{"id":13487087,"url":"https://github.com/evryfs/github-actions-runner-operator","last_synced_at":"2026-01-17T08:28:37.463Z","repository":{"id":37101177,"uuid":"256623849","full_name":"evryfs/github-actions-runner-operator","owner":"evryfs","description":"K8S operator for scheduling github actions runner pods","archived":false,"fork":false,"pushed_at":"2025-08-31T23:12:42.000Z","size":1536,"stargazers_count":445,"open_issues_count":28,"forks_count":51,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-09-01T01:19:43.934Z","etag":null,"topics":["auto-scaling","automation","ci","cicd","github","github-actions","github-runner","k8s-operator","kubernetes","kubernetes-operator","runner-pod","runners","scaling","schedule-runners"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/evryfs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-04-17T22:36:28.000Z","updated_at":"2025-08-31T23:06:26.000Z","dependencies_parsed_at":"2024-03-20T03:23:48.528Z","dependency_job_id":"89d10668-44ab-4d9a-8ef4-18f93ee08f04","html_url":"https://github.com/evryfs/github-actions-runner-operator","commit_stats":null,"previous_names":[],"tags_count":39,"template":false,"template_full_name":null,"purl":"pkg:github/evryfs/github-actions-runner-operator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evryfs%2Fgithub-actions-runner-operator","tags_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evryfs%2Fgithub-actions-runner-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evryfs%2Fgithub-actions-runner-operator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evryfs%2Fgithub-actions-runner-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/evryfs","download_url":"https://codeload.github.com/evryfs/github-actions-runner-operator/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evryfs%2Fgithub-actions-runner-operator/sbom","scorecard":{"id":387131,"data":{"date":"2025-08-11","repo":{"name":"github.com/evryfs/github-actions-runner-operator","commit":"4f507c2439f6cb80b8848a48d12fe1018034b441"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.5,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/7 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/build.yaml:1","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: no topLevel permission defined: .github/workflows/release-drafter.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/evryfs/github-actions-runner-operator/build.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:21: update your workflow using 
https://app.stepsecurity.io/secureworkflow/evryfs/github-actions-runner-operator/build.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/evryfs/github-actions-runner-operator/build.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/evryfs/github-actions-runner-operator/build.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/evryfs/github-actions-runner-operator/build.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/evryfs/github-actions-runner-operator/build.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/evryfs/github-actions-runner-operator/build.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/evryfs/github-actions-runner-operator/build.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/evryfs/github-actions-runner-operator/build.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:99: update your workflow using https://app.stepsecurity.io/secureworkflow/evryfs/github-actions-runner-operator/build.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:19: 
update your workflow using https://app.stepsecurity.io/secureworkflow/evryfs/github-actions-runner-operator/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/evryfs/github-actions-runner-operator/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/evryfs/github-actions-runner-operator/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/evryfs/github-actions-runner-operator/codeql-analysis.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-drafter.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/evryfs/github-actions-runner-operator/release-drafter.yml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:2","Warn: containerImage not pinned by hash: Dockerfile:22: pin your Docker image by updating gcr.io/distroless/static:nonroot to gcr.io/distroless/static:nonroot@sha256:cdf4daaf154e3e27cfffc799c16f343a384228f38646928a1513d925f473cb46","Info:   0 out of  10 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   5 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the 
project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.txt:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE.txt:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build.yaml:12"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's 
branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":2,"reason":"8 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2024-3250 / GHSA-29wx-vh33-7x7r","Warn: Project is vulnerable to: GO-2025-3553 / GHSA-mh63-6h87-95cp","Warn: Project is vulnerable to: GO-2024-3321 / GHSA-v778-237x-gjrc","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2025-3488 / GHSA-6v2p-p543-phr9"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T16:54:47.523Z","repository_id":37101177,"created_at":"2025-08-18T16:54:47.523Z","updated_at":"2025-08-18T16:54:47.523Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28504364,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T06:57:29.758Z","status":"ssl_error","status_checked_at":"2026-01-17T06:56:03.931Z","response_time":85,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auto-scaling","automation","ci","cicd","github","github-actions","github-runner","k8s-operator","kubernetes","kubernetes-operator","runner-pod","runners","scaling","schedule-runners"],"created_at":"2024-07-31T18:00:55.209Z","updated_at":"2026-01-17T08:28:37.434Z","avatar_url":"https://github.com/evryfs.png","language":"Go","readme":"[![awesome-runners](https://img.shields.io/badge/listed%20on-awesome--runners-blue.svg)](https://github.com/jonico/awesome-runners)\n![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/evryfs/github-actions-runner-operator)\n[![Codacy Badge](https://api.codacy.com/project/badge/Grade/f31ef6cd50994eebb882389ec2ec37f1)](https://app.codacy.com/gh/evryfs/github-actions-runner-operator?utm_source=github.com\u0026utm_medium=referral\u0026utm_content=evryfs/github-actions-runner-operator\u0026utm_campaign=Badge_Grade_Dashboard)\n[![Go Report Card](https://goreportcard.com/badge/github.com/evryfs/github-actions-runner-operator)](https://goreportcard.com/report/github.com/evryfs/github-actions-runner-operator)\n![build](https://github.com/evryfs/github-actions-runner-operator/workflows/build/badge.svg?branch=master)\n[![codecov](https://codecov.io/gh/evryfs/github-actions-runner-operator/branch/master/graph/badge.svg)](https://codecov.io/gh/evryfs/github-actions-runner-operator)\n![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/evryfs/github-actions-runner-operator?sort=semver)\n[![Stargazers over 
time](https://starchart.cc/evryfs/github-actions-runner-operator.svg)](https://starchart.cc/evryfs/github-actions-runner-operator)\n\n\n# github-actions-runner-operator\n\nK8s operator for scheduling [GitHub Actions](https://github.com/features/actions) runner pods.\n[self-hosted-runners](https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners)\nare a way to host your own runners and customize the environment used to run jobs in your GitHub Actions workflows.\n\nThis operator helps you scale and schedule runners on-demand in a declarative way.\n\n## Configuration\n### Authentication modes\n\nThe operator communicates with GitHub in order to determine available jobs and execute workflows on runners. Authentication to GitHub is available using the following modes:\n\n1.  As a [GitHub app](https://docs.github.com/en/free-pro-team@latest/developers/apps/creating-a-github-app).\n\nThis is the preferred mode as it provides enhanced security and increased API quota, and avoids exposure of tokens to runner pods.\n\nFollow the guide for creating GitHub applications. There is no need to define a callback URL or webhook secret as they are not used by this integration.\n\nDepending on whether the GitHub application will operate at a repository or organization level, the following [permissions](https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#permission-on-administration) must be set:\n\n* Repository level\n    * Actions - Read/Write\n    * Administration - Read/Write\n* Organization level\n    * Self Hosted Runners - Read/Write\n\nOnce the GitHub application has been created, obtain the integration ID and download the private key.\n\nA GitHub application can only be used by injecting environment variables into the Operator deployment. 
It is recommended that credentials be stored as Kubernetes secrets and then injected into the operator deployment.\n\nCreate a secret called `github-runner-app` by executing the following command in the namespace containing the operator:\n\n```shell script\nkubectl create secret generic github-runner-app --from-literal=GITHUB_APP_INTEGRATION_ID=\u003capp_id\u003e --from-file=GITHUB_APP_PRIVATE_KEY=\u003cprivate_key\u003e\n```\n\nFinally, define the following on the operator deployment:\n\n```yaml\nenvFrom:\n- secretRef:\n    name: github-runner-app\n```\n\n2.  Using [Personal Access Tokens (PAT)](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token)\n\nCreate a Personal Access token with rights at a repository or organization level.\n\nThis PAT can be defined at the operator level or within the custom resource. A PAT defined at the CR level will take precedence.\n\nTo make use of a PAT that is declared at a CR level, first create a secret called `actions-runner`:\n\n```shell script\nkubectl create secret generic actions-runner --from-literal=GH_TOKEN=\u003ctoken\u003e\n```\n\nDefine the `tokenRef` field on the `GithubActionRunner` custom resource as shown below:\n\n```yaml\napiVersion: garo.tietoevry.com/v1alpha1\nkind: GithubActionRunner\nmetadata:\n  name: runner-pool\nspec:\n  tokenRef:\n    key: GH_TOKEN\n    name: actions-runner\n```\n\n### Runner Scope\n\nRunners can be registered either against an individual repository or at an organizational level. 
The following fields are available on the `GithubActionRunner` custom resource to specify the repository and/or organization to monitor actions:\n\n  * `organization` - GitHub user or Organization\n  * `repository` - (Optional) GitHub repository\n\n```yaml\napiVersion: garo.tietoevry.com/v1alpha1\nkind: GithubActionRunner\nmetadata:\n  name: runner-pool\nspec:\n  # the github org, required\n  organization: yourOrg\n  # the github repository, optional\n  repository: myrepo\n```\n\n### Runner Selection\n\nArguably the most important field of the `GithubActionRunner` custom resource is the `podTemplateSpec` field as it allows you to define the runner that will be managed by the operator. You have the flexibility to define all of the properties that will be needed by the runner including the image, resources and environment variables. During normal operation, the operator will create a token that can be used in your runner to communicate with GitHub. This token is created in a secret called `\u003cCR_NAME\u003e-regtoken` in the `RUNNER_TOKEN` key. You should inject this secret into your runner using an environment variable or volume mount.\n\n## Installation Methods\n\nThe following options are available to install the operator:\n\n### Helm Chart\n\nA [Helm](https://helm.sh/) chart is available from [this Helm repository](https://github.com/evryfs/helm-charts).\n\nUse the following steps to create a namespace and install the operator into the namespace using a Helm chart:\n\n```shell script\nhelm repo add evryfs-oss https://evryfs.github.io/helm-charts/\nkubectl create namespace github-actions-runner-operator\nhelm install github-actions-runner-operator evryfs-oss/github-actions-runner-operator --namespace github-actions-runner-operator\n```\n\n### Manual\n\nExecute the following commands to deploy the operator using manifests available within this repository.\n\n_Note:_ The [Kustomize](https://kustomize.io/) tool is required.\n\n1. 
Install the CRDs\n\n```shell script\nmake install\n```\n\n2. Deploy the Operator\n\n```shell script\nmake deploy\n```\n\n### OperatorHub\n\nComing Soon\n\n## Examples\n\nA sample of the `GithubActionRunner` custom resource is found [here](config/samples/garo_v1alpha1_githubactionrunner.yaml).\n\n## Development\n\nThe operator is based on [Operator SDK](https://github.com/operator-framework/operator-sdk) / [Kubebuilder](https://github.com/kubernetes-sigs/kubebuilder) and written in Go.\n","funding_links":[],"categories":["Go","The matrix (might be better readable on [GitHub pages](https://jonico.github.io/awesome-runners/))"],"sub_categories":["A word about self-hosted action runner images / virtual environments and how to test locally"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevryfs%2Fgithub-actions-runner-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fevryfs%2Fgithub-actions-runner-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevryfs%2Fgithub-actions-runner-operator/lists"}