RunsOn
Last updated
Was this helpful?
Last updated
Was this helpful?
RunsOn is the modern way to self-host GitHub Actions runners at scale on AWS, with incredible cost savings and features:
10x cheaper than GitHub-hosted runners
at least 30% faster than GitHub-hosted runners
5x faster, unlimited caching with S3-local bucket
fully self-hosted in your own AWS account
no concurrency limits
native x64, arm64, GPU, and Windows support
SSH access, advanced networking, and more
RunsOn is a partner of StepSecurity and provides ready-made base images that contain the StepSecurity agent for self-hosting use.
Get a StepSecurity API Key
You need a StepSecurity Enterprise License.
If you don’t have a license, you can start a free trial at StepSecurity.
Configure RunsOn –
Get your StepSecurity API key (from Settings-> Self Hosted Runners-> Self Hosted VM -> RunsOn Integration)
Enter it in the RunsOn CloudFormation template.
Use StepSecurity images in your workflows. Here is the list of all StepSecurity images:
ubuntu24-stepsecurity-x64
ubuntu24-stepsecurity-arm64
jobs:
build:
runs-on:
- runs-on=${{ github.run_id }}
- runner=2cpu-linux-x64
- image=ubuntu24-stepsecurity-x64
Visit your StepSecurity dashboard to review the runtime insights report for network, process, and file activities.
Here is an example workflow that uses StepSecurity images with RunsOn
name: RunsOn Tests
on:
workflow_dispatch:
jobs:
test-host-outbound:
runs-on:
- runs-on=${{ github.run_id }}
- runner=2cpu-linux-x64
- image=ubuntu22-stepsecurity-x64
steps:
- name: Harden Runner
uses: step-security/harden-runner@rc
with:
egress-policy: audit
allowed-endpoints: >
github.com:443
goreleaser.com:443
- name: Checkout code
uses: actions/checkout@v3
- name: Run outbound calls from host
run: |
start_time=$(date +%s)
end_time=$((start_time + 90)) # 5 minutes = 300 seconds
while [ $(date +%s) -lt $end_time ]; do
curl -I https://www.google.com
curl -I https://goreleaser.com
sleep 10 # wait 10 seconds between calls
done
test-docker-outbound:
runs-on:
- runs-on=${{ github.run_id }}
- runner=2cpu-linux-x64
- image=ubuntu22-stepsecurity-x64
steps:
- name: Harden Runner
uses: step-security/harden-runner@rc
with:
egress-policy: block
allowed-endpoints: >
archive.ubuntu.com:80
github.com:443
goreleaser.com:443
production.cloudflare.docker.com:443
docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
*.docker.io:443
security.ubuntu.com:80
- name: Checkout code
uses: actions/checkout@v3
- name: Run outbound calls from within Docker container
continue-on-error: true
run: |
# Start the container
docker run --rm -d --name test-container ubuntu:latest sleep 90
# Install curl in the container
docker exec test-container apt-get update
docker exec test-container apt-get install -y curl
# Print /etc/resolv.conf from the container
docker exec test-container cat /etc/resolv.conf
# Make outbound calls
for i in {1..9}; do
docker exec test-container curl -I https://www.google.com
docker exec test-container curl -I https://goreleaser.com
sleep 10 # wait 10 seconds between calls
done
# Stop the container
docker stop test-container
test-docker-build-outbound:
runs-on:
- runs-on=${{ github.run_id }}
- runner=2cpu-linux-x64
- image=ubuntu22-stepsecurity-x64
steps:
- name: Harden Runner
uses: step-security/harden-runner@rc
with:
egress-policy: audit
allowed-endpoints: >
archive.ubuntu.com:80
auth.docker.io:443
github.com:443
goreleaser.com:443
production.cloudflare.docker.com:443
docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
registry-1.docker.io:443
security.ubuntu.com:80
- name: Checkout code
uses: actions/checkout@v3
- name: Build Docker image and test outbound calls during build
continue-on-error: true
run: |
# Create a Dockerfile that installs curl and makes outbound calls
cat <<EOF > Dockerfile
FROM ubuntu:latest
RUN apt-get update && apt-get install -y curl
RUN for i in {1..9}; do curl -I https://www.google.com && curl -I https://goreleaser.com; sleep 10; done
EOF
# Build the Docker image
docker build -t test-image .
# Print /etc/resolv.conf from the build container (temporary container used during build)
container_id=$(docker create test-image)
docker start $container_id
docker exec $container_id cat /etc/resolv.conf
docker stop $container_id
docker rm $container_id
- name: Print Docker logs with journalctl
run: |
sudo journalctl -u docker.service --no-pager
shell: bash
test-long-running-docker:
runs-on:
- runs-on=${{ github.run_id }}
- runner=2cpu-linux-x64
- image=ubuntu22-stepsecurity-x64
steps:
- name: Harden Runner
uses: step-security/harden-runner@rc
with:
egress-policy: block
allowed-endpoints: >
archive.ubuntu.com:80
auth.docker.io:443
github.com:443
goreleaser.com:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
security.ubuntu.com:80
- name: Checkout code
uses: actions/checkout@v3
- name: Run long-running Docker container with outbound calls
continue-on-error: true
run: |
# Start the long-running container
docker run --rm -d --name long-running-container ubuntu:latest bash -c "
apt-get update && apt-get install -y curl &&
while true; do
curl -I https://www.google.com;
curl -I https://goreleaser.com;
sleep 10;
done
"
# Print /etc/resolv.conf from the container
docker exec long-running-container cat /etc/resolv.conf
# Let the container run for 5 minutes
sleep 90
# Stop the container
docker stop long-running-container
You can view the security insights for this workflow run:
StepSecurity pricing is based on the number of contributing developers in protected repositories. See the pricing page for details. RunsOn integration comes at no additional cost to your existing RunsOn license.
No, Harden-Runner is optimized for low overhead. It monitors activity efficiently without slowing down builds.
No, the Harden-Runner community tier only works with GitHub-hosted runners. Self-hosted runners with RunsOn will need a StepSecurity enterprise license.