First see Adding Github Actions to a repo
If you have a repo or a job that is inappropriate to run on a shared resource, you may contact it@tufts.edu and request ESCP to create a custom private runner. For their convenience, include a link to this page in your request.
For ESCP:
If the runner is only needed by a single repo:
...
On the system where you want the runner to run, add the gitrunner1 service account, then log in and run sudo su - gitrunner1 to become that user.
...
Browse (or have the user browse) to the repo in the GitHub web interface. Click Settings > Actions > Runners. Create a new runner. This will only be accessible by this repo.
They give you some instructions to install and configure the runner, but you need a few modifications:
...
You will need an on-prem machine and service account to run the runner. Please contact escp-ticket@tufts.edu to create these.
After you’re able to log in to the machine and become the service account (i.e. sudo su - gitrunner1), open a web browser and browse to your repository.
Go to Settings > Actions > Runners > New Self-Hosted Runner.
It will give you a series of commands to paste into the terminal.
"rhel-8" or whatever

    $ ./config.sh --url [...]
    # !!!!
    # !!!! When prompted for name of runner group, just press enter for default.
    # !!!! When prompted for name of runner, use hostname_username, for example, myhost-dev-01_gitrunner1
    # !!!! When prompted for additional labels, just press enter for default.
    # !!!! When prompted for work folder, press Enter for default _work
    # !!!!

    # !!!!!! DON'T DO THIS! This will launch the runner once in the terminal,
    # !!!!!! and it will die when you logout. Instead, see below
    # Last step, run it!
    $ ./run.sh

    # (Yes, do this). To run as a service:
    # as root:
    # In the following, Don't just copy and paste. Edit before doing it.
    # runasuser=gitrunnerX
    # cd /home/${runasuser}/actions-runner
    # ./svc.sh install ${runasuser}
    # It will create a service, and display the service name. You can start, such as:
    # systemctl enable --now actions.runner.Tufts-Technology-Services.myhost-dev-01_${runasuser}

    # TODO!!
    # selinux will block the runner.
    # Going to have to do some of this:
    # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext
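The values that the comments above say to edit before running ./svc.sh install can be checked mechanically. The script below is an added example, not part of the original page or of GitHub's runner scripts; the function names are hypothetical, the refusal to use root is this example's own least-privilege check, and the unit name follows the organization-level pattern shown above (svc.sh still prints the authoritative name).

```shell
#!/bin/sh
# Added example (not ESCP's or GitHub's script): checks to run as root
# before "./svc.sh install <user>". Function names are hypothetical.

# valid_runasuser USER: reject empty, root, the unedited placeholder from
# this page (gitrunnerX), and anything that is not a plain account name.
valid_runasuser() {
    case "$1" in
        ''|root|gitrunnerX) return 1 ;;
        *[!a-z0-9_-]*)      return 1 ;;   # also blocks "/" and ".." in paths
        [a-z_]*)            return 0 ;;
        *)                  return 1 ;;
    esac
}

# runner_name HOST USER: the hostname_username convention from this page.
runner_name() { printf '%s_%s\n' "$1" "$2"; }

# service_unit ORG HOST USER: unit name in the pattern this page shows.
service_unit() { printf 'actions.runner.%s.%s\n' "$1" "$(runner_name "$2" "$3")"; }

# preflight ORG USER: print the expected names, or explain what is wrong.
preflight() {
    org=$1 user=$2
    if ! valid_runasuser "$user"; then
        echo "edit runasuser first: '$user' is not an acceptable account" >&2
        return 1
    fi
    uid=$(id -u "$user" 2>/dev/null) || {
        echo "account '$user' does not exist on this host" >&2; return 1; }
    if [ "$uid" -eq 0 ]; then
        echo "'$user' has UID 0; the runner must not run as root" >&2
        return 1
    fi
    dir=/home/$user/actions-runner        # path used on this page
    if [ ! -x "$dir/svc.sh" ]; then
        echo "$dir/svc.sh not found; run config.sh as $user first" >&2
        return 1
    fi
    host=$(hostname -s)
    echo "runner name : $(runner_name "$host" "$user")"
    echo "service unit: $(service_unit "$org" "$host" "$user")"
}

# Run only when called with arguments: sh preflight.sh ORG USER
if [ "$#" -ge 2 ]; then preflight "$1" "$2"; fi
```
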
If the runner could be used by multiple repositories, create a restricted access Runner Group:
Go to the Organization. Settings > Actions > Runner groups.
Create a new runner group.
Edit the group properties, and select which permissions to apply. (Which repos are allowed to use this runner group)
Install the runner as described in the section above for a single runner, BUT when prompted for name of runner group, specify your new runner group.
After the runner has started, return to the web interface. Under “Runners,” verify that the specific runner is in the Runner Group you specified.