Depot GitHub Actions Runners
Depot provides managed, ephemeral, single-tenant GitHub Actions runners. Drop-in replacement for GitHub-hosted runners — change the runs-on label and everything else stays the same.
Requirement: Repository must be owned by a GitHub organization (not a personal account).
Setup
- Depot dashboard → GitHub Actions → Connect to GitHub → Install Depot GitHub App
- For public repos: GitHub org settings → Actions → Runner groups → Default → "Allow public repositories"
- Update
runs-onin your workflow files
Runner Labels
Use a single label. Format: depot-{os}-{version}[-{arch}][-{size}]
Ubuntu (Intel x86 — AMD EPYC)
| Label | CPUs | RAM | Disk | $/min |
|---|---|---|---|---|
depot-ubuntu-24.04 | 2 | 8 GB | 100 GB | $0.004 |
depot-ubuntu-24.04-4 | 4 | 16 GB | 130 GB | $0.008 |
depot-ubuntu-24.04-8 | 8 | 32 GB | 150 GB | $0.016 |
depot-ubuntu-24.04-16 | 16 | 64 GB | 180 GB | $0.032 |
depot-ubuntu-24.04-32 | 32 | 128 GB | 200 GB | $0.064 |
depot-ubuntu-24.04-64 | 64 | 256 GB | 250 GB | $0.128 |
Ubuntu 22.04 also available: depot-ubuntu-22.04, depot-ubuntu-22.04-4, etc.
Ubuntu (ARM — Graviton4)
Same sizes and pricing as Intel. Add -arm suffix:
depot-ubuntu-24.04-arm, depot-ubuntu-24.04-arm-4, depot-ubuntu-24.04-arm-8, etc.
Windows Server
| Label | CPUs | RAM | $/min |
|---|---|---|---|
depot-windows-2025 | 2 | 8 GB | $0.008 |
depot-windows-2025-4 | 4 | 16 GB | $0.016 |
depot-windows-2025-8 through -64 | 8–64 | 32–256 GB | $0.032–$0.256 |
Windows Server 2022 also available: depot-windows-2022, etc.
Windows limitation: No Hyper-V. Docker does not work on Windows runners.
macOS (Apple M2)
| Label | CPUs | RAM | $/min |
|---|---|---|---|
depot-macos-15 / depot-macos-latest | 8 | 24 GB | $0.08 |
depot-macos-14 | 8 | 24 GB | $0.08 |
macOS is NOT fully elastic — fixed pool with FIFO queuing. Startup plan+ only.
Aliases
depot-ubuntu-latest → Ubuntu 24.04, depot-windows-latest → Windows 2025, depot-macos-latest → macOS 15
Migration Example
jobs:
build:
# Before:
# runs-on: ubuntu-latest
# After:
runs-on: depot-ubuntu-24.04-4
steps:
- uses: actions/checkout@v4
- run: npm ci
- run: npm test
Common Mistakes
# ❌ WRONG — multiple labels cause stability issues
runs-on: [self-hosted, depot-ubuntu-24.04]
# ✅ CORRECT — always use a single Depot runner label
runs-on: depot-ubuntu-24.04-4
Caching
Actions using the GitHub Actions cache API automatically use Depot Cache — no config changes needed. This includes actions/cache, actions/setup-node, actions/setup-python, actions/setup-java, and any action using @actions/cache.
Pre-configured build tool caches (zero config on Depot runners):
| Tool | What's pre-configured |
|---|---|
| Turborepo | TURBO_API env var set — just run turbo build |
| Bazel | ~/.bazelrc pre-populated — just run bazel build //... |
| sccache | SCCACHE_WEBDAV_ENDPOINT set — use RUSTC_WRAPPER: 'sccache' |
| Maven | settings.xml pre-populated (cache id depot-cache) |
| Pants | pants.toml pre-configured — just run pants package :: |
| moonrepo | Env vars set — just run moon run build |
Cache behavior: repository-scoped, no branch isolation, encrypted, up to 1000 MiB/s throughput, configurable retention (7/14/30 days).
To disable auto-cache: org settings → turn off "Allow Actions jobs to automatically connect to Depot Cache."
Dagger Integration
runs-on: depot-ubuntu-latest,dagger=0.15.1
Launches a dedicated Dagger Engine VM with persistent NVMe cache. Dagger CLI pre-installed. Additional $0.04/min.
Egress Filtering (Linux Only)
Configure in org settings → GitHub Actions Runners → Egress Rules. Set default rule to Allow or Deny, then add specific allow/deny rules for IPs, CIDRs, or hostnames. Not supported on macOS or Windows. Incompatible with Tailscale.
Access Private Endpoints with Tailscale
Use Tailscale when jobs need to reach private services (internal APIs, databases, private subnets) without static IP allowlists.
How it works on Depot:
- Depot GitHub Actions runners join your tailnet as ephemeral nodes at job start.
- Access is controlled with your Tailscale ACLs (recommended tag:
tag:depot-runner). - No workflow YAML changes are required just to connect runners to private endpoints.
Setup:
- In Tailscale ACLs, create a runner tag (for example
tag:depot-runner) undertagOwners. - Create a Tailscale OAuth client with
Keys > Auth Keyswrite scope and choose that tag. - In Depot org settings, open Tailscale settings and connect using the OAuth client ID/secret.
- Add ACLs allowing
tag:depot-runnerto access target hosts/subnets.
ACL examples:
{
"acls": [
{
"action": "accept",
"src": ["tag:depot-runner"],
"dst": ["database-hostname"]
}
]
}
{
"acls": [
{
"action": "accept",
"src": ["tag:depot-runner"],
"dst": ["192.0.2.0/24:*"]
}
]
}
Reference docs:
- https://depot.dev/docs/github-actions/how-to-guides/access-private-resources
- https://depot.dev/docs/integrations/tailscale
Dependabot
Enable "Dependabot on self-hosted runners" in GitHub org settings. Jobs auto-run on depot-ubuntu-latest.
Important: OIDC is not supported for Dependabot. Use token: input with a DEPOT_TOKEN secret instead.
SSH Debugging
steps:
- uses: actions/checkout@v4
- uses: mxschmitt/action-tmate@v3
- run: npm test
Troubleshooting
| Error | Fix |
|---|---|
| "No space left on device" | OS uses ~70 GB disk; upgrade to larger runner or clean disk in workflow |
| "Lost communication with server" | Check status.depot.dev; check org usage caps |
| "Operation was canceled" | Manual cancel, concurrency cancel-in-progress, or OOM — check memory in dashboard |
| "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL" | Dependabot doesn't support OIDC — use DEPOT_TOKEN secret |
| Workflows not starting | Verify single runner label; check runner group allows the repo; verify Depot GitHub App permissions |
| Stuck workflows | Force cancel via GitHub API: POST /repos/{owner}/{repo}/actions/runs/{id}/force-cancel |