Shipfox
Shipfox Runners

Public GitHub repositories

Enable Shipfox runners on public repositories while maintaining strong security guarantees

Shipfox registers its runners under the Default runner group (ID 1) of your GitHub Organization. However, GitHub disables self-hosted runners for public repositories by default, including managed services like Shipfox.

To use Shipfox with public repositories, you'll need to explicitly allow it in your organization's runner settings.

Enable Shipfox runners on public repositories

To allow public repos to use Shipfox runners:

Go to your GitHub Organization’s runner group settings:
https://github.com/organizations/[YOUR_ORGANIZATION]/settings/actions/runner-groups/1
Check the box labelled Allow public repositories

Security Considerations

Shipfox runners offer the same isolation guarantees as GitHub-hosted runners.

GitHub advises caution with self-hosted runners on public repositories due to the risk of untrusted pull requests compromising infrastructure, especially with insecure setups like ARC on Kubernetes.

Shipfox is built differently:

  • Each job runs inside an ephemeral, isolated virtual machine
  • No reuse between runs or repositories
  • No persistent access to your infrastructure

This design ensures safe usage on public repositories, even for external contributions. Secrets and cloud credentials remain secure.

Static IP runners

Allowlist Shipfox runners by assigning them static IPs

Specificities

Shipfox runners aim to be 100% compatible with GitHub actions hosted runners.