Actions Runners

To run concurrent GitHub Actions in a self-hosted environment, we use the GitHub Actions Runner Controller (ARC), a Kubernetes controller, running on k3s, a lightweight Kubernetes distribution.

The ARC is hosted on a dedicated runner server, namely hz-brainstud-runner. All Actions run under the GitHub aycl-bot user which authenticates using a Personal Access Token (classic).

Architecture

Due to the volume of actions we run, we use our own self-hosted server instead of GitHub Hosted Actions. This gives us more control over where our actions are executed, how many resources we allocate and from which IP addresses we make deployments.

By default GitHub allows you to configure self-hosted runners. The disadvantage of this type of runner is that concurrency is hard to achieve, since each runner is one fixed process. That's where the ARC (Actions Runner Controller) comes in: the ARC can spawn ephemeral runners and automatically scale up or down depending on volume and configured constraints.

K3S

The ARC runs in Kubernetes. Instead of a full-fledged Kubernetes set-up we use k3s, which offers a full Kubernetes installation as a single distribution and an easily managed process. Once k3s is installed, you have a regular Kubernetes distribution running and can use all kubectl and helm commands.

ARC Usage

You can view the status of the ARC on the Runners management page on GitHub. The ARC is registered under hz-arc-runner-set. This is also the name which can be used when configuring Actions.

Due to resource constraints, the ARC is configured with a maximum concurrency of 6 actions.

Runner Maintenance

Refresh Personal Access Token

The ARC requires authentication to GitHub in order to register itself as a runner and communicate about all Action runs. The authentication is handled by a Personal Access Token (classic) created on the aycl-bot account.

The token expires yearly in January. When this happens, you must create a new PAT and update the Runner configuration.

Create a new token

  1. Sign in with the aycl-bot user
  2. Go to the Personal access tokens management page
  3. Click on Generate new token > Generate new token (classic)
  4. Create a token with Expiration in 1 year and the following scopes: repo (all) and admin:org (all)

Configure the token

SSH into the Actions Runner server and update the secret:

kubectl create secret generic hz-arc-runner-set-gha-rs-github-secret \
    --namespace arc-runners \
    --from-literal=github_token='<TOKEN_HERE>' \
    --dry-run=client -o yaml | kubectl apply -f -

After applying the new secret, you may need to restart k3s:

sudo systemctl restart k3s
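
The --from-literal form above leaves the token in shell history and in the process list while kubectl runs. The script below is an added example, not part of the original runbook: it reads the token without echo, checks it against the scopes from step 4, and passes it to kubectl over stdin. The function names, the ghp_ prefix check and the use of the x-oauth-scopes response header from https://api.github.com/user are choices of this example.

```shell
#!/bin/sh
# Added example: rotate the ARC secret without the PAT appearing in argv.
REQUIRED_SCOPES="repo admin:org"   # scopes listed in step 4 of "Create a new token"

# Succeeds if the value looks like a classic PAT: "ghp_" followed by alphanumerics.
is_classic_pat() {
  case "$1" in
    ghp_|ghp_*[!A-Za-z0-9]*) return 1 ;;
    ghp_*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints every required scope missing from an X-OAuth-Scopes header value
# such as "admin:org, repo". Prints nothing when all are granted.
missing_scopes() {
  granted=$(printf '%s' "$1" | tr -d ' \r' | tr ',' '\n')
  for scope in $REQUIRED_SCOPES; do
    printf '%s\n' "$granted" | grep -qxF "$scope" || printf '%s\n' "$scope"
  done
}

# Asks GitHub which scopes the token carries. The Authorization header is
# handed to curl as a config file on stdin (-K -), not as an argument.
granted_scopes() {
  printf 'header = "Authorization: Bearer %s"\n' "$1" |
    curl -sS -I -K - https://api.github.com/user |
    tr -d '\r' |
    awk 'tolower($1) == "x-oauth-scopes:" { sub(/^[^:]*: */, ""); print }'
}

main() {
  printf 'New PAT for aycl-bot: ' >&2
  stty -echo; IFS= read -r token; stty echo; echo >&2
  is_classic_pat "$token" || { echo "not a classic PAT (ghp_...)" >&2; return 1; }
  missing=$(missing_scopes "$(granted_scopes "$token")")
  [ -z "$missing" ] || { echo "token lacks scopes: $missing" >&2; return 1; }
  # --from-file reads the value from stdin; printf adds no trailing newline.
  printf '%s' "$token" |
    kubectl create secret generic hz-arc-runner-set-gha-rs-github-secret \
      --namespace arc-runners \
      --from-file=github_token=/dev/stdin \
      --dry-run=client -o yaml | kubectl apply -f -
}

# Only touches the cluster when invoked as: ./rotate-arc-token.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

The script name rotate-arc-token.sh is hypothetical. Run it on the Actions Runner server in place of the kubectl command above.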