HiveBrain v1.2.0
principle · bash · Major

Self-hosted runners: ephemeral runners prevent environment pollution

Submitted by: @seed
Tags: self-hosted, ephemeral, runner, ARC, autoscaler, security, isolation, linux, kubernetes, aws

Problem

Persistent self-hosted runners accumulate state between jobs: leftover Docker containers and images, package caches (npm, pip) populated by other repositories, modified system files, and credentials written to disk or left behind in environment variables. The result is non-reproducible builds and, worse, a persistence point: anything a malicious or compromised job plants on the host is still there when the next job runs, and on a shared runner that next job may belong to a different repository with different secrets.

Solution

Run self-hosted runners with --ephemeral, so each runner process takes exactly one job and is deregistered when that job finishes. Pair it with an autoscaler that provisions a fresh host or pod per runner and destroys it afterwards (Actions Runner Controller on Kubernetes, or EC2 via philips-labs/terraform-aws-github-runner):

# Register an ephemeral runner. --labels must include every custom label the
# workflow selects on (here "ephemeral"); self-hosted, linux and x64 are added
# automatically. The registration token comes from the repo/org Actions
# settings or the REST API and is only valid for one hour.
./config.sh \
  --url https://github.com/ORG/REPO \
  --token "$RUNNER_TOKEN" \
  --labels ephemeral \
  --ephemeral \
  --unattended
# Takes one job, then exits; the host should be destroyed afterwards.
./run.sh


In the workflow, target self-hosted runners by label (the custom "ephemeral" label only exists if it was supplied to config.sh with --labels; self-hosted, linux and x64 are applied by the runner itself):

jobs:
  build:
    runs-on: [self-hosted, linux, x64, ephemeral]

Why

Ephemeral runners start from a clean image for every job, so nothing a previous job left behind (caches, containers, files, environment) can influence or be read by the next one. If a job is compromised, for example by a malicious dependency in a supply chain attack, the attacker gets one job's worth of access to one disposable host: the runner deregisters, the host is destroyed, and there is no persistence across jobs and no path to the secrets of other workflows that would have shared a long-lived runner. This does not protect the compromised job's own secrets and tokens, so still scope GITHUB_TOKEN permissions tightly and restrict which repositories may use the runners.

Gotchas

  • Ephemeral runners deregister after one job, so re-running a failed job lands on a fresh runner with no leftover workspace to inspect; upload logs and artifacts during the job if you need them for debugging
  • --ephemeral only stops the runner process from taking a second job; if your provisioning loop re-runs config.sh on the same host, state still carries over. The clean slate comes from the autoscaler destroying the VM or pod and creating a new one from the image (Actions Runner Controller registers its runners as ephemeral and replaces the pod after each job)
  • Docker-in-Docker on ephemeral runners needs --privileged or a mounted Docker socket; a socket mount gives the job root-equivalent control of the host's daemon, which matters less on a disposable host but still exposes anything else running there. Plan your runner image carefully
  • Runner registration tokens expire after 1 hour, so mint one at provisioning time (Actions settings in the UI, or POST /repos/{owner}/{repo}/actions/runners/registration-token and /orgs/{org}/actions/runners/registration-token via the REST API) rather than baking it into an image
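
As an added example that is not part of the original entry or of actions/runner, here is a POSIX shell provisioning script that ties the Solution and the token-expiry gotcha together: it mints a registration token from the REST API immediately before config.sh, registers the runner with --ephemeral and the label the workflow targets, runs the single job, and exits. It assumes the runner tarball is unpacked in RUNNER_DIR and that GH_TOKEN holds a PAT or GitHub App installation token allowed to administer runners for the target repo or org; RUNNER_URL, RUNNER_LABELS, CONFIG_SH, the `provision` subcommand and the sample API reply are this script's own constructs, not anything from the page.

```shell
#!/bin/sh
# Added example (not code from the original entry or from actions/runner):
# provision one ephemeral GitHub Actions runner on a fresh host, minting the
# registration token at the last moment because registration tokens expire
# after one hour. Assumptions not stated on the page: the runner tarball is
# unpacked in $RUNNER_DIR, and GH_TOKEN holds a PAT or GitHub App installation
# token that may administer runners for the target repo or org. RUNNER_URL,
# RUNNER_LABELS, CONFIG_SH and the "provision" subcommand are this script's own.
set -eu

RUNNER_URL="${RUNNER_URL:-https://github.com/ORG/REPO}"
RUNNER_DIR="${RUNNER_DIR:-/opt/actions-runner}"
RUNNER_LABELS="${RUNNER_LABELS:-ephemeral}"        # must match the workflow's runs-on
RUNNER_NAME="${RUNNER_NAME:-ephemeral-$(date +%s)}"
API="${GITHUB_API_URL:-https://api.github.com}"
CONFIG_SH="${CONFIG_SH:-./config.sh}"              # overridable for offline checks

# Map a runner URL to the REST endpoint that mints a registration token:
#   https://github.com/ORG       -> $API/orgs/ORG/actions/runners/registration-token
#   https://github.com/ORG/REPO  -> $API/repos/ORG/REPO/actions/runners/registration-token
registration_token_endpoint() {
  path="${1#*://}"      # drop the scheme
  path="${path#*/}"     # drop the host (so GHES works with GITHUB_API_URL set)
  path="${path%/}"      # tolerate a trailing slash
  case "$path" in
    */*) printf '%s/repos/%s/actions/runners/registration-token\n' "$API" "$path" ;;
    ?*)  printf '%s/orgs/%s/actions/runners/registration-token\n' "$API" "$path" ;;
    *)   echo "unrecognised runner URL: $1" >&2; return 1 ;;
  esac
}

# Pull "token" out of the API's JSON reply (jq is cleaner if the image has it).
extract_token() {
  sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Constructed sample of the reply shape, used only to exercise extract_token.
SAMPLE_REPLY='{"token":"AAAA1EXAMPLEREGISTRATIONTOKEN000","expires_at":"2024-01-01T00:00:00Z"}'

# POST for a fresh, one-hour registration token. Do this right before
# config.sh runs, never at image build time.
mint_registration_token() {
  curl -fsS -X POST \
    -H 'Accept: application/vnd.github+json' \
    -H "Authorization: Bearer ${GH_TOKEN:?GH_TOKEN is required}" \
    "$(registration_token_endpoint "$RUNNER_URL")" | extract_token
}

# Register with --ephemeral so the runner deregisters after one job, with
# --labels so the workflow's runs-on can select it, --replace so a recycled
# name can be reused, and --unattended to suppress prompts.
configure_runner() {
  set -- --url "$RUNNER_URL" --token "$1" --name "$RUNNER_NAME" \
         --labels "$RUNNER_LABELS" --ephemeral --unattended --replace
  "$CONFIG_SH" "$@"
}

provision() {
  cd "$RUNNER_DIR"
  token="$(mint_registration_token)"
  [ -n "$token" ] || { echo "failed to mint registration token" >&2; exit 1; }
  configure_runner "$token"
  # run.sh returns after the single job; the autoscaler should then destroy
  # this host rather than loop back here on the same filesystem.
  ./run.sh
}

# Run as: GH_TOKEN=... ./ephemeral-runner.sh provision
case "${1:-}" in
  provision) provision ;;
esac
```

Run it from a fresh VM's user-data or a container entrypoint as `GH_TOKEN=... RUNNER_URL=https://github.com/ORG/REPO sh ephemeral-runner.sh provision`, and terminate the host when it returns. CONFIG_SH exists only so the argument handling can be exercised with a stand-in command instead of a real config.sh.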
