Skip to main content

Getting started with self-hosted runners for your enterprise

You can configure a runner machine for your enterprise so your developers can start automating workflows with GitHub Actions.

Who can use this feature

Enterprise owners can configure policies for GitHub Actions and add self-hosted runners to the enterprise.

About self-hosted runners for GitHub Actions

GitHub Actions allows members of your enterprise to improve productivity by automating every phase of the software development workflow. For more information, see "About GitHub Actions for enterprises."

With GitHub Actions, developers can write and combine individual tasks called actions to create custom workflows. You can host your own runner machine to execute jobs, and this machine is called a self-hosted runner. 自承载运行器可以是物理设备、虚拟设备、在容器中、在本地或在云中。 运行器机器使用 GitHub Actions 自托管运行器应用程序连接到 GitHub Enterprise Cloud。 All runners can run Linux, Windows, or macOS. For more information, see "About self-hosted runners."

Alternatively, you can use runner machines that GitHub hosts. GitHub-hosted runners are outside the scope of this guide. For more information, see "About GitHub-hosted runners."

This guide shows you how to apply a centralized management approach to self-hosted runners for GitHub Actions in your enterprise. In the guide, you'll complete the following tasks.

  1. Configure a limited policy to restrict the actions and reusable workflows that can run within your enterprise
  2. Deploy a self-hosted runner for your enterprise
  3. Create a group to manage access to the runners available to your enterprise
  4. Optionally, further restrict the repositories that can use the runner
  5. Optionally, build custom tooling to automatically scale your self-hosted runners

You'll also find additional information about how to monitor and secure your self-hosted runners, and how to customize the software on your runner machines.

After you finish the guide, members of your enterprise will be able to run workflow jobs from GitHub Actions on a self-hosted runner machine.

Prerequisites

1. Configure policies for GitHub Actions

First, enable GitHub Actions for all organizations, and configure a policy to restrict the actions and reusable workflows that can run within your enterprise on GitHub Enterprise Cloud. Optionally, organization owners can further restrict these policies for each organization.

  1. 在 GitHub.com 的右上角,单击你的个人资料照片,然后单击“你的企业”。 GitHub Enterprise Cloud 上个人资料照片下拉菜单中的“你的企业”

  2. 在企业列表中,单击您想要查看的企业。 企业列表中的企业名称

  3. 在企业边栏中,单击 “策略”。 企业帐户边栏中的“策略”选项卡

  4. 在“ 策略”下,单击“操作”。

  5. Under "Policies", select Enable for all organizations.

    Screenshot of "Enable for all organizations" policy for GitHub Actions

  6. Select 允许企业,并允许选择非企业、操作和可重用工作流 and Allow actions created by GitHub to allow local actions and reusable workflows, and actions created by GitHub.

    Screenshot of "Allow select actions" and "Allow actions created by GitHub" for GitHub Actions

  7. Click Save.

You can configure additional policies to restrict the actions available to enterprise members. For more information, see "Enforcing policies for GitHub Actions in your enterprise."

2. Deploy the self-hosted runner for your enterprise

Next, add a self-hosted runner to your enterprise. GitHub Enterprise Cloud will guide you through installation of the necessary software on the runner machine. After you deploy the runner, you can verify connectivity between the runner machine and your enterprise.

Adding the self-hosted runner

  1. 在 GitHub.com 的右上角,单击你的个人资料照片,然后单击“你的企业”。 GitHub Enterprise Cloud 上个人资料照片下拉菜单中的“你的企业”

  2. 在企业列表中,单击您想要查看的企业。 企业列表中的企业名称

  3. 在企业边栏中,单击 “策略”。 企业帐户边栏中的“策略”选项卡

  4. 在“ 策略”下,单击“操作”。

  5. 单击“运行器”选项卡。

  6. Click New runner, then click New self-hosted runner.

  7. 选择自托管运行器计算机的操作系统映像和体系结构。

  8. 您将看到指示您如何下载运行器应用程序并安装到自托管运行器机器上的说明。

    在自托管运行器机器上打开 shell,并按显示的顺序运行每个 shell 命令。

    注意:在 Windows 上,如果要将自托管运行器应用程序安装为服务,必须打开具有管理员权限的 shell。 我们还建议你使用 C:\actions-runner 作为自托管运行器应用程序的目录,以便 Windows 系统帐户可以访问运行器目录。

    这些说明将指导您完成以下任务:

    • 下载并提取自托管运行器应用程序。
    • 运行 config 脚本配置自托管运行器应用程序,并将其注册到 GitHub Actions。 config 脚本需要目标 URL 和自动生成的时间限制令牌对请求进行身份验证。
      • 在 Windows 上,config 脚本还会询问你是否想将自托管运行器应用程序安装为服务。 对于 Linux 和 macOS,您可以在完成添加运行器后安装服务。 有关详细信息,请参阅“将自托管运行应用程序配置为服务”。
    • 运行自托管运行器应用程序以将机器连接到 GitHub Actions。

检查您的自托管运行器是否已成功添加

在完成添加自托管运行器的步骤后,运行器及其状态列在“运行器”下。

必须激活自托管运行器应用程序,运行器才能接受作业。 当运行器应用程序连接到 GitHub Enterprise Cloud 并准备接收作业时,你将在机器的终端上看到以下消息。

√ Connected to GitHub

2019-10-24 05:45:56Z: Listening for Jobs

3. Manage access to the self-hosted runner using a group

You can create a runner group to manage access to the runner that you added to your enterprise. You'll use the group to choose which organizations can execute jobs from GitHub Actions on the runner.

GitHub Enterprise Cloud adds all new runners to a group. Runners can be in one group at a time. By default, GitHub Enterprise Cloud adds new runners to the "Default" group.

  1. 在 GitHub.com 的右上角,单击你的个人资料照片,然后单击“你的企业”。 GitHub Enterprise Cloud 上个人资料照片下拉菜单中的“你的企业”

  2. 在企业列表中,单击您想要查看的企业。 企业列表中的企业名称

  3. 在企业边栏中,单击 “策略”。 企业帐户边栏中的“策略”选项卡

  4. 在“ 策略”下,单击“操作”。

  5. 单击“运行器组”选项卡。

  6. Click New runner group.

  7. Under "Group name", type a name for your runner group.

  8. To choose a policy for organization access, under "Organization access", select the Organization access drop-down, and click Selected organizations.

  9. To the right of the drop-down with the organization access policy, click .

  10. Select the organizations you'd like to grant access to the runner group.

  11. Optionally, to allow public repositories in the selected organizations to use runners in the group, select Allow public repositories.

    Warning:

    建议仅将自托管运行器用于私有仓库。 这是因为,通过创建在工作流中执行代码的拉取请求,公共存储库的分支可能会在自托管运行器计算机上运行危险代码。

    For more information, see "About self-hosted runners."

  12. Click Create group to create the group and apply the policy.

  13. Click the "Runners" tab.

  14. In the list of runners, click the runner that you deployed in the previous section.

  15. Click Edit.

  16. Click Runner groups .

  17. In the list of runner groups, click the name of the group that you previously created.

  18. Click Save to move the runner to the group.

You've now deployed a self-hosted runner that can run jobs from GitHub Actions within the organizations that you specified.

4. Further restrict access to the self-hosted runner

Optionally, organization owners can further restrict the access policy of the runner group that you created. For example, an organization owner could allow only certain repositories in the organization to use the runner group.

For more information, see "Managing access to self-hosted runners using groups."

5. Automatically scale your self-hosted runners

Optionally, you can build custom tooling to automatically scale the self-hosted runners for your enterprise. For example, your tooling can respond to webhook events from GitHub.com to automatically scale a cluster of runner machines. For more information, see "Autoscaling with self-hosted runners."

Next steps

  • You can monitor self-hosted runners and troubleshoot common issues. For more information, see "Monitoring and troubleshooting self-hosted runners."

  • GitHub recommends that you review security considerations for self-hosted runner machines. For more information, see "Security hardening for GitHub Actions."

  • If you use GitHub Enterprise Server or GitHub AE, you can manually sync repositories on GitHub.com containing actions to your enterprise on GitHub Enterprise Server or GitHub AE. Alternatively, you can allow members of your enterprise to automatically access actions from GitHub.com by using GitHub Connect. For more information, see the following.

  • You can customize the software available on your self-hosted runner machines, or configure your runners to run software similar to GitHub-hosted runners. The software that powers runner machines for GitHub Actions is open source. For more information, see the actions/runner and actions/runner-images repositories.

Further reading