manageitwa/github-ephemeral-runner

GitHub Actions Ephemeral Runner

This repo provides a Docker image suitable for running an ephemeral GitHub Actions runner in a containerized environment. An ephemeral runner will register itself, run a single job and then terminate and unregister itself, making it ideal for scalable CI/CD pipelines.

The image is based on the Runner images used by the nektos/act project, with the addition of Docker being available within the container. While it is compatible with most GitHub Actions, it does not have the full set of tools and environments available and requires the runners to set themselves up as needed, or to use a Docker image to provide the necessary environment.

Requirements

In order to run this image, your hosting environment - either Docker or Kubernetes - must use the Sysbox runtime to provide the necessary isolation and allow for the Docker daemon within this image to run in an unprivileged container. (Installation instructions here)

Security notes

The image itself runs as root initially, in order to be able to start the internal Docker daemon. The Docker daemon is separate from any external daemon, so you do not need to provide a Docker socket or API connection. When the runner is initialized, it will run the GitHub Actions runner utility as a non-privileged user, ensuring that any job run within the container does not have root access to the container. The non-privileged user does have access to the internal Docker daemon.
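The following is an added example, not part of this repository: a host-side check that a running runner container matches the Requirements and Security notes above (Sysbox runtime, not privileged, no host Docker socket mounted). It assumes the Docker CLI on the host and that Sysbox is registered under its usual runtime name `sysbox-runc`; the container name passed to `audit_container` is whatever you chose when starting the runner.

```sh
#!/bin/sh
# Added example (not the project's own code): audit a runner container's isolation.
# Usage after sourcing this file: audit_container <container-name>

# check_isolation RUNTIME PRIVILEGED MOUNT_SOURCES
# Prints one finding per line; returns 0 if every check passes, 1 otherwise.
check_isolation() {
    runtime=$1
    privileged=$2
    mounts=$3
    rc=0
    # The README requires the Sysbox runtime (assumed registered as sysbox-runc).
    if [ "$runtime" != "sysbox-runc" ]; then
        echo "FAIL runtime=$runtime (expected sysbox-runc)"
        rc=1
    fi
    # Sysbox is what lets the inner dockerd run without a privileged container.
    if [ "$privileged" != "false" ]; then
        echo "FAIL container is privileged"
        rc=1
    fi
    # The inner daemon is separate from the host's; a host socket mount
    # would hand jobs control of the external daemon instead.
    case "$mounts" in
        *docker.sock*)
            echo "FAIL host Docker socket is mounted"
            rc=1
            ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK"
    fi
    return "$rc"
}

# audit_container NAME
# Reads the three properties from `docker inspect` and evaluates them.
# Returns 2 if the container cannot be inspected.
audit_container() {
    name=$1
    rt=$(docker inspect --format '{{.HostConfig.Runtime}}' "$name") || return 2
    priv=$(docker inspect --format '{{.HostConfig.Privileged}}' "$name") || return 2
    srcs=$(docker inspect --format '{{range .Mounts}}{{.Source}} {{end}}' "$name") || return 2
    check_isolation "$rt" "$priv" "$srcs"
}
```

The check covers only how the container was started; jobs inside it still reach the internal Docker daemon as the non-privileged user, as the notes above state.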

About

Docker image for running an ephemeral self-hosted GitHub Actions runner
