runs-on

v3.0.8 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 15d Pipelines

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

aws ci-cd cloudformation ec2-spot github-runners on-premise

+2 more

self-hosted self-hosted-runners

Affected surfaces

auth

Summary

AI summary

Updates Spotlight, Other fixes, and Terraform across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Feature
Feature	Medium	Improved GitHub runner registration recovery handles 409 name conflicts by retrying. Improved GitHub runner registration recovery handles 409 name conflicts by retrying. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high	—
Feature	Medium	Filtered GitHub workflow_job webhooks at ingress to skip jobs without RunsOn or Dependabot labels. Filtered GitHub workflow_job webhooks at ingress to skip jobs without RunsOn or Dependabot labels. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high	—
Feature	Medium	Refreshed generated Terraform module documentation and examples for v3.0.8. Refreshed generated Terraform module documentation and examples for v3.0.8. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: low	—
Dependency	Medium	Updated runtime dependencies for agent, CLI, config, server, and supporting tools. Updated runtime dependencies for agent, CLI, config, server, and supporting tools. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high	—
Performance	Medium	Stopped OpenTelemetry collector before runner shutdown to allow log and trace flushing. Stopped OpenTelemetry collector before runner shutdown to allow log and trace flushing. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high	—
Bugfix
Bugfix	Medium	Skipped RunsOn RAID setup when AMI already claims instance-store disks, preventing boot failures. Skipped RunsOn RAID setup when AMI already claims instance-store disks, preventing boot failures. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high	—
Bugfix	Medium	Used strongly consistent DynamoDB job reads during broker handoffs to avoid missing pending work. Used strongly consistent DynamoDB job reads during broker handoffs to avoid missing pending work. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high	—
Bugfix	Medium	Fixed release mirror branch detection and publication helpers for mirrored repositories. Fixed release mirror branch detection and publication helpers for mirrored repositories. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high	—
Bugfix	Medium	Fixed ownership of the agent .aws directory for AWS credential usage and updates. Fixed ownership of the agent .aws directory for AWS credential usage and updates. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: low	—
Bugfix	Medium	Fixed ownership of the agent .aws directory, enabling runner jobs to use and update AWS credentials. Fixed ownership of the agent .aws directory, enabling runner jobs to use and update AWS credentials. Source: granite4.1:30b@2026-05-19-audit Confidence: low	—
Refactor	Medium	Moved StepSecurity integration setup into per-job boot after mount points are ready. Moved StepSecurity integration setup into per-job boot after mount points are ready. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high	—
Refactor	Medium	Applied same GitHub workflow_job ingress filtering to Terraform-managed webhook Lambdas. Applied same GitHub workflow_job ingress filtering to Terraform-managed webhook Lambdas. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high	—

Full changelog

Spotlight

Improved GitHub runner registration recovery so 409 name conflicts during JIT re-mint rotate to a fresh attempt instead of failing the job terminally.
Moved StepSecurity integration setup into per-job boot after mount points are ready, so integrations initialize with the right job context.
Skipped RunsOn RAID setup when an AMI has already claimed instance-store disks, avoiding boot failures on images such as AWS DLAMI.
Stopped the OpenTelemetry collector before runner shutdown so pending logs and traces have a chance to flush cleanly.
Updated runtime dependencies for the agent, CLI, config, server, and supporting tools.

CloudFormation

Filtered GitHub workflow_job webhooks at ingress so jobs without RunsOn or Dependabot labels are accepted but not enqueued, reducing queue noise and unnecessary reconciliation work.

Terraform

Applied the same GitHub workflow_job ingress filtering to Terraform-managed webhook Lambdas.
Refreshed generated Terraform module documentation and examples for v3.0.8.

Other fixes

Used strongly consistent DynamoDB job reads during broker handoffs so fresh pending work is not missed until the recovery tick.
Fixed ownership of the agent .aws directory so runner jobs can use and update AWS credentials created during setup.
Fixed release mirror branch detection and publication helpers used for mirrored repositories.

Release resources

Upgrade guide: https://runs-on.com/guides/upgrade/
CloudFormation template: https://runs-on.s3.eu-west-1.amazonaws.com/cloudformation/template-v3.0.8.yaml

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track runs-on

Get notified when new releases ship.

About runs-on

Self-hosted GitHub Actions runners made simple. For AWS. 10x cheaper, 40% faster, and unlimited caching. Best alternative to Actions Runner Controller.

All releases →