chatwork · tasuku43 · May 7, 2026
diff --git a/gha-runner-scale-set-helmfile/Dockerfile b/gha-runner-scale-set-helmfile/Dockerfile
@@ -0,0 +1,59 @@
+ARG RUNNER_VERSION=2.334.0
+FROM ghcr.io/actions/actions-runner:${RUNNER_VERSION}
+
+ARG TARGETOS
+ARG TARGETARCH
+
+ARG RUNNER_VERSION=2.334.0
+ARG KUBECTL_VERSION=1.35.4
+ARG HELMFILE_VERSION=1.5.0
+ARG HELM_VERSION=4.1.4
+ARG HELM_FILE_NAME=helm-v${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz
+ARG HELMFILE_FILE_NAME=helmfile_${HELMFILE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz
+ARG KUSTOMIZE_VERSION=5.8.1
+ARG KUSTOMIZE_FILE_NAME=kustomize_v${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz
+ARG HELM_DIFF_VERSION=3.15.6
+ARG HELM_SECRETS_VERSION=4.7.6
+ARG HELM_GIT_VERSION=1.5.2
+ARG YQ_VERSION=4.53.2
+ARG YQ_FILE_NAME=yq_${TARGETOS}_${TARGETARCH}
+
+LABEL version="v${RUNNER_VERSION}-v${HELMFILE_VERSION}-v${HELM_VERSION}"
+
+USER root
+
+RUN apt-get update -y \
+    && apt-get install -y --no-install-recommends gh wget ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+ADD https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/${YQ_FILE_NAME} /tmp
+RUN mv /tmp/${YQ_FILE_NAME} /usr/local/bin/yq \
+    && chmod 755 /usr/local/bin/yq
+
+ADD https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl /tmp
+RUN mv /tmp/kubectl /usr/local/bin/kubectl \
+    && chmod 755 /usr/local/bin/kubectl
+
+ADD https://get.helm.sh/${HELM_FILE_NAME} /tmp
+RUN tar -zxvf /tmp/${HELM_FILE_NAME} -C /tmp \
+    && mv /tmp/${TARGETOS}-${TARGETARCH}/helm /usr/local/bin/helm \
+    && chmod 755 /usr/local/bin/helm \
+    && rm -rf /tmp/*
+
+ADD https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v${KUSTOMIZE_VERSION}/${KUSTOMIZE_FILE_NAME} /tmp
+RUN tar -zxf /tmp/${KUSTOMIZE_FILE_NAME} -C /tmp \
+    && mv /tmp/kustomize /usr/local/bin/kustomize \
+    && chmod 755 /usr/local/bin/kustomize \
+    && rm -fr /tmp/*
+
+ADD https://github.com/helmfile/helmfile/releases/download/v${HELMFILE_VERSION}/${HELMFILE_FILE_NAME} /tmp
+RUN tar -zxvf /tmp/${HELMFILE_FILE_NAME} -C /tmp \
+    && mv /tmp/helmfile /usr/local/bin/helmfile \
+    && chmod 755 /usr/local/bin/helmfile \
+    && rm -rf /tmp/*
+
+USER runner
+
+RUN helm plugin install https://github.com/databus23/helm-diff --version v${HELM_DIFF_VERSION} --verify=false \
+    && helm plugin install https://github.com/jkroepke/helm-secrets --version v${HELM_SECRETS_VERSION} --verify=false \
+    && helm plugin install https://github.com/aslafy-z/helm-git.git --version v${HELM_GIT_VERSION} --verify=false
diff --git a/gha-runner-scale-set-helmfile/Dockerfile.arm64 b/gha-runner-scale-set-helmfile/Dockerfile.arm64
@@ -0,0 +1,59 @@
+ARG RUNNER_VERSION=2.334.0
+FROM ghcr.io/actions/actions-runner:${RUNNER_VERSION}
+
+ARG TARGETOS
+ARG TARGETARCH
+
+ARG RUNNER_VERSION=2.334.0
+ARG KUBECTL_VERSION=1.35.4
+ARG HELMFILE_VERSION=1.5.0
+ARG HELM_VERSION=4.1.4
+ARG HELM_FILE_NAME=helm-v${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz
+ARG HELMFILE_FILE_NAME=helmfile_${HELMFILE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz
+ARG KUSTOMIZE_VERSION=5.8.1
+ARG KUSTOMIZE_FILE_NAME=kustomize_v${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz
+ARG HELM_DIFF_VERSION=3.15.6
+ARG HELM_SECRETS_VERSION=4.7.6
+ARG HELM_GIT_VERSION=1.5.2
+ARG YQ_VERSION=4.53.2
+ARG YQ_FILE_NAME=yq_${TARGETOS}_${TARGETARCH}
+
+LABEL version="v${RUNNER_VERSION}-v${HELMFILE_VERSION}-v${HELM_VERSION}"
+
+USER root
+
+RUN apt-get update -y \
+    && apt-get install -y --no-install-recommends gh wget ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+ADD https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/${YQ_FILE_NAME} /tmp
+RUN mv /tmp/${YQ_FILE_NAME} /usr/local/bin/yq \
+    && chmod 755 /usr/local/bin/yq
+
+ADD https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl /tmp
+RUN mv /tmp/kubectl /usr/local/bin/kubectl \
+    && chmod 755 /usr/local/bin/kubectl
+
+ADD https://get.helm.sh/${HELM_FILE_NAME} /tmp
+RUN tar -zxvf /tmp/${HELM_FILE_NAME} -C /tmp \
+    && mv /tmp/${TARGETOS}-${TARGETARCH}/helm /usr/local/bin/helm \
+    && chmod 755 /usr/local/bin/helm \
+    && rm -rf /tmp/*
+
+ADD https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v${KUSTOMIZE_VERSION}/${KUSTOMIZE_FILE_NAME} /tmp
+RUN tar -zxf /tmp/${KUSTOMIZE_FILE_NAME} -C /tmp \
+    && mv /tmp/kustomize /usr/local/bin/kustomize \
+    && chmod 755 /usr/local/bin/kustomize \
+    && rm -fr /tmp/*
+
+ADD https://github.com/helmfile/helmfile/releases/download/v${HELMFILE_VERSION}/${HELMFILE_FILE_NAME} /tmp
+RUN tar -zxvf /tmp/${HELMFILE_FILE_NAME} -C /tmp \
+    && mv /tmp/helmfile /usr/local/bin/helmfile \
+    && chmod 755 /usr/local/bin/helmfile \
+    && rm -rf /tmp/*
+
+USER runner
+
+RUN helm plugin install https://github.com/databus23/helm-diff --version v${HELM_DIFF_VERSION} --verify=false \
+    && helm plugin install https://github.com/jkroepke/helm-secrets --version v${HELM_SECRETS_VERSION} --verify=false \
+    && helm plugin install https://github.com/aslafy-z/helm-git.git --version v${HELM_GIT_VERSION} --verify=false
diff --git a/gha-runner-scale-set-helmfile/Dockerfile.tpl b/gha-runner-scale-set-helmfile/Dockerfile.tpl
@@ -0,0 +1,59 @@
+ARG RUNNER_VERSION={{ .runner_version }}
+FROM ghcr.io/actions/actions-runner:${RUNNER_VERSION}
+
+ARG TARGETOS
+ARG TARGETARCH
+
+ARG RUNNER_VERSION={{ .runner_version }}
+ARG KUBECTL_VERSION=1.35.4
+ARG HELMFILE_VERSION={{ .helmfile_version }}
+ARG HELM_VERSION={{ .helm_version }}
+ARG HELM_FILE_NAME=helm-v${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz
+ARG HELMFILE_FILE_NAME=helmfile_${HELMFILE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz
+ARG KUSTOMIZE_VERSION=5.8.1
+ARG KUSTOMIZE_FILE_NAME=kustomize_v${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz
+ARG HELM_DIFF_VERSION=3.15.6
+ARG HELM_SECRETS_VERSION=4.7.6
+ARG HELM_GIT_VERSION=1.5.2
+ARG YQ_VERSION=4.53.2
+ARG YQ_FILE_NAME=yq_${TARGETOS}_${TARGETARCH}
+
+LABEL version="v${RUNNER_VERSION}-v${HELMFILE_VERSION}-v${HELM_VERSION}"
+
+USER root
+
+RUN apt-get update -y \
+    && apt-get install -y --no-install-recommends gh wget ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+ADD https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/${YQ_FILE_NAME} /tmp
+RUN mv /tmp/${YQ_FILE_NAME} /usr/local/bin/yq \
+    && chmod 755 /usr/local/bin/yq
+
+ADD https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl /tmp
+RUN mv /tmp/kubectl /usr/local/bin/kubectl \
+    && chmod 755 /usr/local/bin/kubectl
+
+ADD https://get.helm.sh/${HELM_FILE_NAME} /tmp
+RUN tar -zxvf /tmp/${HELM_FILE_NAME} -C /tmp \
+    && mv /tmp/${TARGETOS}-${TARGETARCH}/helm /usr/local/bin/helm \
+    && chmod 755 /usr/local/bin/helm \
+    && rm -rf /tmp/*
+
+ADD https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v${KUSTOMIZE_VERSION}/${KUSTOMIZE_FILE_NAME} /tmp
+RUN tar -zxf /tmp/${KUSTOMIZE_FILE_NAME} -C /tmp \
+    && mv /tmp/kustomize /usr/local/bin/kustomize \
+    && chmod 755 /usr/local/bin/kustomize \
+    && rm -fr /tmp/*
+
+ADD https://github.com/helmfile/helmfile/releases/download/v${HELMFILE_VERSION}/${HELMFILE_FILE_NAME} /tmp
+RUN tar -zxvf /tmp/${HELMFILE_FILE_NAME} -C /tmp \
+    && mv /tmp/helmfile /usr/local/bin/helmfile \
+    && chmod 755 /usr/local/bin/helmfile \
+    && rm -rf /tmp/*
+
+USER runner
+
+RUN helm plugin install https://github.com/databus23/helm-diff --version v${HELM_DIFF_VERSION} --verify=false \
+    && helm plugin install https://github.com/jkroepke/helm-secrets --version v${HELM_SECRETS_VERSION} --verify=false \
+    && helm plugin install https://github.com/aslafy-z/helm-git.git --version v${HELM_GIT_VERSION} --verify=false
diff --git a/gha-runner-scale-set-helmfile/Makefile b/gha-runner-scale-set-helmfile/Makefile
@@ -0,0 +1,63 @@
+ARCH:=$(shell uname -m)
+PLATFORM:=$(shell case "$(ARCH)" in \
+	("arm64"|"aarch64") echo "arm64" ;; \
+	("x86_64") echo "amd64" ;; \
+	(*) echo $(ARCH) ;; \
+esac)
+
+ARM64_SUFFIX:=aarch64
+AMD64_SUFFIX:=x86_64
+SUFFIX:=$(shell case "$(ARCH)" in \
+	("arm64"|"aarch64") echo "$(ARM64_SUFFIX)" ;; \
+	("x86_64") echo "$(AMD64_SUFFIX)" ;; \
+	(*) echo $(ARCH) ;; \
+esac)
+
+# $(call image_ref,version,suffix) -> chatwork/gha-runner-scale-set-helmfile:<version>[-<suffix>]
+image_ref=chatwork/gha-runner-scale-set-helmfile:$(1)$(if $(2),-$(2))
+
+.PHONY: build
+build:
+	@docker buildx build -t $(call image_ref,latest) --platform linux/${PLATFORM} -f Dockerfile --load .; \
+	version=$$(docker inspect -f {{.Config.Labels.version}} $(call image_ref,latest)); \
+	if [ -n "$$version" ]; then \
+		docker tag $(call image_ref,latest) $(call image_ref,$$version); \
+	fi
+
+.PHONY: test
+test: build
+	docker-compose -f docker-compose.test.yml up --no-start sut
+	docker cp $(shell pwd)/goss gha-runner-scale-set-helmfile:/goss
+	docker-compose -f docker-compose.test.yml up --no-recreate --exit-code-from sut sut
+
+.PHONY: push
+push:
+	@version=$$(docker inspect -f {{.Config.Labels.version}} $(call image_ref,latest)); \
+		if docker inspect --format='{{index .RepoDigests 0}}' $(call image_ref,$$version,$(SUFFIX)) >/dev/null 2>&1; then \
+			echo "no changes"; \
+		else \
+			docker buildx build -t $(call image_ref,$$version,$(SUFFIX)) --platform linux/${PLATFORM} -f Dockerfile --push .; \
+		fi
+
+.PHONY: manifest\:push
+manifest\:push:
+	@version=$$(docker inspect -f {{.Config.Labels.version}} $(call image_ref,latest)); \
+		if docker buildx imagetools inspect $(call image_ref,$$version) >/dev/null 2>&1; then \
+			echo "no changes"; \
+		else \
+			docker buildx imagetools create -t $(call image_ref,$$version) \
+				$(call image_ref,$$version,$(ARM64_SUFFIX)) \
+				$(call image_ref,$$version,$(AMD64_SUFFIX)); \
+			docker buildx imagetools create -t $(call image_ref,latest) \
+				$(call image_ref,$$version,$(ARM64_SUFFIX)) \
+				$(call image_ref,$$version,$(AMD64_SUFFIX)); \
+			hub-tool tag rm $(call image_ref,$$version,$(ARM64_SUFFIX)) -f || true; \
+			hub-tool tag rm $(call image_ref,$$version,$(AMD64_SUFFIX)) -f || true; \
+		fi
+
+.PHONY: manifest\:succeed-message
+manifest\:succeed-message:
+	@version=$$(docker inspect -f {{.Config.Labels.version}} $(call image_ref,latest)); \
+		echo "Released new tags."; \
+		echo "- $(call image_ref,$$version)"; \
+		echo "- $(call image_ref,latest)"
diff --git a/gha-runner-scale-set-helmfile/README.md b/gha-runner-scale-set-helmfile/README.md
@@ -0,0 +1,7 @@
+# gha-runner-scale-set-helmfile
+
+GitHub Actions self-hosted runner image based on the new ARC (`gha-runner-scale-set`) base image, with helmfile / helm / kubectl / kustomize / yq and helm plugins (helm-diff / helm-secrets / helm-git) pre-installed.
+
+The legacy `actions-runner-helmfile` directory keeps the old summerwind base for the legacy ARC; this directory is the new ARC equivalent and will eventually replace it once the legacy ARC runners are decommissioned.
+
+https://github.com/actions/actions-runner-controller
diff --git a/gha-runner-scale-set-helmfile/docker-compose.test.yml b/gha-runner-scale-set-helmfile/docker-compose.test.yml
@@ -0,0 +1,18 @@
+version: '3'
+services:
+  gha-runner-scale-set-helmfile:
+    build:
+      context: .
+    image: chatwork/gha-runner-scale-set-helmfile
+  sut:
+    image: chatwork/dgoss:latest
+    environment:
+      GOSS_FILES_PATH: /goss
+      GOSS_FILES_STRATEGY: cp
+    entrypoint: ""
+    command: /usr/local/bin/dgoss run --entrypoint '' chatwork/gha-runner-scale-set-helmfile tail -f /dev/null
+    container_name: gha-runner-scale-set-helmfile
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    depends_on:
+      - gha-runner-scale-set-helmfile
diff --git a/gha-runner-scale-set-helmfile/goss/goss.yaml b/gha-runner-scale-set-helmfile/goss/goss.yaml
@@ -0,0 +1,32 @@
+file:
+  /usr/local/bin/helmfile:
+    exists: true
+    mode: "0755"
+  /usr/local/bin/helm:
+    exists: true
+    mode: "0755"
+  /usr/local/bin/kubectl:
+    exists: true
+    mode: "0755"
+  /usr/local/bin/yq:
+    exists: true
+    mode: "0755"
+command:
+  /usr/local/bin/helm version:
+    exit-status: 0
+    stdout:
+      - "4.1.4"
+  /usr/local/bin/helmfile -v:
+    exit-status: 0
+    stdout:
+      - "1.5.0"
+  /usr/local/bin/helm plugin list:
+    exit-status: 0
+    stdout:
+      - /^diff/
+      - /^helm-git/
+      - /^secrets/
+  /usr/local/bin/yq --version:
+    exit-status: 0
+  /usr/local/bin/kubectl version --client:
+    exit-status: 0
diff --git a/gha-runner-scale-set-helmfile/goss/goss.yaml.tpl b/gha-runner-scale-set-helmfile/goss/goss.yaml.tpl
@@ -0,0 +1,32 @@
+file:
+  /usr/local/bin/helmfile:
+    exists: true
+    mode: "0755"
+  /usr/local/bin/helm:
+    exists: true
+    mode: "0755"
+  /usr/local/bin/kubectl:
+    exists: true
+    mode: "0755"
+  /usr/local/bin/yq:
+    exists: true
+    mode: "0755"
+command:
+  /usr/local/bin/helm version:
+    exit-status: 0
+    stdout:
+      - "{{ .helm_version }}"
+  /usr/local/bin/helmfile -v:
+    exit-status: 0
+    stdout:
+      - "{{ .helmfile_version }}"
+  /usr/local/bin/helm plugin list:
+    exit-status: 0
+    stdout:
+      - /^diff/
+      - /^helm-git/
+      - /^secrets/
+  /usr/local/bin/yq --version:
+    exit-status: 0
+  /usr/local/bin/kubectl version --client:
+    exit-status: 0
diff --git a/gha-runner-scale-set-helmfile/hooks/test b/gha-runner-scale-set-helmfile/hooks/test
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+make test