Updates: runner to v2.329.0 container-hooks to v0.8.0 (#4279 )

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Delete listener resources without requeueing on each call (#4289 )
2025-10-30 10:32:22 +01:00 · 2025-10-29 13:01:00 +01:00 · 2025-10-29 12:49:39 +01:00 · 2025-10-22 11:26:36 +02:00 · 2025-10-16 19:25:56 +02:00 · 2025-10-15 01:31:29 +02:00
268 changed files with 109024 additions and 31356 deletions
--- a/.github/actions/execute-assert-arc-e2e/action.yaml
+++ b/.github/actions/execute-assert-arc-e2e/action.yaml
@ -47,7 +47,7 @@ runs:
        -d '{"ref": "main", "inputs": { "arc_name": "${{inputs.arc-name}}" } }'
    - name: Fetch workflow run & job ids
-      uses: actions/github-script@v6
+      uses: actions/github-script@v7
      id: query_workflow
      with:
        script: |
@ -128,7 +128,7 @@ runs:
    - name: Wait for workflow to start running
      if: inputs.wait-to-running == 'true' && inputs.wait-to-finish == 'false'
-      uses: actions/github-script@v6
+      uses: actions/github-script@v7
      with:
        script: |
          function sleep(ms) {
@ -156,7 +156,7 @@ runs:
    - name: Wait for workflow to finish successfully
      if: inputs.wait-to-finish == 'true'
-      uses: actions/github-script@v6
+      uses: actions/github-script@v7
      with:
        script: |
          // Wait 5 minutes and make sure the workflow run we triggered completed with result 'success'
@ -188,6 +188,19 @@ runs:
          }
          core.setFailed(`The triggered workflow run didn't finish properly using ${{inputs.arc-name}}`)
    - name: Gather listener logs
      shell: bash
      if: always()
      run: |
        LISTENER_POD="$(kubectl get autoscalinglisteners.actions.github.com -n arc-systems -o jsonpath='{.items[*].metadata.name}')"
        kubectl logs $LISTENER_POD -n ${{inputs.arc-controller-namespace}}
    - name: Gather coredns logs
      shell: bash
      if: always()
      run: |
        kubectl logs deployments/coredns -n kube-system 
    - name: cleanup
      if: inputs.wait-to-finish == 'true'
      shell: bash
@ -195,7 +208,7 @@ runs:
        helm uninstall ${{ inputs.arc-name }} --namespace ${{inputs.arc-namespace}} --debug
        kubectl wait --timeout=30s --for=delete AutoScalingRunnerSet -n ${{inputs.arc-namespace}} -l app.kubernetes.io/instance=${{ inputs.arc-name }}
-    - name: Gather logs and cleanup
+    - name: Gather controller logs
      shell: bash
      if: always()
      run: |
--- a/.github/actions/setup-arc-e2e/action.yaml
+++ b/.github/actions/setup-arc-e2e/action.yaml
@ -1,9 +1,9 @@
-name: 'Setup ARC E2E Test Action'
+name: "Setup ARC E2E Test Action"
-description: 'Build controller image, create kind cluster, load the image, and exchange ARC configure token.'
+description: "Build controller image, create kind cluster, load the image, and exchange ARC configure token."
 inputs:
  app-id:
-    description: 'GitHub App Id for exchange access token'
+    description: "GitHub App Id for exchange access token"
    required: true
  app-pk:
    description: "GitHub App private key for exchange access token"
@ -20,23 +20,24 @@ inputs:
 outputs:
  token:
-    description: 'Token to use for configure ARC'
+    description: "Token to use for configure ARC"
    value: ${{steps.config-token.outputs.token}}
 runs:
  using: "composite"
  steps:
    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
      with:
-          # Pinning v0.9.1 for Buildx and BuildKit v0.10.6
+        # Pinning v0.9.1 for Buildx and BuildKit v0.10.6
-          # BuildKit v0.11 which has a bug causing intermittent 
+        # BuildKit v0.11 which has a bug causing intermittent
-          # failures pushing images to GHCR
+        # failures pushing images to GHCR
-          version: v0.9.1
+        version: v0.9.1
-          driver-opts: image=moby/buildkit:v0.10.6
+        driver-opts: image=moby/buildkit:v0.10.6
    - name: Build controller image
-      uses: docker/build-push-action@v3
+      # https://github.com/docker/build-push-action/releases/tag/v6.18.0
      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
      with:
        file: Dockerfile
        platforms: linux/amd64
@ -56,7 +57,8 @@ runs:
    - name: Get configure token
      id: config-token
-      uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
+      # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0
      uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
      with:
        application_id: ${{ inputs.app-id }}
        application_private_key: ${{ inputs.app-pk }}
--- a/.github/actions/setup-docker-environment/action.yaml
+++ b/.github/actions/setup-docker-environment/action.yaml
@ -24,23 +24,27 @@ runs:
      shell: bash
    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v2
+      # https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      # https://github.com/docker/setup-buildx-action/releases/tag/v3.10.0
      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
      with:
        version: latest
    - name: Login to DockerHub
      if: ${{ github.event_name == 'release' || github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.password != ''  }}
-      uses: docker/login-action@v2
+      # https://github.com/docker/login-action/releases/tag/v3.4.0
      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
      with:
        username: ${{ inputs.username }}
        password: ${{ inputs.password }}
    - name: Login to GitHub Container Registry
      if: ${{ github.event_name == 'release' || github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.ghcr_password != ''  }}
-      uses: docker/login-action@v2
+      # https://github.com/docker/login-action/releases/tag/v3.4.0
      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
      with:
        registry: ghcr.io
        username: ${{ inputs.ghcr_username }}
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -9,3 +9,15 @@ updates:
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"
    groups:
      gomod:
        patterns:
          - "*"
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions:
        patterns:
          - "*"
--- a/.github/workflows/arc-publish-chart.yaml
+++ b/.github/workflows/arc-publish-chart.yaml
@ -5,18 +5,18 @@ name: Publish ARC Helm Charts
 on:
  push:
    branches:
-    - master
+      - master
    paths:
-    - 'charts/**'
+      - "charts/**"
-    - '.github/workflows/arc-publish-chart.yaml'
+      - ".github/workflows/arc-publish-chart.yaml"
-    - '!charts/actions-runner-controller/docs/**'
+      - "!charts/actions-runner-controller/docs/**"
-    - '!charts/gha-runner-scale-set-controller/**'
+      - "!charts/gha-runner-scale-set-controller/**"
-    - '!charts/gha-runner-scale-set/**'
+      - "!charts/gha-runner-scale-set/**"
-    - '!**.md'
+      - "!**.md"
  workflow_dispatch:
    inputs:
      force:
-        description: 'Force publish even if the chart version is not bumped'
+        description: "Force publish even if the chart version is not bumped"
        type: boolean
        required: true
        default: false
@ -39,86 +39,86 @@ jobs:
    outputs:
      publish-chart: ${{ steps.publish-chart-step.outputs.publish }}
    steps:
-    - name: Checkout
+      - name: Checkout
-      uses: actions/checkout@v3
+        uses: actions/checkout@v5
-      with:
+        with:
-        fetch-depth: 0
+          fetch-depth: 0
-    - name: Set up Helm
+      - name: Set up Helm
-      uses: azure/setup-helm@v3.4
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
-      with:
+        with:
-        version: ${{ env.HELM_VERSION }}
+          version: ${{ env.HELM_VERSION }}
-    - name: Set up kube-score
+      - name: Set up kube-score
-      run: |
+        run: |
-        wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
+          wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
-        chmod 755 kube-score
+          chmod 755 kube-score
-    - name: Kube-score generated manifests
+      - name: Kube-score generated manifests
-      run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score - --ignore-test pod-networkpolicy --ignore-test deployment-has-poddisruptionbudget --ignore-test deployment-has-host-podantiaffinity --ignore-test container-security-context --ignore-test pod-probes --ignore-test container-image-tag --enable-optional-test container-security-context-privileged --enable-optional-test container-security-context-readonlyrootfilesystem
+        run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score - --ignore-test pod-networkpolicy --ignore-test deployment-has-poddisruptionbudget --ignore-test deployment-has-host-podantiaffinity --ignore-test container-security-context --ignore-test pod-probes --ignore-test container-image-tag --enable-optional-test container-security-context-privileged --enable-optional-test container-security-context-readonlyrootfilesystem
-    # python is a requirement for the chart-testing action below (supports yamllint among other tests)
+      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
-    - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v6
-      with:
+        with:
-        python-version: '3.11'
+          python-version: "3.11"
-    - name: Set up chart-testing
+      - name: Set up chart-testing
-      uses: helm/chart-testing-action@v2.6.0
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
-    - name: Run chart-testing (list-changed)
+      - name: Run chart-testing (list-changed)
-      id: list-changed
+        id: list-changed
-      run: |
+        run: |
-        changed=$(ct list-changed --config charts/.ci/ct-config.yaml)
+          changed=$(ct list-changed --config charts/.ci/ct-config.yaml)
-        if [[ -n "$changed" ]]; then
+          if [[ -n "$changed" ]]; then
-          echo "changed=true" >> $GITHUB_OUTPUT
+            echo "changed=true" >> $GITHUB_OUTPUT
-        fi
+          fi
-    - name: Run chart-testing (lint)
+      - name: Run chart-testing (lint)
-      run: |
+        run: |
-        ct lint --config charts/.ci/ct-config.yaml
+          ct lint --config charts/.ci/ct-config.yaml
-    - name: Create kind cluster
+      - name: Create kind cluster
-      if: steps.list-changed.outputs.changed == 'true'
+        if: steps.list-changed.outputs.changed == 'true'
-      uses: helm/kind-action@v1.4.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
-    # We need cert-manager already installed in the cluster because we assume the CRDs exist
+      # We need cert-manager already installed in the cluster because we assume the CRDs exist
-    - name: Install cert-manager
+      - name: Install cert-manager
-      if: steps.list-changed.outputs.changed == 'true'
+        if: steps.list-changed.outputs.changed == 'true'
-      run: |
+        run: |
-        helm repo add jetstack https://charts.jetstack.io --force-update
+          helm repo add jetstack https://charts.jetstack.io --force-update
-        helm install cert-manager jetstack/cert-manager --set installCRDs=true --wait
+          helm install cert-manager jetstack/cert-manager --set installCRDs=true --wait
-    - name: Run chart-testing (install)
+      - name: Run chart-testing (install)
-      if: steps.list-changed.outputs.changed == 'true'
+        if: steps.list-changed.outputs.changed == 'true'
-      run: ct install --config charts/.ci/ct-config.yaml
+        run: ct install --config charts/.ci/ct-config.yaml
-    # WARNING: This relies on the latest release being at the top of the JSON from GitHub and a clean chart.yaml
+      # WARNING: This relies on the latest release being at the top of the JSON from GitHub and a clean chart.yaml
-    - name: Check if Chart Publish is Needed
+      - name: Check if Chart Publish is Needed
-      id: publish-chart-step
+        id: publish-chart-step
-      run: |
+        run: |
-        CHART_TEXT=$(curl -fs https://raw.githubusercontent.com/${{ github.repository }}/master/charts/actions-runner-controller/Chart.yaml)
+          CHART_TEXT=$(curl -fs https://raw.githubusercontent.com/${{ github.repository }}/master/charts/actions-runner-controller/Chart.yaml)
-        NEW_CHART_VERSION=$(echo "$CHART_TEXT" | grep version: | cut -d ' ' -f 2)
+          NEW_CHART_VERSION=$(echo "$CHART_TEXT" | grep version: | cut -d ' ' -f 2)
-        RELEASE_LIST=$(curl -fs https://api.github.com/repos/${{ github.repository }}/releases  | jq .[].tag_name | grep actions-runner-controller | cut -d '"' -f 2 | cut -d '-' -f 4)
+          RELEASE_LIST=$(curl -fs https://api.github.com/repos/${{ github.repository }}/releases  | jq .[].tag_name | grep actions-runner-controller | cut -d '"' -f 2 | cut -d '-' -f 4)
-        LATEST_RELEASED_CHART_VERSION=$(echo $RELEASE_LIST | cut -d ' ' -f 1)
+          LATEST_RELEASED_CHART_VERSION=$(echo $RELEASE_LIST | cut -d ' ' -f 1)
-        echo "CHART_VERSION_IN_MASTER=$NEW_CHART_VERSION" >> $GITHUB_ENV
+          echo "CHART_VERSION_IN_MASTER=$NEW_CHART_VERSION" >> $GITHUB_ENV
-        echo "LATEST_CHART_VERSION=$LATEST_RELEASED_CHART_VERSION" >> $GITHUB_ENV
+          echo "LATEST_CHART_VERSION=$LATEST_RELEASED_CHART_VERSION" >> $GITHUB_ENV
-        # Always publish if force is true
+          # Always publish if force is true
-        if [[ $NEW_CHART_VERSION != $LATEST_RELEASED_CHART_VERSION || "${{ inputs.force }}" == "true" ]]; then
+          if [[ $NEW_CHART_VERSION != $LATEST_RELEASED_CHART_VERSION || "${{ inputs.force }}" == "true" ]]; then
-          echo "publish=true" >> $GITHUB_OUTPUT
+            echo "publish=true" >> $GITHUB_OUTPUT
-        else
+          else
-          echo "publish=false" >> $GITHUB_OUTPUT
+            echo "publish=false" >> $GITHUB_OUTPUT
-        fi
+          fi
-    - name: Job summary
+      - name: Job summary
-      run: |
+        run: |
-        echo "Chart linting has been completed." >> $GITHUB_STEP_SUMMARY
+          echo "Chart linting has been completed." >> $GITHUB_STEP_SUMMARY
-        echo "" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
-        echo "**Status:**" >> $GITHUB_STEP_SUMMARY
+          echo "**Status:**" >> $GITHUB_STEP_SUMMARY
-        echo "- chart version in master: ${{ env.CHART_VERSION_IN_MASTER }}" >> $GITHUB_STEP_SUMMARY
+          echo "- chart version in master: ${{ env.CHART_VERSION_IN_MASTER }}" >> $GITHUB_STEP_SUMMARY
-        echo "- latest chart version: ${{ env.LATEST_CHART_VERSION }}" >> $GITHUB_STEP_SUMMARY
+          echo "- latest chart version: ${{ env.LATEST_CHART_VERSION }}" >> $GITHUB_STEP_SUMMARY
-        echo "- publish new chart: ${{ steps.publish-chart-step.outputs.publish }}" >> $GITHUB_STEP_SUMMARY
+          echo "- publish new chart: ${{ steps.publish-chart-step.outputs.publish }}" >> $GITHUB_STEP_SUMMARY
  publish-chart:
    if: needs.lint-chart.outputs.publish-chart == 'true'
@ -133,80 +133,80 @@ jobs:
      CHART_TARGET_BRANCH: master
    steps:
-    - name: Checkout
+      - name: Checkout
-      uses: actions/checkout@v3
+        uses: actions/checkout@v5
-      with:
+        with:
-        fetch-depth: 0
+          fetch-depth: 0
-    - name: Configure Git
+      - name: Configure Git
-      run: |
+        run: |
-        git config user.name "$GITHUB_ACTOR"
+          git config user.name "$GITHUB_ACTOR"
-        git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
-    - name: Get Token
+      - name: Get Token
-      id: get_workflow_token
+        id: get_workflow_token
-      uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
+        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
-      with:
+        with:
-        application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
+          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
-        application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
+          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
-        organization: ${{ env.CHART_TARGET_ORG }}
+          organization: ${{ env.CHART_TARGET_ORG }}
-    - name: Install chart-releaser
+      - name: Install chart-releaser
-      uses: helm/chart-releaser-action@v1.4.1
+        uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f
-      with:
+        with:
-        install_only: true
+          install_only: true
-        install_dir: ${{ github.workspace }}/bin
+          install_dir: ${{ github.workspace }}/bin
-    - name: Package and upload release assets
+      - name: Package and upload release assets
-      run: |
+        run: |
-        cr package \
+          cr package \
-          ${{ github.workspace }}/charts/actions-runner-controller/ \
+            ${{ github.workspace }}/charts/actions-runner-controller/ \
-          --package-path .cr-release-packages
+            --package-path .cr-release-packages
-        cr upload \
+          cr upload \
-          --owner "$(echo ${{ github.repository }} | cut -d '/' -f 1)" \
+            --owner "$(echo ${{ github.repository }} | cut -d '/' -f 1)" \
-          --git-repo "$(echo ${{ github.repository }} | cut -d '/' -f 2)" \
+            --git-repo "$(echo ${{ github.repository }} | cut -d '/' -f 2)" \
-          --package-path .cr-release-packages \
+            --package-path .cr-release-packages \
-          --token ${{ secrets.GITHUB_TOKEN }}
+            --token ${{ secrets.GITHUB_TOKEN }}
-    - name: Generate updated index.yaml
+      - name: Generate updated index.yaml
-      run: |
+        run: |
-        cr index \
+          cr index \
-          --owner "$(echo ${{ github.repository }} | cut -d '/' -f 1)" \
+            --owner "$(echo ${{ github.repository }} | cut -d '/' -f 1)" \
-          --git-repo "$(echo ${{ github.repository }} | cut -d '/' -f 2)" \
+            --git-repo "$(echo ${{ github.repository }} | cut -d '/' -f 2)" \
-          --index-path ${{ github.workspace }}/index.yaml \
+            --index-path ${{ github.workspace }}/index.yaml \
-          --token ${{ secrets.GITHUB_TOKEN }} \
+            --token ${{ secrets.GITHUB_TOKEN }} \
-          --push \
+            --push \
-          --pages-branch 'gh-pages' \
+            --pages-branch 'gh-pages' \
-          --pages-index-path 'index.yaml'
+            --pages-index-path 'index.yaml'
-    # Chart Release was never intended to publish to a different repo
+      # Chart Release was never intended to publish to a different repo
-    # this workaround is intended to move the index.yaml to the target repo
+      # this workaround is intended to move the index.yaml to the target repo
-    # where the github pages are hosted
+      # where the github pages are hosted
-    - name: Checkout target repository
+      - name: Checkout target repository
-      uses: actions/checkout@v3
+        uses: actions/checkout@v5
-      with:
+        with:
-        repository: ${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}
+          repository: ${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}
-        path: ${{ env.CHART_TARGET_REPO }}
+          path: ${{ env.CHART_TARGET_REPO }}
-        ref: ${{ env.CHART_TARGET_BRANCH }}
+          ref: ${{ env.CHART_TARGET_BRANCH }}
-        token: ${{ steps.get_workflow_token.outputs.token }}
+          token: ${{ steps.get_workflow_token.outputs.token }}
-    - name: Copy index.yaml
+      - name: Copy index.yaml
-      run: |
+        run: |
-        cp ${{ github.workspace }}/index.yaml ${{ env.CHART_TARGET_REPO }}/actions-runner-controller/index.yaml
+          cp ${{ github.workspace }}/index.yaml ${{ env.CHART_TARGET_REPO }}/actions-runner-controller/index.yaml
-    - name: Commit and push to target repository
+      - name: Commit and push to target repository
-      run: |
+        run: |
-        git config user.name "$GITHUB_ACTOR"
+          git config user.name "$GITHUB_ACTOR"
-        git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
-        git add .
+          git add .
-        git commit -m "Update index.yaml"
+          git commit -m "Update index.yaml"
-        git push
+          git push
-      working-directory: ${{ github.workspace }}/${{ env.CHART_TARGET_REPO }}
+        working-directory: ${{ github.workspace }}/${{ env.CHART_TARGET_REPO }}
-    - name: Job summary
+      - name: Job summary
-      run: |
+        run: |
-        echo "New helm chart has been published" >> $GITHUB_STEP_SUMMARY
+          echo "New helm chart has been published" >> $GITHUB_STEP_SUMMARY
-        echo "" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
-        echo "**Status:**" >> $GITHUB_STEP_SUMMARY
+          echo "**Status:**" >> $GITHUB_STEP_SUMMARY
-        echo "- New [index.yaml](https://github.com/${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}/tree/master/actions-runner-controller) pushed" >> $GITHUB_STEP_SUMMARY
+          echo "- New [index.yaml](https://github.com/${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}/tree/master/actions-runner-controller) pushed" >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/arc-publish.yaml
+++ b/.github/workflows/arc-publish.yaml
@ -9,17 +9,17 @@ on:
  workflow_dispatch:
    inputs:
      release_tag_name:
-        description: 'Tag name of the release to publish'
+        description: "Tag name of the release to publish"
        required: true
      push_to_registries:
-        description: 'Push images to registries'
+        description: "Push images to registries"
        required: true
        type: boolean
        default: false
 permissions:
- contents: write
+  contents: write
- packages: write
+  packages: write
 env:
  TARGET_ORG: actions-runner-controller
@ -39,11 +39,11 @@ jobs:
    if: ${{ !startsWith(github.event.inputs.release_tag_name, 'gha-runner-scale-set-') }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v6
        with:
-          go-version-file: 'go.mod'
+          go-version-file: "go.mod"
      - name: Install tools
        run: |
@ -73,7 +73,7 @@ jobs:
      - name: Get Token
        id: get_workflow_token
-        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
+        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
--- a/.github/workflows/arc-release-runners.yaml
+++ b/.github/workflows/arc-release-runners.yaml
@ -7,10 +7,10 @@ on:
  # are available to the workflow run
  push:
    branches:
-      - 'master'
+      - "master"
    paths:
-      - 'runner/VERSION'
+      - "runner/VERSION"
-      - '.github/workflows/arc-release-runners.yaml'
+      - ".github/workflows/arc-release-runners.yaml"
 env:
  # Safeguard to prevent pushing images to registeries after build
@ -28,7 +28,7 @@ jobs:
    name: Trigger Build and Push of Runner Images
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
      - name: Get runner version
        id: versions
        run: |
@ -39,7 +39,7 @@ jobs:
      - name: Get Token
        id: get_workflow_token
-        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
+        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
--- a/.github/workflows/arc-update-runners-scheduled.yaml
+++ b/.github/workflows/arc-update-runners-scheduled.yaml
@ -1,6 +1,9 @@
 # This workflows polls releases from actions/runner and in case of a new one it
 # updates files containing runner version and opens a pull request.
 name: Runner Updates Check (Scheduled Job)
 permissions:
  pull-requests: write
  contents: write
 on:
  schedule:
@ -21,7 +24,7 @@ jobs:
      container_hooks_current_version: ${{ steps.container_hooks_versions.outputs.container_hooks_current_version }}
      container_hooks_latest_version: ${{ steps.container_hooks_versions.outputs.container_hooks_latest_version }}
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
      - name: Get runner current and latest versions
        id: runner_versions
@ -50,6 +53,8 @@ jobs:
  # it sets a PR name as output.
  check_pr:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    needs: check_versions
    if: needs.check_versions.outputs.runner_current_version != needs.check_versions.outputs.runner_latest_version || needs.check_versions.outputs.container_hooks_current_version != needs.check_versions.outputs.container_hooks_latest_version
    outputs:
@ -64,7 +69,7 @@ jobs:
          echo "CONTAINER_HOOKS_CURRENT_VERSION=${{ needs.check_versions.outputs.container_hooks_current_version }}"
          echo "CONTAINER_HOOKS_LATEST_VERSION=${{ needs.check_versions.outputs.container_hooks_latest_version }}"
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
      - name: PR Name
        id: pr_name
@ -119,22 +124,26 @@ jobs:
      PR_NAME: ${{ needs.check_pr.outputs.pr_name }}
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
      - name: New branch
        run: git checkout -b update-runner-"$(date +%Y-%m-%d)"
      - name: Update files
        run: |
-          sed -i "s/$RUNNER_CURRENT_VERSION/$RUNNER_LATEST_VERSION/g" runner/VERSION
+          CURRENT_VERSION="${RUNNER_CURRENT_VERSION//./\\.}"
-          sed -i "s/$RUNNER_CURRENT_VERSION/$RUNNER_LATEST_VERSION/g" runner/Makefile
+          LATEST_VERSION="${RUNNER_LATEST_VERSION//./\\.}"
-          sed -i "s/$RUNNER_CURRENT_VERSION/$RUNNER_LATEST_VERSION/g" Makefile
+          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" runner/VERSION
-          sed -i "s/$RUNNER_CURRENT_VERSION/$RUNNER_LATEST_VERSION/g" test/e2e/e2e_test.go
+          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" runner/Makefile
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" Makefile
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" test/e2e/e2e_test.go
-          sed -i "s/$CONTAINER_HOOKS_CURRENT_VERSION/$CONTAINER_HOOKS_LATEST_VERSION/g" runner/VERSION
+          CURRENT_VERSION="${CONTAINER_HOOKS_CURRENT_VERSION//./\\.}"
-          sed -i "s/$CONTAINER_HOOKS_CURRENT_VERSION/$CONTAINER_HOOKS_LATEST_VERSION/g" runner/Makefile
+          LATEST_VERSION="${CONTAINER_HOOKS_LATEST_VERSION//./\\.}"
-          sed -i "s/$CONTAINER_HOOKS_CURRENT_VERSION/$CONTAINER_HOOKS_LATEST_VERSION/g" Makefile
+          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" runner/VERSION
-          sed -i "s/$CONTAINER_HOOKS_CURRENT_VERSION/$CONTAINER_HOOKS_LATEST_VERSION/g" test/e2e/e2e_test.go
+          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" runner/Makefile
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" Makefile
          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" test/e2e/e2e_test.go
      - name: Commit changes
        run: |
--- a/.github/workflows/arc-validate-chart.yaml
+++ b/.github/workflows/arc-validate-chart.yaml
@ -5,20 +5,20 @@ on:
    branches:
      - master
    paths:
-      - 'charts/**'
+      - "charts/**"
-      - '.github/workflows/arc-validate-chart.yaml'
+      - ".github/workflows/arc-validate-chart.yaml"
-      - '!charts/actions-runner-controller/docs/**'
+      - "!charts/actions-runner-controller/docs/**"
-      - '!**.md'
+      - "!**.md"
-      - '!charts/gha-runner-scale-set-controller/**'
+      - "!charts/gha-runner-scale-set-controller/**"
-      - '!charts/gha-runner-scale-set/**'
+      - "!charts/gha-runner-scale-set/**"
  push:
    paths:
-      - 'charts/**'
+      - "charts/**"
-      - '.github/workflows/arc-validate-chart.yaml'
+      - ".github/workflows/arc-validate-chart.yaml"
-      - '!charts/actions-runner-controller/docs/**'
+      - "!charts/actions-runner-controller/docs/**"
-      - '!**.md'
+      - "!**.md"
-      - '!charts/gha-runner-scale-set-controller/**'
+      - "!charts/gha-runner-scale-set-controller/**"
-      - '!charts/gha-runner-scale-set/**'
+      - "!charts/gha-runner-scale-set/**"
  workflow_dispatch:
 env:
  KUBE_SCORE_VERSION: 1.10.0
@ -40,39 +40,22 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0
      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v3.5
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
        with:
          version: ${{ env.HELM_VERSION }}
      - name: Set up kube-score
        run: |
          wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
          chmod 755 kube-score
      - name: Kube-score generated manifests
        run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score -
              --ignore-test pod-networkpolicy
              --ignore-test deployment-has-poddisruptionbudget
              --ignore-test deployment-has-host-podantiaffinity
              --ignore-test container-security-context
              --ignore-test pod-probes
              --ignore-test container-image-tag
              --enable-optional-test container-security-context-privileged
              --enable-optional-test container-security-context-readonlyrootfilesystem
      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v6
        with:
-          python-version: '3.11'
+          python-version: "3.11"
      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.6.0
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
      - name: Run chart-testing (list-changed)
        id: list-changed
@ -87,7 +70,7 @@ jobs:
          ct lint --config charts/.ci/ct-config.yaml
      - name: Create kind cluster
-        uses: helm/kind-action@v1.4.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
        if: steps.list-changed.outputs.changed == 'true'
      # We need cert-manager already installed in the cluster because we assume the CRDs exist
--- a/.github/workflows/arc-validate-runners.yaml
+++ b/.github/workflows/arc-validate-runners.yaml
@ -3,11 +3,11 @@ name: Validate ARC Runners
 on:
  pull_request:
    branches:
-      - '**'
+      - "**"
    paths:
-      - 'runner/**'
+      - "runner/**"
-      - 'test/startup/**'
+      - "test/startup/**"
-      - '!**.md'
+      - "!**.md"
 permissions:
  contents: read
@ -24,29 +24,17 @@ jobs:
    name: runner / shellcheck
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
-      - name: shellcheck
+      - name: "Run shellcheck"
-        uses: reviewdog/action-shellcheck@v1
+        run: make shellcheck
-        with:
+
          github_token: ${{ secrets.GITHUB_TOKEN }}
          path: "./runner"
          pattern: |
            *.sh
            *.bash
            update-status
          # Make this consistent with `make shellsheck`
          shellcheck_flags: "--shell bash --source-path runner"
          exclude: "./.git/*"
          check_all_files_with_shebangs: "false"
          # Set this to "true" once we addressed all the shellcheck findings
          fail_on_error: "false"
  test-runner-entrypoint:
    name: Test entrypoint
    runs-on: ubuntu-latest
    steps:
-    - name: Checkout
+      - name: Checkout
-      uses: actions/checkout@v3
+        uses: actions/checkout@v5
-    - name: Run tests
+      - name: Run tests
-      run: |
+        run: |
-        make acceptance/runner/startup
+          make acceptance/runner/startup
--- a/.github/workflows/gha-e2e-tests.yaml
+++ b/.github/workflows/gha-e2e-tests.yaml
@ -16,7 +16,7 @@ env:
  TARGET_ORG: actions-runner-controller
  TARGET_REPO: arc_e2e_test_dummy
  IMAGE_NAME: "arc-test-image"
-  IMAGE_VERSION: "0.8.0"
+  IMAGE_VERSION: "0.13.0"
 concurrency:
  # This will make sure we only apply the concurrency limits on pull requests
@ -33,7 +33,7 @@ jobs:
    env:
      WORKFLOW_FILE: "arc-test-workflow.yaml"
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
        with:
          ref: ${{github.head_ref}}
@ -103,6 +103,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems
          sleep 60
      - name: Test ARC E2E
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@ -122,7 +124,7 @@ jobs:
    env:
      WORKFLOW_FILE: "arc-test-workflow.yaml"
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
        with:
          ref: ${{github.head_ref}}
@ -194,6 +196,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems
          sleep 60
      - name: Test ARC E2E
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@ -213,7 +217,7 @@ jobs:
    env:
      WORKFLOW_FILE: arc-test-dind-workflow.yaml
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
        with:
          ref: ${{github.head_ref}}
@ -284,6 +288,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems
          sleep 60
      - name: Test ARC E2E
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@ -303,7 +309,7 @@ jobs:
    env:
      WORKFLOW_FILE: "arc-test-kubernetes-workflow.yaml"
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
        with:
          ref: ${{github.head_ref}}
@ -383,6 +389,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems
          sleep 60
      - name: Test ARC E2E
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@ -402,7 +410,7 @@ jobs:
    env:
      WORKFLOW_FILE: "arc-test-workflow.yaml"
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
        with:
          ref: ${{github.head_ref}}
@ -484,6 +492,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems
          sleep 60
      - name: Test ARC E2E
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@ -503,7 +513,7 @@ jobs:
    env:
      WORKFLOW_FILE: "arc-test-workflow.yaml"
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
        with:
          ref: ${{github.head_ref}}
@ -579,6 +589,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems
          sleep 60
      - name: Test ARC E2E
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@ -598,7 +610,7 @@ jobs:
    env:
      WORKFLOW_FILE: "arc-test-workflow.yaml"
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
        with:
          ref: ${{github.head_ref}}
@ -699,6 +711,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems
          sleep 60
      - name: Test ARC E2E
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@ -718,7 +732,7 @@ jobs:
    env:
      WORKFLOW_FILE: "arc-test-sleepy-matrix.yaml"
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
        with:
          ref: ${{github.head_ref}}
@ -789,6 +803,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems
          sleep 60
      - name: Trigger long running jobs and wait for runners to pick them up
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@ -888,7 +904,7 @@ jobs:
    env:
      WORKFLOW_FILE: arc-test-workflow.yaml
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
        with:
          ref: ${{ github.head_ref }}
--- a/.github/workflows/gha-publish-chart.yaml
+++ b/.github/workflows/gha-publish-chart.yaml
@ -4,27 +4,27 @@ on:
  workflow_dispatch:
    inputs:
      ref:
-        description: 'The branch, tag or SHA to cut a release from'
+        description: "The branch, tag or SHA to cut a release from"
        required: false
        type: string
-        default: ''
+        default: ""
      release_tag_name:
-        description: 'The name to tag the controller image with'
+        description: "The name to tag the controller image with"
        required: true
        type: string
-        default: 'canary'
+        default: "canary"
      push_to_registries:
-        description: 'Push images to registries'
+        description: "Push images to registries"
        required: true
        type: boolean
        default: false
      publish_gha_runner_scale_set_controller_chart:
-        description: 'Publish new helm chart for gha-runner-scale-set-controller'
+        description: "Publish new helm chart for gha-runner-scale-set-controller"
        required: true
        type: boolean
        default: false
      publish_gha_runner_scale_set_chart:
-        description: 'Publish new helm chart for gha-runner-scale-set'
+        description: "Publish new helm chart for gha-runner-scale-set"
        required: true
        type: boolean
        default: false
@ -45,7 +45,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
        with:
          # If inputs.ref is empty, it'll resolve to the default branch
          ref: ${{ inputs.ref }}
@ -72,10 +72,10 @@ jobs:
          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
        with:
          # Pinning v0.9.1 for Buildx and BuildKit v0.10.6
          # BuildKit v0.11 which has a bug causing intermittent
@ -84,14 +84,14 @@ jobs:
          driver-opts: image=moby/buildkit:v0.10.6
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build & push controller image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
        with:
          file: Dockerfile
          platforms: linux/amd64,linux/arm64
@ -100,8 +100,6 @@ jobs:
          tags: |
            ghcr.io/${{ steps.resolve_parameters.outputs.repository_owner }}/gha-runner-scale-set-controller:${{ inputs.release_tag_name }}
            ghcr.io/${{ steps.resolve_parameters.outputs.repository_owner }}/gha-runner-scale-set-controller:${{ inputs.release_tag_name }}-${{ steps.resolve_parameters.outputs.short_sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Job summary
        run: |
@ -121,7 +119,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
        with:
          # If inputs.ref is empty, it'll resolve to the default branch
          ref: ${{ inputs.ref }}
@ -140,8 +138,7 @@ jobs:
          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v3.5
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
        with:
          version: ${{ env.HELM_VERSION }}
@ -169,7 +166,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
        with:
          # If inputs.ref is empty, it'll resolve to the default branch
          ref: ${{ inputs.ref }}
@ -188,8 +185,7 @@ jobs:
          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v3.5
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
        with:
          version: ${{ env.HELM_VERSION }}
--- a/.github/workflows/gha-validate-chart.yaml
+++ b/.github/workflows/gha-validate-chart.yaml
@ -5,20 +5,20 @@ on:
    branches:
      - master
    paths:
-      - 'charts/**'
+      - "charts/**"
-      - '.github/workflows/gha-validate-chart.yaml'
+      - ".github/workflows/gha-validate-chart.yaml"
-      - '!charts/actions-runner-controller/**'
+      - "!charts/actions-runner-controller/**"
-      - '!**.md'
+      - "!**.md"
  push:
    paths:
-      - 'charts/**'
+      - "charts/**"
-      - '.github/workflows/gha-validate-chart.yaml'
+      - ".github/workflows/gha-validate-chart.yaml"
-      - '!charts/actions-runner-controller/**'
+      - "!charts/actions-runner-controller/**"
-      - '!**.md'
+      - "!**.md"
  workflow_dispatch:
 env:
  KUBE_SCORE_VERSION: 1.16.1
-  HELM_VERSION: v3.8.0
+  HELM_VERSION: v3.17.0
 permissions:
  contents: read
@ -36,39 +36,22 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0
      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v3.5
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
        with:
          version: ${{ env.HELM_VERSION }}
      - name: Set up kube-score
        run: |
          wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
          chmod 755 kube-score
      - name: Kube-score generated manifests
        run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score -
              --ignore-test pod-networkpolicy
              --ignore-test deployment-has-poddisruptionbudget
              --ignore-test deployment-has-host-podantiaffinity
              --ignore-test container-security-context
              --ignore-test pod-probes
              --ignore-test container-image-tag
              --enable-optional-test container-security-context-privileged
              --enable-optional-test container-security-context-readonlyrootfilesystem
      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v6
        with:
-          python-version: '3.11'
+          python-version: "3.11"
      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.6.0
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
      - name: Run chart-testing (list-changed)
        id: list-changed
@ -84,13 +67,13 @@ jobs:
          ct lint --config charts/.ci/ct-config-gha.yaml
      - name: Set up docker buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
        if: steps.list-changed.outputs.changed == 'true'
        with:
          version: latest
      - name: Build controller image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
        if: steps.list-changed.outputs.changed == 'true'
        with:
          file: Dockerfile
@ -105,7 +88,7 @@ jobs:
          cache-to: type=gha,mode=max
      - name: Create kind cluster
-        uses: helm/kind-action@v1.4.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
        if: steps.list-changed.outputs.changed == 'true'
        with:
          cluster_name: chart-testing
@ -113,13 +96,27 @@ jobs:
      - name: Load image into cluster
        if: steps.list-changed.outputs.changed == 'true'
        run: |
-            export DOCKER_IMAGE_NAME=test-arc
+          export DOCKER_IMAGE_NAME=test-arc
-            export VERSION=dev
+          export VERSION=dev
-            export IMG_RESULT=load
+          export IMG_RESULT=load
-            make docker-buildx
+          make docker-buildx
-            kind load docker-image test-arc:dev --name chart-testing
+          kind load docker-image test-arc:dev --name chart-testing
      - name: Run chart-testing (install)
        if: steps.list-changed.outputs.changed == 'true'
        run: |
          ct install --config charts/.ci/ct-config-gha.yaml
  test-chart:
    name: Test Chart
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v5
      - uses: actions/setup-go@v6
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Test gha-runner-scale-set
        run: go test ./charts/gha-runner-scale-set/...
      - name: Test gha-runner-scale-set-controller
        run: go test ./charts/gha-runner-scale-set-controller/...
--- a/.github/workflows/global-publish-canary.yaml
+++ b/.github/workflows/global-publish-canary.yaml
@ -7,30 +7,30 @@ on:
    branches:
      - master
    paths-ignore:
-      - '**.md'
+      - "**.md"
-      - '.github/actions/**'
+      - ".github/actions/**"
-      - '.github/ISSUE_TEMPLATE/**'
+      - ".github/ISSUE_TEMPLATE/**"
-      - '.github/workflows/e2e-test-dispatch-workflow.yaml'
+      - ".github/workflows/e2e-test-dispatch-workflow.yaml"
-      - '.github/workflows/gha-e2e-tests.yaml'
+      - ".github/workflows/gha-e2e-tests.yaml"
-      - '.github/workflows/arc-publish.yaml'
+      - ".github/workflows/arc-publish.yaml"
-      - '.github/workflows/arc-publish-chart.yaml'
+      - ".github/workflows/arc-publish-chart.yaml"
-      - '.github/workflows/gha-publish-chart.yaml'
+      - ".github/workflows/gha-publish-chart.yaml"
-      - '.github/workflows/arc-release-runners.yaml'
+      - ".github/workflows/arc-release-runners.yaml"
-      - '.github/workflows/global-run-codeql.yaml'
+      - ".github/workflows/global-run-codeql.yaml"
-      - '.github/workflows/global-run-first-interaction.yaml'
+      - ".github/workflows/global-run-first-interaction.yaml"
-      - '.github/workflows/global-run-stale.yaml'
+      - ".github/workflows/global-run-stale.yaml"
-      - '.github/workflows/arc-update-runners-scheduled.yaml'
+      - ".github/workflows/arc-update-runners-scheduled.yaml"
-      - '.github/workflows/validate-arc.yaml'
+      - ".github/workflows/validate-arc.yaml"
-      - '.github/workflows/arc-validate-chart.yaml'
+      - ".github/workflows/arc-validate-chart.yaml"
-      - '.github/workflows/gha-validate-chart.yaml'
+      - ".github/workflows/gha-validate-chart.yaml"
-      - '.github/workflows/arc-validate-runners.yaml'
+      - ".github/workflows/arc-validate-runners.yaml"
-      - '.github/dependabot.yml'
+      - ".github/dependabot.yml"
-      - '.github/RELEASE_NOTE_TEMPLATE.md'
+      - ".github/RELEASE_NOTE_TEMPLATE.md"
-      - 'runner/**'
+      - "runner/**"
-      - '.gitignore'
+      - ".gitignore"
-      - 'PROJECT'
+      - "PROJECT"
-      - 'LICENSE'
+      - "LICENSE"
-      - 'Makefile'
+      - "Makefile"
 # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
 permissions:
@ -55,11 +55,11 @@ jobs:
      TARGET_REPO: actions-runner-controller
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
      - name: Get Token
        id: get_workflow_token
-        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
+        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343
        with:
          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
@ -90,10 +90,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@ -110,16 +110,16 @@ jobs:
          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
        with:
          version: latest
      # Unstable builds - run at your own risk
      - name: Build and Push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
        with:
          context: .
          file: ./Dockerfile
--- a/.github/workflows/global-run-codeql.yaml
+++ b/.github/workflows/global-run-codeql.yaml
@ -25,20 +25,20 @@ jobs:
      security-events: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
      - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v4
        with:
-          languages: go
+          languages: go, actions
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v4
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v4
--- a/.github/workflows/global-run-first-interaction.yaml
+++ b/.github/workflows/global-run-first-interaction.yaml
@ -1,5 +1,10 @@
 name: First Interaction
 permissions:
  contents: read
  issues: write
  pull-requests: write
 on:
  issues:
    types: [opened]
@ -11,11 +16,11 @@ jobs:
  check_for_first_interaction:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
-      - uses: actions/first-interaction@main
+      - uses: actions/first-interaction@v3
        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          issue-message: |
+          issue_message: |
            Hello! Thank you for filing an issue.
            The maintainers will triage your issue shortly.
@ -23,7 +28,7 @@ jobs:
            In the meantime, please take a look at the [troubleshooting guide](https://github.com/actions/actions-runner-controller/blob/master/TROUBLESHOOTING.md) for bug reports.
            If this is a feature request, please review our [contribution guidelines](https://github.com/actions/actions-runner-controller/blob/master/CONTRIBUTING.md).
-          pr-message: |
+          pr_message: |
            Hello! Thank you for your contribution.
            Please review our [contribution guidelines](https://github.com/actions/actions-runner-controller/blob/master/CONTRIBUTING.md) to understand the project's testing and code conventions.
--- a/.github/workflows/global-run-stale.yaml
+++ b/.github/workflows/global-run-stale.yaml
@ -14,7 +14,7 @@ jobs:
      issues: write         # for actions/stale to close stale issues
      pull-requests: write  # for actions/stale to close stale PRs
    steps:
-      - uses: actions/stale@v6
+      - uses: actions/stale@v10
        with:
          stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
          # turn off stale for both issues and PRs
--- a/.github/workflows/go.yaml
+++ b/.github/workflows/go.yaml
@ -4,16 +4,16 @@ on:
    branches:
      - master
    paths:
-      - '.github/workflows/go.yaml'
+      - ".github/workflows/go.yaml"
-      - '**.go'
+      - "**.go"
-      - 'go.mod'
+      - "go.mod"
-      - 'go.sum'
+      - "go.sum"
  pull_request:
    paths:
-      - '.github/workflows/go.yaml'
+      - ".github/workflows/go.yaml"
-      - '**.go'
+      - "**.go"
-      - 'go.mod'
+      - "go.mod"
-      - 'go.sum'
+      - "go.sum"
 permissions:
  contents: read
@ -29,10 +29,10 @@ jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v6
        with:
-          go-version-file: 'go.mod'
+          go-version-file: "go.mod"
          cache: false
      - name: fmt
        run: go fmt ./...
@ -42,24 +42,24 @@ jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v6
        with:
-          go-version-file: 'go.mod'
+          go-version-file: "go.mod"
          cache: false
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9
        with:
          only-new-issues: true
-          version: v1.55.2
+          version: v2.5.0
  generate:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v6
        with:
-          go-version-file: 'go.mod'
+          go-version-file: "go.mod"
          cache: false
      - name: Generate
        run: make generate
@ -69,10 +69,10 @@ jobs:
  test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v6
        with:
-          go-version-file: 'go.mod'
+          go-version-file: "go.mod"
      - run: make manifests
      - name: Check diff
        run: git diff --exit-code
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -1,17 +1,14 @@
 version: "2"
 run:
-  timeout: 3m
+  timeout: 5m
-output:
+linters:
-  format: github-actions
+  settings:
-linters-settings:
+    errcheck:
-  errcheck:
+      exclude-functions:
-    exclude-functions:
+        - (net/http.ResponseWriter).Write
-      - (net/http.ResponseWriter).Write
+        - (*net/http.Server).Shutdown
-      - (*net/http.Server).Shutdown
+        - (*github.com/actions/actions-runner-controller/simulator.VisibleRunnerGroups).Add
-      - (*github.com/actions/actions-runner-controller/simulator.VisibleRunnerGroups).Add
+        - (*github.com/actions/actions-runner-controller/testing.Kind).Stop
-      - (*github.com/actions/actions-runner-controller/testing.Kind).Stop
+  exclusions:
-issues:
+    presets:
-  exclude-rules:
+      - std-error-handling
    - path: controllers/suite_test.go
      linters:
        - staticcheck
      text: "SA1019"
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 # actions-runner-controller maintainers
-* @mumoshu @toast-gear @actions/actions-launch @nikola-jokic
+* @mumoshu @toast-gear @actions/actions-launch @actions/actions-compute @nikola-jokic @rentziass
--- a/6
+++ b/6
@ -1,5 +1,5 @@
 # Build the manager binary
-FROM --platform=$BUILDPLATFORM golang:1.21.3 as builder
+FROM --platform=$BUILDPLATFORM golang:1.25.1 AS builder
 WORKDIR /workspace
@ -30,14 +30,13 @@ ARG TARGETPLATFORM TARGETOS TARGETARCH TARGETVARIANT VERSION=dev COMMIT_SHA=dev
 # to avoid https://github.com/moby/buildkit/issues/2334
 # We can use docker layer cache so the build is fast enogh anyway
 # We also use per-platform GOCACHE for the same reason.
-ENV GOCACHE /build/${TARGETPLATFORM}/root/.cache/go-build
+ENV GOCACHE="/build/${TARGETPLATFORM}/root/.cache/go-build"
 # Build
 RUN --mount=target=. \
  --mount=type=cache,mode=0777,target=${GOCACHE} \
  export GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOARM=${TARGETVARIANT#v} && \
  go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=${COMMIT_SHA}'" -o /out/manager main.go && \
  go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=${COMMIT_SHA}'" -o /out/github-runnerscaleset-listener ./cmd/githubrunnerscalesetlistener && \
  go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=${COMMIT_SHA}'" -o /out/ghalistener ./cmd/ghalistener && \
  go build -trimpath -ldflags="-s -w" -o /out/github-webhook-server ./cmd/githubwebhookserver && \
  go build -trimpath -ldflags="-s -w" -o /out/actions-metrics-server ./cmd/actionsmetricsserver && \
@ -52,7 +51,6 @@ WORKDIR /
 COPY --from=builder /out/manager .
 COPY --from=builder /out/github-webhook-server .
 COPY --from=builder /out/actions-metrics-server .
 COPY --from=builder /out/github-runnerscaleset-listener .
 COPY --from=builder /out/ghalistener .
 COPY --from=builder /out/sleep .
--- a/19
+++ b/19
@ -6,7 +6,7 @@ endif
 DOCKER_USER ?= $(shell echo ${DOCKER_IMAGE_NAME} | cut -d / -f1)
 VERSION ?= dev
 COMMIT_SHA = $(shell git rev-parse HEAD)
-RUNNER_VERSION ?= 2.311.0
+RUNNER_VERSION ?= 2.329.0
 TARGETPLATFORM ?= $(shell arch)
 RUNNER_NAME ?= ${DOCKER_USER}/actions-runner
 RUNNER_TAG  ?= ${VERSION}
@ -20,10 +20,10 @@ KUBECONTEXT ?= kind-acceptance
 CLUSTER ?= acceptance
 CERT_MANAGER_VERSION ?= v1.1.1
 KUBE_RBAC_PROXY_VERSION ?= v0.11.0
-SHELLCHECK_VERSION ?= 0.8.0
+SHELLCHECK_VERSION ?= 0.10.0
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
-CRD_OPTIONS ?= "crd:generateEmbeddedObjectMeta=true"
+CRD_OPTIONS ?= "crd:generateEmbeddedObjectMeta=true,allowDangerousTypes=true"
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@ -68,7 +68,7 @@ endif
 all: manager
 lint:
-	docker run --rm -v $(PWD):/app -w /app golangci/golangci-lint:v1.55.2 golangci-lint run
+	docker run --rm -v $(PWD):/app -w /app golangci/golangci-lint:v2.5.0 golangci-lint run
 GO_TEST_ARGS ?= -short
@ -87,7 +87,7 @@ test-with-deps: kube-apiserver etcd kubectl
 # Build manager binary
 manager: generate fmt vet
 	go build -o bin/manager main.go
-	go build -o bin/github-runnerscaleset-listener ./cmd/githubrunnerscalesetlistener
+	go build -o bin/github-runnerscaleset-listener ./cmd/ghalistener
 # Run against the configured Kubernetes cluster in ~/.kube/config
 run: generate fmt vet manifests
@ -117,9 +117,6 @@ manifests: manifests-gen-crds chart-crds
 manifests-gen-crds: controller-gen yq
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 	for YAMLFILE in config/crd/bases/actions*.yaml; do \
 		$(YQ) '.spec.preserveUnknownFields = false' --inplace "$$YAMLFILE" ; \
 	done
 	make manifests-gen-crds-fix DELETE_KEY=x-kubernetes-list-type
 	make manifests-gen-crds-fix DELETE_KEY=x-kubernetes-list-map-keys
@ -204,7 +201,7 @@ generate: controller-gen
 # Run shellcheck on runner scripts
 shellcheck: shellcheck-install
-	$(TOOLS_PATH)/shellcheck --shell bash --source-path runner runner/*.sh hack/*.sh
+	$(TOOLS_PATH)/shellcheck --shell bash --source-path runner runner/*.sh runner/update-status hack/*.sh
 docker-buildx:
 	export DOCKER_CLI_EXPERIMENTAL=enabled ;\
@ -310,7 +307,7 @@ github-release: release
 # Otherwise we get errors like the below:
 #   Error: failed to install CRD crds/actions.summerwind.dev_runnersets.yaml: CustomResourceDefinition.apiextensions.k8s.io "runnersets.actions.summerwind.dev" is invalid: [spec.validation.openAPIV3Schema.properties[spec].properties[template].properties[spec].properties[containers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property, spec.validation.openAPIV3Schema.properties[spec].properties[template].properties[spec].properties[initContainers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property]
 #
-# Note that controller-gen newer than 0.6.0 is needed due to https://github.com/kubernetes-sigs/controller-tools/issues/448
+# Note that controller-gen newer than 0.8.0 is needed due to https://github.com/kubernetes-sigs/controller-tools/issues/448
 # Otherwise ObjectMeta embedded in Spec results in empty on the storage.
 controller-gen:
 ifeq (, $(shell which controller-gen))
@ -320,7 +317,7 @@ ifeq (, $(wildcard $(GOBIN)/controller-gen))
 	CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
 	cd $$CONTROLLER_GEN_TMP_DIR ;\
 	go mod init tmp ;\
-	go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.13.0 ;\
+	go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.19.0 ;\
 	rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
 	}
 endif
--- a/README.md
+++ b/README.md
@ -11,21 +11,22 @@ Actions Runner Controller (ARC) is a Kubernetes operator that orchestrates and s
 With ARC, you can create runner scale sets that automatically scale based on the number of workflows running in your repository, organization, or enterprise. Because controlled runners can be ephemeral and based on containers, new runner instances can scale up or down rapidly and cleanly. For more information about autoscaling, see ["Autoscaling with self-hosted runners."](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners)
 You can set up ARC on Kubernetes using Helm, then create and run a workflow that uses runner scale sets. For more information about runner scale sets, see ["Deploying runner scale sets with Actions Runner Controller."](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#runner-scale-set)
 ## People
 Actions Runner Controller (ARC) is an open-source project currently developed and maintained in collaboration with the GitHub Actions team, external maintainers @mumoshu and @toast-gear, various [contributors](https://github.com/actions/actions-runner-controller/graphs/contributors), and the [awesome community](https://github.com/actions/actions-runner-controller/discussions).
 If you think the project is awesome and is adding value to your business, please consider directly sponsoring [community maintainers](https://github.com/sponsors/actions-runner-controller) and individual contributors via GitHub Sponsors.
-In case you are already the employer of one of contributors, sponsoring via GitHub Sponsors might not be an option. Just support them in other means!
+If you are already the employer of one of the contributors, sponsoring via GitHub Sponsors might not be an option. Just support them by other means!
 See [the sponsorship dashboard](https://github.com/sponsors/actions-runner-controller) for the former and the current sponsors.
 ## Getting Started
-To give ARC a try with just a handful of commands, Please refer to the [Quickstart guide](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller).
+To give ARC a try with just a handful of commands, please refer to the [Quickstart guide](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller).
-For an overview of ARC, please refer to [About ARC](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller)
+For an overview of ARC, please refer to [About ARC](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller).
 With the introduction of [autoscaling runner scale sets](https://github.com/actions/actions-runner-controller/discussions/2775), the existing [autoscaling modes](./docs/automatically-scaling-runners.md) are now legacy. The legacy modes have certain use cases and will continue to be maintained by the community only.
@ -37,7 +38,7 @@ ARC documentation is available on [docs.github.com](https://docs.github.com/en/a
 ### Legacy documentation
-The following documentation is for the legacy autoscaling modes that continue to be maintained by the community
+The following documentation is for the legacy autoscaling modes that continue to be maintained by the community:
 - [Quickstart guide](/docs/quickstart.md)
 - [About ARC](/docs/about-arc.md)
--- a/acceptance/pipelines/eks-integration-tests.yaml
+++ b/acceptance/pipelines/eks-integration-tests.yaml
@ -10,16 +10,17 @@ env:
 jobs:
  assume-role-in-runner-test:
-    runs-on: ['self-hosted', 'Linux']
+    runs-on: ["self-hosted", "Linux"]
    steps:
      - name: Test aws-actions/configure-aws-credentials Action
-        uses: aws-actions/configure-aws-credentials@v1
+        # https://github.com/aws-actions/configure-aws-credentials/releases/tag/v4.1.0
        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ env.ASSUME_ROLE_ARN }}
          role-duration-seconds: 900
  assume-role-in-container-test:
-    runs-on: ['self-hosted', 'Linux']
+    runs-on: ["self-hosted", "Linux"]
    container:
      image: amazon/aws-cli
      env:
@ -29,7 +30,8 @@ jobs:
        - /var/run/secrets/eks.amazonaws.com/serviceaccount/token:/var/run/secrets/eks.amazonaws.com/serviceaccount/token
    steps:
      - name: Test aws-actions/configure-aws-credentials Action in container
-        uses: aws-actions/configure-aws-credentials@v1
+        # https://github.com/aws-actions/configure-aws-credentials/releases/tag/v4.1.0
        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ env.ASSUME_ROLE_ARN }}
--- a/acceptance/pipelines/runner-integration-tests.yaml
+++ b/acceptance/pipelines/runner-integration-tests.yaml
@ -8,7 +8,7 @@ env:
 jobs:
  run-step-in-container-test:
-    runs-on: ['self-hosted', 'Linux']
+    runs-on: ["self-hosted", "Linux"]
    container:
      image: alpine
    steps:
@ -21,7 +21,7 @@ jobs:
              exit 1
          fi
  setup-python-test:
-    runs-on: ['self-hosted', 'Linux']
+    runs-on: ["self-hosted", "Linux"]
    steps:
      - name: Print native Python environment
        run: |
@ -41,11 +41,11 @@ jobs:
            echo "Python version detected : $(python --version 2>&1)"
          fi
  setup-node-test:
-    runs-on: ['self-hosted', 'Linux']
+    runs-on: ["self-hosted", "Linux"]
    steps:
      - uses: actions/setup-node@v2
        with:
-          node-version: '12'
+          node-version: "12"
      - name: Test actions/setup-node works
        run: |
          VERSION=$(node --version | cut -c 2- | cut -d '.' -f1)
@ -57,9 +57,10 @@ jobs:
            echo "Node version detected : $(node --version 2>&1)"
          fi
  setup-ruby-test:
-    runs-on: ['self-hosted', 'Linux']
+    runs-on: ["self-hosted", "Linux"]
    steps:
-      - uses: ruby/setup-ruby@v1
+      # https://github.com/ruby/setup-ruby/releases/tag/v1.227.0
      - uses: ruby/setup-ruby@1a615958ad9d422dd932dc1d5823942ee002799f
        with:
          ruby-version: 3.0
          bundler-cache: true
@ -74,7 +75,7 @@ jobs:
              echo "Ruby version detected : $(ruby --version 2>&1)"
          fi
  python-shell-test:
-    runs-on: ['self-hosted', 'Linux']
+    runs-on: ["self-hosted", "Linux"]
    steps:
      - name: Test Python shell works
        run: |
--- a/apis/actions.github.com/v1alpha1/appconfig/appconfig.go
+++ b/apis/actions.github.com/v1alpha1/appconfig/appconfig.go
@ -0,0 +1,89 @@
 package appconfig
 import (
 	"bytes"
 	"encoding/json"
 	"fmt"
 	"strconv"
 	corev1 "k8s.io/api/core/v1"
 )
 type AppConfig struct {
 	AppID             string `json:"github_app_id"`
 	AppInstallationID int64  `json:"github_app_installation_id"`
 	AppPrivateKey     string `json:"github_app_private_key"`
 	Token string `json:"github_token"`
 }
 func (c *AppConfig) tidy() *AppConfig {
 	if len(c.Token) > 0 {
 		return &AppConfig{
 			Token: c.Token,
 		}
 	}
 	return &AppConfig{
 		AppID:             c.AppID,
 		AppInstallationID: c.AppInstallationID,
 		AppPrivateKey:     c.AppPrivateKey,
 	}
 }
 func (c *AppConfig) Validate() error {
 	if c == nil {
 		return fmt.Errorf("missing app config")
 	}
 	hasToken := len(c.Token) > 0
 	hasGitHubAppAuth := c.hasGitHubAppAuth()
 	if hasToken && hasGitHubAppAuth {
 		return fmt.Errorf("both PAT and GitHub App credentials provided. should only provide one")
 	}
 	if !hasToken && !hasGitHubAppAuth {
 		return fmt.Errorf("no credentials provided: either a PAT or GitHub App credentials should be provided")
 	}
 	return nil
 }
 func (c *AppConfig) hasGitHubAppAuth() bool {
 	return len(c.AppID) > 0 && c.AppInstallationID > 0 && len(c.AppPrivateKey) > 0
 }
 func FromSecret(secret *corev1.Secret) (*AppConfig, error) {
 	var appInstallationID int64
 	if v := string(secret.Data["github_app_installation_id"]); v != "" {
 		val, err := strconv.ParseInt(v, 10, 64)
 		if err != nil {
 			return nil, err
 		}
 		appInstallationID = val
 	}
 	cfg := &AppConfig{
 		Token:             string(secret.Data["github_token"]),
 		AppID:             string(secret.Data["github_app_id"]),
 		AppInstallationID: appInstallationID,
 		AppPrivateKey:     string(secret.Data["github_app_private_key"]),
 	}
 	if err := cfg.Validate(); err != nil {
 		return nil, fmt.Errorf("failed to validate config: %v", err)
 	}
 	return cfg.tidy(), nil
 }
 func FromJSONString(v string) (*AppConfig, error) {
 	var appConfig AppConfig
 	if err := json.NewDecoder(bytes.NewBufferString(v)).Decode(&appConfig); err != nil {
 		return nil, err
 	}
 	if err := appConfig.Validate(); err != nil {
 		return nil, fmt.Errorf("failed to validate app config decoded from string: %w", err)
 	}
 	return appConfig.tidy(), nil
 }
--- a/apis/actions.github.com/v1alpha1/appconfig/appconfig_test.go
+++ b/apis/actions.github.com/v1alpha1/appconfig/appconfig_test.go
@ -0,0 +1,152 @@
 package appconfig
 import (
 	"encoding/json"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 )
 func TestAppConfigValidate_invalid(t *testing.T) {
 	tt := map[string]*AppConfig{
 		"empty": {},
 		"token and app config": {
 			AppID:             "1",
 			AppInstallationID: 2,
 			AppPrivateKey:     "private key",
 			Token:             "token",
 		},
 		"app id not set": {
 			AppInstallationID: 2,
 			AppPrivateKey:     "private key",
 		},
 		"app installation id not set": {
 			AppID:         "2",
 			AppPrivateKey: "private key",
 		},
 		"private key empty": {
 			AppID:             "2",
 			AppInstallationID: 1,
 			AppPrivateKey:     "",
 		},
 	}
 	for name, cfg := range tt {
 		t.Run(name, func(t *testing.T) {
 			err := cfg.Validate()
 			require.Error(t, err)
 		})
 	}
 }
 func TestAppConfigValidate_valid(t *testing.T) {
 	tt := map[string]*AppConfig{
 		"token": {
 			Token: "token",
 		},
 		"app ID": {
 			AppID:             "1",
 			AppInstallationID: 2,
 			AppPrivateKey:     "private key",
 		},
 	}
 	for name, cfg := range tt {
 		t.Run(name, func(t *testing.T) {
 			err := cfg.Validate()
 			require.NoError(t, err)
 		})
 	}
 }
 func TestAppConfigFromSecret_invalid(t *testing.T) {
 	tt := map[string]map[string]string{
 		"empty": {},
 		"token and app provided": {
 			"github_token":              "token",
 			"github_app_id":             "2",
 			"githu_app_installation_id": "3",
 			"github_app_private_key":    "private key",
 		},
 		"invalid app id": {
 			"github_app_id":             "abc",
 			"githu_app_installation_id": "3",
 			"github_app_private_key":    "private key",
 		},
 		"invalid app installation_id": {
 			"github_app_id":             "1",
 			"githu_app_installation_id": "abc",
 			"github_app_private_key":    "private key",
 		},
 		"empty private key": {
 			"github_app_id":             "1",
 			"githu_app_installation_id": "2",
 			"github_app_private_key":    "",
 		},
 	}
 	for name, data := range tt {
 		t.Run(name, func(t *testing.T) {
 			secret := &corev1.Secret{
 				StringData: data,
 			}
 			appConfig, err := FromSecret(secret)
 			assert.Error(t, err)
 			assert.Nil(t, appConfig)
 		})
 	}
 }
 func TestAppConfigFromSecret_valid(t *testing.T) {
 	tt := map[string]map[string]string{
 		"with token": {
 			"github_token": "token",
 		},
 		"app config": {
 			"github_app_id":             "2",
 			"githu_app_installation_id": "3",
 			"github_app_private_key":    "private key",
 		},
 	}
 	for name, data := range tt {
 		t.Run(name, func(t *testing.T) {
 			secret := &corev1.Secret{
 				StringData: data,
 			}
 			appConfig, err := FromSecret(secret)
 			assert.Error(t, err)
 			assert.Nil(t, appConfig)
 		})
 	}
 }
 func TestAppConfigFromString_valid(t *testing.T) {
 	tt := map[string]*AppConfig{
 		"token": {
 			Token: "token",
 		},
 		"app ID": {
 			AppID:             "1",
 			AppInstallationID: 2,
 			AppPrivateKey:     "private key",
 		},
 	}
 	for name, cfg := range tt {
 		t.Run(name, func(t *testing.T) {
 			bytes, err := json.Marshal(cfg)
 			require.NoError(t, err)
 			got, err := FromJSONString(string(bytes))
 			require.NoError(t, err)
 			want := cfg.tidy()
 			assert.Equal(t, want, got)
 		})
 	}
 }
--- a/apis/actions.github.com/v1alpha1/autoscalinglistener_types.go
+++ b/apis/actions.github.com/v1alpha1/autoscalinglistener_types.go
@ -59,7 +59,13 @@ type AutoscalingListenerSpec struct {
 	Proxy *ProxyConfig `json:"proxy,omitempty"`
 	// +optional
-	GitHubServerTLS *GitHubServerTLSConfig `json:"githubServerTLS,omitempty"`
+	GitHubServerTLS *TLSConfig `json:"githubServerTLS,omitempty"`
 	// +optional
 	VaultConfig *VaultConfig `json:"vaultConfig,omitempty"`
 	// +optional
 	Metrics *MetricsConfig `json:"metrics,omitempty"`
 	// +optional
 	Template *corev1.PodTemplateSpec `json:"template,omitempty"`
@ -68,11 +74,11 @@ type AutoscalingListenerSpec struct {
 // AutoscalingListenerStatus defines the observed state of AutoscalingListener
 type AutoscalingListenerStatus struct{}
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// +kubebuilder:subresource:status
-//+kubebuilder:printcolumn:JSONPath=".spec.githubConfigUrl",name=GitHub Configure URL,type=string
+// +kubebuilder:printcolumn:JSONPath=".spec.githubConfigUrl",name=GitHub Configure URL,type=string
-//+kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetNamespace",name=AutoscalingRunnerSet Namespace,type=string
+// +kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetNamespace",name=AutoscalingRunnerSet Namespace,type=string
-//+kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetName",name=AutoscalingRunnerSet Name,type=string
+// +kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetName",name=AutoscalingRunnerSet Name,type=string
 // AutoscalingListener is the Schema for the autoscalinglisteners API
 type AutoscalingListener struct {
@ -83,8 +89,7 @@ type AutoscalingListener struct {
 	Status AutoscalingListenerStatus `json:"status,omitempty"`
 }
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 // AutoscalingListenerList contains a list of AutoscalingListener
 type AutoscalingListenerList struct {
 	metav1.TypeMeta `json:",inline"`
--- a/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go
+++ b/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go
@ -24,6 +24,7 @@ import (
 	"strings"
 	"github.com/actions/actions-runner-controller/hash"
 	"github.com/actions/actions-runner-controller/vault"
 	"golang.org/x/net/http/httpproxy"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -31,16 +32,16 @@ import (
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// +kubebuilder:subresource:status
-//+kubebuilder:printcolumn:JSONPath=".spec.minRunners",name=Minimum Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".spec.minRunners",name=Minimum Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".spec.maxRunners",name=Maximum Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".spec.maxRunners",name=Maximum Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.currentRunners",name=Current Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.currentRunners",name=Current Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.state",name=State,type=string
+// +kubebuilder:printcolumn:JSONPath=".status.state",name=State,type=string
-//+kubebuilder:printcolumn:JSONPath=".status.pendingEphemeralRunners",name=Pending Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.pendingEphemeralRunners",name=Pending Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.runningEphemeralRunners",name=Running Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.runningEphemeralRunners",name=Running Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.finishedEphemeralRunners",name=Finished Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.finishedEphemeralRunners",name=Finished Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.deletingEphemeralRunners",name=Deleting Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.deletingEphemeralRunners",name=Deleting Runners,type=integer
 // AutoscalingRunnerSet is the Schema for the autoscalingrunnersets API
 type AutoscalingRunnerSet struct {
@ -69,11 +70,17 @@ type AutoscalingRunnerSetSpec struct {
 	Proxy *ProxyConfig `json:"proxy,omitempty"`
 	// +optional
-	GitHubServerTLS *GitHubServerTLSConfig `json:"githubServerTLS,omitempty"`
+	GitHubServerTLS *TLSConfig `json:"githubServerTLS,omitempty"`
 	// +optional
 	VaultConfig *VaultConfig `json:"vaultConfig,omitempty"`
 	// Required
 	Template corev1.PodTemplateSpec `json:"template,omitempty"`
 	// +optional
 	ListenerMetrics *MetricsConfig `json:"listenerMetrics,omitempty"`
 	// +optional
 	ListenerTemplate *corev1.PodTemplateSpec `json:"listenerTemplate,omitempty"`
@ -86,12 +93,12 @@ type AutoscalingRunnerSetSpec struct {
 	MinRunners *int `json:"minRunners,omitempty"`
 }
-type GitHubServerTLSConfig struct {
+type TLSConfig struct {
 	// Required
 	CertificateFrom *TLSCertificateSource `json:"certificateFrom,omitempty"`
 }
-func (c *GitHubServerTLSConfig) ToCertPool(keyFetcher func(name, key string) ([]byte, error)) (*x509.CertPool, error) {
+func (c *TLSConfig) ToCertPool(keyFetcher func(name, key string) ([]byte, error)) (*x509.CertPool, error) {
 	if c.CertificateFrom == nil {
 		return nil, fmt.Errorf("certificateFrom not specified")
 	}
@ -139,7 +146,7 @@ type ProxyConfig struct {
 	NoProxy []string `json:"noProxy,omitempty"`
 }
-func (c *ProxyConfig) toHTTPProxyConfig(secretFetcher func(string) (*corev1.Secret, error)) (*httpproxy.Config, error) {
+func (c *ProxyConfig) ToHTTPProxyConfig(secretFetcher func(string) (*corev1.Secret, error)) (*httpproxy.Config, error) {
 	config := &httpproxy.Config{
 		NoProxy: strings.Join(c.NoProxy, ","),
 	}
@ -198,7 +205,7 @@ func (c *ProxyConfig) toHTTPProxyConfig(secretFetcher func(string) (*corev1.Secr
 }
 func (c *ProxyConfig) ToSecretData(secretFetcher func(string) (*corev1.Secret, error)) (map[string][]byte, error) {
-	config, err := c.toHTTPProxyConfig(secretFetcher)
+	config, err := c.ToHTTPProxyConfig(secretFetcher)
 	if err != nil {
 		return nil, err
 	}
@ -212,7 +219,7 @@ func (c *ProxyConfig) ToSecretData(secretFetcher func(string) (*corev1.Secret, e
 }
 func (c *ProxyConfig) ProxyFunc(secretFetcher func(string) (*corev1.Secret, error)) (func(*http.Request) (*url.URL, error), error) {
-	config, err := c.toHTTPProxyConfig(secretFetcher)
+	config, err := c.ToHTTPProxyConfig(secretFetcher)
 	if err != nil {
 		return nil, err
 	}
@ -232,6 +239,52 @@ type ProxyServerConfig struct {
 	CredentialSecretRef string `json:"credentialSecretRef,omitempty"`
 }
 type VaultConfig struct {
 	// +optional
 	Type vault.VaultType `json:"type,omitempty"`
 	// +optional
 	AzureKeyVault *AzureKeyVaultConfig `json:"azureKeyVault,omitempty"`
 	// +optional
 	Proxy *ProxyConfig `json:"proxy,omitempty"`
 }
 type AzureKeyVaultConfig struct {
 	// +required
 	URL string `json:"url,omitempty"`
 	// +required
 	TenantID string `json:"tenantId,omitempty"`
 	// +required
 	ClientID string `json:"clientId,omitempty"`
 	// +required
 	CertificatePath string `json:"certificatePath,omitempty"`
 }
 // MetricsConfig holds configuration parameters for each metric type
 type MetricsConfig struct {
 	// +optional
 	Counters map[string]*CounterMetric `json:"counters,omitempty"`
 	// +optional
 	Gauges map[string]*GaugeMetric `json:"gauges,omitempty"`
 	// +optional
 	Histograms map[string]*HistogramMetric `json:"histograms,omitempty"`
 }
 // CounterMetric holds configuration of a single metric of type Counter
 type CounterMetric struct {
 	Labels []string `json:"labels"`
 }
 // GaugeMetric holds configuration of a single metric of type Gauge
 type GaugeMetric struct {
 	Labels []string `json:"labels"`
 }
 // HistogramMetric holds configuration of a single metric of type Histogram
 type HistogramMetric struct {
 	Labels  []string  `json:"labels"`
 	Buckets []float64 `json:"buckets,omitempty"`
 }
 // AutoscalingRunnerSetStatus defines the observed state of AutoscalingRunnerSet
 type AutoscalingRunnerSetStatus struct {
 	// +optional
@ -242,7 +295,7 @@ type AutoscalingRunnerSetStatus struct {
 	// EphemeralRunner counts separated by the stage ephemeral runners are in, taken from the EphemeralRunnerSet
-	//+optional
+	// +optional
 	PendingEphemeralRunners int `json:"pendingEphemeralRunners"`
 	// +optional
 	RunningEphemeralRunners int `json:"runningEphemeralRunners"`
@ -256,6 +309,33 @@ func (ars *AutoscalingRunnerSet) ListenerSpecHash() string {
 	return hash.ComputeTemplateHash(&spec)
 }
 func (ars *AutoscalingRunnerSet) GitHubConfigSecret() string {
 	return ars.Spec.GitHubConfigSecret
 }
 func (ars *AutoscalingRunnerSet) GitHubConfigUrl() string {
 	return ars.Spec.GitHubConfigUrl
 }
 func (ars *AutoscalingRunnerSet) GitHubProxy() *ProxyConfig {
 	return ars.Spec.Proxy
 }
 func (ars *AutoscalingRunnerSet) GitHubServerTLS() *TLSConfig {
 	return ars.Spec.GitHubServerTLS
 }
 func (ars *AutoscalingRunnerSet) VaultConfig() *VaultConfig {
 	return ars.Spec.VaultConfig
 }
 func (ars *AutoscalingRunnerSet) VaultProxy() *ProxyConfig {
 	if ars.Spec.VaultConfig != nil {
 		return ars.Spec.VaultConfig.Proxy
 	}
 	return nil
 }
 func (ars *AutoscalingRunnerSet) RunnerSetSpecHash() string {
 	type runnerSetSpec struct {
 		GitHubConfigUrl    string
@ -263,7 +343,7 @@ func (ars *AutoscalingRunnerSet) RunnerSetSpecHash() string {
 		RunnerGroup        string
 		RunnerScaleSetName string
 		Proxy              *ProxyConfig
-		GitHubServerTLS    *GitHubServerTLSConfig
+		GitHubServerTLS    *TLSConfig
 		Template           corev1.PodTemplateSpec
 	}
 	spec := &runnerSetSpec{
@ -278,7 +358,7 @@ func (ars *AutoscalingRunnerSet) RunnerSetSpecHash() string {
 	return hash.ComputeTemplateHash(&spec)
 }
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 // AutoscalingRunnerSetList contains a list of AutoscalingRunnerSet
 type AutoscalingRunnerSetList struct {
--- a/apis/actions.github.com/v1alpha1/ephemeralrunner_types.go
+++ b/apis/actions.github.com/v1alpha1/ephemeralrunner_types.go
@ -21,8 +21,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
-//+kubebuilder:object:root=true
+// EphemeralRunnerContainerName is the name of the runner container.
-//+kubebuilder:subresource:status
+// It represents the name of the container running the self-hosted runner image.
 const EphemeralRunnerContainerName = "runner"
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:JSONPath=".spec.githubConfigUrl",name="GitHub Config URL",type=string
 // +kubebuilder:printcolumn:JSONPath=".status.runnerId",name=RunnerId,type=number
 // +kubebuilder:printcolumn:JSONPath=".status.phase",name=Status,type=string
@ -30,6 +34,7 @@ import (
 // +kubebuilder:printcolumn:JSONPath=".status.jobWorkflowRef",name=JobWorkflowRef,type=string
 // +kubebuilder:printcolumn:JSONPath=".status.workflowRunId",name=WorkflowRunId,type=number
 // +kubebuilder:printcolumn:JSONPath=".status.jobDisplayName",name=JobDisplayName,type=string
 // +kubebuilder:printcolumn:JSONPath=".status.jobId",name=JobId,type=string
 // +kubebuilder:printcolumn:JSONPath=".status.message",name=Message,type=string
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
@ -42,17 +47,69 @@ type EphemeralRunner struct {
 	Status EphemeralRunnerStatus `json:"status,omitempty"`
 }
 func (er *EphemeralRunner) IsDone() bool {
 	return er.Status.Phase == corev1.PodSucceeded || er.Status.Phase == corev1.PodFailed
 }
 func (er *EphemeralRunner) HasJob() bool {
 	return len(er.Status.JobID) > 0
 }
 func (er *EphemeralRunner) HasContainerHookConfigured() bool {
 	for i := range er.Spec.Spec.Containers {
 		if er.Spec.Spec.Containers[i].Name != EphemeralRunnerContainerName {
 			continue
 		}
 		for _, env := range er.Spec.Spec.Containers[i].Env {
 			if env.Name == "ACTIONS_RUNNER_CONTAINER_HOOKS" {
 				return true
 			}
 		}
 		return false
 	}
 	return false
 }
 func (er *EphemeralRunner) GitHubConfigSecret() string {
 	return er.Spec.GitHubConfigSecret
 }
 func (er *EphemeralRunner) GitHubConfigUrl() string {
 	return er.Spec.GitHubConfigUrl
 }
 func (er *EphemeralRunner) GitHubProxy() *ProxyConfig {
 	return er.Spec.Proxy
 }
 func (er *EphemeralRunner) GitHubServerTLS() *TLSConfig {
 	return er.Spec.GitHubServerTLS
 }
 func (er *EphemeralRunner) VaultConfig() *VaultConfig {
 	return er.Spec.VaultConfig
 }
 func (er *EphemeralRunner) VaultProxy() *ProxyConfig {
 	if er.Spec.VaultConfig != nil {
 		return er.Spec.VaultConfig.Proxy
 	}
 	return nil
 }
 // EphemeralRunnerSpec defines the desired state of EphemeralRunner
 type EphemeralRunnerSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 	// +required
 	GitHubConfigUrl string `json:"githubConfigUrl,omitempty"`
 	// +required
 	GitHubConfigSecret string `json:"githubConfigSecret,omitempty"`
 	// +optional
 	GitHubServerTLS *TLSConfig `json:"githubServerTLS,omitempty"`
 	// +required
 	RunnerScaleSetId int `json:"runnerScaleSetId,omitempty"`
@ -63,17 +120,13 @@ type EphemeralRunnerSpec struct {
 	ProxySecretRef string `json:"proxySecretRef,omitempty"`
 	// +optional
-	GitHubServerTLS *GitHubServerTLSConfig `json:"githubServerTLS,omitempty"`
+	VaultConfig *VaultConfig `json:"vaultConfig,omitempty"`
 	// +required
 	corev1.PodTemplateSpec `json:",inline"`
 }
 // EphemeralRunnerStatus defines the observed state of EphemeralRunner
 type EphemeralRunnerStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 	// Turns true only if the runner is online.
 	// +optional
 	Ready bool `json:"ready"`
@ -97,15 +150,16 @@ type EphemeralRunnerStatus struct {
 	RunnerId int `json:"runnerId,omitempty"`
 	// +optional
 	RunnerName string `json:"runnerName,omitempty"`
 	// +optional
 	RunnerJITConfig string `json:"runnerJITConfig,omitempty"`
 	// +optional
-	Failures map[string]bool `json:"failures,omitempty"`
+	Failures map[string]metav1.Time `json:"failures,omitempty"`
 	// +optional
 	JobRequestId int64 `json:"jobRequestId,omitempty"`
 	// +optional
 	JobID string `json:"jobId,omitempty"`
 	// +optional
 	JobRepositoryName string `json:"jobRepositoryName,omitempty"`
@ -119,7 +173,21 @@ type EphemeralRunnerStatus struct {
 	JobDisplayName string `json:"jobDisplayName,omitempty"`
 }
-//+kubebuilder:object:root=true
+func (s *EphemeralRunnerStatus) LastFailure() metav1.Time {
 	var maxTime metav1.Time
 	if len(s.Failures) == 0 {
 		return maxTime
 	}
 	for _, ts := range s.Failures {
 		if ts.After(maxTime.Time) {
 			maxTime = ts
 		}
 	}
 	return maxTime
 }
 // +kubebuilder:object:root=true
 // EphemeralRunnerList contains a list of EphemeralRunner
 type EphemeralRunnerList struct {
--- a/apis/actions.github.com/v1alpha1/ephemeralrunnerset_types.go
+++ b/apis/actions.github.com/v1alpha1/ephemeralrunnerset_types.go
@ -24,7 +24,9 @@ import (
 type EphemeralRunnerSetSpec struct {
 	// Replicas is the number of desired EphemeralRunner resources in the k8s namespace.
 	Replicas int `json:"replicas,omitempty"`
-
+	// PatchID is the unique identifier for the patch issued by the listener app
 	PatchID int `json:"patchID"`
 	// EphemeralRunnerSpec is the spec of the ephemeral runner
 	EphemeralRunnerSpec EphemeralRunnerSpec `json:"ephemeralRunnerSpec,omitempty"`
 }
@ -32,9 +34,6 @@ type EphemeralRunnerSetSpec struct {
 type EphemeralRunnerSetStatus struct {
 	// CurrentReplicas is the number of currently running EphemeralRunner resources being managed by this EphemeralRunnerSet.
 	CurrentReplicas int `json:"currentReplicas"`
 	// EphemeralRunner counts separated by the stage ephemeral runners are in
 	// +optional
 	PendingEphemeralRunners int `json:"pendingEphemeralRunners"`
 	// +optional
@ -47,10 +46,10 @@ type EphemeralRunnerSetStatus struct {
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:JSONPath=".spec.replicas",name="DesiredReplicas",type="integer"
 // +kubebuilder:printcolumn:JSONPath=".status.currentReplicas", name="CurrentReplicas",type="integer"
-//+kubebuilder:printcolumn:JSONPath=".status.pendingEphemeralRunners",name=Pending Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.pendingEphemeralRunners",name=Pending Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.runningEphemeralRunners",name=Running Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.runningEphemeralRunners",name=Running Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.finishedEphemeralRunners",name=Finished Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.finishedEphemeralRunners",name=Finished Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.deletingEphemeralRunners",name=Deleting Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.deletingEphemeralRunners",name=Deleting Runners,type=integer
 // EphemeralRunnerSet is the Schema for the ephemeralrunnersets API
 type EphemeralRunnerSet struct {
@ -61,9 +60,35 @@ type EphemeralRunnerSet struct {
 	Status EphemeralRunnerSetStatus `json:"status,omitempty"`
 }
-//+kubebuilder:object:root=true
+func (ers *EphemeralRunnerSet) GitHubConfigSecret() string {
 	return ers.Spec.EphemeralRunnerSpec.GitHubConfigSecret
 }
 func (ers *EphemeralRunnerSet) GitHubConfigUrl() string {
 	return ers.Spec.EphemeralRunnerSpec.GitHubConfigUrl
 }
 func (ers *EphemeralRunnerSet) GitHubProxy() *ProxyConfig {
 	return ers.Spec.EphemeralRunnerSpec.Proxy
 }
 func (ers *EphemeralRunnerSet) GitHubServerTLS() *TLSConfig {
 	return ers.Spec.EphemeralRunnerSpec.GitHubServerTLS
 }
 func (ers *EphemeralRunnerSet) VaultConfig() *VaultConfig {
 	return ers.Spec.EphemeralRunnerSpec.VaultConfig
 }
 func (ers *EphemeralRunnerSet) VaultProxy() *ProxyConfig {
 	if ers.Spec.EphemeralRunnerSpec.VaultConfig != nil {
 		return ers.Spec.EphemeralRunnerSpec.VaultConfig.Proxy
 	}
 	return nil
 }
 // EphemeralRunnerSetList contains a list of EphemeralRunnerSet
 // +kubebuilder:object:root=true
 type EphemeralRunnerSetList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
--- a/apis/actions.github.com/v1alpha1/tls_config_test.go
+++ b/apis/actions.github.com/v1alpha1/tls_config_test.go
@ -17,7 +17,7 @@ import (
 func TestGitHubServerTLSConfig_ToCertPool(t *testing.T) {
 	t.Run("returns an error if CertificateFrom not specified", func(t *testing.T) {
-		c := &v1alpha1.GitHubServerTLSConfig{
+		c := &v1alpha1.TLSConfig{
 			CertificateFrom: nil,
 		}
@ -29,7 +29,7 @@ func TestGitHubServerTLSConfig_ToCertPool(t *testing.T) {
 	})
 	t.Run("returns an error if CertificateFrom.ConfigMapKeyRef not specified", func(t *testing.T) {
-		c := &v1alpha1.GitHubServerTLSConfig{
+		c := &v1alpha1.TLSConfig{
 			CertificateFrom: &v1alpha1.TLSCertificateSource{},
 		}
@ -41,7 +41,7 @@ func TestGitHubServerTLSConfig_ToCertPool(t *testing.T) {
 	})
 	t.Run("returns a valid cert pool with correct configuration", func(t *testing.T) {
-		c := &v1alpha1.GitHubServerTLSConfig{
+		c := &v1alpha1.TLSConfig{
 			CertificateFrom: &v1alpha1.TLSCertificateSource{
 				ConfigMapKeyRef: &v1.ConfigMapKeySelector{
 					LocalObjectReference: v1.LocalObjectReference{
--- a/apis/actions.github.com/v1alpha1/version.go
+++ b/apis/actions.github.com/v1alpha1/version.go
@ -0,0 +1,72 @@
 package v1alpha1
 import "strings"
 func IsVersionAllowed(resourceVersion, buildVersion string) bool {
 	if buildVersion == "dev" || resourceVersion == buildVersion || strings.HasPrefix(buildVersion, "canary-") {
 		return true
 	}
 	rv, ok := parseSemver(resourceVersion)
 	if !ok {
 		return false
 	}
 	bv, ok := parseSemver(buildVersion)
 	if !ok {
 		return false
 	}
 	return rv.major == bv.major && rv.minor == bv.minor
 }
 type semver struct {
 	major string
 	minor string
 }
 func parseSemver(v string) (p semver, ok bool) {
 	if v == "" {
 		return
 	}
 	p.major, v, ok = parseInt(v)
 	if !ok {
 		return p, false
 	}
 	if v == "" {
 		p.minor = "0"
 		return p, true
 	}
 	if v[0] != '.' {
 		return p, false
 	}
 	p.minor, v, ok = parseInt(v[1:])
 	if !ok {
 		return p, false
 	}
 	if v == "" {
 		return p, true
 	}
 	if v[0] != '.' {
 		return p, false
 	}
 	if _, _, ok = parseInt(v[1:]); !ok {
 		return p, false
 	}
 	return p, true
 }
 func parseInt(v string) (t, rest string, ok bool) {
 	if v == "" {
 		return
 	}
 	if v[0] < '0' || '9' < v[0] {
 		return
 	}
 	i := 1
 	for i < len(v) && '0' <= v[i] && v[i] <= '9' {
 		i++
 	}
 	if v[0] == '0' && i != 1 {
 		return
 	}
 	return v[:i], v[i:], true
 }
--- a/apis/actions.github.com/v1alpha1/version_test.go
+++ b/apis/actions.github.com/v1alpha1/version_test.go
@ -0,0 +1,60 @@
 package v1alpha1_test
 import (
 	"testing"
 	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
 	"github.com/stretchr/testify/assert"
 )
 func TestIsVersionAllowed(t *testing.T) {
 	t.Parallel()
 	tt := map[string]struct {
 		resourceVersion string
 		buildVersion    string
 		want            bool
 	}{
 		"dev should always be allowed": {
 			resourceVersion: "0.11.0",
 			buildVersion:    "dev",
 			want:            true,
 		},
 		"resourceVersion is not semver": {
 			resourceVersion: "dev",
 			buildVersion:    "0.11.0",
 			want:            false,
 		},
 		"buildVersion is not semver": {
 			resourceVersion: "0.11.0",
 			buildVersion:    "NA",
 			want:            false,
 		},
 		"major version mismatch": {
 			resourceVersion: "0.11.0",
 			buildVersion:    "1.11.0",
 			want:            false,
 		},
 		"minor version mismatch": {
 			resourceVersion: "0.11.0",
 			buildVersion:    "0.10.0",
 			want:            false,
 		},
 		"patch version mismatch": {
 			resourceVersion: "0.11.1",
 			buildVersion:    "0.11.0",
 			want:            true,
 		},
 		"arbitrary version match": {
 			resourceVersion: "abc",
 			buildVersion:    "abc",
 			want:            true,
 		},
 	}
 	for name, tc := range tt {
 		t.Run(name, func(t *testing.T) {
 			got := v1alpha1.IsVersionAllowed(tc.resourceVersion, tc.buildVersion)
 			assert.Equal(t, tc.want, got)
 		})
 	}
 }
--- a/apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go
@ -22,6 +22,7 @@ package v1alpha1
 import (
 	"k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
@ -99,7 +100,17 @@ func (in *AutoscalingListenerSpec) DeepCopyInto(out *AutoscalingListenerSpec) {
 	}
 	if in.GitHubServerTLS != nil {
 		in, out := &in.GitHubServerTLS, &out.GitHubServerTLS
-		*out = new(GitHubServerTLSConfig)
+		*out = new(TLSConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.VaultConfig != nil {
 		in, out := &in.VaultConfig, &out.VaultConfig
 		*out = new(VaultConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.Metrics != nil {
 		in, out := &in.Metrics, &out.Metrics
 		*out = new(MetricsConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.Template != nil {
@ -203,10 +214,20 @@ func (in *AutoscalingRunnerSetSpec) DeepCopyInto(out *AutoscalingRunnerSetSpec)
 	}
 	if in.GitHubServerTLS != nil {
 		in, out := &in.GitHubServerTLS, &out.GitHubServerTLS
-		*out = new(GitHubServerTLSConfig)
+		*out = new(TLSConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.VaultConfig != nil {
 		in, out := &in.VaultConfig, &out.VaultConfig
 		*out = new(VaultConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	in.Template.DeepCopyInto(&out.Template)
 	if in.ListenerMetrics != nil {
 		in, out := &in.ListenerMetrics, &out.ListenerMetrics
 		*out = new(MetricsConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.ListenerTemplate != nil {
 		in, out := &in.ListenerTemplate, &out.ListenerTemplate
 		*out = new(v1.PodTemplateSpec)
@ -249,6 +270,41 @@ func (in *AutoscalingRunnerSetStatus) DeepCopy() *AutoscalingRunnerSetStatus {
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AzureKeyVaultConfig) DeepCopyInto(out *AzureKeyVaultConfig) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKeyVaultConfig.
 func (in *AzureKeyVaultConfig) DeepCopy() *AzureKeyVaultConfig {
 	if in == nil {
 		return nil
 	}
 	out := new(AzureKeyVaultConfig)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CounterMetric) DeepCopyInto(out *CounterMetric) {
 	*out = *in
 	if in.Labels != nil {
 		in, out := &in.Labels, &out.Labels
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CounterMetric.
 func (in *CounterMetric) DeepCopy() *CounterMetric {
 	if in == nil {
 		return nil
 	}
 	out := new(CounterMetric)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EphemeralRunner) DeepCopyInto(out *EphemeralRunner) {
 	*out = *in
@ -401,14 +457,19 @@ func (in *EphemeralRunnerSetStatus) DeepCopy() *EphemeralRunnerSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EphemeralRunnerSpec) DeepCopyInto(out *EphemeralRunnerSpec) {
 	*out = *in
 	if in.GitHubServerTLS != nil {
 		in, out := &in.GitHubServerTLS, &out.GitHubServerTLS
 		*out = new(TLSConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.Proxy != nil {
 		in, out := &in.Proxy, &out.Proxy
 		*out = new(ProxyConfig)
 		(*in).DeepCopyInto(*out)
 	}
-	if in.GitHubServerTLS != nil {
+	if in.VaultConfig != nil {
-		in, out := &in.GitHubServerTLS, &out.GitHubServerTLS
+		in, out := &in.VaultConfig, &out.VaultConfig
-		*out = new(GitHubServerTLSConfig)
+		*out = new(VaultConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	in.PodTemplateSpec.DeepCopyInto(&out.PodTemplateSpec)
@ -429,9 +490,9 @@ func (in *EphemeralRunnerStatus) DeepCopyInto(out *EphemeralRunnerStatus) {
 	*out = *in
 	if in.Failures != nil {
 		in, out := &in.Failures, &out.Failures
-		*out = make(map[string]bool, len(*in))
+		*out = make(map[string]metav1.Time, len(*in))
 		for key, val := range *in {
-			(*out)[key] = val
+			(*out)[key] = *val.DeepCopy()
 		}
 	}
 }
@ -447,21 +508,109 @@ func (in *EphemeralRunnerStatus) DeepCopy() *EphemeralRunnerStatus {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GitHubServerTLSConfig) DeepCopyInto(out *GitHubServerTLSConfig) {
+func (in *GaugeMetric) DeepCopyInto(out *GaugeMetric) {
 	*out = *in
-	if in.CertificateFrom != nil {
+	if in.Labels != nil {
-		in, out := &in.CertificateFrom, &out.CertificateFrom
+		in, out := &in.Labels, &out.Labels
-		*out = new(TLSCertificateSource)
+		*out = make([]string, len(*in))
-		(*in).DeepCopyInto(*out)
+		copy(*out, *in)
 	}
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubServerTLSConfig.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GaugeMetric.
-func (in *GitHubServerTLSConfig) DeepCopy() *GitHubServerTLSConfig {
+func (in *GaugeMetric) DeepCopy() *GaugeMetric {
 	if in == nil {
 		return nil
 	}
-	out := new(GitHubServerTLSConfig)
+	out := new(GaugeMetric)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HistogramMetric) DeepCopyInto(out *HistogramMetric) {
 	*out = *in
 	if in.Labels != nil {
 		in, out := &in.Labels, &out.Labels
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
 	if in.Buckets != nil {
 		in, out := &in.Buckets, &out.Buckets
 		*out = make([]float64, len(*in))
 		copy(*out, *in)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HistogramMetric.
 func (in *HistogramMetric) DeepCopy() *HistogramMetric {
 	if in == nil {
 		return nil
 	}
 	out := new(HistogramMetric)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricsConfig) DeepCopyInto(out *MetricsConfig) {
 	*out = *in
 	if in.Counters != nil {
 		in, out := &in.Counters, &out.Counters
 		*out = make(map[string]*CounterMetric, len(*in))
 		for key, val := range *in {
 			var outVal *CounterMetric
 			if val == nil {
 				(*out)[key] = nil
 			} else {
 				inVal := (*in)[key]
 				in, out := &inVal, &outVal
 				*out = new(CounterMetric)
 				(*in).DeepCopyInto(*out)
 			}
 			(*out)[key] = outVal
 		}
 	}
 	if in.Gauges != nil {
 		in, out := &in.Gauges, &out.Gauges
 		*out = make(map[string]*GaugeMetric, len(*in))
 		for key, val := range *in {
 			var outVal *GaugeMetric
 			if val == nil {
 				(*out)[key] = nil
 			} else {
 				inVal := (*in)[key]
 				in, out := &inVal, &outVal
 				*out = new(GaugeMetric)
 				(*in).DeepCopyInto(*out)
 			}
 			(*out)[key] = outVal
 		}
 	}
 	if in.Histograms != nil {
 		in, out := &in.Histograms, &out.Histograms
 		*out = make(map[string]*HistogramMetric, len(*in))
 		for key, val := range *in {
 			var outVal *HistogramMetric
 			if val == nil {
 				(*out)[key] = nil
 			} else {
 				inVal := (*in)[key]
 				in, out := &inVal, &outVal
 				*out = new(HistogramMetric)
 				(*in).DeepCopyInto(*out)
 			}
 			(*out)[key] = outVal
 		}
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricsConfig.
 func (in *MetricsConfig) DeepCopy() *MetricsConfig {
 	if in == nil {
 		return nil
 	}
 	out := new(MetricsConfig)
 	in.DeepCopyInto(out)
 	return out
 }
@ -530,3 +679,48 @@ func (in *TLSCertificateSource) DeepCopy() *TLSCertificateSource {
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSConfig) DeepCopyInto(out *TLSConfig) {
 	*out = *in
 	if in.CertificateFrom != nil {
 		in, out := &in.CertificateFrom, &out.CertificateFrom
 		*out = new(TLSCertificateSource)
 		(*in).DeepCopyInto(*out)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig.
 func (in *TLSConfig) DeepCopy() *TLSConfig {
 	if in == nil {
 		return nil
 	}
 	out := new(TLSConfig)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VaultConfig) DeepCopyInto(out *VaultConfig) {
 	*out = *in
 	if in.AzureKeyVault != nil {
 		in, out := &in.AzureKeyVault, &out.AzureKeyVault
 		*out = new(AzureKeyVaultConfig)
 		**out = **in
 	}
 	if in.Proxy != nil {
 		in, out := &in.Proxy, &out.Proxy
 		*out = new(ProxyConfig)
 		(*in).DeepCopyInto(*out)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultConfig.
 func (in *VaultConfig) DeepCopy() *VaultConfig {
 	if in == nil {
 		return nil
 	}
 	out := new(VaultConfig)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/apis/actions.summerwind.net/v1alpha1/runner_types.go
+++ b/apis/actions.summerwind.net/v1alpha1/runner_types.go
@ -215,10 +215,10 @@ func (rs *RunnerSpec) validateRepository() error {
 		foundCount += 1
 	}
 	if foundCount == 0 {
-		return errors.New("Spec needs enterprise, organization or repository")
+		return errors.New("spec needs enterprise, organization or repository")
 	}
 	if foundCount > 1 {
-		return errors.New("Spec cannot have many fields defined enterprise, organization and repository")
+		return errors.New("spec cannot have many fields defined enterprise, organization and repository")
 	}
 	return nil
@ -317,19 +317,19 @@ type RunnerStatusRegistration struct {
 type WorkVolumeClaimTemplate struct {
 	StorageClassName string                              `json:"storageClassName"`
 	AccessModes      []corev1.PersistentVolumeAccessMode `json:"accessModes"`
-	Resources        corev1.ResourceRequirements         `json:"resources"`
+	Resources        corev1.VolumeResourceRequirements   `json:"resources"`
 }
 func (w *WorkVolumeClaimTemplate) validate() error {
-	if w.AccessModes == nil || len(w.AccessModes) == 0 {
+	if len(w.AccessModes) == 0 {
-		return errors.New("Access mode should have at least one mode specified")
+		return errors.New("access mode should have at least one mode specified")
 	}
 	for _, accessMode := range w.AccessModes {
 		switch accessMode {
 		case corev1.ReadWriteOnce, corev1.ReadWriteMany:
 		default:
-			return fmt.Errorf("Access mode %v is not supported", accessMode)
+			return fmt.Errorf("access mode %v is not supported", accessMode)
 		}
 	}
 	return nil
--- a/apis/actions.summerwind.net/v1alpha1/runner_webhook.go
+++ b/apis/actions.summerwind.net/v1alpha1/runner_webhook.go
@ -17,6 +17,9 @@ limitations under the License.
 package v1alpha1
 import (
 	"context"
 	"fmt"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@ -32,36 +35,51 @@ var runnerLog = logf.Log.WithName("runner-resource")
 func (r *Runner) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
 		WithDefaulter(&RunnerDefaulter{}).
 		WithValidator(&RunnerValidator{}).
 		Complete()
 }
 // +kubebuilder:webhook:path=/mutate-actions-summerwind-dev-v1alpha1-runner,verbs=create;update,mutating=true,failurePolicy=fail,groups=actions.summerwind.dev,resources=runners,versions=v1alpha1,name=mutate.runner.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
-var _ webhook.Defaulter = &Runner{}
+var _ webhook.CustomDefaulter = &RunnerDefaulter{}
 type RunnerDefaulter struct{}
 // Default implements webhook.Defaulter so a webhook will be registered for the type
-func (r *Runner) Default() {
+func (*RunnerDefaulter) Default(ctx context.Context, obj runtime.Object) error {
 	// Nothing to do.
 	return nil
 }
 // +kubebuilder:webhook:path=/validate-actions-summerwind-dev-v1alpha1-runner,verbs=create;update,mutating=false,failurePolicy=fail,groups=actions.summerwind.dev,resources=runners,versions=v1alpha1,name=validate.runner.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
-var _ webhook.Validator = &Runner{}
+var _ webhook.CustomValidator = &RunnerValidator{}
 type RunnerValidator struct{}
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *Runner) ValidateCreate() (admission.Warnings, error) {
+func (*RunnerValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	r, ok := obj.(*Runner)
 	if !ok {
 		return nil, fmt.Errorf("expected Runner object, got %T", obj)
 	}
 	runnerLog.Info("validate resource to be created", "name", r.Name)
 	return nil, r.Validate()
 }
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *Runner) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
+func (*RunnerValidator) ValidateUpdate(ctx context.Context, old, obj runtime.Object) (admission.Warnings, error) {
 	r, ok := obj.(*Runner)
 	if !ok {
 		return nil, fmt.Errorf("expected Runner object, got %T", obj)
 	}
 	runnerLog.Info("validate resource to be updated", "name", r.Name)
 	return nil, r.Validate()
 }
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *Runner) ValidateDelete() (admission.Warnings, error) {
+func (*RunnerValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
--- a/apis/actions.summerwind.net/v1alpha1/runnerdeployment_webhook.go
+++ b/apis/actions.summerwind.net/v1alpha1/runnerdeployment_webhook.go
@ -17,6 +17,9 @@ limitations under the License.
 package v1alpha1
 import (
 	"context"
 	"fmt"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@ -32,36 +35,51 @@ var runnerDeploymentLog = logf.Log.WithName("runnerdeployment-resource")
 func (r *RunnerDeployment) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
 		WithDefaulter(&RunnerDeploymentDefaulter{}).
 		WithValidator(&RunnerDeploymentValidator{}).
 		Complete()
 }
 // +kubebuilder:webhook:path=/mutate-actions-summerwind-dev-v1alpha1-runnerdeployment,verbs=create;update,mutating=true,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerdeployments,versions=v1alpha1,name=mutate.runnerdeployment.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
-var _ webhook.Defaulter = &RunnerDeployment{}
+var _ webhook.CustomDefaulter = &RunnerDeploymentDefaulter{}
 type RunnerDeploymentDefaulter struct{}
 // Default implements webhook.Defaulter so a webhook will be registered for the type
-func (r *RunnerDeployment) Default() {
+func (*RunnerDeploymentDefaulter) Default(context.Context, runtime.Object) error {
 	// Nothing to do.
 	return nil
 }
 // +kubebuilder:webhook:path=/validate-actions-summerwind-dev-v1alpha1-runnerdeployment,verbs=create;update,mutating=false,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerdeployments,versions=v1alpha1,name=validate.runnerdeployment.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
-var _ webhook.Validator = &RunnerDeployment{}
+var _ webhook.CustomValidator = &RunnerDeploymentValidator{}
 type RunnerDeploymentValidator struct{}
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerDeployment) ValidateCreate() (admission.Warnings, error) {
+func (*RunnerDeploymentValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	r, ok := obj.(*RunnerDeployment)
 	if !ok {
 		return nil, fmt.Errorf("expected RunnerDeployment object, got %T", obj)
 	}
 	runnerDeploymentLog.Info("validate resource to be created", "name", r.Name)
 	return nil, r.Validate()
 }
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerDeployment) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
+func (*RunnerDeploymentValidator) ValidateUpdate(ctx context.Context, old, obj runtime.Object) (admission.Warnings, error) {
 	r, ok := obj.(*RunnerDeployment)
 	if !ok {
 		return nil, fmt.Errorf("expected RunnerDeployment object, got %T", obj)
 	}
 	runnerDeploymentLog.Info("validate resource to be updated", "name", r.Name)
 	return nil, r.Validate()
 }
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerDeployment) ValidateDelete() (admission.Warnings, error) {
+func (*RunnerDeploymentValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
--- a/apis/actions.summerwind.net/v1alpha1/runnerreplicaset_webhook.go
+++ b/apis/actions.summerwind.net/v1alpha1/runnerreplicaset_webhook.go
@ -17,6 +17,9 @@ limitations under the License.
 package v1alpha1
 import (
 	"context"
 	"fmt"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@ -32,36 +35,51 @@ var runnerReplicaSetLog = logf.Log.WithName("runnerreplicaset-resource")
 func (r *RunnerReplicaSet) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
 		WithDefaulter(&RunnerReplicaSetDefaulter{}).
 		WithValidator(&RunnerReplicaSetValidator{}).
 		Complete()
 }
 // +kubebuilder:webhook:path=/mutate-actions-summerwind-dev-v1alpha1-runnerreplicaset,verbs=create;update,mutating=true,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerreplicasets,versions=v1alpha1,name=mutate.runnerreplicaset.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
-var _ webhook.Defaulter = &RunnerReplicaSet{}
+var _ webhook.CustomDefaulter = &RunnerReplicaSetDefaulter{}
 type RunnerReplicaSetDefaulter struct{}
 // Default implements webhook.Defaulter so a webhook will be registered for the type
-func (r *RunnerReplicaSet) Default() {
+func (*RunnerReplicaSetDefaulter) Default(context.Context, runtime.Object) error {
 	// Nothing to do.
 	return nil
 }
 // +kubebuilder:webhook:path=/validate-actions-summerwind-dev-v1alpha1-runnerreplicaset,verbs=create;update,mutating=false,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerreplicasets,versions=v1alpha1,name=validate.runnerreplicaset.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
-var _ webhook.Validator = &RunnerReplicaSet{}
+var _ webhook.CustomValidator = &RunnerReplicaSetValidator{}
 type RunnerReplicaSetValidator struct{}
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerReplicaSet) ValidateCreate() (admission.Warnings, error) {
+func (*RunnerReplicaSetValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	r, ok := obj.(*RunnerReplicaSet)
 	if !ok {
 		return nil, fmt.Errorf("expected RunnerReplicaSet object, got %T", obj)
 	}
 	runnerReplicaSetLog.Info("validate resource to be created", "name", r.Name)
 	return nil, r.Validate()
 }
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerReplicaSet) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
+func (*RunnerReplicaSetValidator) ValidateUpdate(ctx context.Context, old, obj runtime.Object) (admission.Warnings, error) {
 	r, ok := obj.(*RunnerReplicaSet)
 	if !ok {
 		return nil, fmt.Errorf("expected RunnerReplicaSet object, got %T", obj)
 	}
 	runnerReplicaSetLog.Info("validate resource to be updated", "name", r.Name)
 	return nil, r.Validate()
 }
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerReplicaSet) ValidateDelete() (admission.Warnings, error) {
+func (*RunnerReplicaSetValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
--- a/apis/actions.summerwind.net/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/actions.summerwind.net/v1alpha1/zz_generated.deepcopy.go
@ -467,6 +467,21 @@ func (in *RunnerConfig) DeepCopy() *RunnerConfig {
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerDefaulter) DeepCopyInto(out *RunnerDefaulter) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerDefaulter.
 func (in *RunnerDefaulter) DeepCopy() *RunnerDefaulter {
 	if in == nil {
 		return nil
 	}
 	out := new(RunnerDefaulter)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerDeployment) DeepCopyInto(out *RunnerDeployment) {
 	*out = *in
@ -494,6 +509,21 @@ func (in *RunnerDeployment) DeepCopyObject() runtime.Object {
 	return nil
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerDeploymentDefaulter) DeepCopyInto(out *RunnerDeploymentDefaulter) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerDeploymentDefaulter.
 func (in *RunnerDeploymentDefaulter) DeepCopy() *RunnerDeploymentDefaulter {
 	if in == nil {
 		return nil
 	}
 	out := new(RunnerDeploymentDefaulter)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerDeploymentList) DeepCopyInto(out *RunnerDeploymentList) {
 	*out = *in
@ -596,6 +626,21 @@ func (in *RunnerDeploymentStatus) DeepCopy() *RunnerDeploymentStatus {
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerDeploymentValidator) DeepCopyInto(out *RunnerDeploymentValidator) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerDeploymentValidator.
 func (in *RunnerDeploymentValidator) DeepCopy() *RunnerDeploymentValidator {
 	if in == nil {
 		return nil
 	}
 	out := new(RunnerDeploymentValidator)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerList) DeepCopyInto(out *RunnerList) {
 	*out = *in
@ -815,6 +860,21 @@ func (in *RunnerReplicaSet) DeepCopyObject() runtime.Object {
 	return nil
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerReplicaSetDefaulter) DeepCopyInto(out *RunnerReplicaSetDefaulter) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerReplicaSetDefaulter.
 func (in *RunnerReplicaSetDefaulter) DeepCopy() *RunnerReplicaSetDefaulter {
 	if in == nil {
 		return nil
 	}
 	out := new(RunnerReplicaSetDefaulter)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerReplicaSetList) DeepCopyInto(out *RunnerReplicaSetList) {
 	*out = *in
@ -907,6 +967,21 @@ func (in *RunnerReplicaSetStatus) DeepCopy() *RunnerReplicaSetStatus {
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerReplicaSetValidator) DeepCopyInto(out *RunnerReplicaSetValidator) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerReplicaSetValidator.
 func (in *RunnerReplicaSetValidator) DeepCopy() *RunnerReplicaSetValidator {
 	if in == nil {
 		return nil
 	}
 	out := new(RunnerReplicaSetValidator)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerSet) DeepCopyInto(out *RunnerSet) {
 	*out = *in
@ -1112,6 +1187,21 @@ func (in *RunnerTemplate) DeepCopy() *RunnerTemplate {
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerValidator) DeepCopyInto(out *RunnerValidator) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerValidator.
 func (in *RunnerValidator) DeepCopy() *RunnerValidator {
 	if in == nil {
 		return nil
 	}
 	out := new(RunnerValidator)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScaleTargetRef) DeepCopyInto(out *ScaleTargetRef) {
 	*out = *in
--- a/charts/.ci/ct-config-gha.yaml
+++ b/charts/.ci/ct-config-gha.yaml
@ -1,9 +1,11 @@
 # This file defines the config for "ct" (chart tester) used by the helm linting GitHub workflow
 remote: origin
 target-branch: master
 lint-conf: charts/.ci/lint-config.yaml
 chart-repos:
  - jetstack=https://charts.jetstack.io
 check-version-increment: false # Disable checking that the chart version has been bumped
 charts:
- charts/gha-runner-scale-set-controller
+  - charts/gha-runner-scale-set-controller
- charts/gha-runner-scale-set
+  - charts/gha-runner-scale-set
 skip-clean-up: true
--- a/charts/.ci/ct-config.yaml
+++ b/charts/.ci/ct-config.yaml
@ -1,7 +1,9 @@
 # This file defines the config for "ct" (chart tester) used by the helm linting GitHub workflow
 remote: origin
 target-branch: master
 lint-conf: charts/.ci/lint-config.yaml
 chart-repos:
  - jetstack=https://charts.jetstack.io
 check-version-increment: false # Disable checking that the chart version has been bumped
 charts:
- charts/actions-runner-controller
+  - charts/actions-runner-controller
--- a/charts/.ci/scripts/local-kube-score.sh
+++ b/charts/.ci/scripts/local-kube-score.sh
@ -1,6 +1,5 @@
 #!/bin/bash
 for chart in `ls charts`;
 do
 helm template --values charts/$chart/ci/ci-values.yaml charts/$chart | kube-score score - \
--- a/charts/actions-runner-controller/README.md
+++ b/charts/actions-runner-controller/README.md
@ -44,7 +44,7 @@ All additional docs are kept in the `docs/` folder, this README is solely for do
 | `image.pullPolicy`                                        | The pull policy of the controller image                                                                                                   | IfNotPresent                                                                                    |
 | `metrics.serviceMonitor.enable`                           | Deploy serviceMonitor kind for for use with prometheus-operator CRDs                                                                      | false                                                                                           |
 | `metrics.serviceMonitor.interval`                         | Configure the interval that Prometheus should scrap the controller's metrics                                                              | 1m                                                                                              |
-| `metrics.serviceMonitor.namespace                         | Namespace which Prometheus is running in                                                                                                  | `Release.Namespace` (the default namespace of the helm chart).                                  |
+| `metrics.serviceMonitor.namespace`                        | Namespace which Prometheus is running in                                                                                                  | `Release.Namespace` (the default namespace of the helm chart).                                  |
 | `metrics.serviceMonitor.timeout`                          | Configure the timeout the timeout of Prometheus scrapping.                                                                                | 30s                                                                                             |
 | `metrics.serviceAnnotations`                              | Set annotations for the provisioned metrics service resource                                                                              |                                                                                                 |
 | `metrics.port`                                            | Set port of metrics service                                                                                                               | 8443                                                                                            |
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: horizontalrunnerautoscalers.actions.summerwind.dev
 spec:
  group: actions.summerwind.dev
@ -12,242 +12,313 @@ spec:
    listKind: HorizontalRunnerAutoscalerList
    plural: horizontalrunnerautoscalers
    shortNames:
-      - hra
+    - hra
    singular: horizontalrunnerautoscaler
  scope: Namespaced
  versions:
-    - additionalPrinterColumns:
+  - additionalPrinterColumns:
-        - jsonPath: .spec.minReplicas
+    - jsonPath: .spec.minReplicas
-          name: Min
+      name: Min
-          type: number
+      type: number
-        - jsonPath: .spec.maxReplicas
+    - jsonPath: .spec.maxReplicas
-          name: Max
+      name: Max
-          type: number
+      type: number
-        - jsonPath: .status.desiredReplicas
+    - jsonPath: .status.desiredReplicas
-          name: Desired
+      name: Desired
-          type: number
+      type: number
-        - jsonPath: .status.scheduledOverridesSummary
+    - jsonPath: .status.scheduledOverridesSummary
-          name: Schedule
+      name: Schedule
-          type: string
+      type: string
-      name: v1alpha1
+    name: v1alpha1
-      schema:
+    schema:
-        openAPIV3Schema:
+      openAPIV3Schema:
-          description: HorizontalRunnerAutoscaler is the Schema for the horizontalrunnerautoscaler API
+        description: HorizontalRunnerAutoscaler is the Schema for the horizontalrunnerautoscaler
-          properties:
+          API
-            apiVersion:
+        properties:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          apiVersion:
-              type: string
+            description: |-
-            kind:
+              APIVersion defines the versioned schema of this representation of an object.
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers should convert recognized schemas to the latest internal value, and
-              type: string
+              may reject unrecognized values.
-            metadata:
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: object
+            type: string
-            spec:
+          kind:
-              description: HorizontalRunnerAutoscalerSpec defines the desired state of HorizontalRunnerAutoscaler
+            description: |-
-              properties:
+              Kind is a string value representing the REST resource this object represents.
-                capacityReservations:
+              Servers may infer this from the endpoint the client submits requests to.
-                  items:
+              Cannot be updated.
-                    description: CapacityReservation specifies the number of replicas temporarily added to the scale target until ExpirationTime.
+              In CamelCase.
-                    properties:
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-                      effectiveTime:
+            type: string
-                        format: date-time
+          metadata:
-                        type: string
+            type: object
-                      expirationTime:
+          spec:
-                        format: date-time
+            description: HorizontalRunnerAutoscalerSpec defines the desired state
-                        type: string
+              of HorizontalRunnerAutoscaler
-                      name:
+            properties:
-                        type: string
+              capacityReservations:
-                      replicas:
+                items:
-                        type: integer
+                  description: |-
-                    type: object
+                    CapacityReservation specifies the number of replicas temporarily added
-                  type: array
+                    to the scale target until ExpirationTime.
                githubAPICredentialsFrom:
                  properties:
-                    secretRef:
+                    effectiveTime:
-                      properties:
+                      format: date-time
-                        name:
+                      type: string
-                          type: string
+                    expirationTime:
-                      required:
+                      format: date-time
                        - name
                      type: object
                  type: object
                maxReplicas:
                  description: MaxReplicas is the maximum number of replicas the deployment is allowed to scale
                  type: integer
                metrics:
                  description: Metrics is the collection of various metric targets to calculate desired number of runners
                  items:
                    properties:
                      repositoryNames:
                        description: RepositoryNames is the list of repository names to be used for calculating the metric. For example, a repository name is the REPO part of `github.com/USER/REPO`.
                        items:
                          type: string
                        type: array
                      scaleDownAdjustment:
                        description: ScaleDownAdjustment is the number of runners removed on scale-down. You can only specify either ScaleDownFactor or ScaleDownAdjustment.
                        type: integer
                      scaleDownFactor:
                        description: ScaleDownFactor is the multiplicative factor applied to the current number of runners used to determine how many pods should be removed.
                        type: string
                      scaleDownThreshold:
                        description: ScaleDownThreshold is the percentage of busy runners less than which will trigger the hpa to scale the runners down.
                        type: string
                      scaleUpAdjustment:
                        description: ScaleUpAdjustment is the number of runners added on scale-up. You can only specify either ScaleUpFactor or ScaleUpAdjustment.
                        type: integer
                      scaleUpFactor:
                        description: ScaleUpFactor is the multiplicative factor applied to the current number of runners used to determine how many pods should be added.
                        type: string
                      scaleUpThreshold:
                        description: ScaleUpThreshold is the percentage of busy runners greater than which will trigger the hpa to scale runners up.
                        type: string
                      type:
                        description: Type is the type of metric to be used for autoscaling. It can be TotalNumberOfQueuedAndInProgressWorkflowRuns or PercentageRunnersBusy.
                        type: string
                    type: object
                  type: array
                minReplicas:
                  description: MinReplicas is the minimum number of replicas the deployment is allowed to scale
                  type: integer
                scaleDownDelaySecondsAfterScaleOut:
                  description: ScaleDownDelaySecondsAfterScaleUp is the approximate delay for a scale down followed by a scale up Used to prevent flapping (down->up->down->... loop)
                  type: integer
                scaleTargetRef:
                  description: ScaleTargetRef is the reference to scaled resource like RunnerDeployment
                  properties:
                    kind:
                      description: Kind is the type of resource being referenced
                      enum:
                        - RunnerDeployment
                        - RunnerSet
                      type: string
                    name:
                      description: Name is the name of resource being referenced
                      type: string
                    replicas:
                      type: integer
                  type: object
-                scaleUpTriggers:
+                type: array
-                  description: "ScaleUpTriggers is an experimental feature to increase the desired replicas by 1 on each webhook requested received by the webhookBasedAutoscaler. \n This feature requires you to also enable and deploy the webhookBasedAutoscaler onto your cluster. \n Note that the added runners remain until the next sync period at least, and they may or may not be used by GitHub Actions depending on the timing. They are intended to be used to gain \"resource slack\" immediately after you receive a webhook from GitHub, so that you can loosely expect MinReplicas runners to be always available."
+              githubAPICredentialsFrom:
-                  items:
+                properties:
                  secretRef:
                    properties:
-                      amount:
+                      name:
                        type: integer
                      duration:
                        type: string
                      githubEvent:
                        properties:
                          checkRun:
                            description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#check_run
                            properties:
                              names:
                                description: Names is a list of GitHub Actions glob patterns. Any check_run event whose name matches one of patterns in the list can trigger autoscaling. Note that check_run name seem to equal to the job name you've defined in your actions workflow yaml file. So it is very likely that you can utilize this to trigger depending on the job.
                                items:
                                  type: string
                                type: array
                              repositories:
                                description: Repositories is a list of GitHub repositories. Any check_run event whose repository matches one of repositories in the list can trigger autoscaling.
                                items:
                                  type: string
                                type: array
                              status:
                                type: string
                              types:
                                description: 'One of: created, rerequested, or completed'
                                items:
                                  type: string
                                type: array
                            type: object
                          pullRequest:
                            description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request
                            properties:
                              branches:
                                items:
                                  type: string
                                type: array
                              types:
                                items:
                                  type: string
                                type: array
                            type: object
                          push:
                            description: PushSpec is the condition for triggering scale-up on push event Also see https://docs.github.com/en/actions/reference/events-that-trigger-workflows#push
                            type: object
                          workflowJob:
                            description: https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job
                            type: object
                        type: object
                    type: object
                  type: array
                scheduledOverrides:
                  description: ScheduledOverrides is the list of ScheduledOverride. It can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule. The earlier a scheduled override is, the higher it is prioritized.
                  items:
                    description: ScheduledOverride can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule. A schedule can optionally be recurring, so that the corresponding override happens every day, week, month, or year.
                    properties:
                      endTime:
                        description: EndTime is the time at which the first override ends.
                        format: date-time
                        type: string
                      minReplicas:
                        description: MinReplicas is the number of runners while overriding. If omitted, it doesn't override minReplicas.
                        minimum: 0
                        nullable: true
                        type: integer
                      recurrenceRule:
                        properties:
                          frequency:
                            description: Frequency is the name of a predefined interval of each recurrence. The valid values are "Daily", "Weekly", "Monthly", and "Yearly". If empty, the corresponding override happens only once.
                            enum:
                              - Daily
                              - Weekly
                              - Monthly
                              - Yearly
                            type: string
                          untilTime:
                            description: UntilTime is the time of the final recurrence. If empty, the schedule recurs forever.
                            format: date-time
                            type: string
                        type: object
                      startTime:
                        description: StartTime is the time at which the first override starts.
                        format: date-time
                        type: string
                    required:
-                      - endTime
+                    - name
                      - startTime
                    type: object
-                  type: array
+                type: object
-              type: object
+              maxReplicas:
-            status:
+                description: MaxReplicas is the maximum number of replicas the deployment
-              properties:
+                  is allowed to scale
-                cacheEntries:
+                type: integer
-                  items:
+              metrics:
-                    properties:
+                description: Metrics is the collection of various metric targets to
-                      expirationTime:
+                  calculate desired number of runners
-                        format: date-time
+                items:
                  properties:
                    repositoryNames:
                      description: |-
                        RepositoryNames is the list of repository names to be used for calculating the metric.
                        For example, a repository name is the REPO part of `github.com/USER/REPO`.
                      items:
                        type: string
-                      key:
+                      type: array
-                        type: string
+                    scaleDownAdjustment:
-                      value:
+                      description: |-
-                        type: integer
+                        ScaleDownAdjustment is the number of runners removed on scale-down.
-                    type: object
+                        You can only specify either ScaleDownFactor or ScaleDownAdjustment.
-                  type: array
+                      type: integer
-                desiredReplicas:
+                    scaleDownFactor:
-                  description: DesiredReplicas is the total number of desired, non-terminated and latest pods to be set for the primary RunnerSet This doesn't include outdated pods while upgrading the deployment and replacing the runnerset.
+                      description: |-
-                  type: integer
+                        ScaleDownFactor is the multiplicative factor applied to the current number of runners used
-                lastSuccessfulScaleOutTime:
+                        to determine how many pods should be removed.
-                  format: date-time
+                      type: string
-                  nullable: true
+                    scaleDownThreshold:
-                  type: string
+                      description: |-
-                observedGeneration:
+                        ScaleDownThreshold is the percentage of busy runners less than which will
-                  description: ObservedGeneration is the most recent generation observed for the target. It corresponds to e.g. RunnerDeployment's generation, which is updated on mutation by the API Server.
+                        trigger the hpa to scale the runners down.
-                  format: int64
+                      type: string
-                  type: integer
+                    scaleUpAdjustment:
-                scheduledOverridesSummary:
+                      description: |-
-                  description: ScheduledOverridesSummary is the summary of active and upcoming scheduled overrides to be shown in e.g. a column of a `kubectl get hra` output for observability.
+                        ScaleUpAdjustment is the number of runners added on scale-up.
-                  type: string
+                        You can only specify either ScaleUpFactor or ScaleUpAdjustment.
-              type: object
+                      type: integer
-          type: object
+                    scaleUpFactor:
-      served: true
+                      description: |-
-      storage: true
+                        ScaleUpFactor is the multiplicative factor applied to the current number of runners used
-      subresources:
+                        to determine how many pods should be added.
-        status: {}
+                      type: string
-  preserveUnknownFields: false
+                    scaleUpThreshold:
                      description: |-
                        ScaleUpThreshold is the percentage of busy runners greater than which will
                        trigger the hpa to scale runners up.
                      type: string
                    type:
                      description: |-
                        Type is the type of metric to be used for autoscaling.
                        It can be TotalNumberOfQueuedAndInProgressWorkflowRuns or PercentageRunnersBusy.
                      type: string
                  type: object
                type: array
              minReplicas:
                description: MinReplicas is the minimum number of replicas the deployment
                  is allowed to scale
                type: integer
              scaleDownDelaySecondsAfterScaleOut:
                description: |-
                  ScaleDownDelaySecondsAfterScaleUp is the approximate delay for a scale down followed by a scale up
                  Used to prevent flapping (down->up->down->... loop)
                type: integer
              scaleTargetRef:
                description: ScaleTargetRef is the reference to scaled resource like
                  RunnerDeployment
                properties:
                  kind:
                    description: Kind is the type of resource being referenced
                    enum:
                    - RunnerDeployment
                    - RunnerSet
                    type: string
                  name:
                    description: Name is the name of resource being referenced
                    type: string
                type: object
              scaleUpTriggers:
                description: |-
                  ScaleUpTriggers is an experimental feature to increase the desired replicas by 1
                  on each webhook requested received by the webhookBasedAutoscaler.
                  This feature requires you to also enable and deploy the webhookBasedAutoscaler onto your cluster.
                  Note that the added runners remain until the next sync period at least,
                  and they may or may not be used by GitHub Actions depending on the timing.
                  They are intended to be used to gain "resource slack" immediately after you
                  receive a webhook from GitHub, so that you can loosely expect MinReplicas runners to be always available.
                items:
                  properties:
                    amount:
                      type: integer
                    duration:
                      type: string
                    githubEvent:
                      properties:
                        checkRun:
                          description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#check_run
                          properties:
                            names:
                              description: |-
                                Names is a list of GitHub Actions glob patterns.
                                Any check_run event whose name matches one of patterns in the list can trigger autoscaling.
                                Note that check_run name seem to equal to the job name you've defined in your actions workflow yaml file.
                                So it is very likely that you can utilize this to trigger depending on the job.
                              items:
                                type: string
                              type: array
                            repositories:
                              description: |-
                                Repositories is a list of GitHub repositories.
                                Any check_run event whose repository matches one of repositories in the list can trigger autoscaling.
                              items:
                                type: string
                              type: array
                            status:
                              type: string
                            types:
                              description: 'One of: created, rerequested, or completed'
                              items:
                                type: string
                              type: array
                          type: object
                        pullRequest:
                          description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request
                          properties:
                            branches:
                              items:
                                type: string
                              type: array
                            types:
                              items:
                                type: string
                              type: array
                          type: object
                        push:
                          description: |-
                            PushSpec is the condition for triggering scale-up on push event
                            Also see https://docs.github.com/en/actions/reference/events-that-trigger-workflows#push
                          type: object
                        workflowJob:
                          description: https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job
                          type: object
                      type: object
                  type: object
                type: array
              scheduledOverrides:
                description: |-
                  ScheduledOverrides is the list of ScheduledOverride.
                  It can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule.
                  The earlier a scheduled override is, the higher it is prioritized.
                items:
                  description: |-
                    ScheduledOverride can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule.
                    A schedule can optionally be recurring, so that the corresponding override happens every day, week, month, or year.
                  properties:
                    endTime:
                      description: EndTime is the time at which the first override
                        ends.
                      format: date-time
                      type: string
                    minReplicas:
                      description: |-
                        MinReplicas is the number of runners while overriding.
                        If omitted, it doesn't override minReplicas.
                      minimum: 0
                      nullable: true
                      type: integer
                    recurrenceRule:
                      properties:
                        frequency:
                          description: |-
                            Frequency is the name of a predefined interval of each recurrence.
                            The valid values are "Daily", "Weekly", "Monthly", and "Yearly".
                            If empty, the corresponding override happens only once.
                          enum:
                          - Daily
                          - Weekly
                          - Monthly
                          - Yearly
                          type: string
                        untilTime:
                          description: |-
                            UntilTime is the time of the final recurrence.
                            If empty, the schedule recurs forever.
                          format: date-time
                          type: string
                      type: object
                    startTime:
                      description: StartTime is the time at which the first override
                        starts.
                      format: date-time
                      type: string
                  required:
                  - endTime
                  - startTime
                  type: object
                type: array
            type: object
          status:
            properties:
              cacheEntries:
                items:
                  properties:
                    expirationTime:
                      format: date-time
                      type: string
                    key:
                      type: string
                    value:
                      type: integer
                  type: object
                type: array
              desiredReplicas:
                description: |-
                  DesiredReplicas is the total number of desired, non-terminated and latest pods to be set for the primary RunnerSet
                  This doesn't include outdated pods while upgrading the deployment and replacing the runnerset.
                type: integer
              lastSuccessfulScaleOutTime:
                format: date-time
                nullable: true
                type: string
              observedGeneration:
                description: |-
                  ObservedGeneration is the most recent generation observed for the target. It corresponds to e.g.
                  RunnerDeployment's generation, which is updated on mutation by the API Server.
                format: int64
                type: integer
              scheduledOverridesSummary:
                description: |-
                  ScheduledOverridesSummary is the summary of active and upcoming scheduled overrides to be shown in e.g. a column of a `kubectl get hra` output
                  for observability.
                type: string
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnersets.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnersets.yaml
--- a/charts/actions-runner-controller/templates/NOTES.txt
+++ b/charts/actions-runner-controller/templates/NOTES.txt
@ -6,17 +6,17 @@
  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "actions-runner-controller.fullname" . }})
+  export NODE_PORT=$(kubectl get --namespace {{ include "actions-runner-controller.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "actions-runner-controller.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  export NODE_IP=$(kubectl get nodes --namespace {{ include "actions-runner-controller.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
  echo http://$NODE_IP:$NODE_PORT
 {{- else if contains "LoadBalancer" .Values.service.type }}
     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "actions-runner-controller.fullname" . }}'
+           You can watch the status of by running 'kubectl get --namespace {{ include "actions-runner-controller.namespace" . }} svc -w {{ include "actions-runner-controller.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "actions-runner-controller.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  export SERVICE_IP=$(kubectl get svc --namespace {{ include "actions-runner-controller.namespace" . }} {{ include "actions-runner-controller.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
  echo http://$SERVICE_IP:{{ .Values.service.port }}
 {{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "actions-runner-controller.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export POD_NAME=$(kubectl get pods --namespace {{ include "actions-runner-controller.namespace" . }} -l "app.kubernetes.io/name={{ include "actions-runner-controller.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ include "actions-runner-controller.namespace" . }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+  kubectl --namespace {{ include "actions-runner-controller.namespace" . }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
--- a/charts/actions-runner-controller/templates/_helpers.tpl
+++ b/charts/actions-runner-controller/templates/_helpers.tpl
@ -1,3 +1,14 @@
 {{/*
 Allow overriding the namespace for the resources.
 */}}
 {{- define "actions-runner-controller.namespace" -}}
 {{- if .Values.namespaceOverride }}
  {{- .Values.namespaceOverride }}
 {{- else }}
  {{- .Release.Namespace }}
 {{- end }}
 {{- end }}
 {{/*
 Expand the name of the chart.
 */}}
--- a/charts/actions-runner-controller/templates/actionsmetrics.deployment.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.deployment.yaml
@ -3,7 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "actions-runner-controller-actions-metrics-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
--- a/charts/actions-runner-controller/templates/actionsmetrics.ingress.yaml.yml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.ingress.yaml.yml
@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ $fullName }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.actionsMetricsServer.ingress.annotations }}
--- a/charts/actions-runner-controller/templates/actionsmetrics.role_binding.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.role_binding.yaml
@ -10,5 +10,5 @@ roleRef:
 subjects:
  - kind: ServiceAccount
    name: {{ include "actions-runner-controller-actions-metrics-server.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "actions-runner-controller.namespace" . }}
 {{- end }}
--- a/charts/actions-runner-controller/templates/actionsmetrics.secrets.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.secrets.yaml
@ -4,7 +4,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "actions-runner-controller-actions-metrics-server.secretName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 type: Opaque
--- a/charts/actions-runner-controller/templates/actionsmetrics.service.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.service.yaml
@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "actions-runner-controller-actions-metrics-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller-actions-metrics-server.selectorLabels" . | nindent 4 }}
 {{- if .Values.actionsMetricsServer.service.annotations }}
--- a/charts/actions-runner-controller/templates/actionsmetrics.serviceaccount.yaml.yml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.serviceaccount.yaml.yml
@ -4,7 +4,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "actions-runner-controller-actions-metrics-server.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.actionsMetricsServer.serviceAccount.annotations }}
--- a/charts/actions-runner-controller/templates/actionsmetrics.servicemonitor.yaml.yml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.servicemonitor.yaml.yml
@ -1,5 +1,5 @@
 {{- if and .Values.actionsMetricsServer.enabled .Values.actionsMetrics.serviceMonitor.enable }}
-{{- $servicemonitornamespace := .Values.actionsMetrics.serviceMonitor.namespace | default .Release.Namespace }}
+{{- $servicemonitornamespace := .Values.actionsMetrics.serviceMonitor.namespace | default (include "actions-runner-controller.namespace" .) }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
--- a/charts/actions-runner-controller/templates/auth_proxy_role_binding.yaml
+++ b/charts/actions-runner-controller/templates/auth_proxy_role_binding.yaml
@ -10,5 +10,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 {{- end }}
--- a/charts/actions-runner-controller/templates/certificate.yaml
+++ b/charts/actions-runner-controller/templates/certificate.yaml
@ -6,7 +6,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: {{ include "actions-runner-controller.selfsignedIssuerName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
  selfSigned: {}
 ---
@ -14,11 +14,11 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: {{ include "actions-runner-controller.servingCertName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
  dnsNames:
-  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ .Release.Namespace }}.svc
+  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ include "actions-runner-controller.namespace" . }}.svc
-  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ .Release.Namespace }}.svc.cluster.local
+  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ include "actions-runner-controller.namespace" . }}.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: {{ include "actions-runner-controller.selfsignedIssuerName" . }}
--- a/charts/actions-runner-controller/templates/controller.metrics.service.yaml
+++ b/charts/actions-runner-controller/templates/controller.metrics.service.yaml
@ -4,7 +4,7 @@ metadata:
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  name: {{ include "actions-runner-controller.metricsServiceName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  {{- with .Values.metrics.serviceAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
--- a/charts/actions-runner-controller/templates/controller.metrics.serviceMonitor.yaml
+++ b/charts/actions-runner-controller/templates/controller.metrics.serviceMonitor.yaml
@ -8,7 +8,7 @@ metadata:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  name: {{ include "actions-runner-controller.serviceMonitorName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
  endpoints:
    - path: /metrics
--- a/charts/actions-runner-controller/templates/controller.pdb.yaml
+++ b/charts/actions-runner-controller/templates/controller.pdb.yaml
@ -5,7 +5,7 @@ metadata:
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  name: {{ include "actions-runner-controller.pdbName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
  {{- if .Values.podDisruptionBudget.minAvailable }}
  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
--- a/charts/actions-runner-controller/templates/deployment.yaml
+++ b/charts/actions-runner-controller/templates/deployment.yaml
@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "actions-runner-controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
@ -56,7 +56,7 @@ spec:
        - "--docker-registry-mirror={{ .Values.dockerRegistryMirror }}"
        {{- end }}
        {{- if .Values.scope.singleNamespace }}
-        - "--watch-namespace={{ default .Release.Namespace .Values.scope.watchNamespace }}"
+        - "--watch-namespace={{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}"
        {{- end }}
        {{- if .Values.logLevel }}
        - "--log-level={{ .Values.logLevel }}"
--- a/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml
@ -3,7 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "actions-runner-controller-github-webhook-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
@ -43,7 +43,7 @@ spec:
        - "--log-level={{ .Values.githubWebhookServer.logLevel }}"
        {{- end }}
        {{- if .Values.scope.singleNamespace }}
-        - "--watch-namespace={{ default .Release.Namespace .Values.scope.watchNamespace }}"
+        - "--watch-namespace={{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}"
        {{- end }}
        {{- if .Values.runnerGithubURL  }}
        - "--runner-github-url={{ .Values.runnerGithubURL }}"
--- a/charts/actions-runner-controller/templates/githubwebhook.ingress.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.ingress.yaml
@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ $fullName }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.githubWebhookServer.ingress.annotations }}
--- a/charts/actions-runner-controller/templates/githubwebhook.pdb.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.pdb.yaml
@ -5,7 +5,7 @@ metadata:
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  name: {{ include "actions-runner-controller-github-webhook-server.pdbName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
  {{- if .Values.githubWebhookServer.podDisruptionBudget.minAvailable }}
  minAvailable: {{ .Values.githubWebhookServer.podDisruptionBudget.minAvailable }}
--- a/charts/actions-runner-controller/templates/githubwebhook.role_binding.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.role_binding.yaml
@ -10,5 +10,5 @@ roleRef:
 subjects:
  - kind: ServiceAccount
    name: {{ include "actions-runner-controller-github-webhook-server.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "actions-runner-controller.namespace" . }}
 {{- end }}
--- a/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml
@ -4,7 +4,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "actions-runner-controller-github-webhook-server.secretName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 type: Opaque
--- a/charts/actions-runner-controller/templates/githubwebhook.service.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.service.yaml
@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "actions-runner-controller-github-webhook-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller-github-webhook-server.selectorLabels" . | nindent 4 }}
 {{- if .Values.githubWebhookServer.service.annotations }}
--- a/charts/actions-runner-controller/templates/githubwebhook.serviceMonitor.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.serviceMonitor.yaml
@ -1,5 +1,5 @@
 {{- if and .Values.githubWebhookServer.enabled .Values.metrics.serviceMonitor.enable }}
-{{- $servicemonitornamespace := .Values.actionsMetrics.serviceMonitor.namespace | default .Release.Namespace }}
+{{- $servicemonitornamespace := .Values.actionsMetrics.serviceMonitor.namespace | default (include "actions-runner-controller.namespace" .) }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
--- a/charts/actions-runner-controller/templates/githubwebhook.serviceaccount.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.serviceaccount.yaml
@ -4,7 +4,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "actions-runner-controller-github-webhook-server.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.githubWebhookServer.serviceAccount.annotations }}
--- a/charts/actions-runner-controller/templates/leader_election_role.yaml
+++ b/charts/actions-runner-controller/templates/leader_election_role.yaml
@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 rules:
 - apiGroups:
  - ""
--- a/charts/actions-runner-controller/templates/leader_election_role_binding.yaml
+++ b/charts/actions-runner-controller/templates/leader_election_role_binding.yaml
@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@ -10,4 +10,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
--- a/charts/actions-runner-controller/templates/manager_role_binding.yaml
+++ b/charts/actions-runner-controller/templates/manager_role_binding.yaml
@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
--- a/charts/actions-runner-controller/templates/manager_role_binding_secrets.yaml
+++ b/charts/actions-runner-controller/templates/manager_role_binding_secrets.yaml
@ -6,7 +6,7 @@ kind: ClusterRoleBinding
 {{- end }}
 metadata:
  name: {{ include "actions-runner-controller.managerRoleName" . }}-secrets
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  {{- if .Values.scope.singleNamespace }}
@ -18,4 +18,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
--- a/charts/actions-runner-controller/templates/manager_secrets.yaml
+++ b/charts/actions-runner-controller/templates/manager_secrets.yaml
@ -3,7 +3,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "actions-runner-controller.secretName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  {{- if .Values.authSecret.annotations }}
  annotations:
    {{ toYaml .Values.authSecret.annotations | nindent 4 }}
--- a/charts/actions-runner-controller/templates/serviceaccount.yaml
+++ b/charts/actions-runner-controller/templates/serviceaccount.yaml
@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
--- a/charts/actions-runner-controller/templates/webhook_configs.yaml
+++ b/charts/actions-runner-controller/templates/webhook_configs.yaml
@ -2,7 +2,7 @@
 We will use a self managed CA if one is not provided by cert-manager
 */}}
 {{- $ca := genCA "actions-runner-ca" 3650 }}
-{{- $cert := genSignedCert (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) .Release.Namespace) nil (list (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) .Release.Namespace)) 3650 $ca }}
+{{- $cert := genSignedCert (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) (include "actions-runner-controller.namespace" .)) nil (list (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) (include "actions-runner-controller.namespace" .))) 3650 $ca }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@ -11,7 +11,7 @@ metadata:
  name: {{ include "actions-runner-controller.fullname" . }}-mutating-webhook-configuration
  {{- if .Values.certManagerEnabled }}
  annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "actions-runner-controller.servingCertName" . }}
+    cert-manager.io/inject-ca-from: {{ include "actions-runner-controller.namespace" . }}/{{ include "actions-runner-controller.servingCertName" . }}
  {{- end }}
 webhooks:
 - admissionReviewVersions:
@ -19,7 +19,7 @@ webhooks:
  {{- if .Values.scope.singleNamespace }}
  namespaceSelector:
    matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
  {{- end }}
  clientConfig:
    {{- if .Values.admissionWebHooks.caBundle }}
@ -29,7 +29,7 @@ webhooks:
    {{- end }}
    service:
      name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
      path: /mutate-actions-summerwind-dev-v1alpha1-runner
  failurePolicy: Fail
  name: mutate.runner.actions.summerwind.dev
@ -50,7 +50,7 @@ webhooks:
  {{- if .Values.scope.singleNamespace }}
  namespaceSelector:
    matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
  {{- end }}
  clientConfig:
    {{- if .Values.admissionWebHooks.caBundle }}
@ -60,7 +60,7 @@ webhooks:
    {{- end }}
    service:
      name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
      path: /mutate-actions-summerwind-dev-v1alpha1-runnerdeployment
  failurePolicy: Fail
  name: mutate.runnerdeployment.actions.summerwind.dev
@ -81,7 +81,7 @@ webhooks:
  {{- if .Values.scope.singleNamespace }}
  namespaceSelector:
    matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
  {{- end }}
  clientConfig:
    {{- if .Values.admissionWebHooks.caBundle }}
@ -91,7 +91,7 @@ webhooks:
    {{- end }}
    service:
      name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
      path: /mutate-actions-summerwind-dev-v1alpha1-runnerreplicaset
  failurePolicy: Fail
  name: mutate.runnerreplicaset.actions.summerwind.dev
@ -112,7 +112,7 @@ webhooks:
  {{- if .Values.scope.singleNamespace }}
  namespaceSelector:
    matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
  {{- end }}
  clientConfig:
    {{- if .Values.admissionWebHooks.caBundle }}
@ -122,7 +122,7 @@ webhooks:
    {{- end }}
    service:
      name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
      path: /mutate-runner-set-pod
  failurePolicy: Fail
  name: mutate-runner-pod.webhook.actions.summerwind.dev
@ -148,7 +148,7 @@ metadata:
  name: {{ include "actions-runner-controller.fullname" . }}-validating-webhook-configuration
  {{- if .Values.certManagerEnabled }}
  annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "actions-runner-controller.servingCertName" . }}
+    cert-manager.io/inject-ca-from: {{ include "actions-runner-controller.namespace" . }}/{{ include "actions-runner-controller.servingCertName" . }}
  {{- end }}
 webhooks:
 - admissionReviewVersions:
@ -156,7 +156,7 @@ webhooks:
  {{- if .Values.scope.singleNamespace }}
  namespaceSelector:
    matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
  {{- end }}
  clientConfig:
    {{- if .Values.admissionWebHooks.caBundle }}
@ -166,7 +166,7 @@ webhooks:
    {{- end }}
    service:
      name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
      path: /validate-actions-summerwind-dev-v1alpha1-runner
  failurePolicy: Fail
  name: validate.runner.actions.summerwind.dev
@ -187,7 +187,7 @@ webhooks:
  {{- if .Values.scope.singleNamespace }}
  namespaceSelector:
    matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
  {{- end }}
  clientConfig:
    {{- if .Values.admissionWebHooks.caBundle }}
@ -197,7 +197,7 @@ webhooks:
    {{- end }}
    service:
      name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
      path: /validate-actions-summerwind-dev-v1alpha1-runnerdeployment
  failurePolicy: Fail
  name: validate.runnerdeployment.actions.summerwind.dev
@ -218,7 +218,7 @@ webhooks:
  {{- if .Values.scope.singleNamespace }}
  namespaceSelector:
    matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
  {{- end }}
  clientConfig:
    {{- if .Values.admissionWebHooks.caBundle }}
@ -228,7 +228,7 @@ webhooks:
    {{- end }}
    service:
      name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
      path: /validate-actions-summerwind-dev-v1alpha1-runnerreplicaset
  failurePolicy: Fail
  name: validate.runnerreplicaset.actions.summerwind.dev
@ -250,7 +250,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "actions-runner-controller.servingCertName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 type: kubernetes.io/tls
--- a/charts/actions-runner-controller/templates/webhook_service.yaml
+++ b/charts/actions-runner-controller/templates/webhook_service.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "actions-runner-controller.webhookServiceName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.service.annotations }}
--- a/charts/actions-runner-controller/values.yaml
+++ b/charts/actions-runner-controller/values.yaml
@ -420,3 +420,6 @@ actionsMetricsServer:
    #      - chart-example.local
  terminationGracePeriodSeconds: 10
  lifecycle: {}
 # Add the option to deploy in another namespace rather than .Release.Namespace.
 namespaceOverride: ""
--- a/charts/gha-runner-scale-set-controller/Chart.yaml
+++ b/charts/gha-runner-scale-set-controller/Chart.yaml
@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.0
+version: 0.13.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.8.0"
+appVersion: "0.13.0"
 home: https://github.com/actions/actions-runner-controller
--- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalinglisteners.yaml
+++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalinglisteners.yaml
--- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalingrunnersets.yaml
+++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalingrunnersets.yaml
--- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunners.yaml
+++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunners.yaml
--- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunnersets.yaml
+++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunnersets.yaml
--- a/charts/gha-runner-scale-set-controller/templates/NOTES.txt
+++ b/charts/gha-runner-scale-set-controller/templates/NOTES.txt
@ -1,4 +1,3 @@
 Thank you for installing {{ .Chart.Name }}.
 Your release is named {{ .Release.Name }}.
--- a/charts/gha-runner-scale-set-controller/templates/_helpers.tpl
+++ b/charts/gha-runner-scale-set-controller/templates/_helpers.tpl
@ -7,6 +7,17 @@ Expand the name of the chart.
 gha-rs-controller
 {{- end }}
 {{/*
 Allow overriding the namespace for the resources.
 */}}
 {{- define "gha-runner-scale-set-controller.namespace" -}}
 {{- if .Values.namespaceOverride }}
  {{- .Values.namespaceOverride }}
 {{- else }}
  {{- .Release.Namespace }}
 {{- end }}
 {{- end }}
 {{- define "gha-runner-scale-set-controller.name" -}}
 {{- default (include "gha-base-name" .) .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
@ -57,7 +68,7 @@ Selector labels
 */}}
 {{- define "gha-runner-scale-set-controller.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "gha-runner-scale-set-controller.name" . }}
-app.kubernetes.io/namespace: {{ .Release.Namespace }}
+app.kubernetes.io/namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
@ -118,15 +129,3 @@ Create the name of the service account to use
 {{- define "gha-runner-scale-set-controller.leaderElectionRoleBinding" -}}
 {{- include "gha-runner-scale-set-controller.fullname" . }}-leader-election
 {{- end }}
 {{- define "gha-runner-scale-set-controller.imagePullSecretsNames" -}}
 {{- $names := list }}
 {{- range $k, $v := . }}
  {{- $names = append $names $v.name }}
 {{- end }}
 {{- $names | join ","}}
 {{- end }}
 {{- define "gha-runner-scale-set-controller.serviceMonitorName" -}}
 {{- include "gha-runner-scale-set-controller.fullname" . }}-service-monitor
 {{- end }}
--- a/charts/gha-runner-scale-set-controller/templates/deployment.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/deployment.yaml
@ -2,10 +2,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "gha-runner-scale-set-controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
  labels:
    {{- include "gha-runner-scale-set-controller.labels" . | nindent 4 }}
-    actions.github.com/controller-service-account-namespace: {{ .Release.Namespace }}
+    actions.github.com/controller-service-account-namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
    actions.github.com/controller-service-account-name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
    {{- if .Values.flags.watchSingleNamespace }}
    actions.github.com/controller-watch-single-namespace: {{ .Values.flags.watchSingleNamespace }}
@ -25,7 +25,7 @@ spec:
      labels:
        app.kubernetes.io/part-of: gha-rs-controller
        app.kubernetes.io/component: controller-manager
-        app.kubernetes.io/version: {{ .Chart.Version }}
+        app.kubernetes.io/version: {{ .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
        {{- include "gha-runner-scale-set-controller.selectorLabels" . | nindent 8 }}
        {{- with .Values.podLabels }}
          {{- toYaml . | nindent 8 }}
@ -54,7 +54,9 @@ spec:
        - "--leader-election-id={{ include "gha-runner-scale-set-controller.fullname" . }}"
        {{- end }}
        {{- with .Values.imagePullSecrets }}
-        - "--auto-scaler-image-pull-secrets={{ include "gha-runner-scale-set-controller.imagePullSecretsNames" . }}"
+        {{- range . }}
        - "--auto-scaler-image-pull-secrets={{- .name -}}"
        {{- end }}
        {{- end }}
        {{- with .Values.flags.logLevel }}
        - "--log-level={{ . }}"
@ -65,6 +67,9 @@ spec:
        {{- with .Values.flags.watchSingleNamespace }}
        - "--watch-single-namespace={{ . }}"
        {{- end }}
        {{- with .Values.flags.runnerMaxConcurrentReconciles }}
        - "--runner-max-concurrent-reconciles={{ . }}"
        {{- end }}
        {{- with .Values.flags.updateStrategy }}
        - "--update-strategy={{ . }}"
        {{- end }}
@ -79,6 +84,15 @@ spec:
        - "--listener-metrics-endpoint="
        - "--metrics-addr=0"
        {{- end }}
        {{- range .Values.flags.excludeLabelPropagationPrefixes }}
        - "--exclude-label-propagation-prefix={{ . }}"
        {{- end }}
        {{- with .Values.flags.k8sClientRateLimiterQPS }}
        - "--k8s-client-rate-limiter-qps={{ . }}"
        {{- end }}
        {{- with .Values.flags.k8sClientRateLimiterBurst }}
        - "--k8s-client-rate-limiter-burst={{ . }}"
        {{- end }}
        command:
        - "/manager"
        {{- with .Values.metrics }}
@ -110,10 +124,16 @@ spec:
        volumeMounts:
        - mountPath: /tmp
          name: tmp
        {{- range .Values.volumeMounts }}
        - {{ toYaml . | nindent 10 }}
        {{- end }}
      terminationGracePeriodSeconds: 10
      volumes:
      - name: tmp
        emptyDir: {}
      {{- range .Values.volumes }}
      - {{ toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
@ -122,6 +142,10 @@ spec:
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
--- a/charts/gha-runner-scale-set-controller/templates/leader_election_role.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/leader_election_role.yaml
@ -4,9 +4,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "gha-runner-scale-set-controller.leaderElectionRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
 {{- end }}
--- a/charts/gha-runner-scale-set-controller/templates/leader_election_role_binding.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/leader_election_role_binding.yaml
@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "gha-runner-scale-set-controller.leaderElectionRoleBinding" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@ -11,5 +11,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 {{- end }}
--- a/charts/gha-runner-scale-set-controller/templates/manager_cluster_role_binding.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_cluster_role_binding.yaml
@ -10,5 +10,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 {{- end }}
--- a/charts/gha-runner-scale-set-controller/templates/manager_listener_role.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_listener_role.yaml
@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "gha-runner-scale-set-controller.managerListenerRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 rules:
 - apiGroups:
  - ""
--- a/charts/gha-runner-scale-set-controller/templates/manager_listener_role_binding.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_listener_role_binding.yaml
@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "gha-runner-scale-set-controller.managerListenerRoleBinding" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@ -10,4 +10,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
--- a/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role.yaml
@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "gha-runner-scale-set-controller.managerSingleNamespaceRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 rules:
 - apiGroups:
  - actions.github.com
--- a/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role_binding.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role_binding.yaml
@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "gha-runner-scale-set-controller.managerSingleNamespaceRoleBinding" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@ -11,5 +11,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 {{- end }}
--- a/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_watch_role_binding.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_watch_role_binding.yaml
@ -11,5 +11,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 {{- end }}
--- a/charts/gha-runner-scale-set-controller/templates/serviceaccount.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/serviceaccount.yaml
@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
  labels:
    {{- include "gha-runner-scale-set-controller.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
--- a/charts/gha-runner-scale-set-controller/tests/template_test.go
+++ b/charts/gha-runner-scale-set-controller/tests/template_test.go
@ -17,6 +17,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 type Chart struct {
@ -345,6 +346,7 @@ func TestTemplate_ControllerDeployment_Defaults(t *testing.T) {
 	assert.Len(t, deployment.Spec.Template.Spec.NodeSelector, 0)
 	assert.Nil(t, deployment.Spec.Template.Spec.Affinity)
 	assert.Len(t, deployment.Spec.Template.Spec.TopologySpreadConstraints, 0)
 	assert.Len(t, deployment.Spec.Template.Spec.Tolerations, 0)
 	managerImage := "ghcr.io/actions/gha-runner-scale-set-controller:dev"
@ -365,6 +367,7 @@ func TestTemplate_ControllerDeployment_Defaults(t *testing.T) {
 		"--metrics-addr=0",
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--runner-max-concurrent-reconciles=2",
 	}
 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@ -424,10 +427,17 @@ func TestTemplate_ControllerDeployment_Customize(t *testing.T) {
 			"tolerations[0].key":           "foo",
 			"affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key":      "foo",
 			"affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator": "bar",
-			"priorityClassName":    "test-priority-class",
+			"topologySpreadConstraints[0].labelSelector.matchLabels.foo":                                                             "bar",
-			"flags.updateStrategy": "eventual",
+			"topologySpreadConstraints[0].maxSkew":                                                                                   "1",
-			"flags.logLevel":       "info",
+			"topologySpreadConstraints[0].topologyKey":                                                                               "foo",
-			"flags.logFormat":      "json",
+			"priorityClassName":         "test-priority-class",
 			"flags.updateStrategy":      "eventual",
 			"flags.logLevel":            "info",
 			"flags.logFormat":           "json",
 			"volumes[0].name":           "customMount",
 			"volumes[0].configMap.name": "my-configmap",
 			"volumeMounts[0].name":      "customMount",
 			"volumeMounts[0].mountPath": "/my/mount/path",
 		},
 		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
 	}
@ -470,9 +480,11 @@ func TestTemplate_ControllerDeployment_Customize(t *testing.T) {
 	assert.Equal(t, int64(1000), *deployment.Spec.Template.Spec.SecurityContext.FSGroup)
 	assert.Equal(t, "test-priority-class", deployment.Spec.Template.Spec.PriorityClassName)
 	assert.Equal(t, int64(10), *deployment.Spec.Template.Spec.TerminationGracePeriodSeconds)
-	assert.Len(t, deployment.Spec.Template.Spec.Volumes, 1)
+	assert.Len(t, deployment.Spec.Template.Spec.Volumes, 2)
 	assert.Equal(t, "tmp", deployment.Spec.Template.Spec.Volumes[0].Name)
-	assert.NotNil(t, 10, deployment.Spec.Template.Spec.Volumes[0].EmptyDir)
+	assert.NotNil(t, deployment.Spec.Template.Spec.Volumes[0].EmptyDir)
 	assert.Equal(t, "customMount", deployment.Spec.Template.Spec.Volumes[1].Name)
 	assert.Equal(t, "my-configmap", deployment.Spec.Template.Spec.Volumes[1].ConfigMap.Name)
 	assert.Len(t, deployment.Spec.Template.Spec.NodeSelector, 1)
 	assert.Equal(t, "bar", deployment.Spec.Template.Spec.NodeSelector["foo"])
@ -481,6 +493,11 @@ func TestTemplate_ControllerDeployment_Customize(t *testing.T) {
 	assert.Equal(t, "foo", deployment.Spec.Template.Spec.Affinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution.NodeSelectorTerms[0].MatchExpressions[0].Key)
 	assert.Equal(t, "bar", string(deployment.Spec.Template.Spec.Affinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution.NodeSelectorTerms[0].MatchExpressions[0].Operator))
 	assert.Len(t, deployment.Spec.Template.Spec.TopologySpreadConstraints, 1)
 	assert.Equal(t, "bar", deployment.Spec.Template.Spec.TopologySpreadConstraints[0].LabelSelector.MatchLabels["foo"])
 	assert.Equal(t, int32(1), deployment.Spec.Template.Spec.TopologySpreadConstraints[0].MaxSkew)
 	assert.Equal(t, "foo", deployment.Spec.Template.Spec.TopologySpreadConstraints[0].TopologyKey)
 	assert.Len(t, deployment.Spec.Template.Spec.Tolerations, 1)
 	assert.Equal(t, "foo", deployment.Spec.Template.Spec.Tolerations[0].Key)
@ -503,6 +520,7 @@ func TestTemplate_ControllerDeployment_Customize(t *testing.T) {
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
 		"--runner-max-concurrent-reconciles=2",
 	}
 	assert.ElementsMatch(t, expectArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@ -521,9 +539,11 @@ func TestTemplate_ControllerDeployment_Customize(t *testing.T) {
 	assert.True(t, *deployment.Spec.Template.Spec.Containers[0].SecurityContext.RunAsNonRoot)
 	assert.Equal(t, int64(1000), *deployment.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser)
-	assert.Len(t, deployment.Spec.Template.Spec.Containers[0].VolumeMounts, 1)
+	assert.Len(t, deployment.Spec.Template.Spec.Containers[0].VolumeMounts, 2)
 	assert.Equal(t, "tmp", deployment.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name)
 	assert.Equal(t, "/tmp", deployment.Spec.Template.Spec.Containers[0].VolumeMounts[0].MountPath)
 	assert.Equal(t, "customMount", deployment.Spec.Template.Spec.Containers[0].VolumeMounts[1].Name)
 	assert.Equal(t, "/my/mount/path", deployment.Spec.Template.Spec.Containers[0].VolumeMounts[1].MountPath)
 }
 func TestTemplate_EnableLeaderElectionRole(t *testing.T) {
@ -629,6 +649,7 @@ func TestTemplate_EnableLeaderElection(t *testing.T) {
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
 		"--runner-max-concurrent-reconciles=2",
 	}
 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@ -662,13 +683,15 @@ func TestTemplate_ControllerDeployment_ForwardImagePullSecrets(t *testing.T) {
 	expectedArgs := []string{
 		"--auto-scaling-runner-set-only",
-		"--auto-scaler-image-pull-secrets=dockerhub,ghcr",
+		"--auto-scaler-image-pull-secrets=dockerhub",
 		"--auto-scaler-image-pull-secrets=ghcr",
 		"--log-level=debug",
 		"--log-format=text",
 		"--update-strategy=immediate",
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
 		"--runner-max-concurrent-reconciles=2",
 	}
 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@ -737,6 +760,7 @@ func TestTemplate_ControllerDeployment_WatchSingleNamespace(t *testing.T) {
 	assert.Len(t, deployment.Spec.Template.Spec.NodeSelector, 0)
 	assert.Nil(t, deployment.Spec.Template.Spec.Affinity)
 	assert.Len(t, deployment.Spec.Template.Spec.TopologySpreadConstraints, 0)
 	assert.Len(t, deployment.Spec.Template.Spec.Tolerations, 0)
 	managerImage := "ghcr.io/actions/gha-runner-scale-set-controller:dev"
@ -758,6 +782,7 @@ func TestTemplate_ControllerDeployment_WatchSingleNamespace(t *testing.T) {
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
 		"--runner-max-concurrent-reconciles=2",
 	}
 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@ -1017,3 +1042,185 @@ func TestControllerDeployment_MetricsPorts(t *testing.T) {
 		assert.Equal(t, value.frequency, 1, fmt.Sprintf("frequency of %q is not 1", key))
 	}
 }
 func TestDeployment_excludeLabelPropagationPrefixes(t *testing.T) {
 	t.Parallel()
 	// Path to the helm chart we will test
 	helmChartPath, err := filepath.Abs("../../gha-runner-scale-set-controller")
 	require.NoError(t, err)
 	chartContent, err := os.ReadFile(filepath.Join(helmChartPath, "Chart.yaml"))
 	require.NoError(t, err)
 	chart := new(Chart)
 	err = yaml.Unmarshal(chartContent, chart)
 	require.NoError(t, err)
 	releaseName := "test-arc"
 	namespaceName := "test-" + strings.ToLower(random.UniqueId())
 	options := &helm.Options{
 		Logger: logger.Discard,
 		SetValues: map[string]string{
 			"flags.excludeLabelPropagationPrefixes[0]": "prefix.com/",
 			"flags.excludeLabelPropagationPrefixes[1]": "complete.io/label",
 		},
 		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
 	}
 	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/deployment.yaml"})
 	var deployment appsv1.Deployment
 	helm.UnmarshalK8SYaml(t, output, &deployment)
 	require.Len(t, deployment.Spec.Template.Spec.Containers, 1, "Expected one container")
 	container := deployment.Spec.Template.Spec.Containers[0]
 	assert.Contains(t, container.Args, "--exclude-label-propagation-prefix=prefix.com/")
 	assert.Contains(t, container.Args, "--exclude-label-propagation-prefix=complete.io/label")
 }
 func TestNamespaceOverride(t *testing.T) {
 	t.Parallel()
 	chartPath := "../../gha-runner-scale-set-controller"
 	releaseName := "test"
 	releaseNamespace := "test-" + strings.ToLower(random.UniqueId())
 	namespaceOverride := "test-" + strings.ToLower(random.UniqueId())
 	tt := map[string]struct {
 		file          string
 		options       *helm.Options
 		wantNamespace string
 	}{
 		"deployment": {
 			file: "deployment.yaml",
 			options: &helm.Options{
 				Logger: logger.Discard,
 				SetValues: map[string]string{
 					"namespaceOverride": namespaceOverride,
 				},
 				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
 			},
 			wantNamespace: namespaceOverride,
 		},
 		"leader_election_role_binding": {
 			file: "leader_election_role_binding.yaml",
 			options: &helm.Options{
 				Logger: logger.Discard,
 				SetValues: map[string]string{
 					"namespaceOverride": namespaceOverride,
 					"replicaCount":      "2",
 				},
 				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
 			},
 			wantNamespace: namespaceOverride,
 		},
 		"leader_election_role": {
 			file: "leader_election_role.yaml",
 			options: &helm.Options{
 				Logger: logger.Discard,
 				SetValues: map[string]string{
 					"namespaceOverride": namespaceOverride,
 					"replicaCount":      "2",
 				},
 				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
 			},
 			wantNamespace: namespaceOverride,
 		},
 		"manager_listener_role_binding": {
 			file: "manager_listener_role_binding.yaml",
 			options: &helm.Options{
 				Logger: logger.Discard,
 				SetValues: map[string]string{
 					"namespaceOverride": namespaceOverride,
 					"replicaCount":      "2",
 				},
 				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
 			},
 			wantNamespace: namespaceOverride,
 		},
 		"manager_listener_role": {
 			file: "manager_listener_role.yaml",
 			options: &helm.Options{
 				Logger: logger.Discard,
 				SetValues: map[string]string{
 					"namespaceOverride": namespaceOverride,
 					"replicaCount":      "2",
 				},
 				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
 			},
 			wantNamespace: namespaceOverride,
 		},
 		"manager_single_namespace_controller_role": {
 			file: "manager_single_namespace_controller_role.yaml",
 			options: &helm.Options{
 				Logger: logger.Discard,
 				SetValues: map[string]string{
 					"namespaceOverride":          namespaceOverride,
 					"flags.watchSingleNamespace": "true",
 				},
 				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
 			},
 			wantNamespace: namespaceOverride,
 		},
 		"manager_single_namespace_controller_role_binding": {
 			file: "manager_single_namespace_controller_role_binding.yaml",
 			options: &helm.Options{
 				Logger: logger.Discard,
 				SetValues: map[string]string{
 					"namespaceOverride":          namespaceOverride,
 					"flags.watchSingleNamespace": "true",
 				},
 				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
 			},
 			wantNamespace: namespaceOverride,
 		},
 		"manager_single_namespace_watch_role": {
 			file: "manager_single_namespace_watch_role.yaml",
 			options: &helm.Options{
 				Logger: logger.Discard,
 				SetValues: map[string]string{
 					"namespaceOverride":          namespaceOverride,
 					"flags.watchSingleNamespace": "target-ns",
 				},
 				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
 			},
 			wantNamespace: "target-ns",
 		},
 		"manager_single_namespace_watch_role_binding": {
 			file: "manager_single_namespace_watch_role_binding.yaml",
 			options: &helm.Options{
 				Logger: logger.Discard,
 				SetValues: map[string]string{
 					"namespaceOverride":          namespaceOverride,
 					"flags.watchSingleNamespace": "target-ns",
 				},
 				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
 			},
 			wantNamespace: "target-ns",
 		},
 	}
 	for name, tc := range tt {
 		c := tc
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 			templateFile := filepath.Join("./templates", c.file)
 			output, err := helm.RenderTemplateE(t, c.options, chartPath, releaseName, []string{templateFile})
 			if err != nil {
 				t.Errorf("Error rendering template %s from chart %s: %s", c.file, chartPath, err)
 			}
 			type object struct {
 				Metadata metav1.ObjectMeta
 			}
 			var renderedObject object
 			helm.UnmarshalK8SYaml(t, output, &renderedObject)
 			assert.Equal(t, tc.wantNamespace, renderedObject.Metadata.Namespace)
 		})
 	}
 }
--- a/charts/gha-runner-scale-set-controller/values.yaml
+++ b/charts/gha-runner-scale-set-controller/values.yaml
@ -72,6 +72,12 @@ tolerations: []
 affinity: {}
 topologySpreadConstraints: []
 # Mount volumes in the container.
 volumes: []
 volumeMounts: []
 # Leverage a PriorityClass to ensure your pods survive resource shortages
 # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
 # PriorityClass: system-cluster-critical
@ -100,6 +106,11 @@ flags:
  ## Defaults to watch all namespaces when unset.
  # watchSingleNamespace: ""
  ## The maximum number of concurrent reconciles which can be run by the EphemeralRunner controller.
  # Increase this value to improve the throughput of the controller.
  # It may also increase the load on the API server and the external service (e.g. GitHub API).
  runnerMaxConcurrentReconciles: 2
  ## Defines how the controller should handle upgrades while having running jobs.
  ##
  ## The strategies available are:
@ -115,3 +126,19 @@ flags:
  ##   This can lead to a longer time to apply the change but it will ensure
  ##   that you don't have any overprovisioning of runners.
  updateStrategy: "immediate"
  ## Defines a list of prefixes that should not be propagated to internal resources.
  ## This is useful when you have labels that are used for internal purposes and should not be propagated to internal resources.
  ## See https://github.com/actions/actions-runner-controller/issues/3533 for more information.
  ##
  ## By default, all labels are propagated to internal resources
  ## Labels that match prefix specified in the list are excluded from propagation.
  # excludeLabelPropagationPrefixes:
  #   - "argocd.argoproj.io/instance"
 # Overrides the default `.Release.Namespace` for all resources in this chart.
 namespaceOverride: ""
 ## Defines the K8s client rate limiter parameters.
  # k8sClientRateLimiterQPS: 20
  # k8sClientRateLimiterBurst: 30
--- a/Show More
+++ b/Show More
`@ -1,2 +1,2 @@`
	`# actions-runner-controller maintainers`	`# actions-runner-controller maintainers`
	`* @mumoshu @toast-gear @actions/actions-launch @nikola-jokic`	`* @mumoshu @toast-gear @actions/actions-launch @actions/actions-compute @nikola-jokic @rentziass`
`@ -1,4 +1,3 @@`
	`Thank you for installing {{ .Chart.Name }}.`	`Thank you for installing {{ .Chart.Name }}.`

	`Your release is named {{ .Release.Name }}.`	`Your release is named {{ .Release.Name }}.`