GitHub runner

Canonical IS DevOps

Architecture:

Base version:

Channel	Revision	Published	Runs on
latest/stable	295	Today	Ubuntu 22.04 Ubuntu 20.04
latest/stable	290	11 Nov 2024	Ubuntu 22.04 Ubuntu 20.04
latest/stable	1	09 Feb 2022	Ubuntu 22.04 Ubuntu 20.04
latest/beta	290	11 Nov 2024	Ubuntu 22.04
latest/beta	234	05 Aug 2024	Ubuntu 22.04
latest/edge	300	Today	Ubuntu 22.04 Ubuntu 20.04
latest/edge	299	Yesterday	Ubuntu 22.04 Ubuntu 20.04
latest/edge	4	26 Apr 2022	Ubuntu 22.04 Ubuntu 20.04
1/stable	177	05 Jun 2024	Ubuntu 22.04
1/edge	177	05 Jun 2024	Ubuntu 22.04

Learn to deploy on juju >

Platform:

22.04 20.04

Relevant links

Discuss this charm

Share your thoughts on this charm with the community on discourse.

Join the discussion

How to comply with security requirements

According to GitHub, running code inside the GitHub self-hosted runner poses a significant security risk of arbitrary code execution. The self-hosted runners managed by the charm are isolated in its own single-use virtual machine instance. In addition, the charm enforces some repository settings to ensure all code running on the self-hosted runners is reviewed by someone trusted.

The repository settings are enforced with the repo-policy-compliance Python library. The enforced rules differ depending on how the GitHub Actions workflow is triggered. The details can be found in the README.

In this guide, a recommended set of policies will be presented, but any set repository settings that passes the Python library checks will work with the self-hosted runners managed by this charm.

Recommended policy

For outside collaborators the permission should be set to read. See here for instructions to change collaborator permissions. Outside collaborators will still be able to contribute with pull requests, but reviews will be needed. Details in a later section.
Create the following branch protection rules, with the instructions here:
- branch name pattern ** with Require signed commits enabled.
- branch name pattern matching only the default branch of the repository, such as main, with the follow enabled:
  - Dismiss stale pull request approvals when new commits are pushed
  - Required signed commits
  - Do not allow bypassing the above settings

With these settings, the common workflow of creating branches with pull requests and merging to the default branch is supported. Other GitHub Actions workflow triggers such as workflow_dispatch, push, and schedule are supported as well.

Working with outside collaborators

Generally, outside collaborators are not completely trusted, but still would need to contribute in some manner. As such, this charm requires pull requests by outside collaborators to be reviewed by someone with write permission or above. Once the review is completed, the reviewer should add a comment including the following string: /canonical/self-hosted-runners/run-workflows <commit SHA>, where <commit SHA> is the commit SHA of the approved commit. Once posted, the self-hosted runners will run the workflow for this commit.

Help improve this document in the forum (guidelines). Last updated a month ago.