GitHub Actions is a nice addition to the GitHub services. It can be very useful as a basic CI/CD system and is easy to set up and use.
I wasn't sure about using it, because GitHub is a public system and I want to use it to deploy code to servers in a private network.
Whitelisting GitHub IP addresses and opening ports from the outside is not my way. Here is how to solve it.
GH has a very nice feature called "Self-Hosted Runner". A runner executes all GH Actions jobs for a given repository. Basically it is a piece of GH infrastructure that you host and run yourself, for example inside your VPC.
Since it runs inside your infrastructure, it's easy to give it access to the services needed for deployment or other tasks. The flip side is that every workflow the repository runs executes on that machine, so keep self-hosted runners on private repositories: on a public repository a pull request from a fork could run arbitrary code on a host inside your network.
Another nice thing about it is that it only needs a single outbound HTTPS connection to GH servers to work properly; nothing has to be reachable from the outside.
You can read more about it on GH itself. I am very satisfied with the performance.
However, I found a couple of drawbacks:
- It's not clear how to run it inside a Docker container, since the GH runner runtime tries to update itself. This does not work well inside an immutable container.
- It's only per repository; it can not be set up per organization (so far). In case of multiple repos you have to set up a separate runner per repo.
# How to run multiple runners on a single machine?

Create a separate unprivileged user for every runner and install the GH runner runtime under it. The runner has to be registered with the repository before it can be started; `<owner>/<repo>` and `<TOKEN>` below are placeholders, the registration token comes from the repository's Settings > Actions > Add runner page.

```shell
# as root: one dedicated user per runner
useradd -m github-runner1
su - github-runner1
# as github-runner1: download and unpack the runner
mkdir actions-runner && cd actions-runner
curl -O https://githubassets.azureedge.net/runners/2.162.0/actions-runner-linux-x64-2.162.0.tar.gz
tar xzf ./actions-runner-linux-x64-2.162.0.tar.gz
# register this runner with the repository
./config.sh --url https://github.com/<owner>/<repo> --token <TOKEN> --name github-runner1
```
Add the runner to systemd for auto-start, using the following unit file as /etc/systemd/system/github-runner1.service

```ini
[Unit]
Description=Github Runner1
After=network.target

[Service]
ExecStart=/home/github-runner1/actions-runner/bin/runsvc.sh
User=github-runner1
WorkingDirectory=/home/github-runner1/actions-runner
KillMode=process
KillSignal=SIGTERM
TimeoutStopSec=5min

[Install]
WantedBy=multi-user.target
```
```shell
# Enable start at boot
sudo systemctl enable github-runner1
# Start
sudo systemctl start github-runner1
# Show current status
sudo systemctl status github-runner1
# Follow runner logs, useful for debugging
sudo journalctl -u github-runner1.service -f
```
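The steps above, repeated for every runner, are easy to get inconsistent (a unit pointing at the wrong home directory, a forgotten registration). The script below is an added example, not code from the original post: it renders the unit file from the runner name and provisions N runners in a loop. It assumes a systemd host with `useradd`, the same 2.162.0 tarball URL as above, and that `https://github.com/<owner>/<repo>` and `<TOKEN>` (a short-lived registration token from the repo's Settings > Actions > Add runner page, not a personal access token) are supplied by the caller. Provisioning only runs when `RUNNER_PROVISION=1` is set, so the file can be sourced to test the rendering functions without touching the system.

```shell
#!/usr/bin/env bash
# Provision several GitHub Actions self-hosted runners on one host,
# one unprivileged user per runner. Added example, not from the original post.
# Assumptions: systemd, useradd, and the runner tarball used in the post.
set -eu

RUNNER_VERSION="2.162.0"
RUNNER_TARBALL="actions-runner-linux-x64-${RUNNER_VERSION}.tar.gz"
RUNNER_URL="https://githubassets.azureedge.net/runners/${RUNNER_VERSION}/${RUNNER_TARBALL}"

# Render the systemd unit for a runner user; the runner lives in that user's
# ~/actions-runner, exactly like the hand-written unit above.
unit_file() {
  local name="$1"
  cat <<EOF
[Unit]
Description=GitHub Actions runner ${name}
After=network.target

[Service]
ExecStart=/home/${name}/actions-runner/bin/runsvc.sh
User=${name}
WorkingDirectory=/home/${name}/actions-runner
KillMode=process
KillSignal=SIGTERM
TimeoutStopSec=5min
Restart=always

[Install]
WantedBy=multi-user.target
EOF
}

# Where the unit for a given runner name is installed.
unit_path() {
  printf '/etc/systemd/system/%s.service\n' "$1"
}

# Create the user, unpack the runner, register it with the repository and
# enable the unit. Must run as root; repo_url is https://github.com/<owner>/<repo>,
# token is the registration token (valid for about an hour, reusable within it).
# Note: the token is visible in the process list while config.sh runs.
provision_runner() {
  local name="$1" repo_url="$2" token="$3"
  id -u "$name" >/dev/null 2>&1 || useradd -m -s /bin/bash "$name"
  su - "$name" -c "mkdir -p actions-runner && cd actions-runner \
    && curl -fsSLO '${RUNNER_URL}' \
    && tar xzf '${RUNNER_TARBALL}' \
    && ./config.sh --unattended --url '${repo_url}' --token '${token}' \
         --name '${name}' --work _work"
  unit_file "$name" > "$(unit_path "$name")"
  systemctl daemon-reload
  systemctl enable --now "${name}.service"
}

# Usage (as root):
#   RUNNER_PROVISION=1 ./runners.sh https://github.com/<owner>/<repo> <TOKEN> 3
# creates github-runner1 .. github-runner3, each registered and started.
if [ "${RUNNER_PROVISION:-0}" = "1" ]; then
  repo_url="$1"
  token="$2"
  count="${3:-1}"
  i=1
  while [ "$i" -le "$count" ]; do
    provision_runner "github-runner${i}" "$repo_url" "$token"
    i=$((i + 1))
  done
fi
```

Each runner gets its own user, so a job on runner1 cannot read the work directory or credentials of runner2; `Restart=always` brings a runner back after the self-update restart mentioned in the drawbacks above.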