Air-gapped and offline notes

Runaway orchestrates GitHub Actions runners. The hub has to reach github.com (or your GitHub host) to register runners, poll for queued jobs, and clean up after them. A fully air-gapped, no- GitHub deployment isn’t a supported mode — there’d be no GitHub for the runners to talk to.

That said, restricted-egress networks are workable, and Runaway is deliberately quiet about what it reaches beyond GitHub.

What Runaway does not do

• It doesn’t phone home by default. Anonymous telemetry is opt-in and off by default — no ping leaves the hub unless you turn it on in Settings.
• It fetches no remote data at boot. Things like pricing tables are vendored into the build, not downloaded at startup, so the hub doesn’t depend on reaching a third party to come up.

Note

The only outbound dependency Runaway requires is GitHub itself. There is no Runaway-operated service the hub must reach to function.

Restricted-egress networks

If your hosts can’t pull images or packages from the public internet directly:

• Pull images through a mirror. The agent and runner images can come from a local registry mirror or pull-through cache instead of the public registry. See Registry mirror.
• Route package downloads through your own proxies. Point package managers at your internal registry proxies per scale set, so jobs pull dependencies from your network. See Custom environment variables.

These cover the common “egress locked down, GitHub reachable” case. If GitHub is unreachable, the runners have nothing to do.

What’s next

Registry mirror Pull agent and runner images through a cache.

Custom environment variables Route package managers through your own proxies.