{"id":815,"date":"2026-02-22T12:16:54","date_gmt":"2026-02-22T11:16:54","guid":{"rendered":"https:\/\/secure-pipelines.com\/ci-cd-security\/lab-ephemeral-self-hosted-runners-actions-runner-controller-2\/"},"modified":"2026-03-25T09:55:27","modified_gmt":"2026-03-25T08:55:27","slug":"lab-ephemeral-self-hosted-runners-actions-runner-controller","status":"publish","type":"post","link":"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/lab-ephemeral-self-hosted-runners-actions-runner-controller\/","title":{"rendered":"\u0645\u062e\u062a\u0628\u0631: \u062a\u0634\u063a\u064a\u0644 Runners \u0630\u0627\u062a\u064a\u0629 \u0627\u0644\u0627\u0633\u062a\u0636\u0627\u0641\u0629 \u0645\u0624\u0642\u062a\u0629 \u0644\u0640 GitHub Actions \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Actions Runner Controller"},"content":{"rendered":"<h2>\u0646\u0638\u0631\u0629 \u0639\u0627\u0645\u0629<\/h2>\n<p>\u062a\u064f\u0639\u062f GitHub-hosted runners \u0645\u0634\u062a\u0631\u0643\u0629 \u0648\u0645\u0624\u0642\u062a\u0629 \u0628\u0634\u0643\u0644 \u0627\u0641\u062a\u0631\u0627\u0636\u064a \u2014 \u062d\u064a\u062b \u064a\u062d\u0635\u0644 \u0643\u0644 \u0645\u0647\u0645\u0629 (job) \u0639\u0644\u0649 \u0622\u0644\u0629 \u0627\u0641\u062a\u0631\u0627\u0636\u064a\u0629 \u062c\u062f\u064a\u062f\u0629 \u064a\u062a\u0645 \u062a\u062f\u0645\u064a\u0631\u0647\u0627 \u0628\u0639\u062f \u0627\u0643\u062a\u0645\u0627\u0644 \u0627\u0644\u0645\u0647\u0645\u0629. \u0623\u0645\u0627 Self-hosted runners\u060c \u0641\u0647\u064a \u062f\u0627\u0626\u0645\u0629 \u0648\u0645\u0634\u062a\u0631\u0643\u0629 \u0639\u0628\u0631 \u0639\u0645\u0644\u064a\u0627\u062a \u062a\u0634\u063a\u064a\u0644 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0645\u062e\u062a\u0644\u0641\u0629. 
\u064a\u064f\u0634\u0643\u0651\u0644 \u0647\u0630\u0627 \u062e\u0637\u0631\u0627\u064b \u0623\u0645\u0646\u064a\u0627\u064b \u0643\u0628\u064a\u0631\u0627\u064b: \u062d\u064a\u062b \u064a\u0645\u0643\u0646 \u0623\u0646 \u062a\u062a\u0633\u0631\u0628 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 (secrets) \u0648\u0627\u0644\u0631\u0645\u0648\u0632 (tokens) \u0648\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 (build artifacts) \u0645\u0646 \u0645\u0647\u0645\u0629 \u0625\u0644\u0649 \u0623\u062e\u0631\u0649. \u064a\u0645\u0643\u0646 \u0644\u0633\u064a\u0631 \u0639\u0645\u0644 \u0645\u062e\u062a\u0631\u0642 \u0623\u0646 \u064a\u064f\u0644\u0648\u0651\u062b \u0628\u064a\u0626\u0629 \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0644\u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u0647\u0627\u0645 \u0627\u0644\u0645\u0633\u062a\u0642\u0628\u0644\u064a\u0629.<\/p>\n<p>\u064a\u062d\u0644 <strong>Actions Runner Controller (ARC)<\/strong> \u0647\u0630\u0647 \u0627\u0644\u0645\u0634\u0643\u0644\u0629. ARC \u0647\u0648 \u0645\u0634\u063a\u0651\u0644 \u0623\u0635\u0644\u064a \u0644\u0640 Kubernetes \u064a\u0645\u0646\u062d\u0643 runners \u0645\u0624\u0642\u062a\u0629\u060c \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0648\u0633\u0639 \u0627\u0644\u062a\u0644\u0642\u0627\u0626\u064a\u060c \u0648\u0645\u0628\u0646\u064a\u0629 \u0639\u0644\u0649 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a. 
\u062a\u062d\u0635\u0644 \u0643\u0644 \u0645\u0647\u0645\u0629 \u0639\u0644\u0649 pod \u062c\u062f\u064a\u062f \u064a\u062a\u0645 \u062a\u062f\u0645\u064a\u0631\u0647 \u0639\u0646\u062f \u0627\u0643\u062a\u0645\u0627\u0644 \u0627\u0644\u0645\u0647\u0645\u0629 \u2014 \u062a\u0645\u0627\u0645\u0627\u064b \u0645\u062b\u0644 GitHub-hosted runners\u060c \u0648\u0644\u0643\u0646\u0647\u0627 \u062a\u0639\u0645\u0644 \u0639\u0644\u0649 \u0628\u0646\u064a\u062a\u0643 \u0627\u0644\u062a\u062d\u062a\u064a\u0629 \u0627\u0644\u062e\u0627\u0635\u0629 \u0645\u0639 \u0623\u062f\u0648\u0627\u062a\u0643 \u0648\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0634\u0628\u0643\u0629 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643.<\/p>\n<p>\u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0627\u0644\u0639\u0645\u0644\u064a\u060c \u0633\u062a\u0642\u0648\u0645 \u0628\u0640:<\/p>\n<ul>\n<li>\u0646\u0634\u0631 ARC \u0639\u0644\u0649 \u0645\u062c\u0645\u0648\u0639\u0629 Kubernetes \u0645\u062d\u0644\u064a\u0629<\/li>\n<li>\u062a\u0643\u0648\u064a\u0646 \u0645\u062c\u0645\u0648\u0639\u0627\u062a runners \u0645\u0624\u0642\u062a\u0629 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0648\u0633\u0639<\/li>\n<li>\u0625\u062b\u0628\u0627\u062a \u0627\u0644\u0639\u0632\u0644 \u0628\u064a\u0646 \u0627\u0644\u0645\u0647\u0627\u0645 (\u0627\u0644\u0645\u064a\u0632\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629)<\/li>\n<li>\u0628\u0646\u0627\u0621 \u0635\u0648\u0631 runners \u0645\u062e\u0635\u0635\u0629<\/li>\n<li>\u062a\u0637\u0628\u064a\u0642 \u0639\u0632\u0644 \u0645\u062c\u0645\u0648\u0639\u0627\u062a runners \u0644\u0641\u0635\u0644 \u0627\u0644\u0645\u0647\u0627\u0645<\/li>\n<li>\u062a\u0643\u0648\u064a\u0646 \u0627\u0644\u062a\u0648\u0633\u0639 \u0627\u0644\u062a\u0644\u0642\u0627\u0626\u064a<\/li>\n<li>\u062a\u0637\u0628\u064a\u0642 \u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0634\u0628\u0643\u0629 
\u0644\u062a\u0642\u064a\u064a\u062f \u0648\u0635\u0648\u0644 runners \u0625\u0644\u0649 \u0627\u0644\u0634\u0628\u0643\u0629<\/li>\n<\/ul>\n<h2>\u0627\u0644\u0645\u062a\u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629<\/h2>\n<p>\u0642\u0628\u0644 \u0628\u062f\u0621 \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c \u062a\u0623\u0643\u062f \u0645\u0646 \u062a\u0648\u0641\u0631 \u0645\u0627 \u064a\u0644\u064a:<\/p>\n<ul>\n<li><strong>\u0645\u062c\u0645\u0648\u0639\u0629 Kubernetes<\/strong> \u2014 <a href=\"https:\/\/kind.sigs.k8s.io\/\" target=\"_blank\" rel=\"noopener\">kind<\/a> \u0623\u0648 <a href=\"https:\/\/minikube.sigs.k8s.io\/\" target=\"_blank\" rel=\"noopener\">minikube<\/a> \u0623\u0648 \u0645\u062c\u0645\u0648\u0639\u0629 \u0633\u062d\u0627\u0628\u064a\u0629 \u0645\u064f\u062f\u0627\u0631\u0629 (EKS \u0623\u0648 GKE \u0623\u0648 AKS)<\/li>\n<li><strong>Helm 3<\/strong> \u2014 \u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0645\u0646 <a href=\"https:\/\/helm.sh\/docs\/intro\/install\/\" target=\"_blank\" rel=\"noopener\">helm.sh<\/a><\/li>\n<li><strong>kubectl<\/strong> \u2014 \u0645\u064f\u0647\u064a\u0623 \u0644\u0644\u062a\u0648\u0627\u0635\u0644 \u0645\u0639 \u0645\u062c\u0645\u0648\u0639\u062a\u0643<\/li>\n<li><strong>\u062d\u0633\u0627\u0628 GitHub<\/strong> \u2014 \u0645\u0639 \u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0627\u0644\u0645\u0633\u0624\u0648\u0644 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u062f\u0639 \u0623\u0648 \u0645\u0646\u0638\u0645\u0629<\/li>\n<li><strong>GitHub App \u0623\u0648 Personal Access Token (PAT)<\/strong> \u2014 \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a <code>repo<\/code> \u0648 <code>admin:org<\/code> (PAT) \u0623\u0648 \u0635\u0644\u0627\u062d\u064a\u0627\u062a GitHub App \u0627\u0644\u0645\u0646\u0627\u0633\u0628\u0629<\/li>\n<li><strong>Docker<\/strong> \u2014 \u0644\u0628\u0646\u0627\u0621 \u0635\u0648\u0631 runners 
\u0627\u0644\u0645\u062e\u0635\u0635\u0629 (\u0627\u0644\u062a\u0645\u0631\u064a\u0646 4)<\/li>\n<\/ul>\n<h2>\u0625\u0639\u062f\u0627\u062f \u0627\u0644\u0628\u064a\u0626\u0629<\/h2>\n<p>\u0633\u0646\u0633\u062a\u062e\u062f\u0645 <strong>kind<\/strong> (Kubernetes in Docker) \u0644\u0625\u0646\u0634\u0627\u0621 \u0645\u062c\u0645\u0648\u0639\u0629 \u0645\u062d\u0644\u064a\u0629. \u0647\u0630\u0627 \u064a\u062c\u0639\u0644 \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0645\u0633\u062a\u0642\u0644\u0627\u064b \u0648\u0633\u0647\u0644 \u0627\u0644\u062a\u0646\u0638\u064a\u0641.<\/p>\n<h3>\u0625\u0646\u0634\u0627\u0621 \u0645\u062c\u0645\u0648\u0639\u0629 kind<\/h3>\n<pre><code>kind create cluster --name arc-lab<\/code><\/pre>\n<p>\u062a\u062d\u0642\u0642 \u0645\u0646 \u0623\u0646 \u0627\u0644\u0645\u062c\u0645\u0648\u0639\u0629 \u062a\u0639\u0645\u0644:<\/p>\n<pre><code>kubectl cluster-info --context kind-arc-lab<\/code><\/pre>\n<h3>\u0625\u0646\u0634\u0627\u0621 \u0645\u0633\u062a\u0648\u062f\u0639 GitHub \u0644\u0644\u0627\u062e\u062a\u0628\u0627\u0631<\/h3>\n<p>\u0623\u0646\u0634\u0626 \u0645\u0633\u062a\u0648\u062f\u0639\u0627\u064b \u062c\u062f\u064a\u062f\u0627\u064b (\u0645\u062b\u0644 <code>arc-lab-test<\/code>) \u0641\u064a \u062d\u0633\u0627\u0628\u0643 \u0639\u0644\u0649 GitHub. \u0623\u0636\u0641 \u0645\u0644\u0641 \u0633\u064a\u0631 \u0639\u0645\u0644 \u0628\u0633\u064a\u0637 \u0641\u064a <code>.github\/workflows\/test.yml<\/code>:<\/p>\n<pre><code>name: ARC Test Workflow\non:\n  push:\n    branches: [main]\n  workflow_dispatch:\n\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Hello from GitHub-hosted runner\n        run: echo \"This runs on a GitHub-hosted runner\"<\/code><\/pre>\n<p>\u0627\u062f\u0641\u0639 \u0647\u0630\u0627 \u0625\u0644\u0649 \u0645\u0633\u062a\u0648\u062f\u0639\u0643. 
\u0633\u0646\u0639\u062f\u0651\u0644\u0647 \u0644\u0627\u062d\u0642\u0627\u064b \u0644\u064a\u0633\u062a\u0647\u062f\u0641 runners \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0640 ARC.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 1: \u062a\u062b\u0628\u064a\u062a ARC \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Helm<\/h2>\n<p>\u064a\u0633\u062a\u062e\u062f\u0645 Actions Runner Controller v2 \u0645\u062e\u0637\u0637\u0627\u062a Helm \u0644\u0646\u0634\u0631 \u0645\u0643\u0648\u0646\u064a\u0646: <strong>\u0648\u062d\u062f\u0629 \u062a\u062d\u0643\u0645 (controller)<\/strong> \u062a\u062f\u064a\u0631 \u062f\u0648\u0631\u0629 \u062d\u064a\u0627\u0629 pods \u0627\u0644\u0640 runner\u060c \u0648\u0645\u062c\u0645\u0648\u0639\u0629 \u0648\u0627\u062d\u062f\u0629 \u0623\u0648 \u0623\u0643\u062b\u0631 \u0645\u0646 <strong>runner scale sets<\/strong> \u0627\u0644\u062a\u064a \u062a\u0633\u062c\u0644 \u0645\u0639 GitHub \u0648\u062a\u0642\u0628\u0644 \u0627\u0644\u0645\u0647\u0627\u0645.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0636\u0627\u0641\u0629 \u0645\u0633\u062a\u0648\u062f\u0639 Helm<\/h3>\n<pre><code>helm repo add actions-runner-controller \\\n  https:\/\/actions-runner-controller.github.io\/actions-runner-controller\nhelm repo update<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2: \u062a\u0643\u0648\u064a\u0646 \u0627\u0644\u0645\u0635\u0627\u062f\u0642\u0629<\/h3>\n<p>\u064a\u062d\u062a\u0627\u062c ARC \u0625\u0644\u0649 \u0627\u0644\u0645\u0635\u0627\u062f\u0642\u0629 \u0645\u0639 GitHub API. 
\u0644\u062f\u064a\u0643 \u062e\u064a\u0627\u0631\u0627\u0646:<\/p>\n<p><strong>\u0627\u0644\u062e\u064a\u0627\u0631 \u0623: GitHub App (\u0645\u064f\u0648\u0635\u0649 \u0628\u0647 \u0644\u0644\u0625\u0646\u062a\u0627\u062c)<\/strong><\/p>\n<p>\u0623\u0646\u0634\u0626 GitHub App \u0641\u064a \u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0645\u0646\u0638\u0645\u062a\u0643 \u0623\u0648 \u062d\u0633\u0627\u0628\u0643:<\/p>\n<ol>\n<li>\u0627\u0646\u062a\u0642\u0644 \u0625\u0644\u0649 <strong>Settings &#8594; Developer settings &#8594; GitHub Apps &#8594; New GitHub App<\/strong><\/li>\n<li>\u0639\u064a\u0651\u0646 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0627\u0644\u062a\u0627\u0644\u064a\u0629:\n<ul>\n<li>Repository: <code>Actions<\/code> (\u0642\u0631\u0627\u0621\u0629)\u060c <code>Administration<\/code> (\u0642\u0631\u0627\u0621\u0629\/\u0643\u062a\u0627\u0628\u0629)\u060c <code>Metadata<\/code> (\u0642\u0631\u0627\u0621\u0629)<\/li>\n<li>Organization: <code>Self-hosted runners<\/code> (\u0642\u0631\u0627\u0621\u0629\/\u0643\u062a\u0627\u0628\u0629)<\/li>\n<\/ul>\n<\/li>\n<li>\u0623\u0646\u0634\u0626 \u0645\u0641\u062a\u0627\u062d\u0627\u064b \u062e\u0627\u0635\u0627\u064b \u0648\u0642\u0645 \u0628\u062a\u0646\u0632\u064a\u0644\u0647<\/li>\n<li>\u062b\u0628\u0651\u062a \u0627\u0644\u062a\u0637\u0628\u064a\u0642 \u0639\u0644\u0649 \u0645\u0646\u0638\u0645\u062a\u0643 \u0623\u0648 \u0645\u0633\u062a\u0648\u062f\u0639\u0643<\/li>\n<li>\u0633\u062c\u0651\u0644 App ID \u0648 Installation ID<\/li>\n<\/ol>\n<p><strong>\u0627\u0644\u062e\u064a\u0627\u0631 \u0628: Personal Access Token (\u0623\u0628\u0633\u0637 \u0644\u0644\u0645\u062e\u062a\u0628\u0631\u0627\u062a)<\/strong><\/p>\n<p>\u0623\u0646\u0634\u0626 PAT (\u0643\u0644\u0627\u0633\u064a\u0643\u064a) \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a <code>repo<\/code> \u0648 <code>admin:org<\/code>\u060c \u0623\u0648 PAT \u062f\u0642\u064a\u0642 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a 
\u0645\u0639 \u0623\u0630\u0648\u0646\u0627\u062a Actions \u0648 Administration. \u0644\u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c \u0633\u0646\u0633\u062a\u062e\u062f\u0645 PAT \u0644\u0644\u0628\u0633\u0627\u0637\u0629.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3: \u062a\u062b\u0628\u064a\u062a \u0648\u062d\u062f\u0629 \u062a\u062d\u0643\u0645 ARC<\/h3>\n<pre><code>helm install arc \\\n  actions-runner-controller\/gha-runner-scale-set-controller \\\n  --namespace arc-systems \\\n  --create-namespace<\/code><\/pre>\n<p>\u062a\u062d\u0642\u0642 \u0645\u0646 \u0623\u0646 \u0648\u062d\u062f\u0629 \u0627\u0644\u062a\u062d\u0643\u0645 \u062a\u0639\u0645\u0644:<\/p>\n<pre><code>kubectl get pods -n arc-systems<\/code><\/pre>\n<p>\u064a\u062c\u0628 \u0623\u0646 \u062a\u0631\u0649 \u0645\u062e\u0631\u062c\u0627\u062a \u0645\u0634\u0627\u0628\u0647\u0629 \u0644\u0640:<\/p>\n<pre><code>NAME                                     READY   STATUS    RESTARTS   AGE\narc-gha-runner-scale-set-controller-xxx  1\/1     Running   0          30s<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 4: \u062a\u062b\u0628\u064a\u062a Runner Scale Set<\/h3>\n<p>\u0627\u0644\u0622\u0646 \u0627\u0646\u0634\u0631 runner scale set \u0627\u0644\u062a\u064a \u062a\u0633\u062c\u0644 \u0645\u0639 \u0645\u0633\u062a\u0648\u062f\u0639\u0643 \u0639\u0644\u0649 GitHub:<\/p>\n<pre><code>helm install arc-runner-set \\\n  actions-runner-controller\/gha-runner-scale-set \\\n  --namespace arc-runners \\\n  --create-namespace \\\n  --set githubConfigUrl=\"https:\/\/github.com\/&lt;org&gt;\/&lt;repo&gt;\" \\\n  --set githubConfigSecret.github_token=\"&lt;PAT&gt;\"<\/code><\/pre>\n<p>\u0627\u0633\u062a\u0628\u062f\u0644 <code>&lt;org&gt;\/&lt;repo&gt;<\/code> \u0628\u0645\u0633\u0627\u0631 \u0645\u0633\u062a\u0648\u062f\u0639\u0643 \u0648 <code>&lt;PAT&gt;<\/code> \u0628\u0631\u0645\u0632 \u0627\u0644\u0648\u0635\u0648\u0644 \u0627\u0644\u0634\u062e\u0635\u064a 
\u0627\u0644\u062e\u0627\u0635 \u0628\u0643. \u062a\u0645\u0631\u064a\u0631 \u0627\u0644\u0631\u0645\u0632 \u0639\u0628\u0631 <code>--set<\/code> \u064a\u062a\u0631\u0643\u0647 \u0641\u064a \u0633\u062c\u0644 \u0623\u0648\u0627\u0645\u0631 shell \u0648\u0641\u064a \u0642\u064a\u0645 \u0625\u0635\u062f\u0627\u0631 Helm\u061b \u062e\u0627\u0631\u062c \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0623\u0646\u0634\u0626 Kubernetes Secret \u0645\u0633\u0628\u0642\u0627\u064b \u0648\u0645\u0631\u0651\u0631 \u0627\u0633\u0645\u0647 \u0641\u064a <code>githubConfigSecret<\/code>.<\/p>\n<p>\u062a\u062d\u0642\u0642 \u0645\u0646 runner scale set:<\/p>\n<pre><code>kubectl get pods -n arc-runners<\/code><\/pre>\n<p>\u0641\u064a \u0647\u0630\u0647 \u0627\u0644\u0645\u0631\u062d\u0644\u0629\u060c \u0642\u062f \u0644\u0627 \u062a\u0648\u062c\u062f pods \u0644\u0644\u0640 runner \u0628\u0639\u062f \u2014 \u064a\u0633\u062a\u062e\u062f\u0645 ARC \u0646\u0645\u0648\u0630\u062c \u0627\u0644\u062a\u0648\u0633\u0639 \u0625\u0644\u0649 \u0627\u0644\u0635\u0641\u0631. \u064a\u062a\u0645 \u0625\u0646\u0634\u0627\u0621 Pods \u0641\u0642\u0637 \u0639\u0646\u062f \u0648\u0636\u0639 \u0627\u0644\u0645\u0647\u0627\u0645 \u0641\u064a \u0642\u0627\u0626\u0645\u0629 \u0627\u0644\u0627\u0646\u062a\u0638\u0627\u0631.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 5: \u0627\u0644\u062a\u062d\u0642\u0642 \u0641\u064a GitHub<\/h3>\n<p>\u0627\u0646\u062a\u0642\u0644 \u0625\u0644\u0649 \u0645\u0633\u062a\u0648\u062f\u0639\u0643 \u0639\u0644\u0649 GitHub: <strong>Settings &#8594; Actions &#8594; Runners<\/strong>. \u064a\u062c\u0628 \u0623\u0646 \u062a\u0631\u0649 runner scale set \u0645\u062f\u0631\u062c\u0629 \u0628\u0627\u0633\u0645 <code>arc-runner-set<\/code>. 
\u062a\u064f\u0638\u0647\u0631 \u0627\u0644\u062d\u0627\u0644\u0629 \u0623\u0646\u0647\u0627 \u062c\u0627\u0647\u0632\u0629 \u0644\u0642\u0628\u0648\u0644 \u0627\u0644\u0645\u0647\u0627\u0645.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 2: \u062a\u0634\u063a\u064a\u0644 \u0633\u064a\u0631 \u0639\u0645\u0644 \u0639\u0644\u0649 ARC Runners<\/h2>\n<p>\u0627\u0644\u0622\u0646 \u062d\u062f\u0651\u062b \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u062a\u062c\u0631\u064a\u0628\u064a \u0644\u064a\u0633\u062a\u0647\u062f\u0641 runner scale set \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0640 ARC \u0628\u062f\u0644\u0627\u064b \u0645\u0646 GitHub-hosted runners.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1: \u062a\u062d\u062f\u064a\u062b \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644<\/h3>\n<p>\u0639\u062f\u0651\u0644 <code>.github\/workflows\/test.yml<\/code> \u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u062a\u0633\u0645\u064a\u0629 ARC runner:<\/p>\n<pre><code>name: ARC Test Workflow\non:\n  push:\n    branches: [main]\n  workflow_dispatch:\n\njobs:\n  test:\n    runs-on: arc-runner-set\n    steps:\n      - name: Hello from ARC runner\n        run: |\n          echo \"This runs on an ephemeral ARC runner!\"\n          echo \"Hostname: $(hostname)\"\n          echo \"Runner OS: $(uname -a)\"\n      - name: Show environment\n        run: env | sort<\/code><\/pre>\n<p>\u0627\u0644\u062a\u063a\u064a\u064a\u0631 \u0627\u0644\u0631\u0626\u064a\u0633\u064a \u0647\u0648 <code>runs-on: arc-runner-set<\/code> \u2014 \u0648\u0627\u0644\u0630\u064a \u064a\u062a\u0637\u0627\u0628\u0642 \u0645\u0639 \u0627\u0633\u0645 \u0625\u0635\u062f\u0627\u0631 Helm \u0644\u0640 runner scale set.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2: \u062a\u0634\u063a\u064a\u0644 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644<\/h3>\n<p>\u0627\u062f\u0641\u0639 \u0645\u0644\u0641 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 
\u0627\u0644\u0645\u062d\u062f\u0651\u062b \u0623\u0648 \u0627\u0633\u062a\u062e\u062f\u0645 \u0632\u0631 &#8220;Run workflow&#8221; (workflow_dispatch) \u0641\u064a \u0648\u0627\u062c\u0647\u0629 GitHub Actions.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0645\u0631\u0627\u0642\u0628\u0629 Pod \u0627\u0644\u0640 Runner<\/h3>\n<p>\u0631\u0627\u0642\u0628 \u0645\u0633\u0627\u062d\u0629 \u0627\u0644\u0623\u0633\u0645\u0627\u0621 <code>arc-runners<\/code> \u0623\u062b\u0646\u0627\u0621 \u062a\u0634\u063a\u064a\u0644 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644:<\/p>\n<pre><code>kubectl get pods -n arc-runners -w<\/code><\/pre>\n<p>\u0633\u062a\u0631\u0649 pod \u064a\u062a\u0645 \u0625\u0646\u0634\u0627\u0624\u0647 \u0644\u0644\u0645\u0647\u0645\u0629:<\/p>\n<pre><code>NAME                          READY   STATUS    RESTARTS   AGE\narc-runner-set-xxxxx-runner   1\/1     Running   0          5s<\/code><\/pre>\n<p>\u0628\u0639\u062f \u0627\u0643\u062a\u0645\u0627\u0644 \u0627\u0644\u0645\u0647\u0645\u0629\u060c \u064a\u062a\u0645 \u0625\u0646\u0647\u0627\u0621 Pod \u0648\u0625\u0632\u0627\u0644\u062a\u0647:<\/p>\n<pre><code>NAME                          READY   STATUS      RESTARTS   AGE\narc-runner-set-xxxxx-runner   0\/1     Completed   0          45s<\/code><\/pre>\n<p>\u0634\u063a\u0651\u0644 <code>kubectl get pods -n arc-runners<\/code> \u0645\u0631\u0629 \u0623\u062e\u0631\u0649 \u2014 \u0627\u062e\u062a\u0641\u0649 Pod. \u0647\u0630\u0627 \u0647\u0648 \u0627\u0644\u0646\u0645\u0648\u0630\u062c \u0627\u0644\u0645\u0624\u0642\u062a: \u0643\u0644 \u0645\u0647\u0645\u0629 \u062a\u062d\u0635\u0644 \u0639\u0644\u0649 \u062d\u0627\u0648\u064a\u0629 \u062c\u062f\u064a\u062f\u0629\u060c \u0648\u064a\u062a\u0645 \u062a\u062f\u0645\u064a\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0629 \u0639\u0646\u062f \u0627\u0646\u062a\u0647\u0627\u0621 \u0627\u0644\u0645\u0647\u0645\u0629. 
\u0644\u0627 \u064a\u0648\u062c\u062f \u0627\u0633\u062a\u0645\u0631\u0627\u0631\u064a\u0629 \u0644\u0644\u062d\u0627\u0644\u0629 \u0628\u064a\u0646 \u0627\u0644\u0645\u0647\u0627\u0645.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 3: \u0625\u062b\u0628\u0627\u062a \u0627\u0644\u0623\u0645\u0627\u0646 \u0627\u0644\u0645\u0624\u0642\u062a<\/h2>\n<p>\u064a\u0648\u0636\u062d \u0647\u0630\u0627 \u0627\u0644\u062a\u0645\u0631\u064a\u0646 \u0627\u0644\u0645\u064a\u0632\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0644\u0644\u0640 runners \u0627\u0644\u0645\u0624\u0642\u062a\u0629: <strong>\u0639\u062f\u0645 \u0648\u062c\u0648\u062f \u062a\u0644\u0648\u062b \u0628\u064a\u0646 \u0627\u0644\u0645\u0647\u0627\u0645<\/strong>.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0646\u0634\u0627\u0621 \u0633\u064a\u0631 \u0639\u0645\u0644 \u064a\u0643\u062a\u0628 \u0628\u064a\u0627\u0646\u0627\u062a \u062d\u0633\u0627\u0633\u0629<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>.github\/workflows\/ephemeral-test.yml<\/code>:<\/p>\n<pre><code>name: Ephemeral Security Test\non: workflow_dispatch\n\njobs:\n  write-secret:\n    runs-on: arc-runner-set\n    steps:\n      - name: Write sensitive data\n        run: |\n          echo \"SECRET_API_KEY=sk-prod-abc123xyz\" &gt; \/tmp\/secret-data\n          echo \"DB_PASSWORD=super-secret-password\" &gt;&gt; \/tmp\/secret-data\n          echo \"Written sensitive data to \/tmp\/secret-data\"\n          cat \/tmp\/secret-data\n\n  read-secret:\n    runs-on: arc-runner-set\n    needs: write-secret\n    steps:\n      - name: Attempt to read previous job data\n        run: |\n          echo \"Checking if \/tmp\/secret-data exists from previous job...\"\n          if [ -f \/tmp\/secret-data ]; then\n            echo \"SECURITY RISK: Found data from previous job!\"\n            cat \/tmp\/secret-data\n          else\n            echo \"SECURE: \/tmp\/secret-data does not exist.\"\n    
        echo \"Each job gets a fresh container \u2014 no cross-job contamination.\"\n          fi<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2: \u062a\u0634\u063a\u064a\u0644 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644<\/h3>\n<p>\u0634\u063a\u0651\u0644 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0639\u0628\u0631 <code>workflow_dispatch<\/code>. \u062a\u0643\u062a\u0628 \u0627\u0644\u0645\u0647\u0645\u0629 \u0627\u0644\u0623\u0648\u0644\u0649 (<code>write-secret<\/code>) \u0628\u064a\u0627\u0646\u0627\u062a \u062d\u0633\u0627\u0633\u0629 \u0625\u0644\u0649 <code>\/tmp\/secret-data<\/code>. \u062a\u0639\u0645\u0644 \u0627\u0644\u0645\u0647\u0645\u0629 \u0627\u0644\u062b\u0627\u0646\u064a\u0629 (<code>read-secret<\/code>) \u0641\u064a pod \u062c\u062f\u064a\u062f \u0648\u062a\u062d\u0627\u0648\u0644 \u0642\u0631\u0627\u0621\u0629 \u0630\u0644\u0643 \u0627\u0644\u0645\u0644\u0641.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0646\u062a\u0627\u0626\u062c<\/h3>\n<p>\u0641\u064a \u0633\u062c\u0644\u0627\u062a GitHub Actions\u060c \u0633\u062a\u0631\u0649:<\/p>\n<ul>\n<li><strong>\u0645\u0647\u0645\u0629 write-secret:<\/strong> \u062a\u0643\u062a\u0628 \u0627\u0644\u0645\u0644\u0641 \u0628\u0646\u062c\u0627\u062d \u0648\u062a\u0637\u0628\u0639 \u0627\u0644\u0645\u062d\u062a\u0648\u064a\u0627\u062a<\/li>\n<li><strong>\u0645\u0647\u0645\u0629 read-secret:<\/strong> \u0627\u0644\u0645\u0644\u0641 \u063a\u064a\u0631 \u0645\u0648\u062c\u0648\u062f \u2014 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u062a\u064f\u0638\u0647\u0631 <code>SECURE: \/tmp\/secret-data does not exist.<\/code><\/li>\n<\/ul>\n<p>\u0643\u0644 \u0645\u0647\u0645\u0629 \u0639\u0645\u0644\u062a \u0641\u064a pod \u0645\u0646\u0641\u0635\u0644 \u062a\u0645 \u0625\u0646\u0634\u0627\u0624\u0647 \u062d\u062f\u064a\u062b\u0627\u064b. 
\u0639\u0646\u062f\u0645\u0627 \u062a\u0645 \u062a\u062f\u0645\u064a\u0631 pod <code>write-secret<\/code>\u060c \u062a\u0645 \u062a\u062f\u0645\u064a\u0631 \u062c\u0645\u064a\u0639 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u2014 \u0628\u0645\u0627 \u0641\u064a \u0630\u0644\u0643 \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u062d\u0633\u0627\u0633 \u2014 \u0645\u0639\u0647.<\/p>\n<h3>\u0644\u0645\u0627\u0630\u0627 \u0647\u0630\u0627 \u0645\u0647\u0645<\/h3>\n<p>\u0639\u0644\u0649 <strong>runner \u0630\u0627\u062a\u064a \u0627\u0644\u0627\u0633\u062a\u0636\u0627\u0641\u0629 \u062f\u0627\u0626\u0645<\/strong>\u060c \u0633\u064a\u0628\u0642\u0649 \u0645\u0644\u0641 <code>\/tmp\/secret-data<\/code> \u0639\u0644\u0649 \u0627\u0644\u0642\u0631\u0635 \u0639\u0646\u062f \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0645\u0647\u0645\u0629 \u0627\u0644\u062b\u0627\u0646\u064a\u0629. \u064a\u0645\u0643\u0646 \u0644\u0633\u064a\u0631 \u0639\u0645\u0644 \u062e\u0628\u064a\u062b \u0641\u064a \u0637\u0644\u0628 \u0633\u062d\u0628 (pull request) \u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0648\u0627\u0644\u0631\u0645\u0648\u0632 \u0648\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u062a\u064a \u062a\u0631\u0643\u062a\u0647\u0627 \u0627\u0644\u0645\u0647\u0627\u0645 \u0627\u0644\u0633\u0627\u0628\u0642\u0629. \u0645\u0639 runners \u0627\u0644\u0645\u0624\u0642\u062a\u0629\u060c \u064a\u062a\u0645 \u0627\u0644\u0642\u0636\u0627\u0621 \u0639\u0644\u0649 \u0647\u0630\u0627 \u0627\u0644\u0645\u062a\u062c\u0647 \u0627\u0644\u0647\u062c\u0648\u0645\u064a.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 4: \u0635\u0648\u0631 Runner \u0627\u0644\u0645\u062e\u0635\u0635\u0629<\/h2>\n<p>\u062a\u0633\u062a\u062e\u062f\u0645 ARC runners \u0635\u0648\u0631\u0629 \u062d\u0627\u0648\u064a\u0629 \u0623\u0633\u0627\u0633\u064a\u0629. 
\u0644\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0641\u064a \u0627\u0644\u0639\u0627\u0644\u0645 \u0627\u0644\u062d\u0642\u064a\u0642\u064a\u060c \u062a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u062a\u062e\u0635\u064a\u0635 \u0647\u0630\u0647 \u0627\u0644\u0635\u0648\u0631\u0629 \u0644\u062a\u0636\u0645\u064a\u0646 \u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0646\u0634\u0627\u0621 Dockerfile \u0645\u062e\u0635\u0635<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>Dockerfile<\/code> \u0644\u0640 runner \u0627\u0644\u0645\u062e\u0635\u0635 \u0627\u0644\u062e\u0627\u0635 \u0628\u0643:<\/p>\n<pre><code>FROM ghcr.io\/actions\/actions-runner:latest\n\nUSER root\n\n# Install build tools\nRUN apt-get update &amp;&amp; apt-get install -y \\\n    curl \\\n    wget \\\n    git \\\n    jq \\\n    unzip \\\n    build-essential \\\n    &amp;&amp; rm -rf \/var\/lib\/apt\/lists\/*\n\n# Install Go\nRUN wget -q https:\/\/go.dev\/dl\/go1.22.4.linux-amd64.tar.gz \\\n    &amp;&amp; tar -C \/usr\/local -xzf go1.22.4.linux-amd64.tar.gz \\\n    &amp;&amp; rm go1.22.4.linux-amd64.tar.gz\nENV PATH=\"$PATH:\/usr\/local\/go\/bin\"\n\n# Install cosign\nRUN curl -sSL -o \/usr\/local\/bin\/cosign \\\n    https:\/\/github.com\/sigstore\/cosign\/releases\/latest\/download\/cosign-linux-amd64 \\\n    &amp;&amp; chmod +x \/usr\/local\/bin\/cosign\n\n# Install Docker CLI (for Docker-in-Docker workflows)\nRUN curl -fsSL https:\/\/get.docker.com | sh\n\nUSER runner<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0628\u0646\u0627\u0621 \u0627\u0644\u0635\u0648\u0631\u0629 \u0648\u062f\u0641\u0639\u0647\u0627<\/h3>\n<pre><code># Build the image\ndocker build -t ghcr.io\/&lt;org&gt;\/custom-runner:latest .\n\n# Authenticate to GitHub Container Registry\necho \"&lt;PAT&gt;\" | docker login ghcr.io -u &lt;username&gt; --password-stdin\n\n# Push the 
image\ndocker push ghcr.io\/&lt;org&gt;\/custom-runner:latest<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3: \u062a\u0643\u0648\u064a\u0646 ARC \u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0645\u062e\u0635\u0635\u0629<\/h3>\n<p>\u0623\u0646\u0634\u0626 \u0645\u0644\u0641 \u0642\u064a\u0645 <code>custom-runner-values.yaml<\/code>:<\/p>\n<pre><code>githubConfigUrl: \"https:\/\/github.com\/&lt;org&gt;\/&lt;repo&gt;\"\ngithubConfigSecret:\n  github_token: \"&lt;PAT&gt;\"\n\ntemplate:\n  spec:\n    containers:\n      - name: runner\n        image: ghcr.io\/&lt;org&gt;\/custom-runner:latest\n        command: [\"\/home\/runner\/run.sh\"]\n        resources:\n          requests:\n            cpu: \"500m\"\n            memory: \"512Mi\"\n          limits:\n            cpu: \"2\"\n            memory: \"2Gi\"<\/code><\/pre>\n<p>\u0642\u0645 \u0628\u062a\u0631\u0642\u064a\u0629 runner scale set \u0628\u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0645\u062e\u0635\u0635\u0629:<\/p>\n<pre><code>helm upgrade arc-runner-set \\\n  actions-runner-controller\/gha-runner-scale-set \\\n  --namespace arc-runners \\\n  -f custom-runner-values.yaml<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 4: \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0645\u062e\u0635\u0635\u0629<\/h3>\n<p>\u0623\u0646\u0634\u0626 \u0633\u064a\u0631 \u0639\u0645\u0644 \u064a\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0645\u062e\u0635\u0635\u0629:<\/p>\n<pre><code>name: Custom Runner Tools Test\non: workflow_dispatch\n\njobs:\n  verify-tools:\n    runs-on: arc-runner-set\n    steps:\n      - name: Verify Go\n        run: go version\n      - name: Verify cosign\n        run: cosign version\n      - name: Verify Docker CLI\n        run: docker --version<\/code><\/pre>\n<p><strong>\u0627\u0644\u0641\u0627\u0626\u062f\u0629 
\u0627\u0644\u0623\u0645\u0646\u064a\u0629:<\/strong> \u0645\u0646 \u062e\u0644\u0627\u0644 \u0628\u0646\u0627\u0621 \u0635\u0648\u0631\u0629 runner \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643\u060c \u062a\u062a\u062d\u0643\u0645 \u0628\u0627\u0644\u0636\u0628\u0637 \u0641\u064a \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0648\u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f\u064a\u0627\u062a \u0627\u0644\u0645\u0648\u062c\u0648\u062f\u0629 \u0641\u064a \u0628\u064a\u0626\u0629 \u0627\u0644\u0628\u0646\u0627\u0621. \u0644\u0627 \u062a\u0648\u062c\u062f \u0645\u0644\u0641\u0627\u062a \u062b\u0646\u0627\u0626\u064a\u0629 \u063a\u064a\u0631 \u0645\u062a\u0648\u0642\u0639\u0629\u060c \u0648\u0644\u0627 \u0628\u0631\u0627\u0645\u062c \u0645\u062b\u0628\u062a\u0629 \u0645\u0633\u0628\u0642\u0627\u064b \u0644\u0645 \u062a\u0648\u0627\u0641\u0642 \u0639\u0644\u064a\u0647\u0627\u060c \u0648\u064a\u0645\u0643\u0646\u0643 \u062a\u062b\u0628\u064a\u062a \u0643\u0644 \u0623\u062f\u0627\u0629 \u0639\u0644\u0649 \u0625\u0635\u062f\u0627\u0631 \u0645\u062d\u062f\u062f. \u064a\u0645\u0643\u0646\u0643 \u0623\u064a\u0636\u0627\u064b \u0641\u062d\u0635 \u0627\u0644\u0635\u0648\u0631\u0629 \u0628\u062d\u062b\u0627\u064b \u0639\u0646 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0642\u0628\u0644 \u0646\u0634\u0631\u0647\u0627. \u0644\u0627\u062d\u0638 \u0623\u0646 Dockerfile \u0623\u0639\u0644\u0627\u0647 \u064a\u0639\u062a\u0645\u062f \u0639\u0644\u0649 \u0627\u0644\u0648\u0633\u0645 <code>latest<\/code> \u0648\u0639\u0644\u0649 \u062a\u0646\u0632\u064a\u0644\u0627\u062a \u062f\u0648\u0646 \u062a\u062d\u0642\u0642 \u0645\u0646 checksum\u061b \u0641\u064a \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u062b\u0628\u0651\u062a \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0628\u0640 digest \u0648\u0643\u0644 \u0623\u062f\u0627\u0629 \u0628\u0625\u0635\u062f\u0627\u0631 \u0645\u062d\u062f\u062f \u0648\u062a\u062d\u0642\u0642 \u0645\u0646 checksum \u0642\u0628\u0644 \u0627\u0644\u062a\u062b\u0628\u064a\u062a.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 5: \u0639\u0632\u0644 \u0645\u062c\u0645\u0648\u0639\u0627\u062a Runner<\/h2>\n<p>\u062a\u062a\u0645\u062a\u0639 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0645\u062e\u062a\u0644\u0641\u0629 \u0628\u0645\u0633\u062a\u0648\u064a\u0627\u062a \u062b\u0642\u0629 \u0645\u062e\u062a\u0644\u0641\u0629. 
\u0644\u0627 \u064a\u0646\u0628\u063a\u064a \u0623\u0646 \u064a\u0643\u0648\u0646 \u0644\u062a\u062d\u0642\u0642 \u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0633\u062d\u0628 (pull request) \u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0625\u0646\u062a\u0627\u062c. \u062a\u062d\u062a\u0627\u062c \u0633\u064a\u0631 \u0639\u0645\u0644 \u0627\u0644\u0646\u0634\u0631 \u0625\u0644\u0649 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0648\u0644\u0643\u0646 \u064a\u062c\u0628 \u0623\u0646 \u062a\u0639\u0645\u0644 \u0641\u0642\u0637 \u0645\u0646 \u0627\u0644\u0641\u0631\u0639 \u0627\u0644\u0631\u0626\u064a\u0633\u064a. \u064a\u062a\u064a\u062d \u0644\u0643 ARC \u062a\u0646\u0641\u064a\u0630 \u0647\u0630\u0627 \u0627\u0644\u0641\u0635\u0644 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0625\u0646\u0634\u0627\u0621 \u0645\u062c\u0645\u0648\u0639\u0627\u062a runner scale sets \u0645\u062a\u0645\u064a\u0632\u0629 \u0628\u062a\u0633\u0645\u064a\u0627\u062a \u0648\u062a\u0643\u0648\u064a\u0646\u0627\u062a \u0645\u062e\u062a\u0644\u0641\u0629.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0646\u0634\u0627\u0621 Runner Scale Set \u0644\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0633\u062d\u0628<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>pr-runner-values.yaml<\/code>:<\/p>\n<pre><code>githubConfigUrl: \"https:\/\/github.com\/&lt;org&gt;\/&lt;repo&gt;\"\ngithubConfigSecret:\n  github_token: \"&lt;PAT&gt;\"\n\ntemplate:\n  spec:\n    containers:\n      - name: runner\n        image: ghcr.io\/&lt;org&gt;\/custom-runner:latest\n        command: [\"\/home\/runner\/run.sh\"]\n        env:\n          - name: RUNNER_GROUP\n            value: \"pr-validation\"\n        resources:\n          requests:\n            cpu: \"250m\"\n            memory: \"256Mi\"\n          limits:\n            cpu: \"1\"\n            memory: \"1Gi\"<\/code><\/pre>\n<pre><code>helm install arc-runner-pr \\\n  
actions-runner-controller\/gha-runner-scale-set \\\n  --namespace arc-runners \\\n  -f pr-runner-values.yaml<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0625\u0646\u0634\u0627\u0621 Runner Scale Set \u0644\u0644\u0646\u0634\u0631<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>deploy-runner-values.yaml<\/code>:<\/p>\n<pre><code>githubConfigUrl: \"https:\/\/github.com\/&lt;org&gt;\/&lt;repo&gt;\"\ngithubConfigSecret:\n  github_token: \"&lt;PAT&gt;\"\n\ntemplate:\n  spec:\n    containers:\n      - name: runner\n        image: ghcr.io\/&lt;org&gt;\/custom-runner:latest\n        command: [\"\/home\/runner\/run.sh\"]\n        env:\n          - name: RUNNER_GROUP\n            value: \"deployment\"\n        resources:\n          requests:\n            cpu: \"500m\"\n            memory: \"512Mi\"\n          limits:\n            cpu: \"2\"\n            memory: \"2Gi\"\n    serviceAccountName: deploy-runner-sa\n    nodeSelector:\n      runner-type: deployment<\/code><\/pre>\n<pre><code>helm install arc-runner-deploy \\\n  actions-runner-controller\/gha-runner-scale-set \\\n  --namespace arc-runners \\\n  -f deploy-runner-values.yaml<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3: \u062a\u0643\u0648\u064a\u0646 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0644\u0644\u0639\u0632\u0644<\/h3>\n<p>\u0627\u0633\u062a\u062e\u062f\u0645 \u062a\u0633\u0645\u064a\u0627\u062a runner \u0645\u062e\u062a\u0644\u0641\u0629 \u0628\u0646\u0627\u0621\u064b \u0639\u0644\u0649 \u0645\u062d\u0641\u0651\u0632 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644:<\/p>\n<pre><code>name: CI\/CD Pipeline\non:\n  pull_request:\n    branches: [main]\n  push:\n    branches: [main]\n\njobs:\n  validate:\n    if: github.event_name == 'pull_request'\n    runs-on: arc-runner-pr\n    steps:\n      - uses: actions\/checkout@v4\n      - name: Run tests\n        run: make test\n      - name: Run linter\n        run: make lint\n\n  deploy:\n    if: github.ref == 'refs\/heads\/main' 
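&amp;&amp; github.event_name == 'push'\n    runs-on: arc-runner-deploy\n    steps:\n      - uses: actions\/checkout@v4\n      - name: Deploy to production\n        run: make deploy\n        env:\n          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}<\/code><\/pre>\n<p>\u064a\u0646\u0641\u0630 \u0647\u0630\u0627 <strong>\u0641\u0635\u0644 \u0627\u0644\u0645\u0647\u0627\u0645 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0640 runner<\/strong>. \u062a\u0639\u0645\u0644 \u0645\u0647\u0627\u0645 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0633\u062d\u0628 \u0639\u0644\u0649 runners \u0644\u064a\u0633 \u0644\u0647\u0627 \u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0646\u0634\u0631 \u0623\u0648 \u0634\u0631\u0627\u0626\u062d \u0627\u0644\u0634\u0628\u0643\u0629 \u0627\u0644\u0645\u062a\u0645\u064a\u0632\u0629. \u062a\u0639\u0645\u0644 \u0645\u0647\u0627\u0645 \u0627\u0644\u0646\u0634\u0631 \u0639\u0644\u0649 \u0645\u062c\u0645\u0648\u0639\u0629 \u0645\u0646\u0641\u0635\u0644\u0629 \u0645\u0646 runners \u0627\u0644\u062a\u064a \u062a\u0645\u062a\u0644\u0643 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0644\u0627\u0632\u0645\u0629 \u0648\u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0634\u0628\u0643\u0629\u060c \u0648\u0644\u0643\u0646\u0647\u0627 \u062a\u0639\u0645\u0644 \u0641\u0642\u0637 \u0639\u0646\u062f \u0627\u0644\u062f\u0641\u0639 \u0625\u0644\u0649 main. \u0644\u0643\u0646 <code>if<\/code> \u0648 <code>runs-on<\/code> \u0645\u0648\u062c\u0648\u062f\u0627\u0646 \u0641\u064a \u0645\u0644\u0641 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0646\u0641\u0633\u0647 \u0627\u0644\u0630\u064a \u064a\u0645\u0643\u0646 \u0644\u0637\u0644\u0628 \u0633\u062d\u0628 \u062a\u0639\u062f\u064a\u0644\u0647\u060c \u0644\u0630\u0627 \u0644\u0627 \u064a\u0643\u0641\u064a\u0627\u0646 \u0648\u062d\u062f\u0647\u0645\u0627. \u0642\u064a\u0651\u062f \u0623\u064a\u0636\u0627\u064b \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639\u0627\u062a \u0648\u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0645\u0633\u0645\u0648\u062d \u0644\u0647\u0627 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 runners \u0627\u0644\u0646\u0634\u0631 \u0639\u0628\u0631 runner group\u060c \u0648\u0627\u062d\u0641\u0638 <code>DEPLOY_TOKEN<\/code> \u0641\u064a environment \u0645\u062d\u0645\u064a\u0629 \u0645\u0642\u064a\u0651\u062f\u0629 \u0628\u0627\u0644\u0641\u0631\u0639 \u0627\u0644\u0631\u0626\u064a\u0633\u064a.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 6: \u0627\u0644\u062a\u0648\u0633\u0639 \u0627\u0644\u062a\u0644\u0642\u0627\u0626\u064a<\/h2>\n<p>\u064a\u062f\u0639\u0645 ARC \u0627\u0644\u062a\u0648\u0633\u0639 \u0627\u0644\u062a\u0644\u0642\u0627\u0626\u064a \u0628\u0634\u0643\u0644 \u0623\u0635\u0644\u064a. 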
\u064a\u062a\u0645 \u0625\u0646\u0634\u0627\u0621 pods \u0627\u0644\u0640 runner \u0639\u0646\u062f \u0627\u0644\u0637\u0644\u0628 \u0648\u062a\u062f\u0645\u064a\u0631\u0647\u0627 \u0639\u0646\u062f \u0639\u062f\u0645 \u0627\u0644\u0646\u0634\u0627\u0637. \u064a\u0645\u0643\u0646\u0643 \u062a\u0643\u0648\u064a\u0646 \u0627\u0644\u062d\u062f \u0627\u0644\u0623\u062f\u0646\u0649 \u0648\u0627\u0644\u0623\u0642\u0635\u0649 \u0644\u0644\u0646\u0633\u062e \u0644\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0627\u0644\u062a\u0643\u0644\u0641\u0629 \u0648\u0627\u0644\u0627\u0633\u062a\u062c\u0627\u0628\u0629.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1: \u062a\u0643\u0648\u064a\u0646 \u0645\u0639\u0644\u0645\u0627\u062a \u0627\u0644\u062a\u0648\u0633\u0639 \u0627\u0644\u062a\u0644\u0642\u0627\u0626\u064a<\/h3>\n<p>\u062d\u062f\u0651\u062b \u0645\u0644\u0641 \u0642\u064a\u0645 runner scale set \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u0644\u064a\u0634\u0645\u0644 \u0645\u0639\u0644\u0645\u0627\u062a \u0627\u0644\u062a\u0648\u0633\u0639:<\/p>\n<pre><code>githubConfigUrl: \"https:\/\/github.com\/&lt;org&gt;\/&lt;repo&gt;\"\ngithubConfigSecret:\n  github_token: \"&lt;PAT&gt;\"\n\nminRunners: 0\nmaxRunners: 10\n\ntemplate:\n  spec:\n    containers:\n      - name: runner\n        image: ghcr.io\/actions\/actions-runner:latest\n        command: [\"\/home\/runner\/run.sh\"]<\/code><\/pre>\n<pre><code>helm upgrade arc-runner-set \\\n  actions-runner-controller\/gha-runner-scale-set \\\n  --namespace arc-runners \\\n  -f autoscale-values.yaml<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2: \u062a\u0648\u0644\u064a\u062f \u0627\u0644\u062d\u0645\u0644<\/h3>\n<p>\u0623\u0646\u0634\u0626 \u0633\u064a\u0631 \u0639\u0645\u0644 \u064a\u064f\u0637\u0644\u0642 \u0639\u062f\u0629 \u0645\u0647\u0627\u0645 \u0645\u062a\u0648\u0627\u0632\u064a\u0629:<\/p>\n<pre><code>name: Autoscale Test\non: workflow_dispatch\n\njobs:\n  parallel-job:\n    runs-on: arc-runner-set\n    
strategy:\n      matrix:\n        id: [1, 2, 3, 4, 5]\n    steps:\n      - name: Simulate work\n        run: |\n          echo \"Job ${{ matrix.id }} running on $(hostname)\"\n          sleep 60<\/code><\/pre>\n<p>\u0634\u063a\u0651\u0644 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0647\u0630\u0627 \u0648\u0631\u0627\u0642\u0628 \u062a\u0648\u0633\u0639 \u0627\u0644\u0640 pods:<\/p>\n<pre><code>kubectl get pods -n arc-runners -w<\/code><\/pre>\n<p>\u0633\u062a\u0631\u0649 \u062e\u0645\u0633 pods \u064a\u062a\u0645 \u0625\u0646\u0634\u0627\u0624\u0647\u0627 \u2014 \u0648\u0627\u062d\u062f\u0629 \u0644\u0643\u0644 \u0645\u0647\u0645\u0629 matrix:<\/p>\n<pre><code>NAME                              READY   STATUS    RESTARTS   AGE\narc-runner-set-abcde-runner       1\/1     Running   0          5s\narc-runner-set-fghij-runner       1\/1     Running   0          5s\narc-runner-set-klmno-runner       1\/1     Running   0          5s\narc-runner-set-pqrst-runner       1\/1     Running   0          5s\narc-runner-set-uvwxy-runner       1\/1     Running   0          5s<\/code><\/pre>\n<p>\u0628\u0639\u062f \u0627\u0643\u062a\u0645\u0627\u0644 \u0627\u0644\u0645\u0647\u0627\u0645 (60 \u062b\u0627\u0646\u064a\u0629)\u060c \u064a\u062a\u0645 \u0625\u0646\u0647\u0627\u0621 \u062c\u0645\u064a\u0639 \u0627\u0644\u0640 pods. 
\u062a\u0639\u0648\u062f \u0645\u0633\u0627\u062d\u0629 \u0627\u0644\u0623\u0633\u0645\u0627\u0621 \u0625\u0644\u0649 \u0635\u0641\u0631 pods.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3: \u062a\u0643\u0648\u064a\u0646 \u062a\u0623\u062e\u064a\u0631 \u062a\u0642\u0644\u064a\u0635 \u0627\u0644\u062d\u062c\u0645<\/h3>\n<p>\u0644\u062a\u062d\u0633\u064a\u0646 \u0627\u0644\u062a\u0643\u0644\u0641\u0629\u060c \u0642\u062f \u062a\u0631\u063a\u0628 \u0641\u064a \u0628\u0642\u0627\u0621 \u0627\u0644\u0640 pods \u062c\u0627\u0647\u0632\u0629 \u0644\u0641\u062a\u0631\u0629 \u0642\u0635\u064a\u0631\u0629 \u0628\u0639\u062f \u0627\u0643\u062a\u0645\u0627\u0644 \u0627\u0644\u0645\u0647\u0645\u0629. \u0647\u0630\u0627 \u064a\u062a\u062c\u0646\u0628 \u062a\u0623\u062e\u0631 \u0627\u0644\u0628\u062f\u0621 \u0627\u0644\u0628\u0627\u0631\u062f \u0644\u0623\u062d\u0645\u0627\u0644 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0645\u062a\u0642\u0637\u0639\u0629. \u0633\u0644\u0648\u0643 \u0627\u0644\u062a\u0648\u0633\u0639 \u0625\u0644\u0649 \u0627\u0644\u0635\u0641\u0631 \u0641\u064a ARC \u0647\u0648 \u0627\u0644\u062e\u064a\u0627\u0631 \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a \u0648\u0627\u0644\u0623\u0643\u062b\u0631 \u0623\u0645\u0627\u0646\u0627\u064b. 
\u0625\u0630\u0627 \u0643\u0646\u062a \u062a\u062d\u062a\u0627\u062c runners \u062c\u0627\u0647\u0632\u0629\u060c \u0627\u062c\u0639\u0644 \u0627\u0644\u0646\u0627\u0641\u0630\u0629 \u0642\u0635\u064a\u0631\u0629 (\u0623\u0642\u0644 \u0645\u0646 5 \u062f\u0642\u0627\u0626\u0642) \u0648\u062a\u0623\u0643\u062f \u0645\u0646 \u0623\u0646 \u0627\u0644\u0648\u0636\u0639 \u0627\u0644\u0645\u0624\u0642\u062a \u0644\u0627 \u064a\u0632\u0627\u0644 \u0645\u0641\u0631\u0648\u0636\u0627\u064b.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 7: \u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0634\u0628\u0643\u0629 \u0644\u0640 Runners<\/h2>\n<p>\u062a\u062a\u064a\u062d \u0644\u0643 Kubernetes NetworkPolicies \u062a\u0642\u064a\u064a\u062f \u0648\u0635\u0648\u0644 pods \u0627\u0644\u0640 runner \u0625\u0644\u0649 \u0627\u0644\u0634\u0628\u0643\u0629. \u0647\u0630\u0627 \u062f\u0641\u0627\u0639 \u062d\u0627\u0633\u0645 \u0636\u062f \u062a\u0633\u0631\u064a\u0628 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0645\u0646 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0645\u062e\u062a\u0631\u0642\u0629.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0646\u0634\u0627\u0621 NetworkPolicy<\/h3>\n<p>\u0637\u0628\u0651\u0642 NetworkPolicy \u0627\u0644\u062a\u0627\u0644\u064a\u0629 \u0639\u0644\u0649 \u0645\u0633\u0627\u062d\u0629 \u0627\u0644\u0623\u0633\u0645\u0627\u0621 <code>arc-runners<\/code>:<\/p>\n<pre><code>apiVersion: networking.k8s.io\/v1\nkind: NetworkPolicy\nmetadata:\n  name: runner-egress-policy\n  namespace: arc-runners\nspec:\n  podSelector: {}\n  policyTypes:\n    - Egress\n  egress:\n    # Allow DNS resolution\n    - to:\n        - namespaceSelector: {}\n      ports:\n        - protocol: UDP\n          port: 53\n        - protocol: TCP\n          port: 53\n    # Allow GitHub API and Actions services\n    - to:\n        - ipBlock:\n            cidr: 140.82.112.0\/20\n        - ipBlock:\n            cidr: 
143.55.64.0\/20\n        - ipBlock:\n            cidr: 185.199.108.0\/22\n        - ipBlock:\n            cidr: 4.0.0.0\/8\n      ports:\n        - protocol: TCP\n          port: 443\n    # Allow your container registry (example: ghcr.io)\n    - to:\n        - ipBlock:\n            cidr: 140.82.112.0\/20\n      ports:\n        - protocol: TCP\n          port: 443\n    # Allow your artifact storage (replace with your CIDR)\n    # - to:\n    #     - ipBlock:\n    #         cidr: 10.0.0.0\/8\n    #   ports:\n    #     - protocol: TCP\n    #       port: 443<\/code><\/pre>\n<pre><code>kubectl apply -f runner-network-policy.yaml<\/code><\/pre>\n<p><strong>\u0645\u0644\u0627\u062d\u0638\u0629:<\/strong> \u062a\u0646\u0634\u0631 GitHub \u0646\u0637\u0627\u0642\u0627\u062a IP \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0647\u0627 \u0639\u0644\u0649 <a href=\"https:\/\/api.github.com\/meta\" target=\"_blank\" rel=\"noopener\">https:\/\/api.github.com\/meta<\/a>. \u0627\u0633\u062a\u062e\u062f\u0645 \u0646\u0637\u0627\u0642\u0627\u062a <code>actions<\/code> \u0648 <code>api<\/code>. 
\u0627\u0644\u0646\u0637\u0627\u0642\u0627\u062a CIDR \u0623\u0639\u0644\u0627\u0647 \u0647\u064a \u0623\u0645\u062b\u0644\u0629 \u2014 \u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0646\u0637\u0627\u0642\u0627\u062a \u0627\u0644\u062d\u0627\u0644\u064a\u0629 \u0648\u062d\u062f\u0651\u062b\u0647\u0627 \u0648\u0641\u0642\u0627\u064b \u0644\u0630\u0644\u0643. \u0627\u0644\u0646\u0637\u0627\u0642 <code>4.0.0.0\/8<\/code> \u0648\u0627\u0633\u0639 \u062c\u062f\u0627\u064b (\u0646\u062d\u0648 16.7 \u0645\u0644\u064a\u0648\u0646 \u0639\u0646\u0648\u0627\u0646) \u0648\u064a\u0636\u0639\u0641 \u062a\u0642\u064a\u064a\u062f \u0627\u0644\u062e\u0631\u0648\u062c\u061b \u0627\u0633\u062a\u0628\u062f\u0644\u0647 \u0628\u0627\u0644\u0646\u0637\u0627\u0642\u0627\u062a \u0627\u0644\u0623\u0636\u064a\u0642 \u0627\u0644\u0645\u0646\u0634\u0648\u0631\u0629.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0627\u062e\u062a\u0628\u0627\u0631 NetworkPolicy<\/h3>\n<p>\u0623\u0646\u0634\u0626 \u0633\u064a\u0631 \u0639\u0645\u0644 \u064a\u062d\u0627\u0648\u0644 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0639\u0646\u0648\u0627\u0646 URL \u062e\u0627\u0631\u062c\u064a:<\/p>\n<pre><code>name: Network Policy Test\non: workflow_dispatch\n\njobs:\n  test-network:\n    runs-on: arc-runner-set\n    steps:\n      - name: Test GitHub API (should work)\n        run: curl -s -o \/dev\/null -w \"%{http_code}\" https:\/\/api.github.com\n\n      - name: Test external URL (should be blocked)\n        run: |\n          if curl -s --connect-timeout 5 https:\/\/evil-exfiltration-server.example.com; then\n            echo \"FAIL: External access was allowed\"\n            exit 1\n          else\n            echo \"PASS: External access was blocked by NetworkPolicy\"\n          fi<\/code><\/pre>\n<p>\u0639\u0646\u062f \u062a\u0634\u063a\u064a\u0644 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0647\u0630\u0627:<\/p>\n<ul>\n<li>\u064a\u0646\u062c\u062d \u0637\u0644\u0628 GitHub API (HTTP 200) \u0644\u0623\u0646 NetworkPolicy \u062a\u0633\u0645\u062d \u0628\u062d\u0631\u0643\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 \u0625\u0644\u0649 \u0646\u0637\u0627\u0642\u0627\u062a IP \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0640 GitHub.<\/li>\n<li>\u062a\u0646\u062a\u0647\u064a \u0645\u0647\u0644\u0629 \u0637\u0644\u0628 URL \u0627\u0644\u062e\u0627\u0631\u062c\u064a \u0648\u064a\u0641\u0634\u0644 \u0644\u0623\u0646\u0647 \u0644\u064a\u0633 \u0641\u064a 
\u0642\u0627\u0626\u0645\u0629 \u0627\u0644\u062e\u0631\u0648\u062c \u0627\u0644\u0645\u0633\u0645\u0648\u062d \u0628\u0647\u0627.<\/li>\n<\/ul>\n<p>\u064a\u0645\u0646\u0639 \u0647\u0630\u0627 \u0639\u0645\u0644\u064a\u0629 \u0628\u0646\u0627\u0621 \u0645\u062e\u062a\u0631\u0642\u0629 \u0645\u0646 \u062a\u0633\u0631\u064a\u0628 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0645\u0635\u062f\u0631\u064a \u0623\u0648 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0623\u0648 \u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0625\u0644\u0649 \u062e\u0627\u062f\u0645 \u064a\u0633\u064a\u0637\u0631 \u0639\u0644\u064a\u0647 \u0627\u0644\u0645\u0647\u0627\u062c\u0645. \u062d\u062a\u0649 \u0644\u0648 \u0642\u0627\u0645\u062a \u0627\u0639\u062a\u0645\u0627\u062f\u064a\u0629 \u062e\u0628\u064a\u062b\u0629 \u0628\u062a\u0634\u063a\u064a\u0644 \u0643\u0648\u062f \u0639\u0634\u0648\u0627\u0626\u064a \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0628\u0646\u0627\u0621\u060c \u0641\u0644\u0627 \u064a\u0645\u0643\u0646\u0647\u0627 \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0628\u0627\u0644\u062e\u0627\u0631\u062c. \u064a\u0646\u0637\u0628\u0642 \u0647\u0630\u0627 \u0641\u0642\u0637 \u0625\u0630\u0627 \u0643\u0627\u0646\u062a \u0625\u0636\u0627\u0641\u0629 CNI \u0641\u064a \u0627\u0644\u0640 cluster \u062a\u0641\u0631\u0636 NetworkPolicy \u0641\u0639\u0644\u064a\u0627\u064b. \u0643\u0645\u0627 \u0623\u0646 DNS \u0648\u0646\u0637\u0627\u0642\u0627\u062a IP \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0640 GitHub \u062a\u0628\u0642\u0649 \u0645\u0633\u0645\u0648\u062d\u0629\u060c \u0644\u0630\u0627 \u064a\u062c\u0628 \u0645\u0631\u0627\u0642\u0628\u0629 \u062d\u0631\u0643\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 \u0625\u0644\u064a\u0647\u0627.<\/p>\n<h2>\u0627\u0644\u062a\u0646\u0638\u064a\u0641<\/h2>\n<p>\u0623\u0632\u0644 \u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u0648\u0627\u0631\u062f \u0627\u0644\u062a\u064a \u062a\u0645 \u0625\u0646\u0634\u0627\u0624\u0647\u0627 \u062e\u0644\u0627\u0644 \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631:<\/p>\n<pre><code># Delete Helm releases\nhelm uninstall arc-runner-set -n arc-runners\nhelm uninstall arc-runner-pr -n arc-runners\nhelm uninstall arc-runner-deploy -n arc-runners\nhelm uninstall arc -n arc-systems\n\n# Delete namespaces\nkubectl delete namespace arc-runners\nkubectl delete namespace arc-systems\n\n# Delete the kind cluster\nkind delete cluster --name arc-lab<\/code><\/pre>\n<p>\u0625\u0630\u0627 \u0623\u0646\u0634\u0623\u062a GitHub App \u0644\u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c 
\u064a\u0645\u0643\u0646\u0643 \u062d\u0630\u0641\u0647 \u0645\u0646 <strong>Settings &#8594; Developer settings &#8594; GitHub Apps<\/strong>. \u0642\u0645 \u0628\u0625\u0644\u063a\u0627\u0621 \u0623\u064a PATs \u0623\u0646\u0634\u0623\u062a\u0647\u0627.<\/p>\n<h2>\u0627\u0644\u0646\u0642\u0627\u0637 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629<\/h2>\n<ul>\n<li><strong>\u062a\u0642\u0636\u064a Runners \u0627\u0644\u0645\u0624\u0642\u062a\u0629 \u0639\u0644\u0649 \u0627\u0644\u062a\u0644\u0648\u062b \u0628\u064a\u0646 \u0627\u0644\u0645\u0647\u0627\u0645.<\/strong> \u062a\u062d\u0635\u0644 \u0643\u0644 \u0645\u0647\u0645\u0629 \u0639\u0644\u0649 \u062d\u0627\u0648\u064a\u0629 \u062c\u062f\u064a\u062f\u0629 \u2014 \u064a\u062a\u0645 \u062a\u062f\u0645\u064a\u0631 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0648\u0627\u0644\u0631\u0645\u0648\u0632 \u0648\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0639\u0646\u062f \u0627\u0643\u062a\u0645\u0627\u0644 \u0627\u0644\u0645\u0647\u0645\u0629.<\/li>\n<li><strong>\u064a\u0648\u0641\u0631 ARC \u0641\u0648\u0627\u0626\u062f runners \u0630\u0627\u062a\u064a\u0629 \u0627\u0644\u0627\u0633\u062a\u0636\u0627\u0641\u0629 \u062f\u0648\u0646 \u0627\u0644\u0645\u062e\u0627\u0637\u0631 \u0627\u0644\u0623\u0645\u0646\u064a\u0629.<\/strong> \u062a\u062d\u0635\u0644 \u0639\u0644\u0649 \u0623\u062f\u0648\u0627\u062a \u0645\u062e\u0635\u0635\u0629 \u0648\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0634\u0628\u0643\u0629 \u062e\u0627\u0635\u0629 \u0648\u0627\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0627\u0644\u062a\u0643\u0627\u0644\u064a\u0641 \u0645\u0639 \u0627\u0644\u062d\u0641\u0627\u0638 \u0639\u0644\u0649 \u0646\u0645\u0648\u0630\u062c \u0627\u0644\u0623\u0645\u0627\u0646 \u0627\u0644\u0645\u0624\u0642\u062a.<\/li>\n<li><strong>\u062a\u0645\u0646\u062d\u0643 \u0635\u0648\u0631 runner \u0627\u0644\u0645\u062e\u0635\u0635\u0629 \u062a\u062d\u0643\u0645\u0627\u064b 
\u0643\u0627\u0645\u0644\u0627\u064b \u0641\u064a \u0628\u064a\u0626\u0629 \u0627\u0644\u0628\u0646\u0627\u0621.<\/strong> \u062b\u0628\u0651\u062a \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u0623\u062f\u0648\u0627\u062a\u060c \u0648\u0627\u0641\u062d\u0635 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u0623\u0645\u0646\u064a\u0629\u060c \u0648\u062a\u062e\u0644\u0635 \u0645\u0646 \u0645\u062e\u0627\u0637\u0631 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0645\u0646 \u0627\u0644\u0628\u0631\u0627\u0645\u062c \u0627\u0644\u0645\u062b\u0628\u062a\u0629 \u0645\u0633\u0628\u0642\u0627\u064b.<\/li>\n<li><strong>\u064a\u0637\u0628\u0651\u0642 \u0639\u0632\u0644 \u0645\u062c\u0645\u0648\u0639\u0627\u062a runner \u0641\u0635\u0644 \u0627\u0644\u0645\u0647\u0627\u0645.<\/strong> \u062a\u0639\u0645\u0644 \u0633\u064a\u0631 \u0639\u0645\u0644 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0633\u062d\u0628 \u0648\u0627\u0644\u0646\u0634\u0631 \u0639\u0644\u0649 \u0645\u062c\u0645\u0648\u0639\u0627\u062a runner \u0645\u0646\u0641\u0635\u0644\u0629 \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0648\u0648\u0635\u0648\u0644 \u0634\u0628\u0643\u064a \u0645\u062e\u062a\u0644\u0641.<\/li>\n<li><strong>\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0634\u0628\u0643\u0629 \u0647\u064a \u0637\u0628\u0642\u0629 \u062f\u0641\u0627\u0639 \u062d\u0627\u0633\u0645\u0629.<\/strong> \u064a\u0645\u0646\u0639 \u062a\u0642\u064a\u064a\u062f \u062e\u0631\u0648\u062c runner \u062a\u0633\u0631\u064a\u0628 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u062d\u062a\u0649 \u0644\u0648 \u062a\u0645 \u0627\u062e\u062a\u0631\u0627\u0642 \u062e\u0637\u0648\u0629 \u0628\u0646\u0627\u0621.<\/li>\n<li><strong>\u064a\u0642\u0644\u0644 \u0627\u0644\u062a\u0648\u0633\u0639 \u0627\u0644\u062a\u0644\u0642\u0627\u0626\u064a \u0625\u0644\u0649 \u0627\u0644\u0635\u0641\u0631 \u0645\u0646 
\u0627\u0644\u062a\u0643\u0644\u0641\u0629 \u0648\u0633\u0637\u062d \u0627\u0644\u0647\u062c\u0648\u0645.<\/strong> \u062a\u0648\u062c\u062f pods \u0627\u0644\u0640 runner \u0641\u0642\u0637 \u0644\u0645\u062f\u0629 \u0627\u0644\u0645\u0647\u0645\u0629 \u2014 \u0644\u0627 \u062a\u0648\u062c\u062f \u0628\u0646\u064a\u0629 \u062a\u062d\u062a\u064a\u0629 \u062f\u0627\u0626\u0645\u0629 \u0644\u0644\u0635\u064a\u0627\u0646\u0629 \u0623\u0648 \u0627\u0644\u062a\u0623\u0645\u064a\u0646.<\/li>\n<\/ul>\n<h2>\u0627\u0644\u062e\u0637\u0648\u0627\u062a \u0627\u0644\u062a\u0627\u0644\u064a\u0629<\/h2>\n<p>\u0648\u0627\u0635\u0644 \u062a\u0639\u0632\u064a\u0632 \u0648\u0636\u0639\u0643 \u0627\u0644\u0623\u0645\u0646\u064a \u0644\u0640 CI\/CD \u0645\u0639 \u0647\u0630\u0647 \u0627\u0644\u0623\u062f\u0644\u0629 \u0630\u0627\u062a \u0627\u0644\u0635\u0644\u0629:<\/p>\n<ul>\n<li><a href=\"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/securing-github-actions-runners\/\">\u062a\u0623\u0645\u064a\u0646 GitHub Actions Runners<\/a> \u2014 \u062a\u0639\u0645\u0642 \u0641\u064a \u0623\u0641\u0636\u0644 \u0645\u0645\u0627\u0631\u0633\u0627\u062a \u0623\u0645\u0627\u0646 runner \u0648\u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0631\u0645\u0648\u0632 \u0648\u0627\u0644\u0645\u0631\u0627\u0642\u0628\u0629 \u0644\u0643\u0644 \u0645\u0646 GitHub-hosted \u0648 self-hosted runners.<\/li>\n<li><a href=\"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/separation-of-duties-least-privilege-ci-cd-pipelines\/\">\u0641\u0635\u0644 \u0627\u0644\u0645\u0647\u0627\u0645 \u0648\u0645\u0628\u062f\u0623 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0627\u0644\u0623\u0642\u0644 \u0641\u064a \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD<\/a> \u2014 \u062f\u0644\u064a\u0644 \u0634\u0627\u0645\u0644 \u0644\u062a\u0637\u0628\u064a\u0642 \u0645\u0628\u0627\u062f\u0626 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0627\u0644\u0623\u0642\u0644 \u0639\u0628\u0631 
\u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0628\u0627\u0644\u0643\u0627\u0645\u0644\u060c \u0645\u0646 \u0627\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0627\u0644\u0645\u0635\u062f\u0631 \u0625\u0644\u0649 \u0646\u0634\u0631 \u0627\u0644\u0625\u0646\u062a\u0627\u062c.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u0646\u0638\u0631\u0629 \u0639\u0627\u0645\u0629 \u062a\u064f\u0639\u062f GitHub-hosted runners \u0645\u0634\u062a\u0631\u0643\u0629 \u0648\u0645\u0624\u0642\u062a\u0629 \u0628\u0634\u0643\u0644 \u0627\u0641\u062a\u0631\u0627\u0636\u064a \u2014 \u062d\u064a\u062b \u064a\u062d\u0635\u0644 \u0643\u0644 \u0645\u0647\u0645\u0629 (job) \u0639\u0644\u0649 \u0622\u0644\u0629 \u0627\u0641\u062a\u0631\u0627\u0636\u064a\u0629 \u062c\u062f\u064a\u062f\u0629 \u064a\u062a\u0645 \u062a\u062f\u0645\u064a\u0631\u0647\u0627 \u0628\u0639\u062f \u0627\u0643\u062a\u0645\u0627\u0644 \u0627\u0644\u0645\u0647\u0645\u0629. \u0623\u0645\u0627 Self-hosted runners\u060c \u0641\u0647\u064a \u062f\u0627\u0626\u0645\u0629 \u0648\u0645\u0634\u062a\u0631\u0643\u0629 \u0639\u0628\u0631 \u0639\u0645\u0644\u064a\u0627\u062a \u062a\u0634\u063a\u064a\u0644 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0645\u062e\u062a\u0644\u0641\u0629. 
\u064a\u064f\u0634\u0643\u0651\u0644 \u0647\u0630\u0627 \u062e\u0637\u0631\u0627\u064b \u0623\u0645\u0646\u064a\u0627\u064b \u0643\u0628\u064a\u0631\u0627\u064b: \u062d\u064a\u062b \u064a\u0645\u0643\u0646 \u0623\u0646 \u062a\u062a\u0633\u0631\u0628 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 (secrets) \u0648\u0627\u0644\u0631\u0645\u0648\u0632 (tokens) \u0648\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 (build artifacts) \u0645\u0646 \u0645\u0647\u0645\u0629 &#8230; <a title=\"\u0645\u062e\u062a\u0628\u0631: \u062a\u0634\u063a\u064a\u0644 Runners \u0630\u0627\u062a\u064a\u0629 \u0627\u0644\u0627\u0633\u062a\u0636\u0627\u0641\u0629 \u0645\u0624\u0642\u062a\u0629 \u0644\u0640 GitHub Actions \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Actions Runner Controller\" class=\"read-more\" href=\"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/lab-ephemeral-self-hosted-runners-actions-runner-controller\/\" aria-label=\"Read more about \u0645\u062e\u062a\u0628\u0631: \u062a\u0634\u063a\u064a\u0644 Runners \u0630\u0627\u062a\u064a\u0629 \u0627\u0644\u0627\u0633\u062a\u0636\u0627\u0641\u0629 \u0645\u0624\u0642\u062a\u0629 \u0644\u0640 GitHub Actions \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Actions Runner Controller\">\u0627\u0642\u0631\u0623 
\u0627\u0644\u0645\u0632\u064a\u062f<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,29],"tags":[],"post_folder":[],"class_list":["post-815","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-github-actions"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/815","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=815"}],"version-history":[{"count":1,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/815\/revisions"}],"predecessor-version":[{"id":817,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/815\/revisions\/817"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=815"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=815"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=815"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=815"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}