Skip to content

Add self-hosted runner infrastructure with monitoring and security best practices #56

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
Copilot wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

Add self-hosted runner infrastructure with monitoring and security best practices #56

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
085736a
Initial plan
Copilot Feb 11, 2026
33f9143
Add self-hosted runner workflows and comprehensive documentation
Copilot Feb 11, 2026
63de231
Add comprehensive documentation and implementation summary
Copilot Feb 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
283 changes: 283 additions & 0 deletions .github/IMPLEMENTATION_SUMMARY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,283 @@
# GitHub Actions & Self-Hosted Runners - Implementation Summary

This document summarizes the comprehensive GitHub Actions workflows and self-hosted runner infrastructure implemented for this repository.

## What Was Implemented

### 1. Self-Hosted Runner Management Workflows

#### `self-hosted-runner-setup.yml`
- **Purpose:** Manual runner management and diagnostics
- **Features:**
- Health checks on demand
- Runner information display
- System diagnostics (disk, memory, CPU)
- Instructions for runner configuration
- **Trigger:** Manual (workflow_dispatch)

#### `self-hosted-runner-health.yml`
- **Purpose:** Automated runner health monitoring
- **Features:**
- Scheduled weekly health checks (Mondays 9 AM UTC)
- Disk space monitoring with alerts
- Memory usage tracking
- Verification of required tools (Node.js, Yarn, Docker)
- Automatic cleanup of old artifacts
- **Trigger:** Manual + Weekly schedule

#### `self-hosted-example.yml`
- **Purpose:** Reference implementation for self-hosted runner usage
- **Features:**
- Dynamic runner selection (GitHub-hosted vs self-hosted)
- Mixed strategy (quick checks on GitHub-hosted, heavy builds on self-hosted)
- Examples for GPU workloads
- Integration test patterns
- Job dependency management
- **Trigger:** Manual with configurable runner type

### 2. Comprehensive Documentation

#### `SELF_HOSTED_RUNNERS.md` (12.8 KB)
Complete guide covering:
- When to use self-hosted vs GitHub-hosted runners
- Prerequisites and hardware requirements
- Step-by-step setup instructions for Linux/macOS/Windows
- Runner configuration (labels, groups, environment variables)
- Security best practices (critical for production use)
- Monitoring and maintenance procedures
- Auto-scaling strategies (Kubernetes, cloud providers)
- Troubleshooting common issues
- Example workflow patterns

#### `SELF_HOSTED_RUNNERS_QUICKSTART.md` (3.2 KB)
Quick reference guide with:
- Condensed setup steps
- Essential commands
- Security checklist
- Common troubleshooting
- Links to detailed documentation

#### `workflows/README.md` (7.3 KB)
Central documentation for all workflows:
- Overview of all workflows in the repository
- Trigger conditions and timeouts
- Runner configurations
- Best practices implementation
- Usage instructions
- Troubleshooting guide

#### Updated `WORKFLOWS_BEST_PRACTICES.md`
Added comprehensive section on:
- When to use self-hosted runners
- Self-hosted runner best practices
- Security considerations
- Monitoring strategies
- Fallback patterns

### 3. Enhanced .gitignore

Added GitHub Actions runner-specific entries:
```gitignore
# GitHub Actions and Runners
.github/actions-runner/
actions-runner/
_work/
_diag/
runner-config.local.yml
.runner
.credentials
.credentials_rsaparams
runner.env
.env.runner
```

This prevents accidentally committing:
- Runner binaries and configuration
- Runner credentials
- Work directories with sensitive data
- Diagnostic files

## Existing Workflows (Already Implemented)

The repository already had excellent workflows following best practices:

1. **node.js.yml** - Node.js CI (build & lint)
2. **main.yml** - Unit tests
3. **e2e-tests.yml** - End-to-end tests with Playwright
4. **bearer.yml** - Security scanning
5. **file-size-checker.yml** - Large file detection
6. **update-algolia.yml** - Search index updates

All existing workflows include:
- ✅ Latest action versions (checkout@v4, setup-node@v4)
- ✅ Explicit minimal permissions
- ✅ Concurrency control
- ✅ Appropriate timeouts
- ✅ Efficient caching with Yarn

## Security Highlights

### Critical Security Practices Documented

1. **Never use self-hosted runners for public repositories** ⚠️
- Malicious code in forks can compromise runners
- Clearly documented with warnings

2. **Run runners as unprivileged users**
- Instructions for creating dedicated users
- Prevents privilege escalation

3. **Network isolation**
- Firewall configuration guidance
- Proxy setup instructions

4. **Ephemeral runners**
- Disposable runners for sensitive operations
- Configuration examples provided

5. **Regular updates**
- Automated health monitoring
- Update procedures documented

6. **Access control**
- Runner groups for organization-level access control
- Repository-specific runner configurations

## Usage Patterns

### For GitHub-Hosted Runners (Current Default)
```yaml
runs-on: ubuntu-latest
```
- All current workflows use this
- Suitable for most standard operations
- No additional setup required

### For Self-Hosted Runners (When Configured)
```yaml
runs-on: [self-hosted, linux, x64]
```
- Opt-in per workflow/job
- Requires runner setup (see docs)
- Recommended for resource-intensive jobs

### Mixed Strategy (Recommended)
```yaml
jobs:
quick-checks:
runs-on: ubuntu-latest # Fast, minimal setup

heavy-build:
runs-on: [self-hosted, linux] # Resource-intensive
```

## Getting Started with Self-Hosted Runners

For users wanting to set up self-hosted runners:

1. **Read the documentation**
- Start with `SELF_HOSTED_RUNNERS_QUICKSTART.md`
- Review security section in `SELF_HOSTED_RUNNERS.md`

2. **Prepare infrastructure**
- Dedicated machine (VM or physical)
- Minimum 4 GB RAM, 20 GB disk
- Network access to GitHub

3. **Follow setup guide**
- Repository Settings → Actions → Runners → New self-hosted runner
- Follow GitHub's provided commands
- Install required dependencies (Node.js, Yarn)

4. **Test the setup**
- Run `self-hosted-runner-setup.yml` workflow
- Choose "health-check" action
- Verify all checks pass

5. **Update workflows**
- Modify `runs-on` in workflows as needed
- Use `self-hosted-example.yml` as reference
- Test with small changes first

## Monitoring and Maintenance

### Automated Monitoring
- Weekly health checks via `self-hosted-runner-health.yml`
- Alerts for disk space, memory issues
- Runner process verification

### Manual Checks
- On-demand via `self-hosted-runner-setup.yml`
- Health check action
- Runner information display

### Maintenance Schedule
- **Weekly:** Check runner status, review logs
- **Monthly:** Update runner version, clean artifacts
- **Quarterly:** Security audit, OS updates

## Benefits

### Current Setup (GitHub-Hosted)
- ✅ Zero maintenance
- ✅ Automatic updates
- ✅ Isolated environments
- ✅ Suitable for public repositories

### With Self-Hosted Runners (When Configured)
- ✅ Custom hardware/software
- ✅ Network access to private resources
- ✅ Cost optimization for high volumes
- ✅ More resources (CPU, memory, disk)
- ✅ Reduced queue times

## File Structure

```
.github/
├── workflows/
│ ├── README.md # All workflows documentation
│ ├── self-hosted-runner-setup.yml # Manual runner management
│ ├── self-hosted-runner-health.yml # Automated health monitoring
│ ├── self-hosted-example.yml # Example implementation
│ ├── node.js.yml # Existing: Build & lint
│ ├── main.yml # Existing: Unit tests
│ ├── e2e-tests.yml # Existing: E2E tests
│ ├── bearer.yml # Existing: Security scan
│ ├── file-size-checker.yml # Existing: File size check
│ └── update-algolia.yml # Existing: Search updates
├── actions/
│ └── setup-node-yarn/ # Existing: Composite action
├── WORKFLOWS_BEST_PRACTICES.md # Enhanced: Added self-hosted section
├── SELF_HOSTED_RUNNERS.md # New: Complete guide
└── SELF_HOSTED_RUNNERS_QUICKSTART.md # New: Quick reference
```

## Next Steps

### Immediate (No Self-Hosted Runners Yet)
- ✅ All workflows work with GitHub-hosted runners
- ✅ Documentation is ready for future self-hosted setup
- ✅ Example workflows demonstrate patterns
- ✅ Monitoring infrastructure in place

### When Ready to Add Self-Hosted Runners
1. Review security requirements
2. Provision hardware/VMs
3. Follow setup guide
4. Test with example workflow
5. Uncomment self-hosted jobs in health monitoring
6. Gradually migrate resource-intensive jobs

## Conclusion

This implementation provides:

1. **Complete self-hosted runner infrastructure** ready to use when needed
2. **Comprehensive documentation** covering all aspects of setup, security, and maintenance
3. **Automated monitoring** to ensure runner health
4. **Example workflows** demonstrating best practices
5. **Enhanced security** through improved .gitignore
6. **Flexibility** to use GitHub-hosted or self-hosted runners per workflow/job

The repository now has enterprise-grade CI/CD infrastructure with clear paths for scaling as needs grow.
Loading
Loading