
Support private (self-hosted) GitHub Actions runners for Git-Ape workflows #181

Description

@arnaudlh

Summary

Let users run the Git-Ape deployment workflows (git-ape-plan / -deploy / -destroy / -verify) on private self-hosted runners in their own Azure subscription, and migrate from public GitHub-hosted runners to private ones without code changes.

Motivation

Some organizations cannot run deployment workflows on public GitHub-hosted runners — they need deployments to originate from inside their network (private endpoints, no public egress, policy restrictions). Git-Ape should support this while keeping the zero-infrastructure default for everyone else.

Bootstrap model: start public, switch to private later

Private runners are themselves Azure resources deployed by a Git-Ape workflow, so the first deploy — including the one that creates the runner host — must run on a GitHub-hosted runner. Onboarding should therefore default to ubuntu-latest, with going private as a later, additive, reversible step driven by a single variable:

runs-on: ${{ vars.GIT_APE_RUNNER_LABEL || 'ubuntu-latest' }}

| GIT_APE_RUNNER_LABEL | Effect |
| --- | --- |
| unset (default) | GitHub-hosted ubuntu-latest, no infrastructure |
| set to a label | Self-hosted runners registered with that label |
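As an added example (not code from the Git-Ape project), a small Python check that enforces the runs-on rule above on workflow templates and models how GitHub resolves the expression; the two workflow snippets are constructed, and the function and label names are assumptions. Note that GitHub's `||` treats an empty variable as falsy, so an empty GIT_APE_RUNNER_LABEL falls back to ubuntu-latest just like an unset one.

```python
import re
from typing import List, Optional, Set

# Constructed sample inputs (not the real Git-Ape templates): one workflow using
# the switchable expression, one hardcoding a self-hosted label.
GOOD_WORKFLOW = """\
name: git-ape-plan
on: [workflow_dispatch]
jobs:
  plan:
    runs-on: ${{ vars.GIT_APE_RUNNER_LABEL || 'ubuntu-latest' }}
    steps:
      - uses: actions/checkout@v4
"""

BAD_WORKFLOW = """\
name: git-ape-deploy
on: [workflow_dispatch]
jobs:
  deploy:
    runs-on: [self-hosted, linux]
    steps:
      - uses: actions/checkout@v4
"""

EXPECTED = "${{ vars.GIT_APE_RUNNER_LABEL || 'ubuntu-latest' }}"
RUNS_ON = re.compile(r"^\s*runs-on:\s*(.+?)\s*$", re.MULTILINE)


def check_runs_on(workflow_text: str) -> List[str]:
    """Return one finding per runs-on line that does not use the switchable expression."""
    findings = []
    matches = list(RUNS_ON.finditer(workflow_text))
    if not matches:
        return ["no runs-on found"]
    for m in matches:
        value = m.group(1).strip("'\"")  # tolerate a quoted expression
        if value != EXPECTED:
            findings.append(f"runs-on '{value}' is hardcoded; expected {EXPECTED}")
    return findings


def resolve_runs_on(runner_label: Optional[str]) -> str:
    """Mirror GitHub's evaluation: unset OR empty variable falls back to ubuntu-latest."""
    return runner_label if runner_label else "ubuntu-latest"


def label_matches(registered_labels: Set[str], runner_label: Optional[str]) -> bool:
    """Switch-over invariant: once the variable is set, a runner with that label must exist."""
    if not runner_label:
        return True  # GitHub-hosted path; nothing to match
    return runner_label in registered_labels
```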

Requirements

  • Parametrize runs-on across all four Git-Ape workflow templates via GIT_APE_RUNNER_LABEL (default ubuntu-latest).
  • Provide on-demand runner IaC for the common Azure hosts:
    • ACI — Azure Container Instances (simplest; a handful of runners)
    • ACA — Azure Container Apps (event-driven, ephemeral, scale-to-zero via the KEDA github-runner scaler)
    • AKS — Azure Kubernetes Service (Actions Runner Controller)
  • Support both self-hosted (subscription) and Hosted compute topologies.
  • Security baseline: user-assigned managed identity for Azure access (no keys); the GitHub registration credential sourced from Key Vault; ephemeral runners by default; runner label must match GIT_APE_RUNNER_LABEL.
  • Integrate runner selection into the onboarding agent/skill (re-runnable later), and document the switch in copilot-instructions.md and the website docs.
  • Note the drift workflow caveat (compiled gh-aw — needs recompile to change its runner).

Out of scope

  • Changing the continuous drift workflow's runner by default (it is a compiled gh-aw workflow; documented as a manual recompile).
