Deploy ephemeral, rootless GitHub Actions runners using Podman with automated token management and resource allocation. Runners execute in isolated containers with tmpfs mounts for security and state isolation. Includes Python, Node.js, Rust, and standard CI tools. Perfect if you want secure, stateless self-hosted runners without root privileges.
- Podman: For rootless container execution.
- GitHub CLI (`gh`): To fetch runner registration tokens. You must authenticate first:

  ```bash
  gh auth login
  ```

- jq: To parse the token JSON response from the GitHub API.
- Copy the example environment file:

  ```bash
  cp .env.example .env
  ```

- (Optional) Set your default target repository in `.env`:

  ```bash
  GITHUB_REPO=your-user/your-repo
  ```

  Note: Real runner tokens will be written to `.env` automatically when the deployment script runs. This file is ignored by git.
The `deploy_runner.sh` script automates fetching tokens via the GitHub API, building the Podman image, and running the container(s).
Deploy a single runner for a specific repository:

```bash
./deploy_runner.sh -r owner/repo
```

If you configured `GITHUB_REPO` in your `.env`, you can omit the `-r` flag:

```bash
./deploy_runner.sh
```

You can deploy multiple runners for the same repository simultaneously by specifying the `-n` flag. The script will automatically calculate CPU and RAM limits to distribute your host's resources evenly among them.

```bash
# Deploy 4 runners
./deploy_runner.sh -n 4 -r owner/repo
```

- Token Retrieval: The script uses `gh api` to fetch ephemeral runner registration tokens.
- Container Build: A custom Ubuntu-based image is built containing Node.js, Python, Rust, and other CI tools (defined in `Containerfile`).
- Rootless Execution: `podman` creates the runner instances in rootless mode with limited privileges.
- Ephemeral Configuration: When a container starts, `entrypoint.sh` initializes the runner config using `--ephemeral`, ensuring it only runs one job before unregistering and exiting. The container's restart policy automatically spins it back up to fetch the next job.
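The following is an added example sketching how the steps above fit together; it is not the project's `deploy_runner.sh` or any other file from the repository. It fetches an ephemeral registration token with `gh api`, splits the host's CPU and RAM evenly across `N` runners, and assembles a rootless `podman run` line with tmpfs-backed scratch directories. The image tag `localhost/gh-runner:latest`, the `gh-runner-<owner>-<repo>-<n>` naming, the tmpfs paths and sizes, the 1024 MiB host reserve and the `--pids-limit` value are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not the project's own deploy_runner.sh. Sketches token
# retrieval, even CPU/RAM distribution and the rootless podman invocation.
# Image tag, container naming, tmpfs paths/sizes and limits are assumptions.
set -eu

# Per-runner CPU share: whole cores, never below 1 even when runners > cores.
cpus_per_runner() {
  per=$(( $1 / $2 ))
  [ "$per" -lt 1 ] && per=1
  echo "$per"
}

# Per-runner memory in MiB after holding back a reserve for the host
# (default 1024 MiB, an assumption); never hands out 0 MiB.
mem_per_runner_mib() {
  total=$1; count=$2; reserve=${3:-1024}
  usable=$(( total - reserve ))
  [ "$usable" -lt "$count" ] && usable=$count
  echo $(( usable / count ))
}

# Container/runner name derived from "owner/repo" and the runner index.
runner_name() {
  echo "gh-runner-$(printf '%s' "$1" | tr '/' '-')-$2"
}

# Ephemeral registration token for the repo. GitHub expires it after one
# hour, and with --ephemeral it is consumed by a single registration.
# Requires a prior `gh auth login`; jq extracts the token field.
fetch_registration_token() {
  gh api -X POST "repos/$1/actions/runners/registration-token" | jq -r .token
}

# Print (do not run) the podman command for one runner, so it can be
# reviewed or dry-run. Scratch space lives on tmpfs (nosuid,nodev) and is
# discarded with the container; the token comes from a 0600 env file rather
# than the command line, so it does not appear in `ps` output.
podman_run_cmd() {
  repo=$1; idx=$2; cpus=$3; mem_mib=$4; env_file=$5
  name=$(runner_name "$repo" "$idx")
  echo "podman run -d --name $name --restart=always" \
       "--cpus=$cpus --memory=${mem_mib}m --pids-limit=2048" \
       "--tmpfs /tmp:rw,nosuid,nodev,size=512m" \
       "--tmpfs /home/runner/_work:rw,nosuid,nodev,size=4g" \
       "--env-file $env_file -e RUNNER_NAME=$name -e GITHUB_REPO=$repo" \
       "localhost/gh-runner:latest"
}

# Orchestrate N runners for one repo (Linux host assumed for /proc/meminfo).
deploy() {
  repo=$1; count=${2:-1}
  total_cpus=$(getconf _NPROCESSORS_ONLN)
  total_mem=$(awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo)
  cpus=$(cpus_per_runner "$total_cpus" "$count")
  mem=$(mem_per_runner_mib "$total_mem" "$count")
  i=1
  while [ "$i" -le "$count" ]; do
    env_file=$(mktemp)                      # created 0600 by mktemp
    echo "RUNNER_TOKEN=$(fetch_registration_token "$repo")" > "$env_file"
    eval "$(podman_run_cmd "$repo" "$i" "$cpus" "$mem" "$env_file")"
    rm -f "$env_file"                       # podman has read it; nothing stays on disk
    i=$(( i + 1 ))
  done
}

# Usage: ./example.sh deploy owner/repo 4
if [ "${1:-}" = "deploy" ]; then
  deploy "${2:?owner/repo required}" "${3:-1}"
fi
```

Two practical caveats apply to this sketch and to any rootless deployment like the one the README describes: `--cpus` and `--memory` only take effect under rootless Podman when the host runs cgroups v2 with the cpu and memory controllers delegated to the user's slice, so check `podman info --format '{{.Host.CgroupsVersion}}'` before relying on the computed limits; and environment variables remain visible in `podman inspect` for the container's lifetime, which is acceptable here only because the registration token is single-use and short-lived (a `podman secret` is the stricter alternative).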