Hey everyone,
I just set up a self-hosted GitHub Actions runner in my homelab and wrote about it in my self-hosted blog! This is my second blog entry, so I would really appreciate any feedback or suggestions to help improve my writing is more than welcome.
You can check out the post here: https://cachaza.cc/blog/02-self-hosted-ci-cd
You must log in or register to comment.
I have a project on Forgejo and I’ve needed to set up a runner for compilation but I’ve been very confused so far on how everything works.
All I’ve been able to do is make a runner and connect it to my Forgejo instance, but I didn’t really know what to do from there.
That’s cool. Any reason why you went with a self-hosted GitHub runner over making the full jump to a self-hosted Gitea instance + runner?
This, but Forgejo instead of Gitea.
I tried this last week and it wasn’t very good. It was poorly documented, and when it failed out on a simple java CI, I just went back to act.
Yeah, the Forgejo documentation was dreadful when I last looked, it really showed its origin as a Gitea replacement for people already using (and understanding) Gitea.
My main reason was honestly laziness 😅 . I just went with what was quickest to set up. I also hadn’t realiced I could have two upstreams on my repo: one public-facing on GitHub (because I’m still in college and trying to build in public for future job opportunities) and another self-hosted on Gitea or GitLab for CI/CD.
That actually sounds like a great setup, so I’ll definitely look into it now. Thanks for the recommendation!
deleted by creator
I like that. I tried to get Actions in Forgejo working and that was a dead-end. So I’ve been using act manually.
Appreciate the writeup.
Thanks!!
I have a docker forgejo runner for CI with Codeberg. Where did you get stuck?
actions/setup-java@v4 would fail trying to find the java setup script at Forgejo’s runner source repo, and apparently it wasn’t there when I went to look. I’ll look at it another time when maybe all the backend is put together or there’s a way I can host the actions locally so I’m not relying on outside sources that might pollute my CI output.
With both Gitea and Forgejo, sometimes you need to hardcode the action URL, like:
https://github.com/actions/setup-java@v4I followed where it was going and it was a forgejo repo where there were some action sets but not that one. I figured they were using their own sets and hadn’t gotten around to java yet.
Well, yeah, thats why I’m saying if the action isn’t available directly from Forgejo, just write out the full action URL like the example in my last comment and pull it directly from GitHub. Most/all of the actions you’re pulling from Forgejo are originally forked from GitHub anyway. ¯\_(ツ)_/¯
Ah, OK. Now I get your point.
I can’t find it right now, but there used to be a warning about not self-hosting runners for public repos. Anyone could fork your repo, and the fork would inherit your runners, and then they could change the pipeline to RCE on your runner.
Has that been fixed?
I went to a completely private gitlab instead, with mirroring up to github for anything that needed to be public.
Edit: seems to maybe not be an issue anymore, at the very least it doesn’t seem to affect that repo. Still, for anyone else, make sure forks and MRs can’t cause action to run automatically on your runner, because that would be very bad.
There is no auth needed for gh runners? Like a secret shared between them and the repo? I would guess repo secrets are not shared when forked… right?
I think it was when you create a merge request back, that the original repo would then run the forked branch on the original runners.
From what I can tell, its now been much more locked down, so its better, but still worth being careful about.
More discussion: https://www.reddit.com/r/github/comments/1eslk2d/forks_and_selfhosted_action_runners/
The other potential risk is that the github action author maliciously modifies their code in a later version, but that is solved with version pinning the actions.
I also thought this wasn’t an issue anymore, there’s a setting in the Actions settings where you can enable or disable workflows from forked pull requests. But someone on Reddit spooked me a bit about it, so for now, I’ve made the repo private until I’m 100% sure there are no risks. I wanted it public because I was considering using GitHub Issues as a backend for blog comments, but I’ll reevaluate that. Also, thanks for the idea of running a local git server with mirroring to GitHub—I hadn’t considered having two upstreams. That could be a great setup, especially since I’m still in college and trying to build in public for future job opportunities while keeping CI/CD self-hosted.
I did create a fork and MR, and neither used your runner (sorry if that is what spooked you).
Develop local and push remote also let’s you sanitize what is public and what isnt. Keep your half-backed personal projects local, push the good stuff to github for job opportunities.
No worries! When I checked the repo, I didn’t see any forks, and my Proxmox resource usage looked normal, so I didn’t think anything bad happened. I just got cautious after a Reddit user pointed out that the config I thought was safe wasn’t actually secure.
I hadn’t thought of it that way, but it makes a lot of sense. I was just avoiding committing certain things and only pushing finished work to GitHub.
Why? It’s free if you don’t setup a custom runner and those cover your areas.
Basically, I just wanted to tinker and learn. Self-hosting my CI/CD pipeline seemed like an interesting approach, and I wanted to explore how it all works beyond just using GitHub’s free runners.
1500 action minutes/mo limit.
