Skip to content

On-demand self-hosted AWS EC2 runner for GitHub Actions

License

Notifications You must be signed in to change notification settings

ottimis/ec2-github-runner

 
 

Repository files navigation

On-demand self-hosted AWS EC2 runner for GitHub Actions

⭐️ Organization level oriented ⭐️

⚠️ This project is a fork of the original [machulav/ec2-github-runner], that seems to be abandoned and repository level oriented.

New features

  • Support for AWS SDK 3
  • Support for autoshutdown of the runner after a period of inactivity
  • Search for existing runners before starting a new one

If you like the project, please consider supporting Ukraine in a war against russian occupants. Any help would be much appreciated!


Start your EC2 self-hosted runner right before you need it. Run the job on it. Finally, you can stop it when you finish or wait for it to be automatically stopped after a period of inactivity. And all this automatically as a part of your GitHub Actions workflow.

GitHub Actions self-hosted EC2 runner

See below the YAML code of the depicted workflow.

Table of Contents

Use cases

Access private resources in your VPC

The action can start the EC2 runner in any subnet of your VPC that you need - public or private. In this way, you can easily access any private resources in your VPC from your GitHub Actions workflow.

For example, you can access your database in the private subnet to run the database migration.

Customize hardware configuration

GitHub provides one fixed hardware configuration for their Linux virtual machines: 2-core CPU, 7 GB of RAM, 14 GB of SSD disk space.

Some of your CI workloads may require more powerful hardware than GitHub-hosted runners provide. In the action, you can configure any EC2 instance type for your runner that AWS provides.

For example, you may run a c5.4xlarge EC2 runner for some of your compute-intensive workloads. Or r5.xlarge EC2 runner for workloads that process large data sets in memory.

Save costs

If your CI workloads don't need the power of the GitHub-hosted runners and the execution takes more than a couple of minutes, you can consider running it on a cheaper and less powerful instance from AWS.

According to GitHub's documentation, you don't need to pay for the jobs handled by the self-hosted runners:

Self-hosted runners are free to use with GitHub Actions, but you are responsible for the cost of maintaining your runner machines.

So you will be charged by GitHub only for the time the self-hosted runner start and stop. EC2 self-hosted runner will handle everything else so that you will pay for it to AWS, which can be less expensive than the price for the GitHub-hosted runner.

Usage

How to start

Use the following steps to prepare your workflow for running on your EC2 self-hosted runner:

1. Prepare IAM user with AWS access keys

  1. Create new AWS access keys for the new or an existing IAM user with the following least-privilege minimum required permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:RunInstances",
            "ec2:TerminateInstances",
            "ec2:DescribeInstances",
            "ec2:DescribeInstanceStatus"
          ],
          "Resource": "*"
        }
      ]
    }
    

    If you plan to attach an IAM role to the EC2 runner with the iam-role-name parameter, you will need to allow additional permissions:

    {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "ec2:ReplaceIamInstanceProfileAssociation",
           "ec2:AssociateIamInstanceProfile"
         ],
         "Resource": "*"
       },
       {
         "Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "*"
       }
     ]
    }
    

    If you use the aws-resource-tags parameter, you will also need to allow the permissions to create tags:

    {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "ec2:CreateTags"
         ],
         "Resource": "*",
         "Condition": {
           "StringEquals": {
             "ec2:CreateAction": "RunInstances"
           }
         }
       }
     ]
    }
    

    If you use the ec2-reuse-instance parameter, you will also need to allow the permissions to describe tags:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeTags"
          ],
          "Resource": "*"
        }
      ]
    }
    

If you use the ec2-auto-termination parameter, you will also need to allow the permissions to put metric alarm on CloudWatch:

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": [
       "cloudwatch:PutMetricAlarm"
     ],
     "Resource": "*"
   }
 ]
}

These example policies above are provided as a guide. They can and most likely should be limited even more by specifying the resources you use.

  1. Add the keys to GitHub secrets or use OIDC to authenticate user and assume role with previous policies.
  2. Use the aws-actions/configure-aws-credentials action to set up the keys as environment variables.

2. Prepare GitHub personal access token

  1. Create a new GitHub personal access token with the repo and admin:org scope. The action will use the token for self-hosted runners management in the GitHub account on the organization level.
  2. Add the token to GitHub secrets.

3. Prepare EC2 image

  1. Create a new EC2 instance based on any Linux distribution you need.

  2. Connect to the instance using SSH, install docker and git, then enable docker service.

    For Amazon Linux 2, it looks like the following:

     sudo yum update -y && \
     sudo yum install docker -y && \
     sudo yum install git -y && \
     sudo yum install libicu -y && \
     sudo systemctl enable docker
    

    For other Linux distributions, it could be slightly different.

  3. Install any other tools required for your workflow.

  4. Create a new EC2 image (AMI) from the instance.

  5. Remove the instance if not required anymore after the image is created.

Alternatively, you can use a vanilla EC2 AMI and set up the dependencies via pre-runner-script in the workflow YAML file. See example in the pre-runner-script documentation below.

4. Prepare VPC with subnet and security group

  1. Create a new VPC and a new subnet in it. Or use the existing VPC and subnet.
  2. Create a new security group for the runners in the VPC. Only the outbound traffic on port 443 should be allowed for pulling jobs from GitHub. No inbound traffic is required.

5. Configure the GitHub workflow

  1. Create a new GitHub Actions workflow or edit the existing one.
  2. Use the documentation and example below to configure your workflow.

Now you're ready to go!

Inputs

              Name               Required Description
mode Always required. Specify here which mode you want to use:
- start - to start a new runner;
- stop - to stop the previously created runner.
github-token Always required. GitHub Personal Access Token with the repo scope assigned.
github-runner-group Optional. Used only with the start mode. Name of the runner group.

The runner will be added to the group with this name.
ec2-image-id Required if you use the start mode. EC2 Image Id (AMI).

The new runner will be launched from this image.

The action is compatible with Amazon Linux 2 images.
ec2-instance-type Required if you use the start mode. EC2 Instance Type.
subnet-id Required if you use the start mode. VPC Subnet Id.

The subnet should belong to the same VPC as the specified security group.
security-group-id Required if you use the start mode. EC2 Security Group Id.

The security group should belong to the same VPC as the specified subnet.

Only the outbound traffic for port 443 should be allowed. No inbound traffic is required.
label Required if you use the stop mode. Name of the unique label assigned to the runner.

The label is provided by the output of the action in the start mode.

The label is used to remove the runner from GitHub when the runner is not needed anymore.
ec2-instance-id Required if you use the stop mode. EC2 Instance Id of the created runner.

The id is provided by the output of the action in the start mode.

The id is used to terminate the EC2 instance when the runner is not needed anymore.
ec2-reuse-instance Optional. Used only with the start mode. Reuse the existing EC2 instance if tags match.
iam-role-name Optional. Used only with the start mode. IAM role name to attach to the created EC2 runner.

This allows the runner to have permissions to run additional actions within the AWS account, without having to manage additional GitHub secrets and AWS users.

Setting this requires additional AWS permissions for the role launching the instance (see above).
aws-resource-tags Optional. Used only with the start mode. Specifies tags to add to the EC2 instance and any attached storage.

This field is a stringified JSON array of tag objects, each containing a Key and Value field (see example below).

Setting this requires additional AWS permissions for the role launching the instance (see above).
ec2-region Optional. Used only with the start mode. AWS Region where the EC2 instance will be launched.
runner-home-dir Optional. Used only with the start mode. Specifies a directory where pre-installed actions-runner software and scripts are located.

pre-runner-script Optional. Used only with the start mode. Specifies bash commands to run before the runner starts. It's useful for installing dependencies with apt-get, yum, dnf, etc. For example:
          - name: Start EC2 runner
with:
mode: start
...
pre-runner-script: |
sudo yum update -y && \
sudo yum install docker git libicu -y
sudo systemctl enable docker
auto-termination Optional. Used only with the start mode. Automatically terminate the runner after the job is completed.
termination-delay Optional. Used only with the start mode. The delay in seconds before the runner is terminated after the job is completed.


Environment variables

In addition to the inputs described above, the action also requires the following environment variables to access your AWS account:

  • AWS_DEFAULT_REGION
  • AWS_REGION
  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY

We recommend using aws-actions/configure-aws-credentials action right before running the step for creating a self-hosted runner. This action perfectly does the job of setting the required environment variables.

Outputs

              Name               Description
label Name of the unique label assigned to the runner.

The label is used in two cases:
- to use as the input of runs-on property for the following jobs;
- to remove the runner from GitHub when it is not needed anymore.
ec2-instance-id EC2 Instance Id of the created runner.

The id is used to terminate the EC2 instance when the runner is not needed anymore.

Example

The workflow showed in the picture above and declared in do-the-job.yml looks like this:

name: do-the-job
on: pull_request
jobs:
  start-runner:
    name: Start self-hosted EC2 runner
    runs-on: ubuntu-latest
    outputs:
      label: ${{ steps.start-ec2-runner.outputs.label }}
      ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Start EC2 runner
        id: start-ec2-runner
        uses: machulav/ec2-github-runner@v2
        with:
          mode: start
          ec2-image-id: 'ami-0c7c5083246fe12c2'
          ec2-instance-type: 't3.micro'
          ec2-reuse-instance: 'true'
          ec2-region: 'eu-south-1'
          subnet-id: 'subnet-056d7186c65b6adf0'
          security-group-id: 'sg-0ea074c6c05b7badd'
          aws-resource-tags: '[{"Key": "Runner", "Value": "1"}]'
          runner-home-dir: '/home/ubuntu/actions-runner'
          auto-termination: 'true'
          termination-delay: '10'
          github-token: ${{ secrets.GITHUB_TOKEN }}
          github-runner-group: 'default'
  do-the-job:
    name: Do the job on the runner
    needs: start-runner # required to start the main job when the runner is ready
    runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
    steps:
      - name: Hello World
        run: echo 'Hello World!'
  # Optional job to stop the runner after the main job is done  
  stop-runner:
    name: Stop self-hosted EC2 runner
    needs:
      - start-runner # required to get output from the start-runner job
      - do-the-job # required to wait when the main job is done
    runs-on: ubuntu-latest
    if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Stop EC2 runner
        uses: machulav/ec2-github-runner@v2
        with:
          mode: stop
          github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
          label: ${{ needs.start-runner.outputs.label }}
          ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}

Self-hosted runner security with public repositories

We recommend that you do not use self-hosted runners with public repositories.

Forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow.

Please find more details about this security note on GitHub documentation.

License Summary

This code is made available under the MIT license.

About

On-demand self-hosted AWS EC2 runner for GitHub Actions

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • JavaScript 100.0%