Public GitHub repositories
Enable Shipfox runners on public repositories while maintaining strong security guarantees
Shipfox registers its runners under the Default runner group (ID 1) of your GitHub Organization. However, GitHub disables self-hosted runners for public repositories by default, including managed services like Shipfox.
To use Shipfox with public repositories, you'll need to explicitly allow it in your organization's runner settings.
Enable Shipfox runners on public repositories
To allow public repos to use Shipfox runners:
https://github.com/organizations/[YOUR_ORGANIZATION]/settings/actions/runner-groups/1
Security Considerations
Shipfox runners offer the same isolation guarantees as GitHub-hosted runners.
GitHub advises caution with self-hosted runners on public repositories due to the risk of untrusted pull requests compromising infrastructure, especially with insecure setups like ARC on Kubernetes.
Shipfox is built differently:
- Each job runs inside an ephemeral, isolated virtual machine
- No reuse between runs or repositories
- No persistent access to your infrastructure
This design ensures safe usage on public repositories, even for external contributions. Secrets and cloud credentials remain secure.