Which ports does a self hosted runner need? #26630
-
I’m playing with the idea of self-hosting a runner since there is one Action that I need to take (fairly rarely) that runs more than 6h on a 2 core system. Not ideal, but oh well. In order to minimize the risk I want to completely isolate that runner in its own DMZ, but it’s unclear how the communication between the runner and GitHub works. Is there a document that describes this beyond “it uses https to communicate” - do I need any inbound ports? Or is all communication runner-initiated and all I need is outbound tcp/443? Any additional documentation on this would be appreciated.
Replies: 3 comments
-
Thanks for your feedback! Self-hosted runner is a new feature of GitHub Actions; typical usage is documented in this link. The runners connect back to GitHub, no need for inbound firewall holes. (Outbound https 443 is all that’s needed.)
-
So only outbound is needed from the runner? Thank you.
-
Self-hosted runners use HTTPS long poll with a connection timeout of 50 seconds. When that timeout occurs, a new connection is opened. This means you do not need to allow GitHub to make inbound connections to your runner. More here
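One way to check the isolation discussed in this thread on the runner host itself, as an added example (not part of any reply and not GitHub's own tooling): it audits `ss -tan`-style output against an "outbound tcp/443 only, nothing inbound" policy. The sample output, addresses and finding names are constructed for illustration, and the column layout of `ss -tan` is assumed.

```python
import ipaddress

# Constructed sample of `ss -tan` output; addresses are private/documentation ranges.
SAMPLE_SS = """\
State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    127.0.0.1:631        0.0.0.0:*
LISTEN  0      128    0.0.0.0:22           0.0.0.0:*
ESTAB   0      0      10.0.5.10:51844      192.0.2.10:443
ESTAB   0      0      10.0.5.10:22         10.0.1.7:40022
ESTAB   0      0      10.0.5.10:40112      198.51.100.7:8080
ESTAB   0      0      [::1]:44321          [::1]:631
"""

def split_endpoint(endpoint):
    """Split 'host:port', tolerating bracketed IPv6 and '*' wildcards."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # '*' or another wildcard: treat as reachable

def audit(ss_output):
    """Return (kind, detail) findings that violate the outbound-443-only policy."""
    rows = [l.split()[:5] for l in ss_output.splitlines()[1:] if l.strip()]
    # Ports with a listener: a connection on one of these was initiated by the peer.
    listen_ports = {split_endpoint(r[3])[1] for r in rows if r[0] == "LISTEN"}
    findings = []
    for state, _recvq, _sendq, local, peer in rows:
        lhost, lport = split_endpoint(local)
        phost, pport = split_endpoint(peer)
        if state == "LISTEN":
            if not is_loopback(lhost):
                findings.append(("exposed-listener", local))
        elif is_loopback(phost):
            continue  # host-local traffic never crosses the DMZ boundary
        elif lport in listen_ports:
            findings.append(("inbound-connection", f"{peer} -> {local}"))
        elif pport != "443":
            findings.append(("outbound-not-443", f"{local} -> {peer}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_SS):
        print(f"{kind}: {detail}")
```

The policy checked here covers what the thread says the runner itself needs; the jobs a runner executes may require additional egress that has to be reviewed separately.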