Skip to main content

ADR-015: Use of GitHub Actions Runner Controller in Cloud Platform

Status

❌ Rejected

Context:

Our organisation aimed to implement GitHub Actions Runner Controller within our cloud platform to manage CI/CD processes efficiently for private repositories. This approach was expected to increase autonomy, reduce costs, and avoid limitations set by external CI/CD services.

Decision:

After carefully considering it, we have decided not to implement GitHub Actions Runner Controller on our Cloud Platform. This decision is based on the incompatibility between GitHub Actions’ requirements and our Cloud Platform’s security policies.

  • GitHub Actions Requirement: GitHub Actions necessitates that runners operate as the root user in a Docker environment. This is essential for the correct functioning of GitHub Actions (GitHub Documentation).

  • Cloud Platform Policy: Our Cloud Platform strictly prohibits the creation of pods that operate as the root user or have access to the root file system. This policy is crucial for maintaining the platform’s security and preventing potential vulnerabilities.

Consequences:

  1. Security Maintenance: By adhering to our Cloud Platform’s security policies, we maintain the high-security standards essential for our organization’s operations.

  2. Operational Consistency: This decision ensures consistency in our operational practices and avoids setting a precedent for policy exceptions.

Alternatives Considered:

  1. Policy Exception for GitHub Actions: This was deemed too risky due to the potential security vulnerabilities it could introduce.

  2. Use of External CI/CD Services: Continuation with external CI/CD services like GitHub-hosted runners, albeit with limitations in control and potential cost implications.

  3. Exploring Other CI/CD Tools: Investigating other CI/CD tools that comply with our security policies and can be integrated into our Cloud Platform.

Decision Rationale:

The primary rationale behind this decision is the commitment to maintaining the highest level of security and integrity in our Cloud Platform operations. The potential security risks associated with running GitHub Actions runners as root users are in direct conflict with our established security policies.

Future Considerations:

This decision should be revisited if either GitHub Actions changes its requirements to be more aligned with our security policies, or if our Cloud Platform evolves to accommodate such requirements in a secure manner.

Investigation 24/07/2024

Investigated the impact of internal github actions minutes quota saturation on repositories across the organisation. We were able to relieve pressure on the quota using non-infrastructural solutions, such as tuning down high minutes consuming pipelines and converting some internal repositories to public repositories. It was found that those repositories most affected by quota saturation run priveleged workloads, which we cannot currently facilitate an infrastructural solution for (see decision above). There are several internal repositories which don’t conduct priveleged operations in their CICD, and therefore we could potentially deploy non-priveleged failover infrastrcutre for, however these repositories are less affected by running out of minutes at this time. The conclusion of this investigation was that there currently isn’t a strong enough argument to create a failover solution for this issue, and non-infrastructural solutions should suffice in controlling gha minutes quota consumption by internal repositories for the forseeable future.

This page was last reviewed on 28 November 2024. It needs to be reviewed again on 28 May 2025 by the page owner #operations-engineering-alerts .