Overview
This guide explains when and why self-hosted runners are required, along with alternatives and solutions to avoid them when possible.
1. GitHub-Hosted vs Self-Hosted Runners Comparison
Feature Comparison Table
| Aspect | GitHub-Hosted Runners | Self-Hosted Runners | Winner |
|---|
| Setup Complexity | None (ready to use) | High (manual setup) | GitHub-Hosted |
| Maintenance | Zero (managed by GitHub) | High (OS updates, security) | GitHub-Hosted |
| Cost | Pay per minute | Infrastructure + management cost | Depends on usage |
| Performance | Standard specs | Customizable | Self-Hosted |
| Network Access | Public internet only | Private networks | Self-Hosted |
| Security | Shared infrastructure | Dedicated/isolated | Self-Hosted |
| Compliance | Limited control | Full control | Self-Hosted |
| Scalability | Auto-scaling | Manual scaling | GitHub-Hosted |
2. Reasons Why Self-Hosted Runners Are Required
Network and Security Requirements
| Requirement | GitHub-Hosted Limitation | Self-Hosted Solution | Business Impact |
|---|
| Private Network Access | Cannot access private VNets | Direct VNet connectivity | Access internal resources |
| IP Whitelisting | Dynamic IP addresses | Static IP addresses | Firewall compliance |
| Corporate Firewall | Limited outbound access | Full firewall control | Security policy compliance |
| Private Endpoints | No access to private endpoints | Native private access | Data security |
| VPN Connectivity | Cannot connect to VPN | VPN/ExpressRoute access | Hybrid cloud scenarios |
Compliance and Governance
| Compliance Need | GitHub-Hosted Issue | Self-Hosted Advantage | Industry Examples |
|---|
| Data Residency | Data processed in GitHub’s regions | Control data location | Financial services, Healthcare |
| Audit Requirements | Limited audit capabilities | Full audit control | SOX, PCI-DSS |
| Air-Gapped Environments | Requires internet access | Can work offline | Government, Defense |
| Custom Security Tools | Cannot install custom tools | Full software control | Enterprise security |
| Regulatory Compliance | Shared responsibility model | Full compliance control | GDPR, HIPAA |
Performance and Resource Requirements
| Performance Need | GitHub-Hosted Constraint | Self-Hosted Benefit | Use Case |
|---|
| CPU/Memory | Fixed specs (2-4 cores, 7-14GB RAM) | Custom sizing | Large Terraform deployments |
| Storage | Limited disk space (14GB SSD) | Custom storage | Large artifact builds |
| Build Time | 6-hour job limit | No time limits | Long-running processes |
| Concurrent Jobs | Limited by plan | Unlimited (hardware dependent) | Parallel deployments |
| GPU Requirements | No GPU access | Custom GPU hardware | ML/AI workloads |
3. Alternative Solutions to Avoid Self-Hosted Runners
Solution 1: Hybrid Approach with Azure DevOps
| Component | Implementation | Benefit | Cost Impact |
|---|
| GitHub for Code | Source control and PR reviews | Developer experience | Low |
| Azure DevOps for Deployment | Azure-native deployment | Native Azure integration | Medium |
| GitHub Actions for CI | Build and test only | No network constraints | Low |
| Azure DevOps for CD | Production deployment | Private network access | Medium |
# GitHub Actions (CI only)
name: 'CI Pipeline'
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Terraform Validate
run: terraform validate
- name: Terraform Plan
run: terraform plan
- name: Upload Plan
uses: actions/upload-artifact@v3
with:
name: terraform-plan
path: tfplan
Solution 2: Container-Based Deployment
| Approach | Description | Pros | Cons |
|---|
| Azure Container Instances | Deploy runner as container | No VM management | Limited networking |
| Azure Kubernetes Service | K8s-based runners | Auto-scaling | Complex setup |
| Docker on VM | Containerized workloads | Isolation | VM maintenance required |
# Container-based runner deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: github-runner
spec:
replicas: 3
selector:
matchLabels:
app: github-runner
template:
metadata:
labels:
app: github-runner
spec:
containers:
- name: runner
image: myregistry.azurecr.io/github-runner:latest
env:
- name: REPO_URL
value: "https://github.com/org/repo"
- name: ACCESS_TOKEN
valueFrom:
secretKeyRef:
name: github-token
key: token
Solution 3: Serverless Deployment with Azure Functions
| Component | Purpose | Trigger | Limitation |
|---|
| GitHub Webhook | Trigger deployment | Push to main | Limited to simple deployments |
| Azure Function | Execute Terraform | HTTP trigger | 10-minute timeout |
| Logic Apps | Orchestrate workflow | Event-driven | Complex pricing |
| ARM Templates | Alternative to Terraform | Native Azure | Azure-only |
Solution 4: Managed Build Services
| Service | Provider | Integration | Cost Model | Best For |
|---|
| Azure DevOps | Microsoft | Native GitHub integration | Pay per user/pipeline | Enterprise |
| GitLab CI/CD | GitLab | GitHub mirror sync | Pay per user | Multi-cloud |
| CircleCI | CircleCI | GitHub app | Pay per usage | Startups |
| Jenkins on Azure | Open source | Custom integration | Infrastructure cost | Custom needs |
4. Cost Analysis: Self-Hosted vs Alternatives
Monthly Cost Comparison (Production Workload)
| Solution | Infrastructure | Management Time | Total Monthly Cost | Break-Even Point |
|---|
| GitHub-Hosted | $0 | 0 hours | $200-500/month | Immediate |
| Self-Hosted VM | $150/month | 8 hours | $350/month | 3 months |
| Azure DevOps | $0 | 2 hours | $120/month | Immediate |
| Container Instances | $100/month | 4 hours | $220/month | 2 months |
| Kubernetes | $200/month | 12 hours | $500/month | 6 months |
Cost Factors Breakdown
| Factor | GitHub-Hosted | Self-Hosted | Azure DevOps |
|---|
| Compute Time | $0.008/minute | Fixed monthly | $0.005/minute |
| Storage | Included | $20/month | Included |
| Networking | Included | $30/month | Included |
| Management | $0 | $80/hour labor | $20/hour labor |
| Security | Shared | $100/month tools | Shared |
5. Decision Matrix: When to Use Each Option
Use GitHub-Hosted Runners When:
| Criteria | Threshold | Example Scenarios |
|---|
| Simple Deployments | < 30 minutes | Static websites, small apps |
| Public Resources | No private networks | SaaS applications |
| Low Security Requirements | Standard compliance | Development environments |
| Cost Sensitive | < $500/month budget | Startups, personal projects |
| No Custom Tools | Standard tooling | Basic CI/CD pipelines |
Use Self-Hosted Runners When:
| Criteria | Requirement | Example Scenarios |
|---|
| Private Network Access | Must access private VNets | Enterprise applications |
| High Security | Data cannot leave premises | Financial, healthcare |
| Performance Requirements | > 4 cores, > 14GB RAM | Large Terraform deployments |
| Custom Software | Proprietary tools required | Enterprise DevOps |
| Compliance | Regulatory requirements | Government, banking |
Use Hybrid Approach When:
| Criteria | Scenario | Implementation |
|---|
| Mixed Workloads | Some public, some private | CI on GitHub, CD elsewhere |
| Migration Period | Moving to cloud gradually | Parallel systems |
| Risk Mitigation | Backup deployment method | Multiple options |
6. Recommended Solutions by Use Case
Startup/Small Business
Recommendation: GitHub-Hosted Runners
Reason: Low cost, no maintenance
Alternative: Azure DevOps (if Azure-heavy)
Enterprise with Private Networks
Recommendation: Self-Hosted on Azure VM
Reason: Network access, security control
Alternative: Azure DevOps with private agents
Multi-Cloud Environment
Recommendation: Self-Hosted Kubernetes
Reason: Portability, scalability
Alternative: GitLab CI/CD
Highly Regulated Industry
Recommendation: Air-gapped self-hosted
Reason: Compliance, data residency
Alternative: Azure Government Cloud
7. Migration Strategy from Self-Hosted to GitHub-Hosted
Step-by-Step Migration Plan
| Phase | Actions | Duration | Risk Level |
|---|
| Assessment | Audit current requirements | 1 week | Low |
| Pilot | Test simple workflows | 2 weeks | Medium |
| Network Solutions | Implement alternatives | 4 weeks | High |
| Gradual Migration | Move workloads incrementally | 8 weeks | Medium |
| Decommission | Remove self-hosted infrastructure | 2 weeks | Low |
Pre-Migration Checklist
- [ ] Network Requirements: Can workflows access required resources?
- [ ] Performance Requirements: Will GitHub-hosted specs suffice?
- [ ] Security Requirements: Is shared infrastructure acceptable?
- [ ] Compliance Requirements: Any regulatory blockers?
- [ ] Cost Analysis: Is migration cost-effective?
- [ ] Tool Dependencies: Are all tools available?
8. Best Practices for Each Approach
GitHub-Hosted Runners Best Practices
| Practice | Implementation | Benefit |
|---|
| Minimize Build Time | Cache dependencies | Reduce costs |
| Use Matrix Builds | Parallel execution | Faster feedback |
| Optimize Workflows | Conditional steps | Efficiency |
| Secure Secrets | GitHub secrets | Security |
Self-Hosted Runners Best Practices
| Practice | Implementation | Benefit |
|---|
| Automate Updates | Scheduled patching | Security |
| Monitor Health | Health checks | Reliability |
| Scale Appropriately | Auto-scaling groups | Cost optimization |
| Secure Access | VPN, private networks | Security |
Conclusion
Self-hosted runners are NOT always required. The decision should be based on:
- Network Requirements – Need for private network access
- Security/Compliance – Regulatory or security requirements
- Performance Needs – Resource requirements beyond GitHub-hosted limits
- Cost Considerations – Long-term cost analysis
- Maintenance Capacity – Team’s ability to manage infrastructure
Recommended Approach:
- Start with GitHub-hosted runners for most workloads
- Use alternatives (Azure DevOps, hybrid approach) when possible
- Only use self-hosted when absolutely necessary
- Plan migration path back to managed solutions when requirements change
Transform Business with Cloud
Devolity simplifies state management with automation, strong security, and detailed auditing—ideal for efficient, reliable infrastructure delivery.
