Skip to main content

Enterprise Server 3.15 is currently available as a release candidate.

About self-hosted runners

You can host your own runners and customize the environment used to run jobs in your GitHub Actions workflows.

Note

GitHub-hosted runners are not currently supported on GitHub Enterprise Server. You can see more information about planned future support on the GitHub public roadmap.

About self-hosted runners

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub Enterprise Server. For more information about GitHub Actions, see "Understanding GitHub Actions" and "About GitHub Actions for enterprises."

With self-hosted runners, you can create custom hardware configurations that meet your needs with processing power or memory to run larger jobs, install software available on your local network, and choose an operating system. Self-hosted runners can be physical, virtual, in a container, on-premises, or in a cloud.

You can add self-hosted runners at various levels in the management hierarchy:

  • Repository-level runners are dedicated to a single repository.
  • Organization-level runners can process jobs for multiple repositories in an organization.
  • Enterprise-level runners can be assigned to multiple organizations in an enterprise account.

Your runner machine connects to GitHub Enterprise Server using the GitHub Actions self-hosted runner application. The GitHub Actions runner application is open source. You can contribute and file issues in the runner repository. When a new version is released, the runner application will automatically update within 24 hours.

Note

If you use ephemeral runners and have disabled automatic updates, before you upgrade GitHub Enterprise Server, you should first upgrade your self-hosted runners to the version of the runner application that your upgraded instance will run. Upgrading GitHub Enterprise Server before you upgrade ephemeral runners may result in your runners going offline. For more information, see "Overview of the upgrade process."

A self-hosted runner is automatically removed from GitHub Enterprise Server if it has not connected to GitHub Actions for more than 14 days. An ephemeral self-hosted runner is automatically removed from GitHub Enterprise Server if it has not connected to GitHub Actions for more than 1 day.

For more information about installing and using self-hosted runners, see "Adding self-hosted runners" and "Using self-hosted runners in a workflow."

Differences between GitHub-hosted and self-hosted runners

GitHub-hosted runners offer a quicker, simpler way to run your workflows, while self-hosted runners are a highly configurable way to run workflows in your own custom environment.

GitHub-hosted runners:

  • Receive automatic updates for the operating system, preinstalled packages and tools, and the self-hosted runner application.
  • Are managed and maintained by GitHub.
  • Provide a clean instance for every job execution.
  • Use free minutes on your GitHub plan, with per-minute rates applied after surpassing the free minutes.

Self-hosted runners:

  • Receive automatic updates for the self-hosted runner application only, though you may disable automatic updates of the runner. For more information about controlling runner software updates on self-hosted runners, see "Autoscaling with self-hosted runners." You are responsible for updating the operating system and all other software.
  • Can use cloud services or local machines that you already pay for.
  • Are customizable to your hardware, operating system, software, and security requirements.
  • Don't need to have a clean instance for every job execution.
  • Are free to use with GitHub Actions, but you are responsible for the cost of maintaining your runner machines.
  • Can be organized into groups to restrict access to specific workflows, organizations and repositories. For more information, see "Managing access to self-hosted runners using groups."

Requirements for self-hosted runner machines

You can use any machine as a self-hosted runner as long at it meets these requirements:

Autoscaling your self-hosted runners

You can automatically increase or decrease the number of self-hosted runners in your environment in response to the webhook events you receive. For more information, see "Autoscaling with self-hosted runners."

Usage limits

There are some limits on GitHub Actions usage when using self-hosted runners. These limits are subject to change.

  • Job execution time - Each job in a workflow can run for up to 5 days of execution time. If a job reaches this limit, the job is terminated and fails to complete.
  • Workflow run time - Each workflow run is limited to 35 days. If a workflow run reaches this limit, the workflow run is cancelled. This period includes execution duration, and time spent on waiting and approval.
  • Job queue time - Each job for self-hosted runners that has been queued for at least 24 hours will be canceled. The actual time in queue can reach up to 48 hours before cancellation occurs. If a self-hosted runner does not start executing the job within this limit, the job is terminated and fails to complete.
  • API requests - You can execute up to 1,000 requests to the GitHub API in an hour across all actions within a repository. If requests are exceeded, additional API calls will fail which might cause jobs to fail.
  • Job matrix - A job matrix can generate a maximum of 256 jobs per workflow run. This limit applies to both GitHub Enterprise Server-hosted and self-hosted runners.
  • Workflow run queue - No more than 500 workflow runs can be queued in a 10 second interval per repository. If a workflow run reaches this limit, the workflow run is terminated and fails to complete.
  • Registering self-hosted runners - You can have a maximum of 10,000 self-hosted runners in one runner group. If this limit is reached, adding a new runner will not be possible.

Workflow continuity for self-hosted runners

If GitHub Actions services are temporarily unavailable, then a workflow run is discarded if it has not been queued within 30 minutes of being triggered. For example, if a workflow is triggered and the GitHub Actions services are unavailable for 31 minutes or longer, then the workflow run will not be processed.

Supported architectures and operating systems for self-hosted runners

The following operating systems are supported for the self-hosted runner application.

Linux

  • Red Hat Enterprise Linux 8 or later
  • CentOS 8 or later
  • Oracle Linux 8 or later
  • Fedora 29 or later
  • Debian 10 or later
  • Ubuntu 20.04 or later
  • Linux Mint 20 or later
  • openSUSE 15.2 or later
  • SUSE Enterprise Linux (SLES) 15 SP2 or later

Windows

  • Windows 10 64-bit
  • Windows 11 64-bit
  • Windows Server 2016 64-bit
  • Windows Server 2019 64-bit
  • Windows Server 2022 64-bit

macOS

  • macOS 11.0 (Big Sur) or later

Architectures

The following processor architectures are supported for the self-hosted runner application.

  • x64 - Linux, macOS, Windows.
  • ARM64 - Linux, macOS.
  • ARM32 - Linux.

Supported actions on self-hosted runners

Some extra configuration might be required to use actions from GitHub with GitHub Enterprise Server, or to use the actions/setup-LANGUAGE actions with self-hosted runners that do not have internet access. For more information, see "Managing access to actions from GitHub.com" and contact your GitHub Enterprise site administrator.

Communication between self-hosted runners and GitHub Enterprise Server

The self-hosted runner connects to GitHub Enterprise Server to receive job assignments and to download new versions of the runner application. The self-hosted runner uses an HTTP(S) long poll that opens a connection to GitHub Enterprise Server for 50 seconds, and if no response is received, it then times out and creates a new long poll. The application must be running on the machine to accept and run GitHub Actions jobs.

The connection between self-hosted runners and GitHub Enterprise Server is over HTTP (port 80) or HTTPS (port 443). To ensure connectivity over HTTPS, configure TLS for GitHub Enterprise Server. For more information, see "Configuring TLS."

Only an outbound connection from the runner to GitHub Enterprise Server is required. There is no need for an inbound connection from GitHub Enterprise Server to the runner. For caching to work, the runner must be able to communicate with the blob storage and directly download content from it.

GitHub Enterprise Server must accept inbound connections from your runners over HTTP(S) at your GitHub Enterprise Server instance's hostname and API subdomain, and your runners must allow outbound connections over HTTP(S) to your GitHub Enterprise Server instance's hostname and API subdomain.

Self-hosted runners do not require any external internet access in order to function. As a result, you can use network routing to direct communication between the self-hosted runner and GitHub Enterprise Server. For example, you can assign a private IP address to your self-hosted runner and configure routing to send traffic to GitHub Enterprise Server, with no need for traffic to traverse a public network.

You can also use self-hosted runners with a proxy server. For more information, see "Using a proxy server with self-hosted runners."

For more information about troubleshooting common network connectivity issues, see "Monitoring and troubleshooting self-hosted runners."

Communication between self-hosted runners and GitHub.com

Self-hosted runners do not need to connect to GitHub.com unless you have enabled automatic access to GitHub.com actions for GitHub Enterprise Server. For more information, see "About using actions in your enterprise."

If you have enabled automatic access to GitHub.com actions, then the self-hosted runner will connect directly to GitHub.com to download actions. You must ensure that the machine has the appropriate network access to communicate with the GitHub URLs listed below.

Shell
github.com
api.github.com
codeload.github.com
ghcr.io
*.actions.githubusercontent.com

Note

Some of the domains listed are configured using CNAME records. Some firewalls might require you to add rules recursively for all CNAME records. Note that the CNAME records might change in the future, and that only the domains listed will remain constant.

Self-hosted runner security

Untrusted workflows running on your self-hosted runner pose significant security risks for your machine and network environment, especially if your machine persists its environment between jobs. Some of the risks include:

  • Malicious programs running on the machine.
  • Escaping the machine's runner sandbox.
  • Exposing access to the machine's network environment.
  • Persisting unwanted or dangerous data on the machine.

For more information about security hardening for self-hosted runners, see "Security hardening for GitHub Actions."

Restricting the use of self-hosted runners

Enterprise owners and organization owners can choose which repositories are allowed to create repository-level self-hosted runners. Users with the “Manage organization runners and runner groups” permission can only choose which repositories are allowed to create repository-level self-hosted runners for repositories in your organization.

For more information about custom organization roles, see "About custom organization roles."

For more information, see "Enforcing policies for GitHub Actions in your enterprise" and "Disabling or limiting GitHub Actions for your organization."

Further reading