depot/depot-github-runners
skills/depot-github-runners/SKILL.md
Configures Depot-managed GitHub Actions runners as a drop-in replacement for GitHub-hosted runners. Use when setting up or migrating GitHub Actions workflows to use Depot runners, choosing runner sizes (CPU/RAM), configuring runs-on labels, setting up ARM or Windows or macOS runners, troubleshooting GitHub Actions runner issues, configuring egress filtering, using Depot Cache with GitHub Actions, or running Dagger/Dependabot on Depot runners. Also use when the user mentions depot-ubuntu, depot-windows, depot-macos runner labels, or asks about faster/cheaper GitHub Actions runners.
$ install --global
skillsauthnpx skillsauth add depot/skills depot-github-runnersInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 31, 2026, 3:03 AM27.5s2 files scanned
SKILL.md
- name:
- depot-github-runners
- description:
- >
Depot GitHub Actions Runners
Depot provides managed, ephemeral, single-tenant GitHub Actions runners. Drop-in replacement for GitHub-hosted runners — change the runs-on label and everything else stays the same.
Requirement: Repository must be owned by a GitHub organization (not a personal account).
Setup
- Depot dashboard → GitHub Actions → Connect to GitHub → Install Depot GitHub App
- For public repos: GitHub org settings → Actions → Runner groups → Default → "Allow public repositories"
- Update
runs-onin your workflow files
Org Context Check for Multi-Org Users
If a user belongs to multiple organizations and expected repos/settings/runners are not visible, verify Depot org context first:
depot org show # Current org ID
depot org list # Orgs the user belongs to
depot org switch <org-id> # Optional: set default org
For commands that support it, pass --org <org-id> to target the org where the workflow/repo lives.
Runner Labels
Use a single label. Format: depot-{os}-{version}[-{arch}][-{size}]
Ubuntu (Intel x86 — AMD EPYC)
| Label | CPUs | RAM | Disk | $/min |
|-------|------|-----|------|-------|
| depot-ubuntu-24.04 | 2 | 8 GB | 100 GB | $0.004 |
| depot-ubuntu-24.04-4 | 4 | 16 GB | 130 GB | $0.008 |
| depot-ubuntu-24.04-8 | 8 | 32 GB | 150 GB | $0.016 |
| depot-ubuntu-24.04-16 | 16 | 64 GB | 180 GB | $0.032 |
| depot-ubuntu-24.04-32 | 32 | 128 GB | 200 GB | $0.064 |
| depot-ubuntu-24.04-64 | 64 | 256 GB | 250 GB | $0.128 |
Ubuntu 22.04 also available: depot-ubuntu-22.04, depot-ubuntu-22.04-4, etc.
Ubuntu (ARM — Graviton4)
Same sizes and pricing as Intel. Add -arm suffix:
depot-ubuntu-24.04-arm, depot-ubuntu-24.04-arm-4, depot-ubuntu-24.04-arm-8, etc.
Windows Server
| Label | CPUs | RAM | $/min |
|-------|------|-----|-------|
| depot-windows-2025 | 2 | 8 GB | $0.008 |
| depot-windows-2025-4 | 4 | 16 GB | $0.016 |
| depot-windows-2025-8 through -64 | 8–64 | 32–256 GB | $0.032–$0.256 |
Windows Server 2022 also available: depot-windows-2022, etc.
Windows limitation: No Hyper-V. Docker does not work on Windows runners.
macOS (Apple M2)
| Label | CPUs | RAM | $/min |
|-------|------|-----|-------|
| depot-macos-15 / depot-macos-latest | 8 | 24 GB | $0.08 |
| depot-macos-14 | 8 | 24 GB | $0.08 |
macOS is NOT fully elastic — fixed pool with FIFO queuing.
Aliases
depot-ubuntu-latest → Ubuntu 24.04, depot-windows-latest → Windows 2025, depot-macos-latest → macOS 15
Migration Example
jobs:
build:
# Before:
# runs-on: ubuntu-latest
# After:
runs-on: depot-ubuntu-24.04-4
steps:
- uses: actions/checkout@v4
- run: npm ci
- run: npm test
Common Mistakes
# ❌ WRONG — multiple labels cause stability issues
runs-on: [self-hosted, depot-ubuntu-24.04]
# ✅ CORRECT — always use a single Depot runner label
runs-on: depot-ubuntu-24.04-4
Caching
Actions using the GitHub Actions cache API automatically use Depot Cache — no config changes needed. This includes actions/cache, actions/setup-node, actions/setup-python, actions/setup-java, and any action using @actions/cache.
Pre-configured build tool caches (zero config on Depot runners):
|Tool |What's pre-configured |
|---------|--------------------------------------------------------------|
|Turborepo|TURBO_API env var set — just run turbo build |
|Bazel |~/.bazelrc pre-populated — just run bazel build //... |
|sccache |SCCACHE_WEBDAV_ENDPOINT set — use RUSTC_WRAPPER: 'sccache'|
|Maven |settings.xml pre-populated (cache id depot-cache) |
|Pants |pants.toml pre-configured — just run pants package :: |
|moonrepo |Env vars set — just run moon run build |
Cache behavior: repository-scoped, no branch isolation, encrypted, up to 1000 MiB/s throughput, configurable retention (7/14/30 days).
To disable auto-cache: org settings → turn off "Allow Actions jobs to automatically connect to Depot Cache."
Dagger Integration
Deprecated: Dagger Engine support on Depot GitHub Actions Runners is being deprecated and will be removed in a future update. Don't recommend this integration for new workflows.
runs-on: depot-ubuntu-latest,dagger=0.15.1
Launches a dedicated Dagger Engine VM with persistent NVMe cache. Dagger CLI pre-installed. Additional $0.04/min.
Egress Filtering (Linux Only)
Configure in org settings → GitHub Actions Runners → Egress Rules. Set default rule to Allow or Deny, then add specific allow/deny rules for IPs, CIDRs, or hostnames. Not supported on macOS or Windows. Incompatible with Tailscale.
Access Private Endpoints with Tailscale
Use Tailscale when jobs need to reach private services (internal APIs, databases, private subnets) without static IP allowlists.
How it works on Depot:
- Depot GitHub Actions runners join your tailnet as ephemeral nodes at job start.
- Access is controlled with your Tailscale ACLs (recommended tag:
tag:depot-runner). - No workflow YAML changes are required just to connect runners to private endpoints.
Setup:
- In Tailscale ACLs, create a runner tag (for example
tag:depot-runner) undertagOwners. - Create a Tailscale OAuth client with
Keys > Auth Keyswrite scope and choose that tag. - In Depot org settings, open Tailscale settings and connect using the OAuth client ID/secret.
- Add ACLs allowing
tag:depot-runnerto access target hosts/subnets.
ACL examples:
{
"acls": [
{
"action": "accept",
"src": ["tag:depot-runner"],
"dst": ["database-hostname"]
}
]
}
{
"acls": [
{
"action": "accept",
"src": ["tag:depot-runner"],
"dst": ["192.0.2.0/24:*"]
}
]
}
Reference docs:
- https://depot.dev/docs/github-actions/how-to-guides/access-private-resources
- https://depot.dev/docs/integrations/tailscale
Dependabot
Enable "Dependabot on self-hosted runners" in GitHub org settings. Jobs auto-run on depot-ubuntu-latest.
Important: OIDC is not supported for Dependabot. Use token: input with a DEPOT_TOKEN secret instead.
SSH Debugging
steps:
- uses: actions/checkout@v4
- uses: mxschmitt/action-tmate@v3
- run: npm test
Troubleshooting
|Error |Fix |
|--------------------------------------------|---------------------------------------------------------------------------------------------------|
|"No space left on device" |OS uses ~70 GB disk; upgrade to larger runner or clean disk in workflow |
|"Lost communication with server" |Check status.depot.dev; check org usage caps |
|"Operation was canceled" |Manual cancel, concurrency cancel-in-progress, or OOM — check memory in dashboard |
|"Unable to get ACTIONS_ID_TOKEN_REQUEST_URL"|Dependabot doesn't support OIDC — use DEPOT_TOKEN secret |
|Workflows not starting |Verify single runner label; check runner group allows the repo; verify Depot GitHub App permissions|
|Stuck workflows |Force cancel via GitHub API: POST /repos/{owner}/{repo}/actions/runs/{id}/force-cancel |
Related Skills
depot/depot-general
tools
VerifiedTrustedCommunity
Handles Depot CLI installation, authentication, login, project setup, organization management, and API access. Use when installing the Depot CLI, logging in with `depot login`, creating or managing Depot projects, configuring API tokens or OIDC trust relationships, setting up depot.json, managing organizations, resetting build caches, or using the Depot API/SDKs. Also use when the user asks about Depot authentication methods, token types, environment variables, or general Depot platform setup that isn't specific to container builds, GitHub Actions runners, or Depot CI.
1SKILL.mdUpdated Apr 21, 2026
depot/depot-container-builds
development
VerifiedTrustedCommunity
Configures and runs Depot remote container builds using `depot build` and `depot bake`. Use when building Docker images, creating Dockerfiles with Depot, pushing images to registries, building multi-platform/multi-arch images (linux/amd64, linux/arm64), debugging container build failures, optimizing Dockerfile layer caching, using docker-bake.hcl or docker-compose builds, or migrating from `docker build` / `docker buildx build` to Depot. Also use when the user mentions depot build, depot bake, container builds, image builds, or asks about Depot's build cache, build parallelism, or ephemeral registry.
1SKILL.mdUpdated Apr 21, 2026
depot/depot-ci
development
VerifiedTrustedCommunity
Configures and manages Depot CI, a drop-in replacement for GitHub Actions that runs workflows entirely within Depot. Use when migrating GitHub Actions workflows to Depot CI, running `depot ci migrate`, managing Depot CI secrets and variables, running workflows with `depot ci run`, debugging Depot CI runs with `depot ci run list`, `depot ci status`, `depot ci logs`, or `depot ci ssh`, checking workflow compatibility, or understanding Depot CI capabilities. Also use when the user mentions .depot/ directory, depot ci commands, or asks about running GitHub Actions workflows on Depot's infrastructure without GitHub-hosted runners.
1SKILL.mdUpdated Apr 21, 2026
openclaw/taskflow
tools
VerifiedTrustedCommunity
Use when work should span one or more detached tasks but still behave like one job with a single owner context. TaskFlow is the durable flow substrate under authoring layers like Lobster, ACPX, plugins, or plain code. Keep conditional logic in the caller; use TaskFlow for flow identity, child-task linkage, waiting state, revision-checked mutations, and user-facing emergence.
357,764SKILL.mdUpdated Apr 10, 2026