> Why both “runs-on” and “container” are required when I want to run a container, and what exactly does this mean? Let’s say for example that I have “runs-on: ubuntu-latest” and “container: centos-latest”. Does this mean that my requested centos-latest image will run on an ubuntu-latest virtual machine? Why do I even have to specify the host operating system (ubuntu-latest) if I plan to use a container and do everything I want to do there?

Yes, you’re exactly right - that’s what that means.

You need to specify that because the underlying virtual machine dictates the type of containers that you can run.  You need an underlying Windows virtual machine (ie, runs-on: windows-latest) to use Windows based containers.  And you need an underlying Linux virtual machine (runs-on: ubuntu-latest) to use Linux based containers.

Since we don’t know what type of container you’re trying to run until we download it, we can’t let you skip specifying a virtual machine type.  (We need to provision a virtual machine just to do that download.)

> What if someone wants to create a build matrix with different containers? To my understanding this is not possible at the moments because the build matrix somehow works only with the “runs-on” option.

That’s possible - there’s nothing special about the runs-on key in a matrix.  A matrix is really only variable substitution.  To use a matrix of different containers, you can:

jobs:
  build:
    name: Build on ${{matrix.container }}
    runs-on: ubuntu-latest
    container: ${{ matrix.container }}
    strategy:
      matrix:
        container: ['ubuntu:16.04', 'ubuntu:18.04']
    steps:
    - run: cat /etc/debian_version