf ./runner.tar.gz \
+    && rm runner.tar.gz \
+    && ./bin/installdependencies.sh \
+    && mv ./externals ./externalstmp \
+    # libyaml-dev is required for ruby/setup-ruby action.
+    # It is installed after installdependencies.sh and before removing /var/lib/apt/lists
+    # to avoid rerunning apt-update on its own.
+    && apt-get install -y libyaml-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+ENV RUNNER_TOOL_CACHE=/opt/hostedtoolcache
+RUN mkdir /opt/hostedtoolcache \
+    && chgrp runner /opt/hostedtoolcache \
+    && chmod g+rwx /opt/hostedtoolcache
+
+RUN cd "$RUNNER_ASSETS_DIR" \
+    && curl -fLo runner-container-hooks.zip https://github.com/actions/runner-container-hooks/releases/download/v${RUNNER_CONTAINER_HOOKS_VERSION}/actions-runner-hooks-k8s-${RUNNER_CONTAINER_HOOKS_VERSION}.zip \
+    && unzip ./runner-container-hooks.zip -d ./k8s \
+    && rm -f runner-container-hooks.zip
+
+# Make the rootless runner directory executable
+RUN mkdir /run/user/1000 \
+    && chown runner:runner /run/user/1000 \
+    && chmod a+x /run/user/1000
+
+# We place the scripts in `/usr/bin` so that users who extend this image can
+# override them with scripts of the same name placed in `/usr/local/bin`.
+COPY entrypoint-dind-rootless.sh startup.sh logger.sh graceful-stop.sh update-status /usr/bin/
+RUN chmod +x /usr/bin/entrypoint-dind-rootless.sh /usr/bin/startup.sh
+
+# Copy the docker shim which propagates the docker MTU to underlying networks
+# to replace the docker binary in the PATH.
+COPY docker-shim.sh /usr/local/bin/docker
+
+# Configure hooks folder structure.
+COPY hooks /etc/arc/hooks/
+
+# Add the Python "User Script Directory" to the PATH
+ENV PATH="${PATH}:${HOME}/.local/bin:/home/runner/bin"
+ENV ImageOS=ubuntu22
+ENV DOCKER_HOST=unix:///run/user/1000/docker.sock
+ENV XDG_RUNTIME_DIR=/run/user/1000
+
+RUN echo "PATH=${PATH}" > /etc/environment \
+    && echo "ImageOS=${ImageOS}" >> /etc/environment \
+    && echo "DOCKER_HOST=${DOCKER_HOST}" >> /etc/environment \
+    && echo "XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR}" >> /etc/environment
+
+# No group definition, as that makes it harder to run docker.
+USER runner
+
+# This will install docker under $HOME/bin according to the content of the script
+RUN export SKIP_IPTABLES=1 \
+    && curl -fsSL https://get.docker.com/rootless | sh \
+    && /home/runner/bin/docker -v
+
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && mkdir -p /home/runner/.docker/cli-plugins \
+    && curl -fLo /home/runner/.docker/cli-plugins/docker-compose https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-${ARCH} \
+    && chmod +x /home/runner/.docker/cli-plugins/docker-compose \
+    && ln -s /home/runner/.docker/cli-plugins/docker-compose /home/runner/bin/docker-compose \
+    && which docker-compose \
+    && docker compose version
+
+# Create folder structure here to avoid permission issues
+# when mounting the daemon.json file from a configmap.
+RUN mkdir -p /home/runner/.config/docker
+
+ENTRYPOINT ["/bin/bash", "-c"]
+CMD ["entrypoint-dind-rootless.sh"]
diff --git a/legacy/runner/actions-runner-dind.ubuntu-20.04.dockerfile b/legacy/runner/actions-runner-dind.ubuntu-20.04.dockerfile
new file mode 100644
index 0000000..5213004
--- /dev/null
+++ b/legacy/runner/actions-runner-dind.ubuntu-20.04.dockerfile
@@ -0,0 +1,144 @@
+FROM ubuntu:20.04
+
+ARG TARGETPLATFORM
+ARG RUNNER_VERSION
+ARG RUNNER_CONTAINER_HOOKS_VERSION
+# Docker and Docker Compose arguments
+ARG CHANNEL=stable
+ARG DOCKER_VERSION=24.0.7
+ARG DOCKER_COMPOSE_VERSION=v2.23.0
+ARG DUMB_INIT_VERSION=1.2.5
+
+# Use 1001 and 121 for compatibility with GitHub-hosted runners
+ARG RUNNER_UID=1000
+ARG DOCKER_GID=1001
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update -y \
+    && apt-get install -y software-properties-common \
+    && add-apt-repository -y ppa:git-core/ppa \
+    && apt-get update -y \
+    && apt-get install -y --no-install-recommends \
+    build-essential \
+    curl \
+    ca-certificates \
+    dnsutils \
+    ftp \
+    git \
+    iproute2 \
+    iputils-ping \
+    iptables \
+    jq \
+    libunwind8 \
+    locales \
+    netcat \
+    net-tools \
+    openssh-client \
+    parallel \
+    python3-pip \
+    rsync \
+    shellcheck \
+    software-properties-common \
+    sudo \
+    telnet \
+    time \
+    tzdata \
+    unzip \
+    upx \
+    wget \
+    zip \
+    zstd \
+    && ln -sf /usr/bin/python3 /usr/bin/python \
+    && ln -sf /usr/bin/pip3 /usr/bin/pip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Download latest git-lfs version
+RUN curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash && \
+    apt-get install -y --no-install-recommends git-lfs
+
+# Runner user
+RUN adduser --disabled-password --gecos "" --uid $RUNNER_UID runner \
+    && groupadd docker --gid $DOCKER_GID \
+    && usermod -aG sudo runner \
+    && usermod -aG docker runner \
+    && echo "%sudo   ALL=(ALL:ALL) NOPASSWD:ALL" > /etc/sudoers \
+    && echo "Defaults env_keep += \"DEBIAN_FRONTEND\"" >> /etc/sudoers
+
+ENV HOME=/home/runner
+
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && curl -fLo /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_${ARCH} \
+    && chmod +x /usr/bin/dumb-init
+
+ENV RUNNER_ASSETS_DIR=/runnertmp
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "x86_64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x64 ; fi \
+    && mkdir -p "$RUNNER_ASSETS_DIR" \
+    && cd "$RUNNER_ASSETS_DIR" \
+    && curl -fLo runner.tar.gz https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-${ARCH}-${RUNNER_VERSION}.tar.gz \
+    && tar xzf ./runner.tar.gz \
+    && rm -f runner.tar.gz \
+    && ./bin/installdependencies.sh \
+    # libyaml-dev is required for ruby/setup-ruby action.
+    # It is installed after installdependencies.sh and before removing /var/lib/apt/lists
+    # to avoid rerunning apt-update on its own.
+    && apt-get install -y libyaml-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+ENV RUNNER_TOOL_CACHE=/opt/hostedtoolcache
+RUN mkdir /opt/hostedtoolcache \
+    && chgrp docker /opt/hostedtoolcache \
+    && chmod g+rwx /opt/hostedtoolcache
+
+RUN cd "$RUNNER_ASSETS_DIR" \
+    && curl -fLo runner-container-hooks.zip https://github.com/actions/runner-container-hooks/releases/download/v${RUNNER_CONTAINER_HOOKS_VERSION}/actions-runner-hooks-k8s-${RUNNER_CONTAINER_HOOKS_VERSION}.zip \
+    && unzip ./runner-container-hooks.zip -d ./k8s \
+    && rm -f runner-container-hooks.zip
+
+RUN set -vx; \
+    export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && curl -fLo docker.tgz https://download.docker.com/linux/static/${CHANNEL}/${ARCH}/docker-${DOCKER_VERSION}.tgz \
+    && tar zxvf docker.tgz \
+    && install -o root -g root -m 755 docker/* /usr/bin/ \
+    && rm -rf docker docker.tgz
+
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && mkdir -p /usr/libexec/docker/cli-plugins \
+    && curl -fLo /usr/libexec/docker/cli-plugins/docker-compose https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-${ARCH} \
+    && chmod +x /usr/libexec/docker/cli-plugins/docker-compose \
+    && ln -s /usr/libexec/docker/cli-plugins/docker-compose /usr/bin/docker-compose \
+    && which docker-compose \
+    && docker compose version
+
+# We place the scripts in `/usr/bin` so that users who extend this image can
+# override them with scripts of the same name placed in `/usr/local/bin`.
+COPY entrypoint-dind.sh startup.sh logger.sh wait.sh graceful-stop.sh update-status /usr/bin/
+RUN chmod +x /usr/bin/entrypoint-dind.sh /usr/bin/startup.sh
+
+# Copy the docker shim which propagates the docker MTU to underlying networks
+# to replace the docker binary in the PATH.
+COPY docker-shim.sh /usr/local/bin/docker
+
+# Configure hooks folder structure.
+COPY hooks /etc/arc/hooks/
+
+VOLUME /var/lib/docker
+
+# Add the Python "User Script Directory" to the PATH
+ENV PATH="${PATH}:${HOME}/.local/bin"
+ENV ImageOS=ubuntu20
+
+RUN echo "PATH=${PATH}" > /etc/environment \
+    && echo "ImageOS=${ImageOS}" >> /etc/environment
+
+# No group definition, as that makes it harder to run docker.
+USER runner
+
+ENTRYPOINT ["/bin/bash", "-c"]
+CMD ["entrypoint-dind.sh"]
diff --git a/legacy/runner/actions-runner-dind.ubuntu-22.04.dockerfile b/legacy/runner/actions-runner-dind.ubuntu-22.04.dockerfile
new file mode 100644
index 0000000..9e9ec86
--- /dev/null
+++ b/legacy/runner/actions-runner-dind.ubuntu-22.04.dockerfile
@@ -0,0 +1,120 @@
+FROM ubuntu:22.04
+
+ARG TARGETPLATFORM
+ARG RUNNER_VERSION
+ARG RUNNER_CONTAINER_HOOKS_VERSION
+# Docker and Docker Compose arguments
+ARG CHANNEL=stable
+ARG DOCKER_VERSION=24.0.7
+ARG DOCKER_COMPOSE_VERSION=v2.23.0
+ARG DUMB_INIT_VERSION=1.2.5
+ARG RUNNER_USER_UID=1001
+ARG DOCKER_GROUP_GID=121
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update -y \
+    && apt-get install -y software-properties-common \
+    && add-apt-repository -y ppa:git-core/ppa \
+    && apt-get update -y \
+    && apt-get install -y --no-install-recommends \
+    curl \
+    ca-certificates \
+    git \
+    iptables \
+    jq \
+    software-properties-common \
+    sudo \
+    unzip \
+    zip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Download latest git-lfs version
+RUN curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash && \
+    apt-get install -y --no-install-recommends git-lfs
+
+# Runner user
+RUN adduser --disabled-password --gecos "" --uid $RUNNER_USER_UID runner \
+    && groupadd docker --gid $DOCKER_GROUP_GID \
+    && usermod -aG sudo runner \
+    && usermod -aG docker runner \
+    && echo "%sudo   ALL=(ALL:ALL) NOPASSWD:ALL" > /etc/sudoers \
+    && echo "Defaults env_keep += \"DEBIAN_FRONTEND\"" >> /etc/sudoers
+
+ENV HOME=/home/runner
+
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && curl -fLo /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_${ARCH} \
+    && chmod +x /usr/bin/dumb-init
+
+ENV RUNNER_ASSETS_DIR=/runnertmp
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "x86_64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x64 ; fi \
+    && mkdir -p "$RUNNER_ASSETS_DIR" \
+    && cd "$RUNNER_ASSETS_DIR" \
+    && curl -fLo runner.tar.gz https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-${ARCH}-${RUNNER_VERSION}.tar.gz \
+    && tar xzf ./runner.tar.gz \
+    && rm -f runner.tar.gz \
+    && ./bin/installdependencies.sh \
+    # libyaml-dev is required for ruby/setup-ruby action.
+    # It is installed after installdependencies.sh and before removing /var/lib/apt/lists
+    # to avoid rerunning apt-update on its own.
+    && apt-get install -y libyaml-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+ENV RUNNER_TOOL_CACHE=/opt/hostedtoolcache
+RUN mkdir /opt/hostedtoolcache \
+    && chgrp docker /opt/hostedtoolcache \
+    && chmod g+rwx /opt/hostedtoolcache
+
+RUN cd "$RUNNER_ASSETS_DIR" \
+    && curl -fLo runner-container-hooks.zip https://github.com/actions/runner-container-hooks/releases/download/v${RUNNER_CONTAINER_HOOKS_VERSION}/actions-runner-hooks-k8s-${RUNNER_CONTAINER_HOOKS_VERSION}.zip \
+    && unzip ./runner-container-hooks.zip -d ./k8s \
+    && rm -f runner-container-hooks.zip
+
+RUN set -vx; \
+    export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && curl -fLo docker.tgz https://download.docker.com/linux/static/${CHANNEL}/${ARCH}/docker-${DOCKER_VERSION}.tgz \
+    && tar zxvf docker.tgz \
+    && install -o root -g root -m 755 docker/* /usr/bin/ \
+    && rm -rf docker docker.tgz
+
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && mkdir -p /usr/libexec/docker/cli-plugins \
+    && curl -fLo /usr/libexec/docker/cli-plugins/docker-compose https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-${ARCH} \
+    && chmod +x /usr/libexec/docker/cli-plugins/docker-compose \
+    && ln -s /usr/libexec/docker/cli-plugins/docker-compose /usr/bin/docker-compose \
+    && which docker-compose \
+    && docker compose version
+
+# We place the scripts in `/usr/bin` so that users who extend this image can
+# override them with scripts of the same name placed in `/usr/local/bin`.
+COPY entrypoint-dind.sh startup.sh logger.sh wait.sh graceful-stop.sh update-status /usr/bin/
+RUN chmod +x /usr/bin/entrypoint-dind.sh /usr/bin/startup.sh
+
+# Copy the docker shim which propagates the docker MTU to underlying networks
+# to replace the docker binary in the PATH.
+COPY docker-shim.sh /usr/local/bin/docker
+
+# Configure hooks folder structure.
+COPY hooks /etc/arc/hooks/
+
+VOLUME /var/lib/docker
+
+# Add the Python "User Script Directory" to the PATH
+ENV PATH="${PATH}:${HOME}/.local/bin"
+ENV ImageOS=ubuntu22
+
+RUN echo "PATH=${PATH}" > /etc/environment \
+    && echo "ImageOS=${ImageOS}" >> /etc/environment
+
+# No group definition, as that makes it harder to run docker.
+USER runner
+
+ENTRYPOINT ["/bin/bash", "-c"]
+CMD ["entrypoint-dind.sh"]
diff --git a/legacy/runner/actions-runner.ubuntu-20.04.dockerfile b/legacy/runner/actions-runner.ubuntu-20.04.dockerfile
new file mode 100644
index 0000000..142ca3a
--- /dev/null
+++ b/legacy/runner/actions-runner.ubuntu-20.04.dockerfile
@@ -0,0 +1,137 @@
+FROM ubuntu:20.04
+
+ARG TARGETPLATFORM
+ARG RUNNER_VERSION
+ARG RUNNER_CONTAINER_HOOKS_VERSION
+# Docker and Docker Compose arguments
+ARG CHANNEL=stable
+ARG DOCKER_VERSION=24.0.7
+ARG DOCKER_COMPOSE_VERSION=v2.23.0
+ARG DUMB_INIT_VERSION=1.2.5
+
+# Use 1001 and 121 for compatibility with GitHub-hosted runners
+ARG RUNNER_UID=1000
+ARG DOCKER_GID=1001
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update -y \
+    && apt-get install -y software-properties-common \
+    && add-apt-repository -y ppa:git-core/ppa \
+    && apt-get update -y \
+    && apt-get install -y --no-install-recommends \
+    build-essential \
+    curl \
+    ca-certificates \
+    dnsutils \
+    ftp \
+    git \
+    iproute2 \
+    iputils-ping \
+    jq \
+    libunwind8 \
+    locales \
+    netcat \
+    openssh-client \
+    parallel \
+    python3-pip \
+    rsync \
+    shellcheck \
+    sudo \
+    telnet \
+    time \
+    tzdata \
+    unzip \
+    upx \
+    wget \
+    zip \
+    zstd \
+    && ln -sf /usr/bin/python3 /usr/bin/python \
+    && ln -sf /usr/bin/pip3 /usr/bin/pip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Download latest git-lfs version
+RUN curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash && \
+    apt-get install -y --no-install-recommends git-lfs
+
+RUN adduser --disabled-password --gecos "" --uid $RUNNER_UID runner \
+    && groupadd docker --gid $DOCKER_GID \
+    && usermod -aG sudo runner \
+    && usermod -aG docker runner \
+    && echo "%sudo   ALL=(ALL:ALL) NOPASSWD:ALL" > /etc/sudoers \
+    && echo "Defaults env_keep += \"DEBIAN_FRONTEND\"" >> /etc/sudoers
+
+ENV HOME=/home/runner
+
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && curl -fLo /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_${ARCH} \
+    && chmod +x /usr/bin/dumb-init
+
+ENV RUNNER_ASSETS_DIR=/runnertmp
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "x86_64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x64 ; fi \
+    && mkdir -p "$RUNNER_ASSETS_DIR" \
+    && cd "$RUNNER_ASSETS_DIR" \
+    && curl -fLo runner.tar.gz https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-${ARCH}-${RUNNER_VERSION}.tar.gz \
+    && tar xzf ./runner.tar.gz \
+    && rm runner.tar.gz \
+    && ./bin/installdependencies.sh \
+    && mv ./externals ./externalstmp \
+    # libyaml-dev is required for ruby/setup-ruby action.
+    # It is installed after installdependencies.sh and before removing /var/lib/apt/lists
+    # to avoid rerunning apt-update on its own.
+    && apt-get install -y libyaml-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+ENV RUNNER_TOOL_CACHE=/opt/hostedtoolcache
+RUN mkdir /opt/hostedtoolcache \
+    && chgrp docker /opt/hostedtoolcache \
+    && chmod g+rwx /opt/hostedtoolcache
+
+RUN cd "$RUNNER_ASSETS_DIR" \
+    && curl -fLo runner-container-hooks.zip https://github.com/actions/runner-container-hooks/releases/download/v${RUNNER_CONTAINER_HOOKS_VERSION}/actions-runner-hooks-k8s-${RUNNER_CONTAINER_HOOKS_VERSION}.zip \
+    && unzip ./runner-container-hooks.zip -d ./k8s \
+    && rm -f runner-container-hooks.zip
+
+RUN set -vx; \
+    export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && curl -fLo docker.tgz https://download.docker.com/linux/static/${CHANNEL}/${ARCH}/docker-${DOCKER_VERSION}.tgz \
+    && tar zxvf docker.tgz \
+    && install -o root -g root -m 755 docker/docker /usr/bin/docker \
+    && rm -rf docker docker.tgz
+
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && mkdir -p /usr/libexec/docker/cli-plugins \
+    && curl -fLo /usr/libexec/docker/cli-plugins/docker-compose https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-${ARCH} \
+    && chmod +x /usr/libexec/docker/cli-plugins/docker-compose \
+    && ln -s /usr/libexec/docker/cli-plugins/docker-compose /usr/bin/docker-compose \
+    && which docker-compose \
+    && docker compose version
+
+# We place the scripts in `/usr/bin` so that users who extend this image can
+# override them with scripts of the same name placed in `/usr/local/bin`.
+COPY entrypoint.sh startup.sh logger.sh graceful-stop.sh update-status /usr/bin/
+
+# Copy the docker shim which propagates the docker MTU to underlying networks
+# to replace the docker binary in the PATH.
+COPY docker-shim.sh /usr/local/bin/docker
+
+# Configure hooks folder structure.
+COPY hooks /etc/arc/hooks/
+
+# Add the Python "User Script Directory" to the PATH
+ENV PATH="${PATH}:${HOME}/.local/bin/"
+ENV ImageOS=ubuntu20
+
+RUN echo "PATH=${PATH}" > /etc/environment \
+    && echo "ImageOS=${ImageOS}" >> /etc/environment
+
+USER runner
+
+ENTRYPOINT ["/bin/bash", "-c"]
+CMD ["entrypoint.sh"]
diff --git a/legacy/runner/actions-runner.ubuntu-22.04.dockerfile b/legacy/runner/actions-runner.ubuntu-22.04.dockerfile
new file mode 100644
index 0000000..a8d31e3
--- /dev/null
+++ b/legacy/runner/actions-runner.ubuntu-22.04.dockerfile
@@ -0,0 +1,114 @@
+FROM ubuntu:22.04
+
+ARG TARGETPLATFORM
+ARG RUNNER_VERSION
+ARG RUNNER_CONTAINER_HOOKS_VERSION
+# Docker and Docker Compose arguments
+ARG CHANNEL=stable
+ARG DOCKER_VERSION=24.0.7
+ARG DOCKER_COMPOSE_VERSION=v2.23.0
+ARG DUMB_INIT_VERSION=1.2.5
+ARG RUNNER_USER_UID=1001
+ARG DOCKER_GROUP_GID=121
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update -y \
+    && apt-get install -y software-properties-common \
+    && add-apt-repository -y ppa:git-core/ppa \
+    && apt-get update -y \
+    && apt-get install -y --no-install-recommends \
+    curl \
+    ca-certificates \
+    git \
+    jq \
+    sudo \
+    unzip \
+    zip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Download latest git-lfs version
+RUN curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash && \
+    apt-get install -y --no-install-recommends git-lfs
+
+RUN adduser --disabled-password --gecos "" --uid $RUNNER_USER_UID runner \
+    && groupadd docker --gid $DOCKER_GROUP_GID \
+    && usermod -aG sudo runner \
+    && usermod -aG docker runner \
+    && echo "%sudo   ALL=(ALL:ALL) NOPASSWD:ALL" > /etc/sudoers \
+    && echo "Defaults env_keep += \"DEBIAN_FRONTEND\"" >> /etc/sudoers
+
+ENV HOME=/home/runner
+
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && curl -fLo /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_${ARCH} \
+    && chmod +x /usr/bin/dumb-init
+
+ENV RUNNER_ASSETS_DIR=/runnertmp
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "x86_64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x64 ; fi \
+    && mkdir -p "$RUNNER_ASSETS_DIR" \
+    && cd "$RUNNER_ASSETS_DIR" \
+    && curl -fLo runner.tar.gz https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-${ARCH}-${RUNNER_VERSION}.tar.gz \
+    && tar xzf ./runner.tar.gz \
+    && rm runner.tar.gz \
+    && ./bin/installdependencies.sh \
+    && mv ./externals ./externalstmp \
+    # libyaml-dev is required for ruby/setup-ruby action.
+    # It is installed after installdependencies.sh and before removing /var/lib/apt/lists
+    # to avoid rerunning apt-update on its own.
+    && apt-get install -y libyaml-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+ENV RUNNER_TOOL_CACHE=/opt/hostedtoolcache
+RUN mkdir /opt/hostedtoolcache \
+    && chgrp docker /opt/hostedtoolcache \
+    && chmod g+rwx /opt/hostedtoolcache
+
+RUN cd "$RUNNER_ASSETS_DIR" \
+    && curl -fLo runner-container-hooks.zip https://github.com/actions/runner-container-hooks/releases/download/v${RUNNER_CONTAINER_HOOKS_VERSION}/actions-runner-hooks-k8s-${RUNNER_CONTAINER_HOOKS_VERSION}.zip \
+    && unzip ./runner-container-hooks.zip -d ./k8s \
+    && rm -f runner-container-hooks.zip
+
+RUN set -vx; \
+    export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && curl -fLo docker.tgz https://download.docker.com/linux/static/${CHANNEL}/${ARCH}/docker-${DOCKER_VERSION}.tgz \
+    && tar zxvf docker.tgz \
+    && install -o root -g root -m 755 docker/docker /usr/bin/docker \
+    && rm -rf docker docker.tgz
+
+RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
+    && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
+    && if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
+    && mkdir -p /usr/libexec/docker/cli-plugins \
+    && curl -fLo /usr/libexec/docker/cli-plugins/docker-compose https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-${ARCH} \
+    && chmod +x /usr/libexec/docker/cli-plugins/docker-compose \
+    && ln -s /usr/libexec/docker/cli-plugins/docker-compose /usr/bin/docker-compose \
+    && which docker-compose \
+    && docker compose version
+
+# We place the scripts in `/usr/bin` so that users who extend this image can
+# override them with scripts of the same name placed in `/usr/local/bin`.
+COPY entrypoint.sh startup.sh logger.sh graceful-stop.sh update-status /usr/bin/
+
+# Copy the docker shim which propagates the docker MTU to underlying networks
+# to replace the docker binary in the PATH.
+COPY docker-shim.sh /usr/local/bin/docker
+
+# Configure hooks folder structure.
+COPY hooks /etc/arc/hooks/
+
+# Add the Python "User Script Directory" to the PATH
+ENV PATH="${PATH}:${HOME}/.local/bin/"
+ENV ImageOS=ubuntu22
+
+RUN echo "PATH=${PATH}" > /etc/environment \
+    && echo "ImageOS=${ImageOS}" >> /etc/environment
+
+USER runner
+
+ENTRYPOINT ["/bin/bash", "-c"]
+CMD ["entrypoint.sh"]
diff --git a/legacy/runner/docker-shim.sh b/legacy/runner/docker-shim.sh
new file mode 100755
index 0000000..21378dd
--- /dev/null
+++ b/legacy/runner/docker-shim.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -Eeuo pipefail
+
+DOCKER=/usr/bin/docker
+if [ ! -e $DOCKER ]; then
+  DOCKER=/home/runner/bin/docker
+fi
+
+if [[ ${ARC_DOCKER_MTU_PROPAGATION:-false} == true ]] &&
+  (($# >= 2)) && [[ $1 == network && $2 == create ]] &&
+  mtu=$($DOCKER network inspect bridge --format '{{index .Options "com.docker.network.driver.mtu"}}' 2>/dev/null); then
+  shift 2
+  set -- network create --opt com.docker.network.driver.mtu="$mtu" "$@"
+fi
+
+exec $DOCKER "$@"
diff --git a/legacy/runner/entrypoint-dind-rootless.sh b/legacy/runner/entrypoint-dind-rootless.sh
new file mode 100644
index 0000000..9c8cc01
--- /dev/null
+++ b/legacy/runner/entrypoint-dind-rootless.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+source logger.sh
+source graceful-stop.sh
+trap graceful_stop TERM
+
+log.notice "Writing out Docker config file"
+/bin/bash <<SCRIPT
+
+if [ ! -f /home/runner/.config/docker/daemon.json ]; then
+  echo "{}" > /home/runner/.config/docker/daemon.json
+fi
+
+if [ -n "${MTU}" ]; then
+jq ".\"mtu\" = ${MTU}" /home/runner/.config/docker/daemon.json > /tmp/.daemon.json && mv /tmp/.daemon.json /home/runner/.config/docker/daemon.json
+# See https://docs.docker.com/engine/security/rootless/ and https://github.com/docker/engine/blob/8955d8da8951695a98eb7e15bead19d402c6eb27/contrib/dockerd-rootless.sh#L13
+echo "DOCKERD_ROOTLESS_ROOTLESSKIT_MTU=${MTU}" | sudo tee -a /etc/environment
+fi
+
+if [ -n "${DOCKER_DEFAULT_ADDRESS_POOL_BASE}" ] && [ -n "${DOCKER_DEFAULT_ADDRESS_POOL_SIZE}" ]; then
+  jq ".\"default-address-pools\" = [{\"base\": \"${DOCKER_DEFAULT_ADDRESS_POOL_BASE}\", \"size\": ${DOCKER_DEFAULT_ADDRESS_POOL_SIZE}}]" /home/runner/.config/docker/daemon.json > /tmp/.daemon.json && mv /tmp/.daemon.json /home/runner/.config/docker/daemon.json
+fi
+
+if [ -n "${DOCKER_REGISTRY_MIRROR}" ]; then
+jq ".\"registry-mirrors\"[0] = \"${DOCKER_REGISTRY_MIRROR}\"" /home/runner/.config/docker/daemon.json > /tmp/.daemon.json && mv /tmp/.daemon.json /home/runner/.config/docker/daemon.json
+fi
+SCRIPT
+
+if [ -d /home/runner/.local ]; then
+  if [ ! -d /home/runner/.local/share ]; then
+    log.notice "Creating /home/runner/.local/share owned by runner:runner \
+so that rootless dockerd will not fail with a permission error when creating /home/runner/.local/share/docker"
+
+    sudo mkdir /home/runner/.local/share
+    sudo chmod 755 /home/runner/.local/share
+    sudo chown runner:runner /home/runner/.local/share
+  fi
+fi
+
+log.notice "Starting Docker (rootless)"
+
+dumb-init bash <<'SCRIPT' &
+# Note that we don't want dockerd to be terminated before the runner agent,
+# because it defeats the goal of the runner agent graceful stop logic implemenbed above.
+# We can't rely on e.g. `dumb-init --single-child` for that, because with `--single-child` we can't even trap SIGTERM
+# for not only dockerd but also the runner agent.
+/home/runner/bin/dockerd-rootless.sh --config-file /home/runner/.config/docker/daemon.json &
+
+startup.sh
+SCRIPT
+
+RUNNER_INIT_PID=$!
+log.notice "Runner init started with pid $RUNNER_INIT_PID"
+wait $RUNNER_INIT_PID
+log.notice "Runner init exited. Exiting this process with code 0 so that the container and the pod is GC'ed Kubernetes soon."
+
+trap - TERM
diff --git a/legacy/runner/entrypoint-dind.sh b/legacy/runner/entrypoint-dind.sh
new file mode 100755
index 0000000..56bd6e8
--- /dev/null
+++ b/legacy/runner/entrypoint-dind.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+source logger.sh
+source graceful-stop.sh
+trap graceful_stop TERM
+
+sudo /bin/bash <<SCRIPT
+mkdir -p /etc/docker
+
+if [ ! -f /etc/docker/daemon.json ]; then
+  echo "{}" > /etc/docker/daemon.json
+fi
+
+if [ -n "${MTU}" ]; then
+jq ".\"mtu\" = ${MTU}" /etc/docker/daemon.json > /tmp/.daemon.json && mv /tmp/.daemon.json /etc/docker/daemon.json
+# See https://docs.docker.com/engine/security/rootless/
+export DOCKERD_ROOTLESS_ROOTLESSKIT_MTU=${MTU}
+fi
+
+if [ -n "${DOCKER_DEFAULT_ADDRESS_POOL_BASE}" ] && [ -n "${DOCKER_DEFAULT_ADDRESS_POOL_SIZE}" ]; then
+  jq ".\"default-address-pools\" = [{\"base\": \"${DOCKER_DEFAULT_ADDRESS_POOL_BASE}\", \"size\": ${DOCKER_DEFAULT_ADDRESS_POOL_SIZE}}]" /etc/docker/daemon.json > /tmp/.daemon.json && mv /tmp/.daemon.json /etc/docker/daemon.json
+fi
+
+if [ -n "${DOCKER_REGISTRY_MIRROR}" ]; then
+jq ".\"registry-mirrors\"[0] = \"${DOCKER_REGISTRY_MIRROR}\"" /etc/docker/daemon.json > /tmp/.daemon.json && mv /tmp/.daemon.json /etc/docker/daemon.json
+fi
+
+if [ -n "${DOCKER_INSECURE_REGISTRY}" ]; then
+jq ".\"insecure-registries\"[0] = \"${DOCKER_INSECURE_REGISTRY}\"" /etc/docker/daemon.json > /tmp/.daemon.json && mv /tmp/.daemon.json /etc/docker/daemon.json
+fi
+SCRIPT
+
+dumb-init bash <<'SCRIPT' &
+source logger.sh
+source wait.sh
+
+dump() {
+  local path=${1:?missing required <path> argument}
+  shift
+  printf -- "%s\n---\n" "${*//\{path\}/"$path"}" 1>&2
+  cat "$path" 1>&2
+  printf -- '---\n' 1>&2
+}
+
+for config in /etc/docker/daemon.json; do
+  dump "$config" 'Using {path} with the following content:'
+done
+
+log.debug 'Starting Docker daemon'
+sudo /usr/bin/dockerd &
+
+log.debug 'Waiting for processes to be running...'
+processes=(dockerd)
+
+for process in "${processes[@]}"; do
+    if ! wait_for_process "$process"; then
+        log.error "$process is not running after max time"
+        exit 1
+    else
+        log.debug "$process is running"
+    fi
+done
+
+if [ -n "${MTU}" ]; then
+  sudo ifconfig docker0 mtu "${MTU}" up
+fi
+
+startup.sh
+SCRIPT
+
+RUNNER_INIT_PID=$!
+log.notice "Runner init started with pid $RUNNER_INIT_PID"
+wait $RUNNER_INIT_PID
+log.notice "Runner init exited. Exiting this process with code 0 so that the container and the pod is GC'ed Kubernetes soon."
+
+trap - TERM
diff --git a/legacy/runner/entrypoint.sh b/legacy/runner/entrypoint.sh
new file mode 100755
index 0000000..c2671b7
--- /dev/null
+++ b/legacy/runner/entrypoint.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+source logger.sh
+source graceful-stop.sh
+trap graceful_stop TERM
+
+dumb-init bash <<'SCRIPT' &
+source logger.sh
+
+startup.sh
+SCRIPT
+
+RUNNER_INIT_PID=$!
+log.notice "Runner init started with pid $RUNNER_INIT_PID"
+wait $RUNNER_INIT_PID
+log.notice "Runner init exited. Exiting this process with code 0 so that the container and the pod is GC'ed Kubernetes soon."
+
+if [ -f /runner/.runner ]; then
+# If the runner failed with the following error:
+#   √ Connected to GitHub
+#   Failed to create a session. The runner registration has been deleted from the server, please re-configure.
+#   Runner listener exit with terminated error, stop the service, no retry needed.
+#   Exiting runner...
+# It might have failed to delete the .runner file.
+# We use the existence of the .runner file as the indicator that the runner agent has not stopped yet.
+# Remove it by ourselves now, so that the dockerd sidecar prestop won't hang waiting for the .runner file to appear.
+  echo "Removing the .runner file"
+  rm -f /runner/.runner
+fi
+
+trap - TERM
diff --git a/legacy/runner/graceful-stop.sh b/legacy/runner/graceful-stop.sh
new file mode 100644
index 0000000..4f69bbf
--- /dev/null
+++ b/legacy/runner/graceful-stop.sh
@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# This should be shorter enough than the terminationGracePeriodSeconds,
+# so that the job is cancelled immediately, instead of hanging for 10 minutes or so and failing without any error message.
+RUNNER_GRACEFUL_STOP_TIMEOUT=${RUNNER_GRACEFUL_STOP_TIMEOUT:-15}
+
+graceful_stop() {
+  log.notice "Executing actions-runner-controller's SIGTERM handler."
+  log.notice "Note that if this takes more time than terminationGracePeriodSeconds, the runner will be forcefully terminated by Kubernetes, which may result in the in-progress workflow job, if any, to fail."
+
+  log.notice "Ensuring dockerd is still running."
+  if ! docker ps -a; then
+    log.warning "Detected configuration error: dockerd should be running but is already nowhere. This is wrong. Ensure that your init system to NOT pass SIGTERM directly to dockerd!"
+  fi
+
+  # The below procedure atomically removes the runner from GitHub Actions service,
+  # to ensure that the runner is not running any job.
+  # This is required to not terminate the actions runner agent while running the job.
+  # If we didn't do this atomically, we might end up with a rare race where
+  # the runner agent is terminated while it was about to start a job.
+
+  # `pushd`` is needed to run the config.sh successfully.
+  # Without this the author of this script ended up with errors like the below:
+  #   Cannot connect to server, because config files are missing. Skipping removing runner from the server.
+  #   Does not exist. Skipping Removing .credentials
+  #   Does not exist. Skipping Removing .runner
+  if ! pushd /runner; then
+    log.error "Failed to pushd ${RUNNER_HOME}"
+    exit 1
+  fi
+
+  # We need to wait for the registration first.
+  # Otherwise a direct runner pod deletion triggered while the runner entrypoint.sh is about to register itself with
+  # config.sh can result in this graceful stop process to get skipped.
+  # In that case, the pod is eventually and forcefully terminated by ARC and K8s, resulting
+  # in the possible running workflow job after this graceful stop process failed might get cancelled prematurely.
+  log.notice "Waiting for the runner to register first."
+  while ! [ -f /runner/.runner ]; do
+    sleep 1
+  done
+  log.notice "Observed that the runner has been registered."
+
+  if ! /runner/config.sh remove --token "$RUNNER_TOKEN"; then
+    i=0
+    log.notice "Waiting for RUNNER_GRACEFUL_STOP_TIMEOUT=$RUNNER_GRACEFUL_STOP_TIMEOUT seconds until the runner agent to stop by itself."
+    while [[ $i -lt $RUNNER_GRACEFUL_STOP_TIMEOUT ]]; do
+      sleep 1
+      if ! pgrep Runner.Listener > /dev/null; then
+        log.notice "The runner agent stopped before RUNNER_GRACEFUL_STOP_TIMEOUT=$RUNNER_GRACEFUL_STOP_TIMEOUT"
+        break
+      fi
+      i=$((i+1))
+    done
+  fi
+
+  if ! popd; then
+    log.error "Failed to popd from ${RUNNER_HOME}"
+    exit 1
+  fi
+
+  if pgrep Runner.Listener > /dev/null; then
+    # The below procedure fixes the runner to correctly notify the Actions service for the cancellation of this runner.
+    # It enables you to see `Error: The operation was canceled.` in the worklow job log, in case a job was still running on this runner when the
+    # termination is requested.
+    #
+    # Note though, due to how Actions work, no all job steps gets `Error: The operation was canceled.` in the job step logs.
+    # Jobs that were still in the first `Stet up job` step` seem to get `Error: A task was canceled.`,
+    #
+    # Anyway, without this, a runer pod is "forcefully" killed by any other controller (like cluster-autoscaler) can result in the workflow job to
+    # hang for 10 minutes or so.
+    # After 10 minutes, the Actions UI just shows the failure icon for the step, without `Error: The operation was canceled.`,
+    # not even showing `Error: The operation was canceled.`, which is confusing.
+    runner_listener_pid=$(pgrep Runner.Listener)
+    log.notice "Sending SIGTERM to the actions runner agent ($runner_listener_pid)."
+    kill -TERM "$runner_listener_pid"
+
+    log.notice "SIGTERM sent. If the runner is still running a job, you'll probably see \"Error: The operation was canceled.\" in its log."
+    log.notice "Waiting for the actions runner agent to stop."
+    while pgrep Runner.Listener > /dev/null; do
+      sleep 1
+    done
+  fi
+
+  # This message is supposed to be output only after the runner agent output:
+  #   2022-08-27 02:04:37Z: Job test3 completed with result: Canceled
+  # because this graceful stopping logic is basically intended to let the runner agent have some time
+  # needed to "Cancel" it.
+  # At the times we didn't have this logic, the runner agent was even unable to output the Cancelled message hence
+  # unable to gracefully stop, hence the workflow job hanged like forever.
+  log.notice "The actions runner process exited."
+  
+  if [ "$RUNNER_INIT_PID" != "" ]; then
+    log.notice "Holding on until runner init (pid $RUNNER_INIT_PID) exits, so that there will hopefully be no zombie processes remaining."
+    # We don't need to kill -TERM $RUNNER_INIT_PID as the init is supposed to exit by itself once the foreground process(=the runner agent) exists.
+    wait "$RUNNER_INIT_PID" || :
+  fi
+  
+  log.notice "Graceful stop completed."
+}
diff --git a/legacy/runner/hooks/job-completed.d/update-status b/legacy/runner/hooks/job-completed.d/update-status
new file mode 100755
index 0000000..6efa332
--- /dev/null
+++ b/legacy/runner/hooks/job-completed.d/update-status
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -u
+
+exec update-status Idle
diff --git a/legacy/runner/hooks/job-completed.sh b/legacy/runner/hooks/job-completed.sh
new file mode 100755
index 0000000..9bf775e
--- /dev/null
+++ b/legacy/runner/hooks/job-completed.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+# shellcheck source=runner/logger.sh
+source logger.sh
+
+log.debug "Running ARC Job Completed Hooks"
+
+for hook in /etc/arc/hooks/job-completed.d/*; do
+  log.debug "Running hook: $hook"
+  "$hook" "$@"
+done
diff --git a/legacy/runner/hooks/job-started.d/update-status b/legacy/runner/hooks/job-started.d/update-status
new file mode 100755
index 0000000..db7c6fd
--- /dev/null
+++ b/legacy/runner/hooks/job-started.d/update-status
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -u
+
+exec update-status Running "Run $GITHUB_RUN_ID from $GITHUB_REPOSITORY"
diff --git a/legacy/runner/hooks/job-started.sh b/legacy/runner/hooks/job-started.sh
new file mode 100644
index 0000000..4b49c22
--- /dev/null
+++ b/legacy/runner/hooks/job-started.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+# shellcheck source=runner/logger.sh
+source logger.sh
+
+log.debug "Running ARC Job Started Hooks"
+
+for hook in /etc/arc/hooks/job-started.d/*; do
+  log.debug "Running hook: $hook"
+  "$hook" "$@"
+done
diff --git a/legacy/runner/logger.sh b/legacy/runner/logger.sh
new file mode 100755
index 0000000..b80eb91
--- /dev/null
+++ b/legacy/runner/logger.sh
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+# We are not using `set -Eeuo pipefail` here because this file is sourced by
+# other scripts that might not be ready for a strict Bash setup. The functions
+# in this file do not require it, because they are not handling signals, have
+# no external calls that can fail (printf as well as date failures are ignored),
+# are not using any variables that need to be set, and are not using any pipes.
+
+# This logger implementation can be replaced with another logger implementation
+# by placing a script called `logger.sh` in `/usr/local/bin` of the image. The
+# only requirement for the script is that it defines the following functions:
+#
+# - `log.debug`
+# - `log.notice`
+# - `log.warning`
+# - `log.error`
+# - `log.success`
+#
+# Each function **MUST** accept an arbitrary amount of arguments that make up
+# the (unstructured) logging message.
+#
+# Additionally the following environment variables **SHOULD** be supported to
+# disable their corresponding log entries, the value of the variables **MUST**
+# not matter the mere fact that they are set is all that matters:
+#
+# - `LOG_DEBUG_DISABLED`
+# - `LOG_NOTICE_DISABLED`
+# - `LOG_WARNING_DISABLED`
+# - `LOG_ERROR_DISABLED`
+# - `LOG_SUCCESS_DISABLED`
+
+# The log format is constructed in a way that it can easily be parsed with
+# standard tools and simple string manipulations; pattern and example:
+#
+#     YYYY-MM-DD hh:mm:ss.SSS  $level --- $message
+#     2022-03-19 10:01:23.172  NOTICE --- example message
+#
+# This function is an implementation detail and **MUST NOT** be called from
+# outside this script (which is possible if the file is sourced).
+__log() {
+  local color instant level
+
+  color=${1:?missing required <color> argument}
+  shift
+
+  level=${FUNCNAME[1]} # `main` if called from top-level
+  level=${level#log.} # substring after `log.`
+  level=${level^^} # UPPERCASE
+
+  if [[ ! -v "LOG_${level}_DISABLED" ]]; then
+    instant=$(date '+%F %T.%-3N' 2>/dev/null || :)
+
+    # https://no-color.org/
+    if [[ -v NO_COLOR ]]; then
+      printf -- '%s  %s --- %s\n' "$instant" "$level" "$*" 1>&2 || :
+    else
+      printf -- '\033[0;%dm%s  %s --- %s\033[0m\n' "$color" "$instant" "$level" "$*" 1>&2 || :
+    fi
+  fi
+}
+
+# To log with a dynamic level use standard Bash capabilities:
+#
+#     level=notice
+#     command || level=error
+#     "log.$level" message
+#
+# @formatter:off
+log.debug   () { __log 37 "$@"; } # white
+log.notice  () { __log 34 "$@"; } # blue
+log.warning () { __log 33 "$@"; } # yellow
+log.error   () { __log 31 "$@"; } # red
+log.success () { __log 32 "$@"; } # green
+# @formatter:on
diff --git a/legacy/runner/startup.sh b/legacy/runner/startup.sh
new file mode 100755
index 0000000..de60ff5
--- /dev/null
+++ b/legacy/runner/startup.sh
@@ -0,0 +1,180 @@
+#!/bin/bash
+source logger.sh
+
+RUNNER_ASSETS_DIR=${RUNNER_ASSETS_DIR:-/runnertmp}
+RUNNER_HOME=${RUNNER_HOME:-/runner}
+
+# Let GitHub runner execute these hooks. These environment variables are used by GitHub's Runner as described here
+# https://github.com/actions/runner/blob/main/docs/adrs/1751-runner-job-hooks.md
+# Scripts referenced in the ACTIONS_RUNNER_HOOK_ environment variables must end in .sh or .ps1
+# for it to become a valid hook script, otherwise GitHub will fail to run the hook
+export ACTIONS_RUNNER_HOOK_JOB_STARTED=/etc/arc/hooks/job-started.sh
+export ACTIONS_RUNNER_HOOK_JOB_COMPLETED=/etc/arc/hooks/job-completed.sh
+
+if [ -n "${STARTUP_DELAY_IN_SECONDS}" ]; then
+  log.notice "Delaying startup by ${STARTUP_DELAY_IN_SECONDS} seconds"
+  sleep "${STARTUP_DELAY_IN_SECONDS}"
+fi
+
+if [ -z "${GITHUB_URL}" ]; then
+  log.debug 'Working with public GitHub'
+  GITHUB_URL="https://github.com/"
+else
+  length=${#GITHUB_URL}
+  last_char=${GITHUB_URL:length-1:1}
+
+  [[ $last_char != "/" ]] && GITHUB_URL="$GITHUB_URL/"; :
+  log.debug "Github endpoint URL ${GITHUB_URL}"
+fi
+
+if [ -z "${RUNNER_NAME}" ]; then
+  log.error 'RUNNER_NAME must be set'
+  exit 1
+fi
+
+if [ -n "${RUNNER_ORG}" ] && [ -n "${RUNNER_REPO}" ] && [ -n "${RUNNER_ENTERPRISE}" ]; then
+  ATTACH="${RUNNER_ORG}/${RUNNER_REPO}"
+elif [ -n "${RUNNER_ORG}" ]; then
+  ATTACH="${RUNNER_ORG}"
+elif [ -n "${RUNNER_REPO}" ]; then
+  ATTACH="${RUNNER_REPO}"
+elif [ -n "${RUNNER_ENTERPRISE}" ]; then
+  ATTACH="enterprises/${RUNNER_ENTERPRISE}"
+else
+  log.error 'At least one of RUNNER_ORG, RUNNER_REPO, or RUNNER_ENTERPRISE must be set'
+  exit 1
+fi
+
+if [ -z "${RUNNER_TOKEN}" ]; then
+  log.error 'RUNNER_TOKEN must be set'
+  exit 1
+fi
+
+if [ -z "${RUNNER_REPO}" ] && [ -n "${RUNNER_GROUP}" ];then
+  RUNNER_GROUPS=${RUNNER_GROUP}
+fi
+
+# Hack due to https://github.com/actions/actions-runner-controller/issues/252#issuecomment-758338483
+if [ ! -d "${RUNNER_HOME}" ]; then
+  log.error "$RUNNER_HOME should be an emptyDir mount. Please fix the pod spec."
+  exit 1
+fi
+
+# if this is not a testing environment
+if [[ "${UNITTEST:-}" == '' ]]; then
+  sudo chown -R runner:docker "$RUNNER_HOME"
+  # enable dotglob so we can copy a ".env" file to load in env vars as part of the service startup if one is provided
+  # loading a .env from the root of the service is part of the actions/runner logic
+  shopt -s dotglob
+  # use cp instead of mv to avoid issues when src and dst are on different devices
+  cp -r "$RUNNER_ASSETS_DIR"/* "$RUNNER_HOME"/
+  shopt -u dotglob
+fi
+
+if ! cd "${RUNNER_HOME}"; then
+  log.error "Failed to cd into ${RUNNER_HOME}"
+  exit 1
+fi
+
+# past that point, it's all relative pathes from /runner
+
+config_args=()
+if [ "${RUNNER_FEATURE_FLAG_ONCE:-}" != "true" ] && [ "${RUNNER_EPHEMERAL}" == "true" ]; then
+  config_args+=(--ephemeral)
+  log.debug 'Passing --ephemeral to config.sh to enable the ephemeral runner.'
+fi
+if [ "${DISABLE_RUNNER_UPDATE:-}" == "true" ]; then
+  config_args+=(--disableupdate)
+  log.debug 'Passing --disableupdate to config.sh to disable automatic runner updates.'
+fi
+
+update-status "Registering"
+
+retries_left=10
+while [[ ${retries_left} -gt 0 ]]; do
+  log.debug 'Configuring the runner.'
+  ./config.sh --unattended --replace \
+    --name "${RUNNER_NAME}" \
+    --url "${GITHUB_URL}${ATTACH}" \
+    --token "${RUNNER_TOKEN}" \
+    --runnergroup "${RUNNER_GROUPS}" \
+    --labels "${RUNNER_LABELS}" \
+    --work "${RUNNER_WORKDIR}" "${config_args[@]}"
+
+  if [ -f .runner ]; then
+    log.debug 'Runner successfully configured.'
+    break
+  fi
+
+  log.debug 'Configuration failed. Retrying'
+  retries_left=$((retries_left - 1))
+  sleep 1
+done
+
+if [ ! -f .runner ]; then
+  # we couldn't configure and register the runner; no point continuing
+  log.error 'Configuration failed!'
+  exit 2
+fi
+
+cat .runner
+# Note: the `.runner` file's content should be something like the below:
+#
+# $ cat /runner/.runner
+# {
+# "agentId": 117, #=> corresponds to the ID of the runner
+# "agentName": "THE_RUNNER_POD_NAME",
+# "poolId": 1,
+# "poolName": "Default",
+# "serverUrl": "https://pipelines.actions.githubusercontent.com/SOME_RANDOM_ID",
+# "gitHubUrl": "https://github.com/USER/REPO",
+# "workFolder": "/some/work/dir" #=> corresponds to Runner.Spec.WorkDir
+# }
+#
+# Especially `agentId` is important, as other than listing all the runners in the repo,
+# this is the only change we could get the exact runnner ID which can be useful for further
+# GitHub API call like the below. Note that 171 is the agentId seen above.
+#   curl \
+#     -H "Accept: application/vnd.github.v3+json" \
+#     -H "Authorization: bearer ${GITHUB_TOKEN}"
+#     https://api.github.com/repos/USER/REPO/actions/runners/171
+
+# Hack due to the DinD volumes
+if [ -z "${UNITTEST:-}" ] && [ -e ./externalstmp ]; then
+  mkdir -p ./externals
+  mv ./externalstmp/* ./externals/
+fi
+
+WAIT_FOR_DOCKER_SECONDS=${WAIT_FOR_DOCKER_SECONDS:-120}
+if [[ "${DISABLE_WAIT_FOR_DOCKER}" != "true" ]] && [[ "${DOCKER_ENABLED}" == "true" ]]; then
+    log.debug 'Docker enabled runner detected and Docker daemon wait is enabled'
+    log.debug "Waiting until Docker is available or the timeout of ${WAIT_FOR_DOCKER_SECONDS} seconds is reached"
+    if ! timeout "${WAIT_FOR_DOCKER_SECONDS}s" bash -c 'until docker ps ;do sleep 1; done'; then
+      log.notice "Docker has not become available within ${WAIT_FOR_DOCKER_SECONDS} seconds. Exiting with status 1."
+      exit 1
+    fi
+else
+  log.notice 'Docker wait check skipped. Either Docker is disabled or the wait is disabled, continuing with entrypoint'
+fi
+
+# Unset entrypoint environment variables so they don't leak into the runner environment
+unset RUNNER_NAME RUNNER_REPO RUNNER_TOKEN STARTUP_DELAY_IN_SECONDS DISABLE_WAIT_FOR_DOCKER
+
+# Docker ignores PAM and thus never loads the system environment variables that
+# are meant to be set in every environment of every user. We emulate the PAM
+# behavior by reading the environment variables without interpreting them.
+#
+# https://github.com/actions/actions-runner-controller/issues/1135
+# https://github.com/actions/runner/issues/1703
+
+# /etc/environment may not exist when running unit tests depending on the platform being used
+# (e.g. Mac OS) so we just skip the mapping entirely
+if [ -z "${UNITTEST:-}" ]; then
+  mapfile -t env </etc/environment
+fi
+
+log.notice "WARNING LATEST TAG HAS BEEN DEPRECATED. SEE GITHUB ISSUE FOR DETAILS:"
+log.notice "https://github.com/actions/actions-runner-controller/issues/2056"
+
+update-status "Idle"
+exec env -- "${env[@]}" ./run.sh
diff --git a/legacy/runner/update-status b/legacy/runner/update-status
new file mode 100755
index 0000000..81b1932
--- /dev/null
+++ b/legacy/runner/update-status
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+if [[ ${1:-} == '' ]]; then
+  # shellcheck source=runner/logger.sh
+  source logger.sh
+  log.error "Missing required argument -- '<phase>'"
+  exit 64
+fi
+
+if [[ ${RUNNER_STATUS_UPDATE_HOOK:-false} == true ]]; then
+
+    apiserver=https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}
+    serviceaccount=/var/run/secrets/kubernetes.io/serviceaccount
+    namespace=$(cat ${serviceaccount}/namespace)
+    token=$(cat ${serviceaccount}/token)
+    phase=$1
+    message=${2:-}
+
+    data=$(jq -n --arg phase "$phase" \
+      --arg message "$message" \
+      --arg workflow_repository "${GITHUB_REPOSITORY:-}" \
+      --arg workflow_repository_owner "${GITHUB_REPOSITORY_OWNER:-}" \
+      --arg workflow_name "${GITHUB_WORKFLOW:-}" \
+      --arg workflow_run_id "${GITHUB_RUN_ID:-}" \
+      --arg workflow_run_number "${GITHUB_RUN_NUMBER:-}" \
+      --arg workflow_job "${GITHUB_JOB:-}" \
+      --arg workflow_action "${GITHUB_ACTION:-}" \
+      '
+       .status.phase = $phase
+     | .status.message = $message
+     | .status.workflow.name = $workflow_name
+     | .status.workflow.runID = $workflow_run_id
+     | .status.workflow.runNumber = $workflow_run_number
+     | .status.workflow.repository = $workflow_repository
+     | .status.workflow.repositoryOwner = $workflow_repository_owner
+     | .status.workflow.job = $workflow_job
+     | .status.workflow.action = $workflow_action
+      ')
+      
+    echo "$data" | curl \
+        --cacert ${serviceaccount}/ca.crt \
+        --data @- \
+        --noproxy '*' \
+        --header "Content-Type: application/merge-patch+json" \
+        --header "Authorization: Bearer ${token}" \
+        --show-error \
+        --silent \
+        --request PATCH \
+        "${apiserver}/apis/actions.summerwind.dev/v1alpha1/namespaces/${namespace}/runners/${HOSTNAME}/status" \
+        1>/dev/null
+fi
diff --git a/legacy/runner/wait.sh b/legacy/runner/wait.sh
new file mode 100644
index 0000000..d8ce918
--- /dev/null
+++ b/legacy/runner/wait.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+function wait_for_process () {
+    local max_time_wait=30
+    local process_name="$1"
+    local waited_sec=0
+    while ! pgrep "$process_name" >/dev/null && ((waited_sec < max_time_wait)); do
+        log.debug "Process $process_name is not running yet. Retrying in 1 seconds"
+        log.debug "Waited $waited_sec seconds of $max_time_wait seconds"
+        sleep 1
+        ((waited_sec=waited_sec+1))
+        if ((waited_sec >= max_time_wait)); then
+            return 1
+        fi
+    done
+    return 0
+}

From bad3ef4ced34762c4f60a2a6d8047b924f9cee7f Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 13:04:23 -0500
Subject: [PATCH 07/29] chore: adds a pre-commit configuration file

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .pre-commit-config.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 .pre-commit-config.yaml

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..532e7ca
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,17 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: detect-private-key
+      - id: forbid-new-submodules
+  - repo: https://github.com/compilerla/conventional-pre-commit
+    rev: v3.3.0
+    hooks:
+      - id: conventional-pre-commit
+        stages: [ commit-msg ]

From c34c9c278666fc582ea31afc36d1e8296cdc89e9 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 17:42:10 -0500
Subject: [PATCH 08/29] chore: adds pull request formatting workflow

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .../flow-pull-request-formatting.yaml         | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 .github/workflows/flow-pull-request-formatting.yaml

diff --git a/.github/workflows/flow-pull-request-formatting.yaml b/.github/workflows/flow-pull-request-formatting.yaml
new file mode 100644
index 0000000..02e1295
--- /dev/null
+++ b/.github/workflows/flow-pull-request-formatting.yaml
@@ -0,0 +1,46 @@
+##
+# Copyright (C) 2023 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "PR Formatting"
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - edited
+      - synchronize
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+  statuses: write
+
+concurrency:
+  group: pr-formatting-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  title-check:
+    name: Title Check
+    runs-on: [self-hosted, Linux, medium, ephemeral]
+    steps:
+      - name: Check PR Title
+        uses: step-security/conventional-pr-title-action@0eae74515f5a79f8773fa04142dd746df76666ac # v1.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From 749ebf5caf84bc03e5b60c7fde8214e79e7e16fd Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 20:30:49 -0500
Subject: [PATCH 09/29] chore: add basic workflows

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .../workflows/flow-pull-request-checks.yaml   |  49 ++++
 .../flow-pull-request-formatting.yaml         |   5 +
 .../workflows/zxc-build-legacy-images.yaml    | 226 ++++++++++++++++++
 .../zxc-retrieve-upstream-versions.yaml       |  99 ++++++++
 .../zxf-forked-pull-request-closer.yaml       |  55 +++++
 5 files changed, 434 insertions(+)
 create mode 100644 .github/workflows/flow-pull-request-checks.yaml
 create mode 100644 .github/workflows/zxc-build-legacy-images.yaml
 create mode 100644 .github/workflows/zxc-retrieve-upstream-versions.yaml
 create mode 100644 .github/workflows/zxf-forked-pull-request-closer.yaml

diff --git a/.github/workflows/flow-pull-request-checks.yaml b/.github/workflows/flow-pull-request-checks.yaml
new file mode 100644
index 0000000..0dc48ad
--- /dev/null
+++ b/.github/workflows/flow-pull-request-checks.yaml
@@ -0,0 +1,49 @@
+##
+# Copyright (C) 2024 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "PR Checks"
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  versions:
+    name: Retrieve Upstream Versions
+    uses: ./.github/workflows/zxc-retrieve-upstream-versions.yaml
+
+  legacy-images:
+    name: Legacy Images
+    uses: ./.github/workflows/zxc-build-legacy-images.yaml
+    needs:
+      - versions
+    with:
+      base-os-image: ubuntu-22.04
+      runner-version: ${{ needs.versions.outputs.runner }}
+      runner-container-hooks-version: ${{ needs.versions.outputs.hooks }}
+      docker-version: 25.0.5
+      platforms: linux/amd64
+      dry-run-enabled: true
diff --git a/.github/workflows/flow-pull-request-formatting.yaml b/.github/workflows/flow-pull-request-formatting.yaml
index 02e1295..514a8a6 100644
--- a/.github/workflows/flow-pull-request-formatting.yaml
+++ b/.github/workflows/flow-pull-request-formatting.yaml
@@ -40,6 +40,11 @@ jobs:
     name: Title Check
     runs-on: [self-hosted, Linux, medium, ephemeral]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        with:
+          egress-policy: audit
+
       - name: Check PR Title
         uses: step-security/conventional-pr-title-action@0eae74515f5a79f8773fa04142dd746df76666ac # v1.0.0
         env:
diff --git a/.github/workflows/zxc-build-legacy-images.yaml b/.github/workflows/zxc-build-legacy-images.yaml
new file mode 100644
index 0000000..950dbe7
--- /dev/null
+++ b/.github/workflows/zxc-build-legacy-images.yaml
@@ -0,0 +1,226 @@
+##
+# Copyright (C) 2024 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "ZXC: Build Legacy Images"
+# This reusable component is called by the following workflows:
+# - .github/workflows/flow-pull-request-checks.yaml
+# - .github/workflows/flow-build-application.yaml
+
+on:
+  workflow_call:
+    inputs:
+      ## Base Operating System Image
+      ## Options include:
+      ## - ubuntu-20.04
+      ## - ubuntu-22.04
+      base-os-image:
+        description: "Operating System Image:"
+        type: string
+        required: true
+
+      ## Upstream Github Action Runner Version
+      runner-version:
+        description: "Runner Version:"
+        type: string
+        required: true
+
+      ## Upstream Github Action Runner Container Hooks Version
+      runner-container-hooks-version:
+        description: "Container Hooks Version:"
+        type: string
+        required: false
+        default: "0.6.1"
+
+      ## Upstream Docker Version
+      docker-version:
+        description: "Docker Version:"
+        type: string
+        required: false
+        default: "25.0.5"
+
+      ## Linux Architectures for Multi-Arch Builds
+      platforms:
+        description: "Platforms:"
+        type: string
+        required: false
+        default: "linux/amd64,linux/arm64"
+
+      build-default-image:
+        description: "Build Default Image"
+        type: boolean
+        required: false
+        default: true
+
+      build-dind-image:
+        description: "Build DinD Image"
+        type: boolean
+        required: false
+        default: false
+
+      build-dind-rootless-image:
+        description: "Build DinD Rootless Image"
+        type: boolean
+        required: false
+        default: false
+
+      dry-run-enabled:
+        description: "Perform Dry Run"
+        type: boolean
+        required: false
+        default: false
+
+      custom-job-label:
+        description: "Custom Job Label:"
+        type: string
+        required: false
+        default: "Build"
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  OS_IMAGE: ${{ inputs.base-os-image }}
+  RUNNER_VERSION: ${{ inputs.runner-version }}
+  RUNNER_CONTAINER_HOOKS_VERSION: ${{ inputs.runner-container-hooks-version }}
+  DOCKER_VERSION: ${{ inputs.docker-version }}
+  PLATFORMS: ${{ inputs.platforms }}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-legacy-images:
+    name: ${{ inputs.custom-job-label || 'Build' }}
+    runs-on: [self-hosted, Linux, medium, ephemeral]
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout Code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Install KillAll
+        run: sudo apt-get install --yes --no-install-recommends psmisc
+
+      - name: Create Docker Working Directory
+        run: |
+          USER="$(id -un)"
+          GROUP="$(id -gn)"
+          sudo mkdir -p /x
+          sudo chown -vR ${USER}:${GROUP} /x
+          sudo ls -lah /x
+
+      - name: Remove Docker from Self Hosted Runners
+        run: |
+          set -x
+          sudo killall dockerd || true
+          sudo killall containerd || true
+          sudo rm -rvf /usr/bin/*containerd* || true
+          sudo rm -rvf /usr/bin/docker* || true
+          sudo rm -rvf /usr/local/bin/docker* || true
+          sudo rm -rvf /usr/local/bin/*lima* || true
+
+      - name: Setup Containerd Support
+        uses: crazy-max/ghaction-setup-containerd@60acbf31e6572da7b83a4ed6b428ed92a35ff4d7 # v3.0.0
+        with:
+          containerd-version: v1.7.2
+
+      - name: Setup Docker Support
+        uses: crazy-max/ghaction-setup-docker@78318f8be53384b971671f27d81f5e72526c102d # v3.3.0
+        env:
+          HOME: /x
+        with:
+          version: v25.0.5
+          daemon-config: |
+            {
+              "registry-mirrors": [
+                "https://artifacts.swirldslabs.io/central-docker-external/"
+              ]
+            }
+
+      - name: Configure Default Docker Context
+        run: |
+          set -x
+          if grep setup-docker-action < <(docker context ls --format '{{ .Name }}') >/dev/null; then
+            docker context rm -f setup-docker-action
+          fi
+
+          DOCKER_CONTEXT_PATH="$(sudo find /x -name docker.sock | tr -d '[:space:]')"
+          docker context create setup-docker-action --docker "host=unix://${DOCKER_CONTEXT_PATH}"
+          docker context use setup-docker-action
+
+      - name: Setup QEmu Support
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+
+      - name: Setup Docker Buildx Support
+        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+        with:
+          version: v0.16.1
+          driver-opts: network=host
+
+      - name: Show Docker Version
+        run: docker version
+
+      - name: Show Docker Info
+        run: docker info
+
+      - name: Docker Login (Github)
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        if: ${{ inputs.dry-run-enabled != true }}
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Local Container Registry
+        if: ${{ inputs.dry-run-enabled == true }}
+        run: docker run --rm -d -p 5000:5000 --name registry registry:latest
+
+      - name: Calculate Docker Registry
+        id: registry
+        run: |
+          DOCKER_REGISTRY_PREFIX="ghcr.io/${{ github.repository_owner }}"
+          
+          if [[ "${{ inputs.dry-run-enabled }}" == "true" ]]; then
+            DOCKER_REGISTRY_PREFIX="localhost:5000/${{ github.repository_owner }}"
+          fi
+          
+          echo "prefix=${DOCKER_REGISTRY_PREFIX}" >> "${GITHUB_OUTPUTS}"
+
+      - name: Build Default Image
+        env:
+          DOCKER_USER: ${{ steps.registry.outputs.prefix }}
+        working-directory: legacy/runner
+        if: ${{ inputs.build-default-image }}
+        run: make docker-buildx-default
+
+      - name: Build DinD Image
+        env:
+          DOCKER_USER: ${{ steps.registry.outputs.prefix }}
+        working-directory: legacy/runner
+        if: ${{ inputs.build-dind-image }}
+        run: make docker-buildx-dind
+
+      - name: Build DinD Rootless Image
+        env:
+          DOCKER_USER: ${{ steps.registry.outputs.prefix }}
+        working-directory: legacy/runner
+        if: ${{ inputs.build-dind-rootless-image }}
+        run: make docker-buildx-dind-rootless
diff --git a/.github/workflows/zxc-retrieve-upstream-versions.yaml b/.github/workflows/zxc-retrieve-upstream-versions.yaml
new file mode 100644
index 0000000..855a1b6
--- /dev/null
+++ b/.github/workflows/zxc-retrieve-upstream-versions.yaml
@@ -0,0 +1,99 @@
+##
+# Copyright (C) 2024 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "ZXC: Retrieve Upstream Versions"
+# This reusable component is called by the following workflows:
+# - .github/workflows/flow-pull-request-checks.yaml
+# - .github/workflows/flow-build-application.yaml
+
+on:
+  workflow_call:
+    inputs:
+      custom-job-label:
+        description: "Custom Job Label"
+        type: string
+        required: false
+        default: "Standard"
+    outputs:
+      runner:
+        description: "Runner Version"
+        value: ${{ jobs.versions.outputs.runner-version }}
+      hooks:
+        description: "Container Hooks Version"
+        value: ${{ jobs.versions.outputs.hooks-version }}
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  versions:
+    name: ${{ inputs.custom-job-label || 'Standard' }}
+    runs-on: [self-hosted, Linux, medium, ephemeral]
+    outputs:
+      runner-version: ${{ steps.runner.outputs.version }}
+      hooks-version: ${{ steps.hooks.outputs.version }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout Code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Install GH CLI
+        uses: actions4gh/setup-gh@44a12005484c53be5bf51bebe8c985b4be8ba8de # v1.0.2
+
+      - name: Install JQ CLI
+        run: |
+          if ! command -v jq >/dev/null 2>&1; then
+            echo "::group::Updating APT Repository Indices"
+              sudo apt update
+            echo "::endgroup::"
+            echo "::group::Installing JQ CLI"
+              sudo apt install -y jq
+            echo "::endgroup::"
+          fi
+
+      - name: Install SemVer CLI
+        run: |
+          echo "::group::Download SemVer Binary"
+            sudo curl -L -o /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver
+          echo "::endgroup::"
+          echo "::group::Change SemVer Binary Permissions"
+            sudo chmod -v +x /usr/local/bin/semver
+          echo "::endgroup::"
+          echo "::group::Show SemVer Binary Version Info"
+            semver --version
+          echo "::endgroup::"
+
+      - name: Retrieve Runner Version
+        id: runner
+        run: |
+          LATEST_TAG="$(gh release view -R actions/runner --json tagName | jq -r '.tagName')"
+          VERSION="$(semver get release ${LATEST_TAG})"
+          echo "::set-output name=version::${VERSION}"
+
+      - name: Retrieve Runner Container Hooks Version
+        id: hooks
+        run: |
+          LATEST_TAG="$(gh release view -R actions/runner-container-hooks --json tagName | jq -r '.tagName')"
+          VERSION="$(semver get release ${LATEST_TAG})"
+          echo "::set-output name=version::${VERSION}"
diff --git a/.github/workflows/zxf-forked-pull-request-closer.yaml b/.github/workflows/zxf-forked-pull-request-closer.yaml
new file mode 100644
index 0000000..4fead9d
--- /dev/null
+++ b/.github/workflows/zxf-forked-pull-request-closer.yaml
@@ -0,0 +1,55 @@
+##
+# Copyright (C) 2024 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "ZXF: Forked PR Closer"
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - edited
+      - synchronize
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  close-pull-request:
+    name: Close Forked Pull Request
+    runs-on: [self-hosted, Linux, medium, ephemeral]
+    if: ${{ github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout Code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Install GH CLI
+        uses: actions4gh/setup-gh@44a12005484c53be5bf51bebe8c985b4be8ba8de # v1.0.2
+
+      - name: Close Pull Request
+        run: |
+          gh pr close ${{ github.event.pull_request.number }} \
+            --delete-branch \
+            --comment "This pull request was opened from a forked repository and has been closed in accordance with the repository security policies."

From 822f1c3d398487b8b993d7df5e14dc7863570e72 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 20:38:57 -0500
Subject: [PATCH 10/29] chore: rename job

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/flow-pull-request-checks.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/flow-pull-request-checks.yaml b/.github/workflows/flow-pull-request-checks.yaml
index 0dc48ad..b3e4cac 100644
--- a/.github/workflows/flow-pull-request-checks.yaml
+++ b/.github/workflows/flow-pull-request-checks.yaml
@@ -32,7 +32,7 @@ concurrency:
 
 jobs:
   versions:
-    name: Retrieve Upstream Versions
+    name: Upstream Versions
     uses: ./.github/workflows/zxc-retrieve-upstream-versions.yaml
 
   legacy-images:

From 7efb7a59cbf136687399ac170ebef05c6fd4ecbe Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 20:41:27 -0500
Subject: [PATCH 11/29] chore: update default name

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/zxc-retrieve-upstream-versions.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/zxc-retrieve-upstream-versions.yaml b/.github/workflows/zxc-retrieve-upstream-versions.yaml
index 855a1b6..d619bde 100644
--- a/.github/workflows/zxc-retrieve-upstream-versions.yaml
+++ b/.github/workflows/zxc-retrieve-upstream-versions.yaml
@@ -26,7 +26,7 @@ on:
         description: "Custom Job Label"
         type: string
         required: false
-        default: "Standard"
+        default: "Check"
     outputs:
       runner:
         description: "Runner Version"
@@ -44,7 +44,7 @@ permissions:
 
 jobs:
   versions:
-    name: ${{ inputs.custom-job-label || 'Standard' }}
+    name: ${{ inputs.custom-job-label || 'Check' }}
     runs-on: [self-hosted, Linux, medium, ephemeral]
     outputs:
       runner-version: ${{ steps.runner.outputs.version }}

From fd4bd6113d26d89c61e6d1ecd39262bda1dc2329 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 20:51:54 -0500
Subject: [PATCH 12/29] chore: adds id token support

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/zxc-build-legacy-images.yaml        | 1 +
 .github/workflows/zxc-retrieve-upstream-versions.yaml | 1 +
 .github/workflows/zxf-forked-pull-request-closer.yaml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/.github/workflows/zxc-build-legacy-images.yaml b/.github/workflows/zxc-build-legacy-images.yaml
index 950dbe7..77a3d23 100644
--- a/.github/workflows/zxc-build-legacy-images.yaml
+++ b/.github/workflows/zxc-build-legacy-images.yaml
@@ -100,6 +100,7 @@ env:
   PLATFORMS: ${{ inputs.platforms }}
 
 permissions:
+  id-token: write
   contents: read
   packages: write
 
diff --git a/.github/workflows/zxc-retrieve-upstream-versions.yaml b/.github/workflows/zxc-retrieve-upstream-versions.yaml
index d619bde..43096e8 100644
--- a/.github/workflows/zxc-retrieve-upstream-versions.yaml
+++ b/.github/workflows/zxc-retrieve-upstream-versions.yaml
@@ -40,6 +40,7 @@ defaults:
     shell: bash
 
 permissions:
+  id-token: write
   contents: read
 
 jobs:
diff --git a/.github/workflows/zxf-forked-pull-request-closer.yaml b/.github/workflows/zxf-forked-pull-request-closer.yaml
index 4fead9d..32db28f 100644
--- a/.github/workflows/zxf-forked-pull-request-closer.yaml
+++ b/.github/workflows/zxf-forked-pull-request-closer.yaml
@@ -28,6 +28,7 @@ defaults:
     shell: bash
 
 permissions:
+  id-token: write
   pull-requests: write
   contents: read
 

From 2ef4961b98e49d9583b034515ebeb2d8e04e6d2d Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 20:56:38 -0500
Subject: [PATCH 13/29] chore: update permissions for GH CLI

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/flow-pull-request-checks.yaml       | 1 +
 .github/workflows/zxc-retrieve-upstream-versions.yaml | 2 +-
 .github/workflows/zxf-forked-pull-request-closer.yaml | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/flow-pull-request-checks.yaml b/.github/workflows/flow-pull-request-checks.yaml
index b3e4cac..10ce5a8 100644
--- a/.github/workflows/flow-pull-request-checks.yaml
+++ b/.github/workflows/flow-pull-request-checks.yaml
@@ -34,6 +34,7 @@ jobs:
   versions:
     name: Upstream Versions
     uses: ./.github/workflows/zxc-retrieve-upstream-versions.yaml
+    if: ${{ !github.event.pull_request.head.repo.fork }}
 
   legacy-images:
     name: Legacy Images
diff --git a/.github/workflows/zxc-retrieve-upstream-versions.yaml b/.github/workflows/zxc-retrieve-upstream-versions.yaml
index 43096e8..4d41881 100644
--- a/.github/workflows/zxc-retrieve-upstream-versions.yaml
+++ b/.github/workflows/zxc-retrieve-upstream-versions.yaml
@@ -41,7 +41,7 @@ defaults:
 
 permissions:
   id-token: write
-  contents: read
+  contents: write
 
 jobs:
   versions:
diff --git a/.github/workflows/zxf-forked-pull-request-closer.yaml b/.github/workflows/zxf-forked-pull-request-closer.yaml
index 32db28f..3f4e007 100644
--- a/.github/workflows/zxf-forked-pull-request-closer.yaml
+++ b/.github/workflows/zxf-forked-pull-request-closer.yaml
@@ -30,7 +30,7 @@ defaults:
 permissions:
   id-token: write
   pull-requests: write
-  contents: read
+  contents: write
 
 jobs:
   close-pull-request:

From 95dacd3236b9b4b3e60a8ef930e5c036d7092d6e Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 21:00:43 -0500
Subject: [PATCH 14/29] chore: update step to install gh cli

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/zxc-retrieve-upstream-versions.yaml | 7 ++++---
 .github/workflows/zxf-forked-pull-request-closer.yaml | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/zxc-retrieve-upstream-versions.yaml b/.github/workflows/zxc-retrieve-upstream-versions.yaml
index 4d41881..42775ee 100644
--- a/.github/workflows/zxc-retrieve-upstream-versions.yaml
+++ b/.github/workflows/zxc-retrieve-upstream-versions.yaml
@@ -40,8 +40,7 @@ defaults:
     shell: bash
 
 permissions:
-  id-token: write
-  contents: write
+  contents: read
 
 jobs:
   versions:
@@ -60,7 +59,9 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Install GH CLI
-        uses: actions4gh/setup-gh@44a12005484c53be5bf51bebe8c985b4be8ba8de # v1.0.2
+        uses: sersoft-gmbh/setup-gh-cli-action@2d02c06e284b7d55e954d6d6406e7a886f45a818 # v2.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install JQ CLI
         run: |
diff --git a/.github/workflows/zxf-forked-pull-request-closer.yaml b/.github/workflows/zxf-forked-pull-request-closer.yaml
index 3f4e007..1bdb849 100644
--- a/.github/workflows/zxf-forked-pull-request-closer.yaml
+++ b/.github/workflows/zxf-forked-pull-request-closer.yaml
@@ -28,9 +28,8 @@ defaults:
     shell: bash
 
 permissions:
-  id-token: write
   pull-requests: write
-  contents: write
+  contents: read
 
 jobs:
   close-pull-request:
@@ -47,7 +46,9 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Install GH CLI
-        uses: actions4gh/setup-gh@44a12005484c53be5bf51bebe8c985b4be8ba8de # v1.0.2
+        uses: sersoft-gmbh/setup-gh-cli-action@2d02c06e284b7d55e954d6d6406e7a886f45a818 # v2.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Close Pull Request
         run: |

From fb47a4245a4409360d745139509986143709f430 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 21:02:58 -0500
Subject: [PATCH 15/29] chore: authorize gh cli

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/zxc-retrieve-upstream-versions.yaml | 3 +++
 .github/workflows/zxf-forked-pull-request-closer.yaml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/zxc-retrieve-upstream-versions.yaml b/.github/workflows/zxc-retrieve-upstream-versions.yaml
index 42775ee..19077e0 100644
--- a/.github/workflows/zxc-retrieve-upstream-versions.yaml
+++ b/.github/workflows/zxc-retrieve-upstream-versions.yaml
@@ -63,6 +63,9 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Authorize GH CLI
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token
+
       - name: Install JQ CLI
         run: |
           if ! command -v jq >/dev/null 2>&1; then
diff --git a/.github/workflows/zxf-forked-pull-request-closer.yaml b/.github/workflows/zxf-forked-pull-request-closer.yaml
index 1bdb849..d1da2bf 100644
--- a/.github/workflows/zxf-forked-pull-request-closer.yaml
+++ b/.github/workflows/zxf-forked-pull-request-closer.yaml
@@ -50,6 +50,9 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Authorize GH CLI
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token
+
       - name: Close Pull Request
         run: |
           gh pr close ${{ github.event.pull_request.number }} \

From c735102935287e12bb3c4fa6862c50cc39442641 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 21:06:02 -0500
Subject: [PATCH 16/29] chore: fix kill all install

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/zxc-build-legacy-images.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/zxc-build-legacy-images.yaml b/.github/workflows/zxc-build-legacy-images.yaml
index 77a3d23..61caaf6 100644
--- a/.github/workflows/zxc-build-legacy-images.yaml
+++ b/.github/workflows/zxc-build-legacy-images.yaml
@@ -118,7 +118,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Install KillAll
-        run: sudo apt-get install --yes --no-install-recommends psmisc
+        run: sudo apt-get update && sudo apt-get install --yes --no-install-recommends psmisc
 
       - name: Create Docker Working Directory
         run: |

From b82f1c8a212ea04a59ea00d0edf1ff61d560c11c Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 21:07:55 -0500
Subject: [PATCH 17/29] chore: fix outputs

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/zxc-build-legacy-images.yaml        | 2 +-
 .github/workflows/zxc-retrieve-upstream-versions.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/zxc-build-legacy-images.yaml b/.github/workflows/zxc-build-legacy-images.yaml
index 61caaf6..56fcf12 100644
--- a/.github/workflows/zxc-build-legacy-images.yaml
+++ b/.github/workflows/zxc-build-legacy-images.yaml
@@ -203,7 +203,7 @@ jobs:
             DOCKER_REGISTRY_PREFIX="localhost:5000/${{ github.repository_owner }}"
           fi
           
-          echo "prefix=${DOCKER_REGISTRY_PREFIX}" >> "${GITHUB_OUTPUTS}"
+          echo "prefix=${DOCKER_REGISTRY_PREFIX}" >>"${GITHUB_OUTPUT}"
 
       - name: Build Default Image
         env:
diff --git a/.github/workflows/zxc-retrieve-upstream-versions.yaml b/.github/workflows/zxc-retrieve-upstream-versions.yaml
index 19077e0..d841439 100644
--- a/.github/workflows/zxc-retrieve-upstream-versions.yaml
+++ b/.github/workflows/zxc-retrieve-upstream-versions.yaml
@@ -94,11 +94,11 @@ jobs:
         run: |
           LATEST_TAG="$(gh release view -R actions/runner --json tagName | jq -r '.tagName')"
           VERSION="$(semver get release ${LATEST_TAG})"
-          echo "::set-output name=version::${VERSION}"
+          echo "version=${VERSION}" >>"${GITHUB_OUTPUT}"
 
       - name: Retrieve Runner Container Hooks Version
         id: hooks
         run: |
           LATEST_TAG="$(gh release view -R actions/runner-container-hooks --json tagName | jq -r '.tagName')"
           VERSION="$(semver get release ${LATEST_TAG})"
-          echo "::set-output name=version::${VERSION}"
+          echo "version=${VERSION}" >>"${GITHUB_OUTPUT}"

From d20bb7f76bba54f6b265152c347f469f3fd661d3 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 21:11:40 -0500
Subject: [PATCH 18/29] chore: fix for missing make command

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .../workflows/zxc-build-legacy-images.yaml    | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/zxc-build-legacy-images.yaml b/.github/workflows/zxc-build-legacy-images.yaml
index 56fcf12..81de451 100644
--- a/.github/workflows/zxc-build-legacy-images.yaml
+++ b/.github/workflows/zxc-build-legacy-images.yaml
@@ -118,7 +118,26 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Install KillAll
-        run: sudo apt-get update && sudo apt-get install --yes --no-install-recommends psmisc
+        run: |
+          if ! command -v killall >/dev/null 2>&1; then
+            echo "::group::Updating APT Repository Indices"
+              sudo apt update
+            echo "::endgroup::"
+            echo "::group::Installing KillAll"
+              sudo apt install -y psmisc
+            echo "::endgroup::"
+          fi
+
+      - name: Install Make
+        run: |
+          if ! command -v make >/dev/null 2>&1; then
+            echo "::group::Updating APT Repository Indices"
+              sudo apt update
+            echo "::endgroup::"
+            echo "::group::Installing Make"
+              sudo apt install -y make
+            echo "::endgroup::"
+          fi
 
       - name: Create Docker Working Directory
         run: |

From 0cada267f0d48442f9ea1cd1bd9efeeb29dc6f33 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 21:18:23 -0500
Subject: [PATCH 19/29] chore: run registry with host networking

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/zxc-build-legacy-images.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/zxc-build-legacy-images.yaml b/.github/workflows/zxc-build-legacy-images.yaml
index 81de451..77121d1 100644
--- a/.github/workflows/zxc-build-legacy-images.yaml
+++ b/.github/workflows/zxc-build-legacy-images.yaml
@@ -211,7 +211,7 @@ jobs:
 
       - name: Setup Local Container Registry
         if: ${{ inputs.dry-run-enabled == true }}
-        run: docker run --rm -d -p 5000:5000 --name registry registry:latest
+        run: docker run --rm -d --network host --name registry registry:latest
 
       - name: Calculate Docker Registry
         id: registry

From 035203562ee53c36da8085a498cc939906d16adb Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 21:25:05 -0500
Subject: [PATCH 20/29] chore: add registry debugging

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/zxc-build-legacy-images.yaml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/zxc-build-legacy-images.yaml b/.github/workflows/zxc-build-legacy-images.yaml
index 77121d1..dc06f0d 100644
--- a/.github/workflows/zxc-build-legacy-images.yaml
+++ b/.github/workflows/zxc-build-legacy-images.yaml
@@ -211,7 +211,15 @@ jobs:
 
       - name: Setup Local Container Registry
         if: ${{ inputs.dry-run-enabled == true }}
-        run: docker run --rm -d --network host --name registry registry:latest
+        run: docker run -d --network host --name registry registry:latest
+
+      - name: Show Docker Containers
+        if: ${{ inputs.dry-run-enabled == true }}
+        run: docker ps -a
+
+      - name: Show Local Container Registry Logs
+        if: ${{ inputs.dry-run-enabled == true }}
+        run: docker logs registry
 
       - name: Calculate Docker Registry
         id: registry

From a5e40d8e0705d820adef602de0fa1eafe83cfd9a Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 21:34:48 -0500
Subject: [PATCH 21/29] chore: add additional failure debug check

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/zxc-build-legacy-images.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/zxc-build-legacy-images.yaml b/.github/workflows/zxc-build-legacy-images.yaml
index dc06f0d..b5a2fdc 100644
--- a/.github/workflows/zxc-build-legacy-images.yaml
+++ b/.github/workflows/zxc-build-legacy-images.yaml
@@ -252,3 +252,12 @@ jobs:
         working-directory: legacy/runner
         if: ${{ inputs.build-dind-rootless-image }}
         run: make docker-buildx-dind-rootless
+
+      - name: Show Docker Containers
+        if: ${{ failure() && inputs.dry-run-enabled == true }}
+        run: docker ps -a
+
+      - name: Show Local Container Registry Logs
+        if: ${{ failure() && inputs.dry-run-enabled == true }}
+        run: docker logs registry
+        

From a03eb1d5310a9d71bfc7e0c71adc82b1c125389b Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 21:48:34 -0500
Subject: [PATCH 22/29] chore: change local registry prefix

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/zxc-build-legacy-images.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/zxc-build-legacy-images.yaml b/.github/workflows/zxc-build-legacy-images.yaml
index b5a2fdc..fef813b 100644
--- a/.github/workflows/zxc-build-legacy-images.yaml
+++ b/.github/workflows/zxc-build-legacy-images.yaml
@@ -211,7 +211,7 @@ jobs:
 
       - name: Setup Local Container Registry
         if: ${{ inputs.dry-run-enabled == true }}
-        run: docker run -d --network host --name registry registry:latest
+        run: docker run -d -p 5000:5000 --restart=always --name registry registry:latest
 
       - name: Show Docker Containers
         if: ${{ inputs.dry-run-enabled == true }}
@@ -224,10 +224,10 @@ jobs:
       - name: Calculate Docker Registry
         id: registry
         run: |
-          DOCKER_REGISTRY_PREFIX="ghcr.io/${{ github.repository_owner }}"
+          DOCKER_REGISTRY_PREFIX="ghcr.io/${{ github.repository }}"
           
           if [[ "${{ inputs.dry-run-enabled }}" == "true" ]]; then
-            DOCKER_REGISTRY_PREFIX="localhost:5000/${{ github.repository_owner }}"
+            DOCKER_REGISTRY_PREFIX="localhost:5000"
           fi
           
           echo "prefix=${DOCKER_REGISTRY_PREFIX}" >>"${GITHUB_OUTPUT}"
@@ -260,4 +260,3 @@ jobs:
       - name: Show Local Container Registry Logs
         if: ${{ failure() && inputs.dry-run-enabled == true }}
         run: docker logs registry
-        

From 8e63688da7b78828d2846e18d48a7590970dfc9f Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 21:53:25 -0500
Subject: [PATCH 23/29] chore: try alternate network configuration

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/zxc-build-legacy-images.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/zxc-build-legacy-images.yaml b/.github/workflows/zxc-build-legacy-images.yaml
index fef813b..a4067fb 100644
--- a/.github/workflows/zxc-build-legacy-images.yaml
+++ b/.github/workflows/zxc-build-legacy-images.yaml
@@ -211,7 +211,7 @@ jobs:
 
       - name: Setup Local Container Registry
         if: ${{ inputs.dry-run-enabled == true }}
-        run: docker run -d -p 5000:5000 --restart=always --name registry registry:latest
+        run: docker run -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 -d --network=host --restart=always --name registry registry:latest
 
       - name: Show Docker Containers
         if: ${{ inputs.dry-run-enabled == true }}

From d45f24818d80972e46fb997b02e9bf6f9ff30e8b Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 22:00:10 -0500
Subject: [PATCH 24/29] chore: use default docker setup

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .../workflows/zxc-build-legacy-images.yaml    | 83 ++-----------------
 1 file changed, 5 insertions(+), 78 deletions(-)

diff --git a/.github/workflows/zxc-build-legacy-images.yaml b/.github/workflows/zxc-build-legacy-images.yaml
index a4067fb..0212b6a 100644
--- a/.github/workflows/zxc-build-legacy-images.yaml
+++ b/.github/workflows/zxc-build-legacy-images.yaml
@@ -108,6 +108,11 @@ jobs:
   build-legacy-images:
     name: ${{ inputs.custom-job-label || 'Build' }}
     runs-on: [self-hosted, Linux, medium, ephemeral]
+    services: 
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
@@ -117,17 +122,6 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-      - name: Install KillAll
-        run: |
-          if ! command -v killall >/dev/null 2>&1; then
-            echo "::group::Updating APT Repository Indices"
-              sudo apt update
-            echo "::endgroup::"
-            echo "::group::Installing KillAll"
-              sudo apt install -y psmisc
-            echo "::endgroup::"
-          fi
-
       - name: Install Make
         run: |
           if ! command -v make >/dev/null 2>&1; then
@@ -139,53 +133,6 @@ jobs:
             echo "::endgroup::"
           fi
 
-      - name: Create Docker Working Directory
-        run: |
-          USER="$(id -un)"
-          GROUP="$(id -gn)"
-          sudo mkdir -p /x
-          sudo chown -vR ${USER}:${GROUP} /x
-          sudo ls -lah /x
-
-      - name: Remove Docker from Self Hosted Runners
-        run: |
-          set -x
-          sudo killall dockerd || true
-          sudo killall containerd || true
-          sudo rm -rvf /usr/bin/*containerd* || true
-          sudo rm -rvf /usr/bin/docker* || true
-          sudo rm -rvf /usr/local/bin/docker* || true
-          sudo rm -rvf /usr/local/bin/*lima* || true
-
-      - name: Setup Containerd Support
-        uses: crazy-max/ghaction-setup-containerd@60acbf31e6572da7b83a4ed6b428ed92a35ff4d7 # v3.0.0
-        with:
-          containerd-version: v1.7.2
-
-      - name: Setup Docker Support
-        uses: crazy-max/ghaction-setup-docker@78318f8be53384b971671f27d81f5e72526c102d # v3.3.0
-        env:
-          HOME: /x
-        with:
-          version: v25.0.5
-          daemon-config: |
-            {
-              "registry-mirrors": [
-                "https://artifacts.swirldslabs.io/central-docker-external/"
-              ]
-            }
-
-      - name: Configure Default Docker Context
-        run: |
-          set -x
-          if grep setup-docker-action < <(docker context ls --format '{{ .Name }}') >/dev/null; then
-            docker context rm -f setup-docker-action
-          fi
-
-          DOCKER_CONTEXT_PATH="$(sudo find /x -name docker.sock | tr -d '[:space:]')"
-          docker context create setup-docker-action --docker "host=unix://${DOCKER_CONTEXT_PATH}"
-          docker context use setup-docker-action
-
       - name: Setup QEmu Support
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 
@@ -209,18 +156,6 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Setup Local Container Registry
-        if: ${{ inputs.dry-run-enabled == true }}
-        run: docker run -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 -d --network=host --restart=always --name registry registry:latest
-
-      - name: Show Docker Containers
-        if: ${{ inputs.dry-run-enabled == true }}
-        run: docker ps -a
-
-      - name: Show Local Container Registry Logs
-        if: ${{ inputs.dry-run-enabled == true }}
-        run: docker logs registry
-
       - name: Calculate Docker Registry
         id: registry
         run: |
@@ -252,11 +187,3 @@ jobs:
         working-directory: legacy/runner
         if: ${{ inputs.build-dind-rootless-image }}
         run: make docker-buildx-dind-rootless
-
-      - name: Show Docker Containers
-        if: ${{ failure() && inputs.dry-run-enabled == true }}
-        run: docker ps -a
-
-      - name: Show Local Container Registry Logs
-        if: ${{ failure() && inputs.dry-run-enabled == true }}
-        run: docker logs registry

From 6b2a2a5df489c929aceb9fdc28f5bdbf40e29b63 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 22:09:37 -0500
Subject: [PATCH 25/29] chore: support image load

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/zxc-build-legacy-images.yaml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/zxc-build-legacy-images.yaml b/.github/workflows/zxc-build-legacy-images.yaml
index 0212b6a..e14cf5d 100644
--- a/.github/workflows/zxc-build-legacy-images.yaml
+++ b/.github/workflows/zxc-build-legacy-images.yaml
@@ -108,11 +108,6 @@ jobs:
   build-legacy-images:
     name: ${{ inputs.custom-job-label || 'Build' }}
     runs-on: [self-hosted, Linux, medium, ephemeral]
-    services: 
-      registry:
-        image: registry:2
-        ports:
-          - 5000:5000
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
@@ -160,16 +155,20 @@ jobs:
         id: registry
         run: |
           DOCKER_REGISTRY_PREFIX="ghcr.io/${{ github.repository }}"
+          IMG_RESULT="push"
           
           if [[ "${{ inputs.dry-run-enabled }}" == "true" ]]; then
-            DOCKER_REGISTRY_PREFIX="localhost:5000"
+            DOCKER_REGISTRY_PREFIX="local"
+            IMG_RESULT="load"
           fi
           
           echo "prefix=${DOCKER_REGISTRY_PREFIX}" >>"${GITHUB_OUTPUT}"
+          echo "operation=${IMG_RESULT}" >>"${GITHUB_OUTPUT}"
 
       - name: Build Default Image
         env:
           DOCKER_USER: ${{ steps.registry.outputs.prefix }}
+          IMG_RESULT: ${{ steps.registry.outputs.operation }}
         working-directory: legacy/runner
         if: ${{ inputs.build-default-image }}
         run: make docker-buildx-default
@@ -177,6 +176,7 @@ jobs:
       - name: Build DinD Image
         env:
           DOCKER_USER: ${{ steps.registry.outputs.prefix }}
+          IMG_RESULT: ${{ steps.registry.outputs.operation }}
         working-directory: legacy/runner
         if: ${{ inputs.build-dind-image }}
         run: make docker-buildx-dind
@@ -184,6 +184,7 @@ jobs:
       - name: Build DinD Rootless Image
         env:
           DOCKER_USER: ${{ steps.registry.outputs.prefix }}
+          IMG_RESULT: ${{ steps.registry.outputs.operation }}
         working-directory: legacy/runner
         if: ${{ inputs.build-dind-rootless-image }}
         run: make docker-buildx-dind-rootless

From 523dcbd55b828e7930d2378fe733261a314a6526 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Tue, 30 Jul 2024 22:15:32 -0500
Subject: [PATCH 26/29] chore: ensure pull requests build all three image
 flavors

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/flow-pull-request-checks.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/flow-pull-request-checks.yaml b/.github/workflows/flow-pull-request-checks.yaml
index 10ce5a8..e62a981 100644
--- a/.github/workflows/flow-pull-request-checks.yaml
+++ b/.github/workflows/flow-pull-request-checks.yaml
@@ -42,6 +42,9 @@ jobs:
     needs:
       - versions
     with:
+      build-default-image: true
+      build-dind-image: true
+      build-dind-rootless-image: true
       base-os-image: ubuntu-22.04
       runner-version: ${{ needs.versions.outputs.runner }}
       runner-container-hooks-version: ${{ needs.versions.outputs.hooks }}

From 93c96edf353238d6cdb8ddbab782a61461fe0c50 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Wed, 31 Jul 2024 10:10:33 -0500
Subject: [PATCH 27/29] chore: turn off rootless image builds

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/flow-pull-request-checks.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/flow-pull-request-checks.yaml b/.github/workflows/flow-pull-request-checks.yaml
index e62a981..1002d78 100644
--- a/.github/workflows/flow-pull-request-checks.yaml
+++ b/.github/workflows/flow-pull-request-checks.yaml
@@ -44,7 +44,7 @@ jobs:
     with:
       build-default-image: true
       build-dind-image: true
-      build-dind-rootless-image: true
+      build-dind-rootless-image: false
       base-os-image: ubuntu-22.04
       runner-version: ${{ needs.versions.outputs.runner }}
       runner-container-hooks-version: ${{ needs.versions.outputs.hooks }}

From 5f43622ea1d2b6662c75ddf9a53e81b505a80244 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Wed, 31 Jul 2024 10:12:07 -0500
Subject: [PATCH 28/29] chore: revert to docker 24.0.9

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/flow-pull-request-checks.yaml | 4 ++--
 .github/workflows/zxc-build-legacy-images.yaml  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/flow-pull-request-checks.yaml b/.github/workflows/flow-pull-request-checks.yaml
index 1002d78..cb2cace 100644
--- a/.github/workflows/flow-pull-request-checks.yaml
+++ b/.github/workflows/flow-pull-request-checks.yaml
@@ -44,10 +44,10 @@ jobs:
     with:
       build-default-image: true
       build-dind-image: true
-      build-dind-rootless-image: false
+      build-dind-rootless-image: true
       base-os-image: ubuntu-22.04
       runner-version: ${{ needs.versions.outputs.runner }}
       runner-container-hooks-version: ${{ needs.versions.outputs.hooks }}
-      docker-version: 25.0.5
+      docker-version: 24.0.9
       platforms: linux/amd64
       dry-run-enabled: true
diff --git a/.github/workflows/zxc-build-legacy-images.yaml b/.github/workflows/zxc-build-legacy-images.yaml
index e14cf5d..7f77504 100644
--- a/.github/workflows/zxc-build-legacy-images.yaml
+++ b/.github/workflows/zxc-build-legacy-images.yaml
@@ -49,7 +49,7 @@ on:
         description: "Docker Version:"
         type: string
         required: false
-        default: "25.0.5"
+        default: "24.0.9"
 
       ## Linux Architectures for Multi-Arch Builds
       platforms:

From 9767d34ccfb9bd40255541671f3e239a4329d829 Mon Sep 17 00:00:00 2001
From: Nathan Klick <nathan@swirldslabs.com>
Date: Wed, 31 Jul 2024 10:23:57 -0500
Subject: [PATCH 29/29] chore: turn off rootless image building

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
---
 .github/workflows/flow-pull-request-checks.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/flow-pull-request-checks.yaml b/.github/workflows/flow-pull-request-checks.yaml
index cb2cace..b6be462 100644
--- a/.github/workflows/flow-pull-request-checks.yaml
+++ b/.github/workflows/flow-pull-request-checks.yaml
@@ -44,7 +44,7 @@ jobs:
     with:
       build-default-image: true
       build-dind-image: true
-      build-dind-rootless-image: true
+      build-dind-rootless-image: false
       base-os-image: ubuntu-22.04
       runner-version: ${{ needs.versions.outputs.runner }}
       runner-container-hooks-version: ${{ needs.versions.outputs.hooks }}