Coming soon

GitHub starts it. You run it.

pks-github-runner

A self-hosted GitHub runner where no secret ever lives on GitHub — GitHub only triggers the job; your runner holds every credential and runs in a secure, always-warm devcontainer.

Your secrets live in someone else's CI.

To let a hosted runner build and deploy, you upload your keys to the provider and hope they stay there. Every run starts cold and reinstalls everything from scratch, so the minutes — and the bill — pile up. And the CI environment drifts from what your developers actually run locally, so “works on my machine” becomes flaky releases. We turned it inside out.

  • Hosted runners need your secrets on GitHub — one leak and they're gone.

  • Cold, ephemeral runners reinstall everything every time; every second counts against your release.

  • The CI environment doesn't match the developers' — the drift hides bugs until they hit production.

Look how little it takes.

  1. GitHub triggers the job.

    GitHub does one thing: it dispatches the fact that something should run. No keys, no secrets — just a signal.

  2. Your runner picks it up locally.

    It runs on hardware you own and already holds every credential. Nothing sensitive travels the other way.

  3. It runs in your devcontainer.

    The same devcontainer as your developers — kept warm between runs so nothing reinstalls. What works locally works in CI.

  4. The release ships in minutes.

    A warm environment plus local keys means sub-five-minute releases — and DORA metrics you can actually hold.

  • No secrets on GitHub

    GitHub only dispatches the job. Every key, token and certificate stays inside your own perimeter.

  • Always-warm devcontainers

    Containers persist between runs — no cold start, no reinstall, no wasted minutes.

  • The same environment your devs use

    Dev, CI and CD share one devcontainer. No drift, no “works on my machine”.

  • DORA, in practice

    Short lead time, low change-fail rate, and sub-five-minute releases — by default, not by heroics.

  • Runs in your secure environment

    The job runs isolated on your own hardware, behind your own controls — not in someone else's cloud.

  • Builds on the suite

    Pulls devcontainer images from your own registry and deploys onward with Coolify — owned from commit to production.

  • GitHub is a dispatcher, not a vault. Not one secret leaves your perimeter — control of the keys is yours alone.

  • The runner runs on hardware you own, in the exact devcontainer your team develops in. CI isn't a foreign environment — it's your own.

  • Warm and persistent by design: no per-run reinstall tax, so sub-five-minute releases are the starting point, not the goal.

  • Composes with the rest of the suite — registry for images, Coolify for deploy — so the whole path from commit to production is owned, end to end.

GitHub sets the job. You own the rest.

Your secrets never leave your environment. CI and CD run in the exact devcontainer your developers work in — kept warm between runs. That makes DORA practice easy and sub-five-minute releases the norm, not the exception.
