What would you like added?
When using ARC at the org level, there's no way to attribute runner pod costs to the specific repository or workflow that triggered the job. The EphemeralRunner status already receives job info (repository name, display name, workflow run ID) from the listener when a job is assigned, but this information is never propagated to the pod.
Proposal: Patch pod labels/annotations with job metadata when the controller reconciles an EphemeralRunner that has been assigned a job:
- actions.github.com/job-repository (label, sanitized)
- actions.github.com/job-display-name (label, sanitized)
- actions.github.com/job-repository-name (annotation, full value)
- actions.github.com/workflow-run-id (annotation)
Changes required:
- EphemeralRunner controller patches pod labels/annotations when job info is present on the status
- Scale set manager role needs patch verb on pods
- Label values are sanitized to meet K8s validation (63 chars, alphanumeric start/end)
Why is this needed?
This enables cost attribution via pod labels without requiring changes to individual workflows. It also allows us to only modify permissions on the listener pods, ensuring the actual runner pods don't have permissions to mutate pod configuration.
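A sketch of the label sanitization the proposal calls for, added here as an example; it is not part of the original issue or ARC's code. `sanitizeLabelValue` is a hypothetical helper name, and replacing invalid characters with `-` is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Kubernetes label value rule: empty, or at most 63 characters, starting and
// ending with an alphanumeric, with '-', '_' or '.' allowed in between.
var validLabelValue = regexp.MustCompile(`^([A-Za-z0-9]([A-Za-z0-9_.-]{0,61}[A-Za-z0-9])?)?$`)

const maxLabelValueLen = 63

func isAlnum(r rune) bool {
	return (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
}

// sanitizeLabelValue (hypothetical helper) maps arbitrary job metadata such as
// "org/repo" or a job display name to a value the API server accepts as a label.
func sanitizeLabelValue(s string) string {
	var b strings.Builder
	for _, r := range s {
		if isAlnum(r) || r == '-' || r == '_' || r == '.' {
			b.WriteRune(r)
		} else {
			b.WriteByte('-') // assumption: '/' , spaces, non-ASCII etc. become '-'
		}
	}
	out := b.String() // ASCII only at this point, so byte slicing is safe
	if len(out) > maxLabelValueLen {
		out = out[:maxLabelValueLen]
	}
	// Truncation or replacement may leave '-', '_' or '.' at either end.
	return strings.TrimFunc(out, func(r rune) bool { return !isAlnum(r) })
}

func main() {
	// Constructed sample inputs, not taken from a real cluster.
	for _, in := range []string{"my-org/my-repo", "Build (ubuntu-latest, 1.22)", "///"} {
		out := sanitizeLabelValue(in)
		fmt.Printf("%q -> %q valid=%v\n", in, out, validLabelValue.MatchString(out))
	}
}
```

The mapping is lossy: `org/repo` and `org-repo` produce the same label value, so anything that needs the exact repository should read the full-value annotation instead.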