Add self-hosted runner infrastructure with monitoring and security best practices#56

Draft
Copilot wants to merge 3 commits into master from copilot/install-manage-workflows

Conversation

Copilot AI commented Feb 11, 2026

Existing workflows used GitHub-hosted runners only. No infrastructure existed for self-hosted runners. Added complete self-hosted runner management system with security-first design.

Workflows

self-hosted-runner-setup.yml

  • Manual runner diagnostics (health checks, system info, runner details)
  • On-demand via workflow_dispatch

self-hosted-runner-health.yml

  • Automated weekly monitoring (disk/memory/CPU checks)
  • Alert thresholds: disk >80%, memory <20%
  • Scheduled cleanup of artifacts >7 days

self-hosted-example.yml

  • Reference implementation showing mixed runner strategies
  • Dynamic runner selection via workflow inputs
  • Examples: GPU workloads, integration tests, build optimization
# Pattern: Quick checks on GitHub-hosted, heavy builds on self-hosted
jobs:
  lint:
    runs-on: ubuntu-latest
  build:
    runs-on: [self-hosted, linux, high-cpu]

Documentation

  • SELF_HOSTED_RUNNERS.md (12.8 KB): Complete setup guide for Linux/macOS/Windows, security hardening, auto-scaling strategies (Kubernetes ARC, cloud providers), troubleshooting
  • SELF_HOSTED_RUNNERS_QUICKSTART.md (3.2 KB): Fast path to setup, security checklist, common issues
  • workflows/README.md (7.3 KB): Central reference for all workflows, trigger conditions, timeouts, usage patterns
  • IMPLEMENTATION_SUMMARY.md (8.7 KB): Architecture overview, benefits analysis, adoption path
  • WORKFLOWS_BEST_PRACTICES.md: Added self-hosted section (when to use, security requirements, monitoring)

Security

Enhanced .gitignore with runner-specific entries:

  • Runner credentials (.credentials, .credentials_rsaparams)
  • Work directories (_work/, _diag/)
  • Configuration files (runner.env, .runner)

Documentation emphasizes:

  • Never use self-hosted runners on public repos (risk of malicious fork execution)
  • Run as unprivileged users
  • Ephemeral runners for sensitive operations
  • Network isolation and access control via runner groups

Design Decisions

  • Zero impact adoption: All existing workflows unchanged, use GitHub-hosted runners
  • Optional opt-in: Self-hosted runners enabled per-workflow via runs-on configuration
  • Mixed strategies supported: Combine GitHub-hosted (fast checks) with self-hosted (resource-intensive builds)
  • Monitoring built-in: Health checks, alerting, automated cleanup before day 1

Current state: Infrastructure ready, all workflows on GitHub-hosted runners. Enables migration to self-hosted when resource constraints or custom requirements emerge.
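The health checks and cleanup the PR description attributes to self-hosted-runner-health.yml (disk >80% used, free memory <20%, artifacts older than 7 days) can be expressed as a small script that the workflow's `run:` step would call. The following is an added example written for this page, not code from the PR or its repository; the variable `RUNNER_WORKDIR`, the reading of MemAvailable from /proc/meminfo, and the sample directory used for cleanup are assumptions, and the thresholds are the ones the description states.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR. Health check for a Linux self-hosted runner
# using the thresholds from the PR description. RUNNER_WORKDIR is an assumed
# variable pointing at the runner's _work volume; it is not set by the runner itself.
set -u

DISK_USED_MAX=80      # alert when more than this percent of the work volume is used
MEM_FREE_MIN=20       # alert when less than this percent of MemTotal is available
ARTIFACT_MAX_DAYS=7   # delete work artifacts older than this many days

# check_disk <percent_used>: exit 0 when under threshold, 1 when an alert is due.
check_disk() {
  local used=${1:-0}
  if [ "$used" -gt "$DISK_USED_MAX" ]; then
    echo "ALERT disk ${used}% used (threshold ${DISK_USED_MAX}%)"
    return 1
  fi
  echo "OK disk ${used}% used"
}

# check_mem <mem_total_kb> <mem_available_kb>: exit 0 when enough memory is
# available, 1 when an alert is due. MemAvailable is used instead of MemFree so
# that reclaimable page cache is not reported as memory pressure.
check_mem() {
  local total=${1:-1} avail=${2:-0} pct
  pct=$(( avail * 100 / total ))
  if [ "$pct" -lt "$MEM_FREE_MIN" ]; then
    echo "ALERT memory ${pct}% available (threshold ${MEM_FREE_MIN}%)"
    return 1
  fi
  echo "OK memory ${pct}% available"
}

# disk_used_pct <path>: percent used on the filesystem holding <path> (GNU df).
disk_used_pct() {
  df --output=pcent "${1:-.}" | tail -n 1 | tr -dc '0-9'
}

# mem_kb <MemTotal|MemAvailable>: read one field from /proc/meminfo in kB.
mem_kb() {
  awk -v key="$1" '$1 == key":" {print $2}' /proc/meminfo
}

# cleanup_artifacts <dir> <days>: delete regular files under <dir> whose
# modification time is older than <days> days. Symlinks are not followed, so a
# link planted in the work directory cannot redirect the deletion elsewhere.
cleanup_artifacts() {
  local dir=$1 days=$2
  find "$dir" -type f -mtime +"$days" -print -delete
}

# Live run against the host; returns non-zero if any check alerted so the
# workflow step fails and the job shows up red.
main() {
  local rc=0
  check_disk "$(disk_used_pct "${RUNNER_WORKDIR:-.}")" || rc=1
  check_mem "$(mem_kb MemTotal)" "$(mem_kb MemAvailable)" || rc=1
  if [ -n "${RUNNER_WORKDIR:-}" ]; then
    cleanup_artifacts "$RUNNER_WORKDIR" "$ARTIFACT_MAX_DAYS"
  fi
  return "$rc"
}

# Only touch the live host when explicitly asked, e.g.
#   RUN_HEALTH_CHECK=1 RUNNER_WORKDIR=/opt/actions-runner/_work ./runner-health.sh
if [ "${RUN_HEALTH_CHECK:-0}" = 1 ]; then
  main
fi
```

Keeping the threshold logic in functions that take numbers, separate from the functions that read the host, is what makes the thresholds testable without a runner; the cleanup deliberately restricts itself to regular files and never follows symlinks, which matters on a machine where untrusted job code has written into _work.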


Copilot AI and others added 2 commits February 11, 2026 19:44
Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>
Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>
Copilot AI changed the title [WIP] Add workflows management and comprehensive .gitignore Add self-hosted runner infrastructure with monitoring and security best practices Feb 11, 2026