Felix Pinkston
Jun 14, 2025 00:48
GitHub’s Actions Runner Controller 0.12.0 introduces support for OpenShift, vault-based secrets, and DinD improvements, enhancing security and reliability for developers.
GitHub has announced the release of Actions Runner Controller (ARC) version 0.12.0, featuring significant updates aimed at enhancing security and operational efficiency for developers. According to the GitHub Blog, this release includes public preview support for Red Hat OpenShift Kubernetes clusters, vault-based secret management, and improvements to Docker-in-Docker (DinD) container mode.
OpenShift Public Preview
The latest ARC update marks the first-time inclusion of public preview support for Red Hat OpenShift Kubernetes clusters. This support applies to configurations with no containerMode set or with containerMode set to kubernetes. While DinD can be used, GitHub advises caution as it is not fully supported yet, citing potential security risks associated with privileged containers that could bypass security controls.
Vault-Based Secret Management
The new version of ARC introduces support for retrieving secrets from external vaults, alongside existing Kubernetes secrets. This feature enhances the secure and dynamic retrieval of sensitive credentials, such as Personal Access Tokens and GitHub App credentials. Currently, only Azure Key Vault is supported, with plans to expand to additional vault providers in future releases. However, some secrets like the runner JIT token are not yet supported for vault-based storage.
Improvements to Docker-in-Docker
The update brings enhancements to the DinD container mode by introducing sidecar support, which addresses lifecycle synchronization issues between the runner and DinD container. This improvement, leveraging Kubernetes’ native sidecar feature, ensures that the DinD container no longer exits prematurely, which previously could disrupt operations.
Quality of Life Enhancements
ARC 0.12.0 brings several quality of life improvements, including an automatic retry mechanism for failed pods, reducing manual intervention for transient issues. Additionally, patch-level rolling updates are now supported, minimizing disruptions during upgrades. However, minor version upgrades still necessitate a reinstallation, especially if Custom Resource Definitions (CRDs) have been modified.
The release also reintroduces the job_workflow_ref metric with improved handling to better manage workflow reference tracking, addressing previous high cardinality concerns.
These updates are part of GitHub’s ongoing efforts to enhance the reliability and security of its development tools, ensuring developers can build and deploy applications more efficiently.