Skip to main content

GitHub Actions Self-Hosted Runners

There are certain scenarios where we may need to run GitHub Actions workflows that are not on GitHub’s managed infrastructure, for example:

  • A repository that contains sensitive data that cannot be made public

To facilitate this, we can offer a self-hosted runner that runs on Analytical Platform’s EKS cluster.

How to request a self-hosted runner

TBC, but generally on a case-by-case basis. Please contact the Analytical Platform team

How to prepare a self-hosted runner

The intended audience for section is the Analytical Platform Apps and Tools Team

  1. Login to GitHub using the Analytical Platform Robot account (credentials are 1Password)

  2. Create a repository scoped fine-grained access token with the following permissions:

  • Read access to metadata
  • Read and Write access to administration

  1. Create a new Secrets Manager secret in analytical-platform-management-production eu-west-2 called github/actions/self-hosted-runner/${REPOSITORY_NAME}

  2. Create a new entry in terraform/dpat-eks/production/actions-runners/${GITHUB_REPOSITORY}.tf, replacing ${GITHUB_ORGANISATION} and ${GITHUB_REPOSITORY} with the appropriate values:

    data "aws_secretsmanager_secret" "github_actions_self_hosted_runner_${GITHUB_REPOSITORY}" {
  provider = aws.analytical-platform-management-production

  name = "github/actions/self-hosted-runner/${GITHUB_REPOSITORY}"
}

data "aws_secretsmanager_secret_version" "github_actions_self_hosted_runner_${GITHUB_REPOSITORY}" {
  provider = aws.analytical-platform-management-production

  secret_id = data.aws_secretsmanager_secret.github_actions_self_hosted_runner_${GITHUB_REPOSITORY}.id
}

resource "helm_release" "${GITHUB_REPOSITORY}" {
  name      = "actions-runner-(moj|mojas)-${GITHUB_REPOSITORY}"
  repository = "oci://ghcr.io/ministryofjustice/data-platform-charts"
  version    = "2.0.0"
  chart      = "actions-runner"
  namespace  = "actions-runners"

  set {
    name  = "github.organisation"
    value = "${GITHUB_ORGANISATION}"
  }

  set {
    name  = "github.repository"
    value = "${GITHUB_REPOSITORY}"
  }

  set {
    name  = "github.token"
    value = data.aws_secretsmanager_secret_version.github_actions_self_hosted_runner_${GITHUB_REPOSITORY}.secret_string
  }

  set {
    name  = "github.runner.labels"
    value = "moj-data-platform"
  }

  set {
    name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
    value = "arn:aws:iam::593291632749:role/${GITHUB_REPOSITORY}"
  }
}

  3. Deploy the changes using the normal pull request process

How to use a self-hosted runner

When a self-hosted runner is deployed, it will automatically register itself with GitHub. You can see the runner in the repository’s settings

To consume it in a workflow, add the following to the workflow’s runs-on section:

runs-on: [self-hosted, moj-data-platform]
This page was last reviewed on 31 October 2023. It needs to be reviewed again on 30 April 2024 by the page owner #data-platform-notifications .