Which ports does a self hosted runner need?

I’m playing with the idea of self-hosting a runner since there is one Action that I need to take (fairly rarely) that runs more than 6h on a 2 core system. Not ideal, but oh well.

In order to minimize the risk I want to completely isolate that runner in its own DMZ, but it’s unclear how the communication between the runner and GitHub works. Is there a document that describes this beyond “it uses https to communicate” - do I need any inbound ports? Or is all communication runner-initiated and all I need is outbound tcp/443?

Any additional documentation on this would be appreciated.

Thanks for your feedback!

Self-hosted runners are a new feature of GitHub Actions; typical usage is documented in this link.

The runners connect back to GitHub, no need for inbound firewall holes. (Outbound https 443 is all that’s needed.)


Host github.com
  Hostname ssh.github.com
  Port 443

You can test that this works by connecting once more to GitHub:

$ ssh -T git@github.com
> Hi username! You’ve successfully authenticated, but GitHub does not
> provide shell access.
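
As an added example (not from this thread or from GitHub's documentation), a host firewall for the runner that matches the answer above: nothing inbound, outbound TCP 443 only. It assumes nftables on the runner host; the table name, the resolver address 192.0.2.53 and the DNS rule are assumptions that do not come from the page.

```nftables
# Added example: egress-only policy for an isolated self-hosted runner.
# Assumption: 192.0.2.53 is a placeholder for the DMZ's DNS resolver.
define dns_resolver = 192.0.2.53

table inet runner_dmz {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # Only replies to connections the runner itself opened.
        ct state established,related accept
        # No other accept rule: the runner needs no inbound ports.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # Assumption: name resolution goes to one known resolver.
        ip daddr $dns_resolver udp dport 53 accept
        ip daddr $dns_resolver tcp dport 53 accept
        # Runner-initiated HTTPS, and SSH over 443 via ssh.github.com.
        tcp dport 443 accept
        # Anything else a job tries to reach is counted, logged and dropped.
        counter log prefix "runner-egress-drop: " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the `runner-egress-drop` prefix to see which workflow steps attempt traffic outside the policy.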

So only outbound is needed from the runner?
The runner is polling for new jobs to run?
From the security point of view this is awesome, can you confirm this please?

Thank you.