Allow to run a workflow by id on ephemeral runners

[fkorotkov]

Describe the enhancement

Right now the recommended way for auto-scaling runners is to listen for workflow_job event and create runners on-demand.

If there are several workflow_job events are coming in parallel and we create multiple runners that execute ./run.sh script then we don't have guarantee which workflow will be executed on which runner. It will be nice if we could pre-assign workflow to a particular ephemeral runner so when there is a completed workflow_job event it's easier to clean it up.

./run.sh --workflow-id 123456789

[kmaehashi]

👍
This will also allow deploying self-hosted runners securely, especially in public repositories.

In our OSS project, we want to implement a pull-request CI workflow that runs only when maintainers approve. A workflow_job payload contains sender so we can check whether the workflow run was triggered by maintainers or not, however, after the runner is launched, attackers may "steal" the launched runner, as the runner is not bound to the specific run.

[nwf]

This is a duplicate of #620, I think, but it would be very nice to have.

[nikola-jokic]

Hey, I will close this issue as a duplicate. Thank you, @nwf, for answering! For everyone following, please provide 👍 on the issue #620 so we can see the interest!