DEV Community: Tuan Saad The latest articles on DEV Community by Tuan Saad (@tuan_saad_bd99b8fecac2e88). https://dev.to/tuan_saad_bd99b8fecac2e88 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2637443%2F8d13b04a-fd4d-495a-a195-c275205f8a06.jpg DEV Community: Tuan Saad https://dev.to/tuan_saad_bd99b8fecac2e88 en How to Configure Container App jobs as GitHub Action runners Tuan Saad Fri, 15 Aug 2025 22:04:24 +0000 https://dev.to/tuan_saad_bd99b8fecac2e88/how-to-configure-container-app-jobs-as-github-runners-2m29 https://dev.to/tuan_saad_bd99b8fecac2e88/how-to-configure-container-app-jobs-as-github-runners-2m29 <h1> Azure Container Apps GitHub Actions Runner Setup Guide </h1> <h2> Overview </h2> <p>Tired of paying for CI/CD runners that sit idle? Azure Container Apps jobs automatically spin up GitHub runners only when your workflows run, then shut them down when finished. You only pay for actual usage while keeping pipelines secure in private networks—no more expensive always-on VMs eating your budget</p> <p>This guide will help you set up a GitHub Actions self-hosted runner using Azure Container Apps. The runner will automatically scale based on your GitHub workflow queue and execute your CI/CD pipelines in isolated containers.</p> <h2> Prerequisites </h2> <p>Before starting, ensure you have:</p> <ul> <li>Azure CLI installed and configured</li> <li>An active Azure subscription</li> <li>A GitHub repository with Actions enabled</li> <li>GitHub Personal Access Token (PAT) with appropriate permissions</li> </ul> <h2> Required Permissions for GitHub PAT </h2> <p>Your GitHub Personal Access Token needs the following scopes:</p> <ul> <li> <code>repo</code> (Full control of private repositories)</li> <li> <code>workflow</code> (Update GitHub Action workflows)</li> <li> <code>admin:org</code> (if using organization-level runners)</li> </ul> <h2> Step 1: Install Azure Container Apps Extension </h2> <p>First, add the Container Apps extension to Azure CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az extension add <span class="nt">--name</span> containerapp <span class="nt">--upgrade</span> </code></pre> </div> <h2> Step 2: Configure Environment Variables </h2> <p>Set up your configuration variables. Replace the placeholder values with your actual information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Resource configuration</span> <span class="nv">RESOURCE_GROUP</span><span class="o">=</span><span class="s2">"jobs-sample"</span> <span class="nv">LOCATION</span><span class="o">=</span><span class="s2">"northcentralus"</span> <span class="nv">ENVIRONMENT</span><span class="o">=</span><span class="s2">"env-jobs-sample"</span> <span class="nv">JOB_NAME</span><span class="o">=</span><span class="s2">"github-actions-runner-job"</span> <span class="c"># GitHub configuration</span> <span class="nv">GITHUB_PAT</span><span class="o">=</span><span class="s2">"your_github_personal_access_token_here"</span> <span class="nv">REPO_OWNER</span><span class="o">=</span><span class="s2">"your-github-username"</span> <span class="nv">REPO_NAME</span><span class="o">=</span><span class="s2">"your-repository-name"</span> <span class="c"># Container configuration</span> <span class="nv">CONTAINER_IMAGE_NAME</span><span class="o">=</span><span class="s2">"github-actions-runner:1.0"</span> <span class="nv">CONTAINER_REGISTRY_NAME</span><span class="o">=</span><span class="s2">"your-unique-registry-name"</span> <span class="c"># Identity configuration</span> <span class="nv">IDENTITY</span><span class="o">=</span><span class="s2">"github-actions-runner-identity"</span> </code></pre> </div> <p>⚠️ <strong>Security Note</strong>: Never commit your GitHub PAT to version control. Consider using Azure Key Vault for production environments.</p> <h2> Step 3: Create Azure Container Registry </h2> <p>Create a container registry to store your runner image.<br> I've installed all the required:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az acr create <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"</span><span class="nv">$CONTAINER_REGISTRY_NAME</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--resource-group</span> <span class="s2">"</span><span class="nv">$RESOURCE_GROUP</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--location</span> <span class="s2">"</span><span class="nv">$LOCATION</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--sku</span> Basic </code></pre> </div> <h2> Step 4: Configure Registry Authentication </h2> <p>Enable authentication-as-ARM for your container registry:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az acr config authentication-as-arm show <span class="nt">--registry</span> <span class="s2">"</span><span class="nv">$CONTAINER_REGISTRY_NAME</span><span class="s2">"</span> </code></pre> </div> <h2> Step 5: Build the Runner Container Image </h2> <p>Build your GitHub Actions runner container image from the repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az acr build <span class="se">\</span> <span class="nt">--registry</span> <span class="s2">"</span><span class="nv">$CONTAINER_REGISTRY_NAME</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--image</span> github-actions-runner:2.1 <span class="se">\</span> <span class="nt">--file</span> <span class="s2">"Dockerfile.github"</span> <span class="se">\</span> <span class="s2">"https://github.com/TuanLikeminds/container-apps-ci-cd-runner-tutorial.git"</span> </code></pre> </div> <p>I've customized the Dockerfile used to build the github-actions running container image that can be found at <a href="https://github.com/Azure-Samples/container-apps-ci-cd-runner-tutorial/blob/main/Dockerfile.github" rel="noopener noreferrer">https://github.com/Azure-Samples/container-apps-ci-cd-runner-tutorial/blob/main/Dockerfile.github</a></p> <p>Pre-installed the Azure-CLI, Kubectl, and Helm binaries required by the actions runner docker container by installing Azure CLI and Kubectl. See below<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>FROM ghcr.io/actions/actions-runner:2.304.0 <span class="c"># for latest release, see https://github.com/actions/runner/releases</span> USER root <span class="c"># install curl and jq</span> RUN apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> curl jq apt-transport-https ca-certificates gnupg lsb-release git <span class="o">&amp;&amp;</span> <span class="se">\</span> apt-get clean <span class="o">&amp;&amp;</span> <span class="se">\</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="c"># install Azure CLI</span> <span class="c"># https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?view=azure-cli-latest&amp;pivots=apt#option-1-install-with-one-command</span> RUN curl <span class="nt">-sL</span> https://aka.ms/InstallAzureCLIDeb | bash <span class="o">&amp;&amp;</span> curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash RUN az aks install-cli RUN curl <span class="nt">-LO</span> https://storage.googleapis.com/kubernetes-release/release/<span class="si">$(</span>curl <span class="nt">-s</span> https://storage.googleapis.com/kubernetes-release/release/stable.txt<span class="si">)</span>/bin/linux/amd64/kubectl <span class="o">&amp;&amp;</span> <span class="se">\</span> <span class="nb">chmod</span> +x ./kubectl <span class="o">&amp;&amp;</span> <span class="se">\</span> <span class="nb">mv</span> ./kubectl /usr/local/bin/kubectl COPY github-actions-runner/entrypoint.sh ./entrypoint.sh RUN <span class="nb">chmod</span> +x ./entrypoint.sh USER runner ENTRYPOINT <span class="o">[</span><span class="s2">"./entrypoint.sh"</span><span class="o">]</span> </code></pre> </div> <h2> Step 6: Create the Container App Job </h2> <p>Create the container app job with auto-scaling configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az containerapp job create <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"</span><span class="nv">$JOB_NAME</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--resource-group</span> <span class="s2">"</span><span class="nv">$RESOURCE_GROUP</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--environment</span> <span class="s2">"</span><span class="nv">$ENVIRONMENT</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--trigger-type</span> Event <span class="se">\</span> <span class="nt">--replica-timeout</span> 1800 <span class="se">\</span> <span class="nt">--replica-retry-limit</span> 0 <span class="se">\</span> <span class="nt">--replica-completion-count</span> 1 <span class="se">\</span> <span class="nt">--parallelism</span> 1 <span class="se">\</span> <span class="nt">--image</span> <span class="s2">"</span><span class="nv">$CONTAINER_REGISTRY_NAME</span><span class="s2">.azurecr.io/</span><span class="nv">$CONTAINER_IMAGE_NAME</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--min-executions</span> 0 <span class="se">\</span> <span class="nt">--max-executions</span> 10 <span class="se">\</span> <span class="nt">--polling-interval</span> 30 <span class="se">\</span> <span class="nt">--scale-rule-name</span> <span class="s2">"github-runner"</span> <span class="se">\</span> <span class="nt">--scale-rule-type</span> <span class="s2">"github-runner"</span> <span class="se">\</span> <span class="nt">--scale-rule-metadata</span> <span class="s2">"githubAPIURL=https://api.github.com"</span> <span class="s2">"owner=</span><span class="nv">$REPO_OWNER</span><span class="s2">"</span> <span class="s2">"runnerScope=repo"</span> <span class="s2">"repos=</span><span class="nv">$REPO_NAME</span><span class="s2">"</span> <span class="s2">"targetWorkflowQueueLength=1"</span> <span class="se">\</span> <span class="nt">--scale-rule-auth</span> <span class="s2">"personalAccessToken=personal-access-token"</span> <span class="se">\</span> <span class="nt">--cpu</span> <span class="s2">"2.0"</span> <span class="se">\</span> <span class="nt">--memory</span> <span class="s2">"4Gi"</span> <span class="se">\</span> <span class="nt">--secrets</span> <span class="s2">"personal-access-token=</span><span class="nv">$GITHUB_PAT</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--env-vars</span> <span class="s2">"GITHUB_PAT=secretref:personal-access-token"</span> <span class="s2">"GH_URL=https://github.com/</span><span class="nv">$REPO_OWNER</span><span class="s2">/</span><span class="nv">$REPO_NAME</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--registry-server</span> <span class="s2">"</span><span class="nv">$CONTAINER_REGISTRY_NAME</span><span class="s2">.azurecr.io"</span> <span class="se">\</span> <span class="nt">--mi-user-assigned</span> <span class="s2">"</span><span class="nv">$IDENTITY_ID</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--registry-identity</span> <span class="s2">"</span><span class="nv">$IDENTITY_ID</span><span class="s2">"</span> </code></pre> </div> <h3> Key Configuration Parameters Explained </h3> <ul> <li> <strong>replica-timeout</strong>: Maximum time (30 minutes) a job can run</li> <li> <strong>min-executions/max-executions</strong>: Scaling limits (0-10 concurrent runners)</li> <li> <strong>polling-interval</strong>: How often to check for new workflows (30 seconds)</li> <li> <strong>targetWorkflowQueueLength</strong>: Triggers scaling when queue length reaches 1</li> <li> <strong>cpu/memory</strong>: Resource allocation per runner instance</li> </ul> <h2> Step 7: Configure Role Assignments </h2> <p>Set up the necessary permissions for your identities. You'll need to replace the GUIDs with your actual identity IDs:</p> <h3> For Container Registry Access </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Replace with your managed identity ID</span> <span class="nv">IDENTITY_ID</span><span class="o">=</span><span class="s2">"your-managed-identity-id"</span> <span class="c"># ACR Pull permissions</span> az role assignment create <span class="se">\</span> <span class="nt">--assignee</span> <span class="s2">"</span><span class="nv">$IDENTITY_ID</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--role</span> AcrPull <span class="se">\</span> <span class="nt">--scope</span> <span class="s2">"/subscriptions/your-subscription-id/resourceGroups/</span><span class="nv">$RESOURCE_GROUP</span><span class="s2">/providers/Microsoft.ContainerRegistry/registries/</span><span class="nv">$CONTAINER_REGISTRY_NAME</span><span class="s2">"</span> <span class="c"># ACR Push permissions (if needed for building images)</span> az role assignment create <span class="se">\</span> <span class="nt">--assignee</span> <span class="s2">"</span><span class="nv">$IDENTITY_ID</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--role</span> AcrPush <span class="se">\</span> <span class="nt">--scope</span> <span class="s2">"/subscriptions/your-subscription-id/resourceGroups/</span><span class="nv">$RESOURCE_GROUP</span><span class="s2">/providers/Microsoft.ContainerRegistry/registries/</span><span class="nv">$CONTAINER_REGISTRY_NAME</span><span class="s2">"</span> </code></pre> </div> <h3> For AKS Access (if deploying to Kubernetes) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az role assignment create <span class="se">\</span> <span class="nt">--assignee</span> <span class="s2">"</span><span class="nv">$IDENTITY_ID</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--role</span> <span class="s2">"Azure Kubernetes Service RBAC Admin"</span> <span class="se">\</span> <span class="nt">--scope</span> <span class="s2">"/subscriptions/your-subscription-id/resourceGroups/your-aks-resource-group/providers/Microsoft.ContainerService/managedClusters/your-aks-cluster-name"</span> </code></pre> </div> <h2> Step 8: Verify Setup </h2> <p>After completing the setup, verify your configuration:</p> <ol> <li> <p><strong>Check Container App Job Status</strong>:<br> </p> <pre class="highlight shell"><code>az containerapp job show <span class="nt">--name</span> <span class="s2">"</span><span class="nv">$JOB_NAME</span><span class="s2">"</span> <span class="nt">--resource-group</span> <span class="s2">"</span><span class="nv">$RESOURCE_GROUP</span><span class="s2">"</span> </code></pre> </li> <li> <p><strong>Monitor Logs</strong>:<br> </p> <pre class="highlight shell"><code>az containerapp job logs show <span class="nt">--name</span> <span class="s2">"</span><span class="nv">$JOB_NAME</span><span class="s2">"</span> <span class="nt">--resource-group</span> <span class="s2">"</span><span class="nv">$RESOURCE_GROUP</span><span class="s2">"</span> </code></pre> </li> <li><p><strong>GitHub Repository</strong>: Check your repository's Actions tab for the new self-hosted runner.</p></li> </ol> <h2> How It Works </h2> <ol> <li> <strong>Trigger</strong>: When a workflow is queued in your GitHub repository</li> <li> <strong>Scale</strong>: Container Apps detects the queue and starts a new runner instance</li> <li> <strong>Execute</strong>: The runner picks up and executes the workflow</li> <li> <strong>Clean Up</strong>: After completion, the runner instance is terminated</li> <li> <strong>Scale Down</strong>: When no workflows are queued, the system scales to zero</li> </ol> <h2> Troubleshooting </h2> <h3> Common Issues </h3> <ol> <li> <strong>Runner Not Appearing in GitHub</strong>: <ul> <li>Verify your GitHub PAT has correct permissions</li> <li>Check the REPO_OWNER and REPO_NAME variables</li> <li>Review container logs for authentication errors</li> </ul> </li> <li> <strong>Scaling Issues</strong>: <ul> <li>Ensure polling-interval and scale rule metadata are correctly configured</li> <li>Check if targetWorkflowQueueLength matches your needs</li> </ul> </li> <li> <strong>Container Registry Access</strong>: <ul> <li>Verify role assignments for your managed identity</li> <li>Ensure the container image exists in your registry</li> </ul> </li> </ol> <h3> Useful Commands </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># View job executions</span> az containerapp job execution list <span class="nt">--name</span> <span class="s2">"</span><span class="nv">$JOB_NAME</span><span class="s2">"</span> <span class="nt">--resource-group</span> <span class="s2">"</span><span class="nv">$RESOURCE_GROUP</span><span class="s2">"</span> <span class="c"># Get detailed logs</span> az containerapp job logs show <span class="nt">--name</span> <span class="s2">"</span><span class="nv">$JOB_NAME</span><span class="s2">"</span> <span class="nt">--resource-group</span> <span class="s2">"</span><span class="nv">$RESOURCE_GROUP</span><span class="s2">"</span> <span class="nt">--follow</span> <span class="c"># Update job configuration</span> az containerapp job update <span class="nt">--name</span> <span class="s2">"</span><span class="nv">$JOB_NAME</span><span class="s2">"</span> <span class="nt">--resource-group</span> <span class="s2">"</span><span class="nv">$RESOURCE_GROUP</span><span class="s2">"</span> <span class="nt">--image</span> <span class="s2">"new-image:tag"</span> </code></pre> </div> <h2> Security Best Practices </h2> <ol> <li> <strong>Use Managed Identities</strong>: Avoid storing credentials in environment variables</li> <li> <strong>Least Privilege</strong>: Grant only necessary permissions to your identities</li> <li> <strong>Regular Token Rotation</strong>: Rotate GitHub PATs regularly</li> <li> <strong>Network Security</strong>: Consider using private endpoints for production</li> <li> <strong>Resource Limits</strong>: Set appropriate CPU and memory limits</li> </ol> <h2> Cost Optimization </h2> <ul> <li> <strong>Scale to Zero</strong>: Runners automatically scale down when not in use</li> <li> <strong>Resource Sizing</strong>: Adjust CPU/memory based on your workflow requirements</li> <li> <strong>Regional Deployment</strong>: Choose regions close to your development team</li> <li> <strong>Monitoring</strong>: Use Azure Monitor to track usage and optimize</li> </ul> <h2> Next Steps </h2> <ul> <li>Set up monitoring and alerting for your runners</li> <li>Configure network policies for enhanced security</li> <li>Implement GitOps workflows using your new runners</li> <li>Consider setting up multiple runner pools for different workload types</li> </ul> <p><strong>Note</strong>: Remember to replace all placeholder values (subscription IDs, resource names, GitHub information) with your actual configuration before running the commands.</p>