Summary
Let users run the Git-Ape deployment workflows (git-ape-plan / -deploy / -destroy / -verify) on private self-hosted runners in their own Azure subscription, and migrate from public GitHub-hosted runners to private ones without code changes.
Motivation
Some organizations cannot run deployment workflows on public GitHub-hosted runners — they need deployments to originate from inside their network (private endpoints, no public egress, policy restrictions). Git-Ape should support this while keeping the zero-infrastructure default for everyone else.
Bootstrap model: start public, switch to private later
Private runners are themselves Azure resources deployed by a Git-Ape workflow, so the first deploy — including the one that creates the runner host — must run on a GitHub-hosted runner. Onboarding should therefore default to ubuntu-latest, with going private as a later, additive, reversible step driven by a single variable:
runs-on: ${{ vars.GIT_APE_RUNNER_LABEL || 'ubuntu-latest' }}
| GIT_APE_RUNNER_LABEL | Effect |
| --- | --- |
| unset (default) | GitHub-hosted ubuntu-latest, no infrastructure |
| set to a label | Self-hosted runners registered with that label |
Requirements
… runs-on across all four Git-Ape workflow templates via GIT_APE_RUNNER_LABEL (default ubuntu-latest). … github-runnerscaler) … GIT_APE_RUNNER_LABEL. … copilot-instructions.md and the website docs.
Out of scope
- Changing the continuous drift workflow's runner by default (it is a compiled gh-aw workflow; documented as a manual recompile).
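A check for the runs-on requirement, as an added example that is not part of the original issue or the Git-Ape code base: it scans workflow text for any runs-on that does not use the GIT_APE_RUNNER_LABEL expression quoted above. The workflow file names and sample contents are constructed assumptions.

```python
import re

# Expression quoted in the issue; every job is expected to use exactly this.
EXPECTED = "${{ vars.GIT_APE_RUNNER_LABEL || 'ubuntu-latest' }}"
RUNS_ON = re.compile(r"^\s*runs-on:\s*(.*?)\s*$")


def _norm(value):
    """Drop a trailing YAML comment, outer quotes and all whitespace."""
    value = value.split(" #", 1)[0].strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return re.sub(r"\s+", "", value)


def audit(workflows):
    """Return (file, line, raw value) for each runs-on that bypasses the variable.

    A hardcoded hosted label keeps that job on public runners after the switch;
    a hardcoded self-hosted label breaks the public-runner bootstrap.
    A block-style runs-on (value on following lines) is reported with value ''.
    """
    findings = []
    for name, text in sorted(workflows.items()):
        for line_no, line in enumerate(text.splitlines(), 1):
            match = RUNS_ON.match(line)
            if match and _norm(match.group(1)) != _norm(EXPECTED):
                findings.append((name, line_no, match.group(1)))
    return findings


def _job(job, runs_on):
    return f"jobs:\n  {job}:\n    runs-on: {runs_on}\n    steps: []\n"


# Constructed sample input; the file names are assumptions, not the project's paths.
SAMPLE = {
    "git-ape-plan.yml": _job("plan", EXPECTED),
    "git-ape-deploy.yml": _job("deploy", "ubuntu-latest"),
    "git-ape-destroy.yml": _job("destroy", "[self-hosted, linux]"),
    "git-ape-verify.yml": _job("verify", "\"${{vars.GIT_APE_RUNNER_LABEL||'ubuntu-latest'}}\""),
}

if __name__ == "__main__":
    for name, line_no, value in audit(SAMPLE):
        print(f"{name}:{line_no}: runs-on is {value!r}, expected {EXPECTED}")
```

Run as a required status check, this keeps a single job from staying on public runners once the variable is set.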