{"id":13487103,"url":"https://github.com/github-developer/self-hosted-runners-anthos","last_synced_at":"2025-03-27T21:31:53.944Z","repository":{"id":53056898,"uuid":"254143252","full_name":"github-developer/self-hosted-runners-anthos","owner":"github-developer","description":"GitHub Actions Self Hosted Runners on Anthos GKE","archived":false,"fork":false,"pushed_at":"2022-02-13T20:48:08.000Z","size":45,"stargazers_count":27,"open_issues_count":1,"forks_count":8,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-10-30T22:39:48.366Z","etag":null,"topics":["anthos","github-actions","google-cloud"],"latest_commit_sha":null,"homepage":"https://github.com/github-developer/self-hosted-runners-anthos","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/github-developer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null}},"created_at":"2020-04-08T16:33:05.000Z","updated_at":"2024-03-28T04:57:55.000Z","dependencies_parsed_at":"2022-08-24T04:51:11.720Z","dependency_job_id":null,"html_url":"https://github.com/github-developer/self-hosted-runners-anthos","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github-developer%2Fself-hosted-runners-anthos","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github-developer%2Fself-hosted-runners-anthos/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github-developer%2Fself-hosted-runners-anthos/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/github-developer%2Fself-hosted-runners-anthos/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/github-developer","download_url":"https://codeload.github.com/github-developer/self-hosted-runners-anthos/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245927324,"owners_count":20695214,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anthos","github-actions","google-cloud"],"created_at":"2024-07-31T18:00:55.396Z","updated_at":"2025-03-27T21:31:53.473Z","avatar_url":"https://github.com/github-developer.png","language":"Dockerfile","funding_links":[],"categories":["The matrix (might be better readable on [GitHub pages](https://jonico.github.io/awesome-runners/))"],"sub_categories":["A word about self-hosted action runner images / virtual environments and how to test locally"],"readme":"# GitHub Actions Self Hosted Runners on Anthos\n\n\u003e Build and deploy GitHub Actions [self hosted runners](https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) to Google Cloud [Anthos GKE](https://cloud.google.com/anthos/gke), making them available to a given GitHub repository.\n\n[![awesome-runners](https://img.shields.io/badge/listed%20on-awesome--runners-blue.svg)](https://github.com/jonico/awesome-runners)![Build status](https://github.com/github-developer/self-hosted-runners-anthos/workflows/Self%20Hosted%20Runner%20CI/CD/badge.svg)\n\n## About\n\nThis project accompanies the \"GitHub Actions self-hosted runners on Google Cloud\" [blog 
post](https://github.blog/2020-08-04-github-actions-self-hosted-runners-on-google-cloud/).\n\n![image](https://github.blog/wp-content/uploads/2020/08/hybrid-runners-with-anthos.png?resize=1024%2C654?w=1384)\n\nA Continuous Integration [job](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs) builds the image and publishes it to Google Container Registry, and a Continuous Deployment job deploys it to Google Kubernetes Engine (GKE). The self hosted runners in this cluster are made available to the GitHub repository configured via the `GITHUB_REPO` environment variable below.\n\nBecause this project uses a Docker-in-Docker sidecar pod, these self-hosted runners can also run container builds. Though this approach offers build flexibility, it requires a [`privileged` security context](https://github.com/github-developer/self-hosted-runners-anthos/blob/cb2ee160def13ec3fff256ea43804cafe9fb7e20/deployment.yml#L55) and therefore extends the trust boundary to the whole cluster. Extra caution is recommended with this approach, or consider [removing the sidecar](https://github.com/github-developer/self-hosted-runners-anthos/blob/cb2ee160def13ec3fff256ea43804cafe9fb7e20/deployment.yml#L45) if your application doesn’t require container builds.\n\n⚠️ Note that this use case is considered experimental and _not officially supported by GitHub at this time_. Additionally, [it’s recommended](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) not to use self-hosted runners on public repositories for a number of security reasons. 
\n\n## Setup\n\n* Create a new Google Cloud Platform project ([docs](https://cloud.google.com/sdk/gcloud/reference/projects/create))\n\n```\ngcloud projects create self-hosted-runner-test --name \"Self Hosted Runner Test\"\n```\n\n* Create a new Service Account ([docs](https://cloud.google.com/iam/docs/creating-managing-service-accounts))\n\n```\ngcloud iam service-accounts create runner-admin \\\n    --description \"Runner administrator\"\n```\n\n* Grant roles to Service Account ([docs](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts)). Note: should be restricted in production environments.\n\n```\ngcloud projects add-iam-policy-binding self-hosted-runner-test \\\n  --member serviceAccount:runner-admin@self-hosted-runner-test.iam.gserviceaccount.com \\\n  --role roles/admin\n```\n\n* Enable APIs ([docs](https://cloud.google.com/endpoints/docs/openapi/enable-api))\n\n```\ngcloud services enable \\\n    stackdriver.googleapis.com \\\n    compute.googleapis.com \\\n    container.googleapis.com \\\n    anthos.googleapis.com\n```\n\n* Create GKE cluster ([docs](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster))\n\n```\ngcloud container clusters create self-hosted-runner-test-cluster\n```\n\n* Register cluster to the environ ([docs](https://cloud.google.com/anthos/docs/setup/cloud#gcloud))\n```\ngcloud container hub memberships register self-hosted-anthos-membership \\\n  --project=self-hosted-runner-test-myid \\\n  --gke-uri=https://container.googleapis.com/v1/projects/self-hosted-runner-test-myid/locations/us-west1/clusters/self-hosted-runner-test-cluster \\\n  --service-account-key-file=/path-to/service-account-key.json\n```\n\n* Get the credentials for this cluster\n```\ngcloud container clusters get-credentials self-hosted-runner-test-cluster --region us-west1\n```\n\n* Use [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) to provide a Personal Access Token (`TOKEN`) and 
repository/organization (`GITHUB_REPO`) as environment variables available to your pods.\n\n```\nkubectl create secret generic self-hosted-runner-creds \\\n    --from-literal=GITHUB_REPO='\u003cowner\u003e/\u003crepo\u003e' \\\n    --from-literal=TOKEN='token'\n```\n\n* Set these as secrets in your GitHub repository:\n  * `GCP_PROJECT`: ID of your Google Cloud Platform project, eg. `self-hosted-runner-test-897234`\n  * `GCP_KEY`: Download your [Service Account JSON credentials](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and Base64 encode them, eg. output of `cat ~/path/to/my/credentials.json | base64`\n  * `TOKEN`: Personal Access Token. From the [documentation](https://developer.github.com/v3/actions/self_hosted_runners/), \"Access tokens require `repo scope` for private repos and `public_repo scope` for public repos\".\n\n* Update these environment variables in [`cicd.yml`](.github/workflows/cicd.yml) according to the specific names you chose for your project:\n  * `GKE_CLUSTER`: Name of your GKE cluster chosen above, eg. `self-hosted-runner-test-cluster`\n  * `GKE_SECRETS`: Name of your secret configuration group, eg. `self-hosted-runner-creds`\n  * `GCP_REGION`: The region your cluster is in, eg. `us-central1`\n  * `IMAGE`: Name of your image used in [`ci.yml`](.github/workflows/ci.yml) and [`deployment.yml`](.github/workflows/deployment.yml)\n  * `GITHUB_REPO`: `owner/repo` of the repository that will use the self hosted runner, eg. `octocat/sandbox`\n\n#### Automation\n* Upon push of any image-related code to any branch, [`ci.yml`](.github/workflows/ci.yml) will kick off to build and push the Docker image.\n* Upon push of any code to master branch, [`cd.yml`](.github/workflows/cd.yml) will kick off to deploy to Google Cloud.\n\n## Future improvements\n* Replace Docker-in-Docker with Tekton, Buildah, etc.\n\n## Contributions\n\nWe welcome contributions! 
See [how to contribute](CONTRIBUTING.md).\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithub-developer%2Fself-hosted-runners-anthos","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgithub-developer%2Fself-hosted-runners-anthos","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithub-developer%2Fself-hosted-runners-anthos/lists"}