
Self-Hosted Runners

Run GitHub Actions with self-hosted runners in DuploCloud

Self-hosted runners execute workflow code from the repository inside your environment, so anyone who can get a workflow to run in that repository can run code on the runner. GitHub advises against using self-hosted runners with public repositories, where forks can trigger workflows. Before continuing, read at least GitHub's self-hosted runner security doc and the runner security hardening doc.

The setup outlined here keeps the security model simple by scoping the runners to a single repository. Serving multiple repositories or a whole organization requires additional controls, such as runner groups that restrict which repositories and workflows may use the runners.

DuploCloud recommends using the Actions Runner Controller (ARC) and isolating workloads by running the controller in one tenant and the runners in another (gharc01 and ghrun01 in the example below). If workflows need to reach resources in other tenants, grant those cross-tenant permissions to the runner tenant only, never to the controller tenant.

The controller and scale set Helm charts are pinned to specific versions for stability, while the runner pods use the latest runner image so they pick up fixes promptly. Keep runners patched even though a new image can occasionally introduce a compatibility problem; an unpatched runner is the greater risk.

The example code below is Terraform; the same values can be passed to the Helm CLI. Both charts were tested at version 0.9.3. Variable references have been replaced with explicit values for clarity.

Deploying Self-Hosted Runners

Deploy the Actions Runner Controller (ARC)

  1. Deploy the controller Helm chart in the gharc01 tenant using this Terraform resource as an example:

resource "helm_release" "runner_scale_set_controller" {
  name      = "runner-scale-set-controller"
  namespace = "duploservices-gharc01"

  repository = "oci://ghcr.io/actions/actions-runner-controller-charts"
  chart      = "gha-runner-scale-set-controller"
  version    = "0.9.3"

  atomic  = true
  timeout = 600

  values = [
    yamlencode({
      nodeSelector = {
        # Only place the controller pods on hosts for this tenant.
        tenantname = "duploservices-gharc01"
      }
    })
  ]
}

Setup Access by Creating a GitHub App

  1. Create a new GitHub App in your GitHub organization or user account:

    • Under Webhook, uncheck Active. The scale set listener long-polls GitHub, so no webhook URL is needed.

    • Choose Only allow this app to be installed on this account during installation.

    • Limit the app's repository access to the single repository the runners will serve (the one in githubConfigUrl), and grant only the repository permissions the ARC documentation requires for repository-level runners.

  2. In the Kubernetes tenant where runners will run (e.g., ghrun01), create a Secret whose name matches the githubConfigSecret value you will pass to the runner scale set chart (e.g., github-auth). It holds the GitHub App credentials the controller uses to authenticate.

See the upstream values.yaml for the documented key names.

Deploy the Runners

  1. Deploy the runner scale set Helm chart (gha-runner-scale-set) into the runner tenant with the values configured above. Together with the controller already running, this creates:

    • A runner pod in the tenant where runners are deployed (e.g., ghrun01), created when a job is queued, or immediately if minRunners is set above its default of 0.

    • A listener pod in the tenant where the controller is deployed (e.g., gharc01).

  2. In the DuploCloud Portal, go to Kubernetes Containers (not Services) in each tenant and confirm the pods are running.
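The following is an added example, not code from the original page or from DuploCloud, showing the two pieces the steps above leave implicit: the Secret the controller authenticates with, and the values for the gha-runner-scale-set chart (the same values the page's Terraform would pass through yamlencode). The Secret key names are the ones the upstream values.yaml documents for GitHub App authentication. The repository URL, App ID, installation ID, runner counts, and the controller service account name are placeholders or assumptions; the service account name in particular is the controller chart's default for a release named runner-scale-set-controller and should be confirmed with kubectl before use.

```yaml
# --- File 1: github-auth-secret.yaml (apply in the runner tenant's namespace) ---
# Key names are those documented in the upstream gha-runner-scale-set values.yaml
# for GitHub App authentication. All values below are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: github-auth                      # must match githubConfigSecret in File 2
  namespace: duploservices-ghrun01
type: Opaque
stringData:
  github_app_id: "123456"                # placeholder: App ID from the app's settings page
  github_app_installation_id: "7891011"  # placeholder: installation ID of the app on the account
  github_app_private_key: |              # placeholder: the PEM generated for the app
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
---
# --- File 2: runner-values.yaml (values for the gha-runner-scale-set chart) ---
# Install with the Helm CLI (the page's Terraform helm_release is equivalent):
#   helm install duplo-ghrun01-myorg-myrepo \
#     oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set \
#     --version 0.9.3 --namespace duploservices-ghrun01 -f runner-values.yaml
githubConfigUrl: https://github.com/myorg/myrepo   # placeholder; exactly one repository
githubConfigSecret: github-auth                    # name of the Secret in File 1
runnerScaleSetName: duplo-ghrun01-myorg-myrepo     # becomes the runs-on label

# The controller lives in the other tenant; point the scale set at its service account.
# The name is an assumption (controller chart default for release
# "runner-scale-set-controller"); confirm with:
#   kubectl get serviceaccount -n duploservices-gharc01
controllerServiceAccount:
  namespace: duploservices-gharc01
  name: runner-scale-set-controller-gha-rs-controller

minRunners: 0   # placeholder sizing: no idle runners, scale from zero on demand
maxRunners: 5

# Runner pods: pin to the runner tenant's hosts and run the latest runner image,
# matching the page's recommendation to keep runners current.
template:
  spec:
    nodeSelector:
      tenantname: duploservices-ghrun01
    containers:
      - name: runner
        image: ghcr.io/actions/actions-runner:latest
        command: ["/home/runner/run.sh"]

# The listener pod is created in the controller's namespace; keep it on that
# tenant's hosts as well, mirroring the controller's own nodeSelector.
listenerTemplate:
  spec:
    nodeSelector:
      tenantname: duploservices-gharc01
```

In Terraform, File 2 is what goes inside the `values` list of a second helm_release for the gha-runner-scale-set chart in the duploservices-ghrun01 namespace. Keep the Secret out of version control; with Terraform, load the private key from a variable or secret store rather than inlining it.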

Test the Runners

  1. Run a test GitHub Actions workflow in the repository using the configured runs-on label, for example:

Replace duplo-ghrun01-myorg-myrepo with the actual label from your runner configuration.

If you need help creating a test workflow, see this example.
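As an added example (constructed here, not the workflow the page links to), a minimal smoke test that fails unless the job actually lands on a self-hosted runner, then reports which pod and namespace it ran in. The runs-on label is the page's example label; the file path and step contents are assumptions.

```yaml
# .github/workflows/runner-smoke-test.yml (constructed example)
name: Self-hosted runner smoke test

on:
  workflow_dispatch:   # run by hand; nothing here should fire on pull_request

# Least privilege: the test needs no write access to the repository.
permissions:
  contents: read

jobs:
  smoke:
    # Must match runnerScaleSetName of the installed scale set.
    runs-on: duplo-ghrun01-myorg-myrepo
    timeout-minutes: 5
    steps:
      - name: Fail unless the job landed on a self-hosted runner
        run: |
          echo "runner: $RUNNER_NAME ($RUNNER_OS/$RUNNER_ARCH)"
          # GitHub sets RUNNER_ENVIRONMENT to "github-hosted" or "self-hosted";
          # this fails the job if the label resolved to a GitHub-hosted runner.
          test "$RUNNER_ENVIRONMENT" = "self-hosted"

      - name: Show the pod and namespace the job is running in
        run: |
          hostname   # the runner pod name
          ns=/var/run/secrets/kubernetes.io/serviceaccount/namespace
          if [ -r "$ns" ]; then
            echo "namespace: $(cat "$ns")"   # expect duploservices-ghrun01
          else
            echo "no service account token mounted"
          fi
```

If the job stays queued instead of starting, the runs-on label does not match runnerScaleSetName or the listener pod in the controller tenant is not running; timeout-minutes only covers a job that has already started.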

Additional Resources
