diff --git a/.github/workflows/update-custom-runner.yml b/.github/workflows/update-custom-runner.yml index ec7f485529..c0b23a7c36 100644 --- a/.github/workflows/update-custom-runner.yml +++ b/.github/workflows/update-custom-runner.yml @@ -4,7 +4,7 @@ on: workflow_dispatch: inputs: runner_list: - description: 'Runner hostname to update (comma-separated)' + description: 'Runner hostnames (comma-separated)' default: 'fplmac1,fplmac2' required: true update_tools: 
@@ -20,33 +20,78 @@ env: GITHUB_TOKEN: ${{ github.token }} jobs: + prepare: + name: prepare + runs-on: ubuntu-20.04 + if: github.event.inputs.runner_list != '' + outputs: + runner_hostnames: ${{ steps.prepare_inputs.outputs.runner_hostnames }} + steps: + - name: Prepare inputs + id: prepare_inputs + shell: bash + run: | + csv='${{github.event.inputs.runner_list}}' + json="['$(echo ${csv} | sed s/,/\',\'/g)']" + echo "runner_hostnames=${json}" + echo "runner_hostnames=${json}" >> $GITHUB_OUTPUT + update_custom_runners: name: update-custom-runner-${{ matrix.runner_hostname }} + needs: [ prepare ] runs-on: [self-hosted, '${{ matrix.runner_hostname }}' ] - if: ${{ github.event.input.runner_list }} + if: github.event.inputs.runner_list != '' strategy: matrix: - runner_hostname: ${{ github.event.input.runner_list }} + runner_hostname: ${{ fromJson(needs.prepare.outputs.runner_hostnames) }} steps: - name: Update tools - if: ${{ github.event.inputs.update_tools }} + if: github.event.inputs.update_tools == 1 shell: bash run: | - echo "npm install -g firebase-tools" + set -ex + npm install -g firebase-tools - name: Check for OS updates shell: bash run: | - if softwareupdate -l -r | grep -q 'No new software available' - then - echo "::warning ::No OS updates available." - else - echo "softwareupdate -l -r | tr '\n' '|' | sed 's/|/%0A/g' | sed " - - - name: Update OS - if: ${{ github.event.inputs.update_os }} + # If there is new software, print the list. + set +e + softwareupdate -l -r 2>&1 | grep -q 'No new software' && exit + softwareupdate -l -r | tr '\n' '|' | sed 's/|/%0A/g' | sed 's/^/::warning ::/' + + - name: Install OS updates + if: github.event.inputs.update_os == 1 shell: bash run: | - echo "softwareupdate -i -r -f" + # Ignore errors + set +e + + # Pause a minute before installing updates. + sleep 60 + + # Need to use sudo to run the update with reboot. Set up a temporary + # "askpass" script to provide sudo with the password. 
+ tmpfile="$(mktemp)" + trap "rm -f \"${tmpfile}\"" EXIT HUP QUIT PIPE INT + + # Generate a script for sudo to use, which immediately deletes itself. + cat > "${tmpfile}" <> "${tmpfile}" <<'EOF' + cat <<'END_OF_FILE' + ${{secrets.CUSTOM_RUNNER_PW}} + END_OF_FILE + EOF + + # sudo -A -k will force run the generated script, which will then + # immediately delete itself. + SUDO_ASKPASS="${tmpfile}" sudo -A -k softwareupdate -i -r -R --user root --stdinpass '' 2>&1
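Review bot: The `Prepare inputs` step expands `${{github.event.inputs.runner_list}}` straight into the bash script (`csv='…'`), so a value containing a single quote is parsed as shell instead of data. The `Install OS updates` step does the same with `${{secrets.CUSTOM_RUNNER_PW}}` inside the askpass heredoc, which writes the literal password into a script file on the self-hosted runner. Both values should arrive through a step-level `env:` mapping and be read as shell variables; for the password, the askpass script would print `"$CUSTOM_RUNNER_PW"` (assuming sudo passes that variable through to the helper), or a narrowly scoped sudoers rule for `softwareupdate` would remove the need for it. Since the list also chooses which self-hosted runner label each matrix job targets, it should be checked against a hostname pattern before the output is written, as sketched below (this assumes `jq` is present on the hosted image). The heredoc lines look garbled in this view, so the askpass change is described rather than shown.

```yaml
      - name: Prepare inputs
        # … unchanged: id, shell …
        env:
          RUNNER_LIST: ${{ github.event.inputs.runner_list }}
        run: |
          # Accept only a comma-separated list of hostname-like tokens.
          if [[ ! "${RUNNER_LIST}" =~ ^[A-Za-z0-9._-]+(,[A-Za-z0-9._-]+)*$ ]]; then
            echo "::error ::runner_list must be comma-separated hostnames"
            exit 1
          fi
          # Build the JSON array with jq so quoting is never hand-assembled.
          json="$(jq -cR 'split(",")' <<< "${RUNNER_LIST}")"
          echo "runner_hostnames=${json}" >> "$GITHUB_OUTPUT"
```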