fix(lambda): Prevent scale-up lambda from starting runner for user repo if org level runners is enabled

lambdas/functions/control-plane/src/lambda.test.ts

@@ -15,6 +15,7 @@ const body: ActionRequestMessage = {
   installationId: 1,
   repositoryName: 'name',
   repositoryOwner: 'owner',
+  repoOwnerType: "Organization",
 };
 
 const sqsRecord: SQSRecord = {

lambdas/functions/control-plane/src/scale-runners/scale-up.test.ts

@@ -53,6 +53,16 @@ const TEST_DATA: scaleUpModule.ActionRequestMessage = {
   repositoryName: 'hello-world',
   repositoryOwner: 'Codertocat',
   installationId: 2,
+  repoOwnerType: "Organization",
+};
+
+const TEST_DATA_USER_REPO: scaleUpModule.ActionRequestMessage = {
+  id: 1,
+  eventType: 'workflow_job',
+  repositoryName: 'hello-world',
+  repositoryOwner: 'Octocat',
+  installationId: 2,
+  repoOwnerType: "User",
 };
 
 // installationId 0 means no installationId is set.
@@ -62,6 +72,7 @@ const TEST_DATA_WITH_ZERO_INSTALL_ID: scaleUpModule.ActionRequestMessage = {
   repositoryName: 'hello-world',
   repositoryOwner: 'Codertocat',
   installationId: 0,
+  repoOwnerType: "Organization",
 };
 
 const cleanEnv = process.env;
@@ -305,6 +316,11 @@ describe('scaleUp with GHES', () => {
       expect(mockOctokit.paginate).toHaveBeenCalledTimes(1);
     });
 
+    it('Throws error if it is a User repo and org level runners is enabled', () => {
+      process.env.ENABLE_ORGANIZATION_RUNNERS = 'true';
+      expect(() => scaleUpModule.scaleUp('aws:sqs', TEST_DATA_USER_REPO)).rejects.toBeInstanceOf(Error);
+    });
+
     it('create SSM parameter for runner group id if it doesnt exist', async () => {
       mockSSMClient.on(GetParameterCommand).rejects();
       await scaleUpModule.scaleUp('aws:sqs', TEST_DATA);

lambdas/functions/control-plane/src/scale-runners/scale-up.ts

@@ -1,4 +1,4 @@
 import { Octokit } from '@octokit/rest';
 import { addPersistentContextToChildLogger, createChildLogger } from '@terraform-aws-github-runner/aws-powertools-util';
 import { getParameter, putParameter } from '@terraform-aws-github-runner/aws-ssm-util';
 import yn from 'yn';
@@ -27,6 +27,7 @@
   repositoryName: string;
   repositoryOwner: string;
   installationId: number;
+  repoOwnerType: string;
 }
 
 interface CreateGitHubRunnerConfig {
@@ -250,6 +251,9 @@
         `Please ensure you have enabled workflow_job events.`,
     );
   }
+
+  validateRepoOwnerTypeIfOrgLevelEnabled(payload, enableOrgLevel);
+
   const ephemeral = ephemeralEnabled && payload.eventType === 'workflow_job';
   const runnerType = enableOrgLevel ? 'Org' : 'Repo';
   const runnerOwner = enableOrgLevel ? payload.repositoryOwner : `${payload.repositoryOwner}/${payload.repositoryName}`;
@@ -341,6 +345,17 @@
   }
 }
 
+function validateRepoOwnerTypeIfOrgLevelEnabled(payload: ActionRequestMessage, enableOrgLevel: boolean) {
+  if (enableOrgLevel && payload.repoOwnerType !== 'Organization') {
+    logger.warn(`Repository ${payload.repositoryOwner}/${payload.repositoryName} does not belong to a GitHub` +
+      `organization and organization runners are enabled. This is not supported. Not scaling up for this event.`);
+    throw Error(
+      `Repository ${payload.repositoryOwner}/${payload.repositoryName} does not belong to a GitHub` +
+      `organization and organization runners are enabled. This is not supported. Not scaling up for this event.`,
+    );
+  }
+}
+
 function addDelay(instances: string[]) {
   const delay = async (ms: number) => new Promise((resolve) => setTimeout(resolve, ms));
   const ssmParameterStoreMaxThroughput = 40;

lambdas/functions/webhook/src/sqs/index.test.ts

@@ -26,6 +26,7 @@ describe('Test sending message to SQS.', () => {
     repositoryOwner: 'owner',
     queueId: queueUrl,
     queueFifo: false,
+    repoOwnerType: 'Organization',
   };
 
   afterEach(() => {

lambdas/functions/webhook/src/sqs/index.ts

@@ -13,6 +13,7 @@ export interface ActionRequestMessage {
   installationId: number;
   queueId: string;
   queueFifo: boolean;
+  repoOwnerType: string;
 }
 
 export interface MatcherConfig {

lambdas/functions/webhook/src/webhook/index.test.ts

@@ -450,6 +450,7 @@ describe('handler', () => {
         installationId: 0,
         queueId: 'ubuntu-queue-id',
         queueFifo: false,
+        repoOwnerType: "Organization",
       });
     });
     it('Check webhook will accept jobs for latest labels if workflow labels are not specific', async () => {
@@ -492,6 +493,7 @@ describe('handler', () => {
         installationId: 0,
         queueId: 'ubuntu-queue-id',
         queueFifo: false,
+        repoOwnerType: "Organization",
       });
     });
   });
@@ -531,6 +533,7 @@ describe('handler', () => {
       installationId: 0,
       queueId: 'ubuntu-queue-id',
       queueFifo: false,
+      repoOwnerType: "Organization",
     });
   });
 

lambdas/functions/webhook/src/webhook/index.ts

@@ -53,6 +53,7 @@ async function handleWorkflowJob(
           installationId: installationId,
           queueId: queue.id,
           queueFifo: queue.fifo,
+          repoOwnerType: body.repository.owner.type,
         });
         logger.info(`Successfully queued job for ${body.repository.full_name} to the queue ${queue.id}`);
         return { statusCode: 201 };