A self-hosted GitHub Actions runner container image, built on top of the official ghcr.io/actions/actions-runner image with a handful of everyday CLI tools preinstalled.
The upstream runner image is intentionally minimal and does not ship curl, wget, or rsync — tools most real-world CI workflows expect to just be there. This image adds them so workflows don't have to apt install them on every run.
It is a drop-in replacement for the upstream image: anywhere ghcr.io/actions/actions-runner works, this image works.
Based on ghcr.io/actions/actions-runner, with the following additional packages installed via apt:
curl— HTTP clientwget— HTTP/FTP downloaderrsync— fast file transfer and sync
See Dockerfile for the exact build definition.
The image is published to GitHub Container Registry:
ghcr.io/enthus-appdev/github-actions-runner
Available tags:
| Tag | Description |
|---|---|
main |
Latest build from the main branch. Updated on every push. |
nightly |
Latest scheduled rebuild. Updated daily to pick up upstream base-image fixes. |
For reproducible deployments, pin to an image digest (@sha256:...) rather than a mutable tag.
Pull it with:
docker pull ghcr.io/enthus-appdev/github-actions-runner:mainThe package page on GHCR: https://github.com/enthus-appdev/github-actions-runner/pkgs/container/github-actions-runner
Every published image is signed with cosign using keyless signing against the sigstore public-good instance. The signing certificate is issued by Fulcio, bound to this repository's GitHub Actions OIDC identity, and logged to the Rekor transparency log.
You can verify an image with:
cosign verify \
--certificate-identity-regexp 'https://github.com/enthus-appdev/github-actions-runner/\.github/workflows/docker-publish\.yml@.*' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/enthus-appdev/github-actions-runner:mainA successful verification proves the image was built from this repository's workflow and has not been tampered with since.
Because this image is a drop-in replacement for the upstream actions runner image, you can use it with any deployment method that supports ghcr.io/actions/actions-runner.
If you run runners on Kubernetes via Actions Runner Controller, reference the image from your AutoscalingRunnerSet (or the legacy RunnerDeployment):
apiVersion: actions.github.com/v1alpha1
kind: AutoscalingRunnerSet
metadata:
name: my-runners
spec:
template:
spec:
containers:
- name: runner
image: ghcr.io/enthus-appdev/github-actions-runner:mainSee the ARC quickstart for the full installation guide.
Since this image inherits the upstream entrypoint, registering a runner works the same way as with the upstream image. Refer to the upstream runner documentation for the current registration flow.
The image is built and published by the docker-publish.yml workflow, which runs:
- On every push to
main - On a daily schedule (
33 10 * * *UTC) — so upstream base-image and package updates get picked up even when the Dockerfile itself hasn't changed
Each run:
- Builds the image with Docker Buildx (with GitHub Actions cache)
- Pushes it to GHCR
- Signs the resulting digest with cosign (keyless)
Base-image versions and third-party action digests are kept up to date by Dependabot, which opens PRs daily.
If you need additional tools, fork the repository, edit the Dockerfile, and let the workflow rebuild on your fork. Only apt-installable packages should be added here — anything heavier (language toolchains, cloud CLIs, build-specific dependencies) is usually better installed per-job via setup-* actions, to keep the base image small and the cache hot.
Issues and pull requests are welcome. For anything larger than a dependency bump or a package addition, please open an issue first to discuss the change.
The contents of this repository are licensed under the MIT License © enthus GmbH.
The built image is derived from ghcr.io/actions/actions-runner, which is distributed by GitHub under its own license.