feat: Add optional runner.post_task_script hook after task cleanup (#1026)

- Adds `runner.post_task_script` and `runner.post_task_script_timeout` (default `5m`) to run a host executable after each task’s built-in cleanup (post-steps, container teardown, bind-workdir removal). - Stops task heartbeats via `Reporter.StopHeartbeats()` while the script runs so Gitea won’t assign overlapping work; the final task acknowledgement still happens in `reporter.Close()`. - Script output goes to the runner process log; non-zero exits are warned only and do not change the job result. - Documents lifecycle, offline behavior, timeouts, and Windows limits (`.ps1` not supported yet) in `docs/post-task-script.md`. Reviewed-on: https://gitea.com/gitea/runner/pulls/1026 Reviewed-by: Zettat123 <39446+zettat123@noreply.gitea.com>
2026-06-21 17:24:23 +02:00 · 2026-06-19 19:28:10 +00:00
parent df0370f8bf
commit 007717956a
28 changed files with 922 additions and 263 deletions
--- a/act/container/host_environment.go
+++ b/act/container/host_environment.go
@@ -23,6 +23,7 @@ import (
 	"gitea.com/gitea/runner/act/common"
 	"gitea.com/gitea/runner/act/filecollector"
 	"gitea.com/gitea/runner/act/lookpath"
+	"gitea.com/gitea/runner/internal/pkg/process"

 	"github.com/go-git/go-billy/v5/helper/polyfill"
 	"github.com/go-git/go-billy/v5/osfs"
@@ -261,7 +262,7 @@ func setupPty(cmd *exec.Cmd, cmdline string) (*os.File, *os.File, error) {
 	cmd.Stdin = tty
 	cmd.Stdout = tty
 	cmd.Stderr = tty
-	cmd.SysProcAttr = getSysProcAttr(cmdline, true)
+	cmd.SysProcAttr = process.SysProcAttr(cmdline, true)
 	return ppty, tty, nil
 }

@@ -321,30 +322,14 @@ func (e *HostEnvironment) exec(ctx context.Context, command []string, cmdline st
 	cmd.Env = envList
 	cmd.Stderr = e.StdOut
 	cmd.Dir = wd
-	cmd.SysProcAttr = getSysProcAttr(cmdline, false)
+	cmd.SysProcAttr = process.SysProcAttr(cmdline, false)

-	// A step often launches a process tree (a shell that starts a child which
-	// spawns further background or GUI processes). The default context
-	// cancellation only kills the direct child, leaving the rest of the tree
-	// running; and because the orphans inherit cmd's stdout/stderr pipe,
-	// cmd.Wait() would block forever, hanging the runner. Kill the whole tree on
-	// cancellation — via a Job Object on Windows and the process group on Unix
-	// (see processKiller) — and bound the wait so a leftover pipe writer can
-	// never hang Wait indefinitely.
-	var killer atomic.Pointer[processKiller]
-	cmd.Cancel = func() error {
-		if k := killer.Load(); k != nil {
-			return k.Kill()
-		}
-		if cmd.Process != nil {
-			return cmd.Process.Kill()
-		}
-		return nil
-	}
-	// Once the step process has exited, give its I/O pipes at most this long to
-	// drain before Wait force-closes them and returns (Go's WaitDelay). This
-	// also covers a step that backgrounds a process holding the pipe open.
-	cmd.WaitDelay = 10 * time.Second
+	// Kill the step's whole process tree on cancellation (a step often launches a
+	// shell that spawns further background or GUI children) and bound the post-exit
+	// I/O wait, so an orphan inheriting cmd's stdout/stderr pipe can never hang
+	// cmd.Wait() and the runner. See process.TreeKill. The PTY path below may
+	// override SysProcAttr, but never touches Cancel/WaitDelay.
+	treeKill := process.NewTreeKill(cmd)

 	var ppty *os.File
 	var tty *os.File
@@ -375,15 +360,9 @@ func (e *HostEnvironment) exec(ctx context.Context, command []string, cmdline st
 	if err := cmd.Start(); err != nil {
 		return err
 	}
-	// Capture the started process for tree-kill on cancellation: a Job Object on
-	// Windows (children spawned afterwards are auto-included) and the process
-	// group on Unix. On failure (e.g. Windows nested-job restrictions) we fall
-	// back to the default single-process kill; WaitDelay + end-of-job cleanup
-	// still apply.
-	if k, kerr := newProcessKiller(cmd.Process); kerr != nil {
+	if k, kerr := treeKill.Capture(cmd.Process); kerr != nil {
 		common.Logger(ctx).Warnf("process tree kill setup failed, falling back to single-process kill: %v", kerr)
 	} else {
-		killer.Store(k)
 		defer k.Close()
 	}
 	err = cmd.Wait()
--- a/act/container/process_other.go
+++ b/act/container/process_other.go
@@ -1,29 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-//go:build plan9
-
-package container
-
-import "os"
-
-// processKiller falls back to single-process termination on platforms without
-// a process-group / Job Object tree-kill. The Job Object (Windows) and process
-// group (Unix) based tree-kills live in process_windows.go / process_unix.go;
-// here we just kill the direct child, matching the previous default behaviour.
-type processKiller struct {
-	p *os.Process
-}
-
-func newProcessKiller(p *os.Process) (*processKiller, error) {
-	return &processKiller{p: p}, nil
-}
-
-func (k *processKiller) Kill() error {
-	if k == nil || k.p == nil {
-		return nil
-	}
-	return k.p.Kill()
-}
-
-func (k *processKiller) Close() error { return nil }
--- a/act/container/process_unix.go
+++ b/act/container/process_unix.go
@@ -1,56 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-//go:build !windows && !plan9
-
-package container
-
-import (
-	"errors"
-	"os"
-	"syscall"
-)
-
-// processKiller terminates a step process together with its whole process
-// group, which is the Unix counterpart of the Windows Job Object tree-kill.
-//
-// Background: a step often launches a process tree (a shell that starts a child
-// which in turn spawns further background processes). The default
-// exec.CommandContext cancellation only kills the direct child, so cancelling a
-// job left the rest of the tree running. Because those orphans inherited the
-// step's stdout/stderr pipe, cmd.Wait() also blocked forever and the runner
-// hung.
-//
-// Steps are started with Setpgid (or Setsid for the PTY path, see
-// getSysProcAttr), which makes the step process the leader of a new process
-// group whose ID equals its PID. Signalling the negative PID delivers to every
-// process still in that group, so we can tear down the whole tree atomically on
-// cancellation, which also closes the inherited pipe handles so cmd.Wait() can
-// return.
-type processKiller struct {
-	pgid int
-}
-
-// newProcessKiller captures the process group of p (an already-started
-// process). Because the step is launched with Setpgid/Setsid, p is a group
-// leader and its PGID equals its PID; children spawned afterwards stay in the
-// same group unless they explicitly create their own.
-func newProcessKiller(p *os.Process) (*processKiller, error) {
-	return &processKiller{pgid: p.Pid}, nil
-}
-
-// Kill sends SIGKILL to the entire process group (the step process and every
-// descendant that stayed in the group). A missing group (ESRCH) means the
-// processes already exited and is not treated as an error.
-func (k *processKiller) Kill() error {
-	if k == nil || k.pgid <= 0 {
-		return nil
-	}
-	if err := syscall.Kill(-k.pgid, syscall.SIGKILL); err != nil && !errors.Is(err, syscall.ESRCH) {
-		return err
-	}
-	return nil
-}
-
-// Close is a no-op on Unix; there is no job handle to release.
-func (k *processKiller) Close() error { return nil }
--- a/act/container/process_unix_test.go
+++ b/act/container/process_unix_test.go
@@ -1,100 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-//go:build !windows && !plan9
-
-package container
-
-import (
-	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"syscall"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-)
-
-// processAlive reports whether pid refers to a still-running process. Signal 0
-// performs error checking without delivering a signal: a nil error (or EPERM)
-// means the process exists, ESRCH means it is gone.
-//
-// On Linux, zombie processes (state Z in /proc/<pid>/stat) appear alive to
-// kill(0) but have already terminated — their corpse lingers until the parent
-// calls wait(). In a Docker container the child may be reparented to a PID 1
-// that does not reap promptly, so we treat zombies as not alive.
-func processAlive(pid int) bool {
-	err := syscall.Kill(pid, 0)
-	if err != nil {
-		return false
-	}
-	// On Linux /proc is available; check whether the process is a zombie.
-	if b, readErr := os.ReadFile(fmt.Sprintf("/proc/%d/stat", pid)); readErr == nil {
-		// Format: "pid (comm) state ..." — state follows the closing ')' of the
-		// command name (which may itself contain spaces and parens).
-		rest := string(b)
-		if idx := strings.LastIndex(rest, ") "); idx >= 0 {
-			fields := strings.Fields(rest[idx+2:])
-			if len(fields) > 0 && fields[0] == "Z" {
-				return false // zombie: terminated but not yet reaped
-			}
-		}
-	}
-	return true
-}
-
-// TestProcessKillerKillsTree verifies that a process group captured by the
-// killer is terminated together with a child the step spawns afterwards. This
-// mirrors a step that launches a child which spawns further processes, where
-// cancelling the job must take down the whole tree, not just the direct child.
-func TestProcessKillerKillsTree(t *testing.T) {
-	dir := t.TempDir()
-	pidFile := filepath.Join(dir, "child.pid")
-
-	// Parent shell backgrounds a long-lived child (writing its PID to a file)
-	// and then sleeps. With job control off (non-interactive sh) the backgrounded
-	// child stays in the parent's process group, so the group kill must reach it.
-	script := fmt.Sprintf(`sleep 600 & echo $! > %q; sleep 600`, pidFile)
-	cmd := exec.Command("/bin/sh", "-c", script)
-	// Launch as its own process-group leader, exactly like a real step does (see
-	// getSysProcAttr), so the killer's PGID == the process PID.
-	cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
-	require.NoError(t, cmd.Start())
-	t.Cleanup(func() {
-		_ = syscall.Kill(-cmd.Process.Pid, syscall.SIGKILL)
-		_ = cmd.Wait()
-	})
-
-	killer, err := newProcessKiller(cmd.Process)
-	require.NoError(t, err)
-	defer killer.Close()
-
-	// Wait for the backgrounded child PID to be reported.
-	var childPID int
-	require.Eventually(t, func() bool {
-		b, e := os.ReadFile(pidFile)
-		if e != nil {
-			return false
-		}
-		s := strings.TrimSpace(string(b))
-		if s == "" {
-			return false
-		}
-		childPID, _ = strconv.Atoi(s)
-		return childPID > 0 && processAlive(childPID)
-	}, 20*time.Second, 100*time.Millisecond, "child process should start")
-
-	// Killing the group must terminate both the parent and the backgrounded child.
-	require.NoError(t, killer.Kill())
-	// Reap the parent so it does not linger as a zombie (which would still report
-	// as alive); SIGKILL makes Wait return promptly.
-	_ = cmd.Wait()
-
-	require.Eventually(t, func() bool {
-		return !processAlive(childPID)
-	}, 20*time.Second, 100*time.Millisecond, "backgrounded child should be terminated")
-}
--- a/act/container/process_windows.go
+++ b/act/container/process_windows.go
@@ -1,71 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package container
-
-import (
-	"os"
-
-	"golang.org/x/sys/windows"
-)
-
-// processKiller terminates a step process together with its entire descendant
-// tree via a Windows Job Object.
-//
-// Background: a step often launches a process tree (a shell that starts a
-// child which in turn spawns further GUI or background processes). The default
-// exec.CommandContext cancellation only kills the direct child, so cancelling a
-// job left the rest of the tree running. Because those orphans inherited the
-// step's stdout/stderr pipe, cmd.Wait() also blocked forever and the runner hung.
-//
-// Assigning the step process to a Job Object lets us kill the whole tree
-// atomically on cancellation (TerminateJobObject), which also closes the
-// inherited pipe handles so cmd.Wait() can return.
-type processKiller struct {
-	job windows.Handle
-}
-
-// newProcessKiller creates a Job Object and assigns p (an already-started
-// process) to it. Children spawned by p afterwards are automatically part of
-// the job. The job does NOT use JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE, so closing
-// the handle on normal completion does not kill legitimate background
-// processes; the tree is only torn down by an explicit Kill (cancellation).
-func newProcessKiller(p *os.Process) (*processKiller, error) {
-	job, err := windows.CreateJobObject(nil, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	h, err := windows.OpenProcess(windows.PROCESS_SET_QUOTA|windows.PROCESS_TERMINATE, false, uint32(p.Pid))
-	if err != nil {
-		windows.CloseHandle(job)
-		return nil, err
-	}
-	defer windows.CloseHandle(h)
-
-	if err := windows.AssignProcessToJobObject(job, h); err != nil {
-		windows.CloseHandle(job)
-		return nil, err
-	}
-
-	return &processKiller{job: job}, nil
-}
-
-// Kill terminates every process currently assigned to the job (the step process
-// and all of its descendants).
-func (k *processKiller) Kill() error {
-	if k == nil || k.job == 0 {
-		return nil
-	}
-	return windows.TerminateJobObject(k.job, 1)
-}
-
-// Close releases the job handle. It does not terminate the processes.
-func (k *processKiller) Close() error {
-	if k == nil || k.job == 0 {
-		return nil
-	}
-	h := k.job
-	k.job = 0
-	return windows.CloseHandle(h)
-}
--- a/act/container/process_windows_test.go
+++ b/act/container/process_windows_test.go
@@ -1,78 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package container
-
-import (
-	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-	"golang.org/x/sys/windows"
-)
-
-// processAlive reports whether pid refers to a still-running process.
-func processAlive(pid int) bool {
-	h, err := windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, uint32(pid))
-	if err != nil {
-		return false
-	}
-	defer windows.CloseHandle(h)
-	var code uint32
-	if err := windows.GetExitCodeProcess(h, &code); err != nil {
-		return false
-	}
-	const stillActive = 259 // STILL_ACTIVE
-	return code == stillActive
-}
-
-// TestProcessKillerKillsTree verifies that a process assigned to the Job Object
-// is terminated together with a child it spawns afterwards. This mirrors a step
-// that launches a child which spawns further processes, where cancelling the
-// job must take down the whole tree, not just the direct child.
-func TestProcessKillerKillsTree(t *testing.T) {
-	dir := t.TempDir()
-	pidFile := filepath.Join(dir, "child.pid")
-
-	// Parent powershell spawns a detached, long-lived child powershell (writing
-	// its PID to a file) and then sleeps. The child is launched AFTER the parent
-	// has been assigned to the job, so it must be captured by the job too.
-	script := fmt.Sprintf(
-		`$c = Start-Process powershell -PassThru -ArgumentList '-NoProfile','-Command','Start-Sleep -Seconds 600'; `+
-			`Set-Content -LiteralPath %q -Value $c.Id; Start-Sleep -Seconds 600`, pidFile)
-	cmd := exec.Command("powershell.exe", "-NoProfile", "-Command", script)
-	require.NoError(t, cmd.Start())
-	t.Cleanup(func() { _ = cmd.Process.Kill() })
-
-	killer, err := newProcessKiller(cmd.Process)
-	require.NoError(t, err)
-	defer killer.Close()
-
-	// Wait for the child PID to be reported.
-	var childPID int
-	require.Eventually(t, func() bool {
-		b, e := os.ReadFile(pidFile)
-		if e != nil {
-			return false
-		}
-		s := strings.TrimSpace(string(b))
-		if s == "" {
-			return false
-		}
-		childPID, _ = strconv.Atoi(s)
-		return childPID > 0 && processAlive(childPID)
-	}, 20*time.Second, 200*time.Millisecond, "child process should start")
-
-	// Killing the job must terminate both the parent and the detached child.
-	require.NoError(t, killer.Kill())
-
-	require.Eventually(t, func() bool {
-		return !processAlive(cmd.Process.Pid) && !processAlive(childPID)
-	}, 20*time.Second, 200*time.Millisecond, "parent and child should both be terminated")
-}
--- a/act/container/util.go
+++ b/act/container/util.go
@@ -8,23 +8,10 @@ package container

 import (
 	"os"
-	"syscall"

 	"github.com/creack/pty"
 )

-func getSysProcAttr(_ string, tty bool) *syscall.SysProcAttr {
-	if tty {
-		return &syscall.SysProcAttr{
-			Setsid:  true,
-			Setctty: true,
-		}
-	}
-	return &syscall.SysProcAttr{
-		Setpgid: true,
-	}
-}
-
 func openPty() (*os.File, *os.File, error) {
 	return pty.Open()
 }
--- a/act/container/util_openbsd_mips64.go
+++ b/act/container/util_openbsd_mips64.go
@@ -7,15 +7,8 @@ package container
 import (
 	"errors"
 	"os"
-	"syscall"
 )

-func getSysProcAttr(cmdLine string, tty bool) *syscall.SysProcAttr {
-	return &syscall.SysProcAttr{
-		Setpgid: true,
-	}
-}
-
 func openPty() (*os.File, *os.File, error) {
 	return nil, nil, errors.New("Unsupported")
 }
--- a/act/container/util_plan9.go
+++ b/act/container/util_plan9.go
@@ -7,15 +7,8 @@ package container
 import (
 	"errors"
 	"os"
-	"syscall"
 )

-func getSysProcAttr(cmdLine string, tty bool) *syscall.SysProcAttr {
-	return &syscall.SysProcAttr{
-		Rfork: syscall.RFNOTEG,
-	}
-}
-
 func openPty() (*os.File, *os.File, error) {
 	return nil, nil, errors.New("Unsupported")
 }
--- a/act/container/util_windows.go
+++ b/act/container/util_windows.go
@@ -7,13 +7,8 @@ package container
 import (
 	"errors"
 	"os"
-	"syscall"
 )

-func getSysProcAttr(cmdLine string, tty bool) *syscall.SysProcAttr {
-	return &syscall.SysProcAttr{CmdLine: cmdLine, CreationFlags: syscall.CREATE_NEW_PROCESS_GROUP}
-}
-
 func openPty() (*os.File, *os.File, error) {
 	return nil, nil, errors.New("Unsupported")
 }