
How does a GitHub Actions self-hosted runner work?


I've just learnt about GitHub Actions and I think it's super fantastic.

One thing that struck me hard at the beginning was that, when I was setting up the self-hosted runner, GitHub asked me to run a bunch of commands on my local machine, which apparently is in a private network and is not exposed to the internet (inbound, meaning the www cannot reach it).

However, after installing what GitHub asks me to install, it seems like a webhook is set up successfully and every time there's a push/merge to my master (set up in the GitHub action file), the worker on my computer knows and starts pulling the newest version of the repo and starts installing dependencies and other CI/CD stuff.

Now what I'm curious about is how GitHub actually talks to my VM while it's in a private network.

I've never been a networking guy, so I'm not so sure why this is possible. But it's fascinating.


Solution

  • It's not that GitHub is connecting to your self-hosted runner (inbound) but the self-hosted runner itself connecting to GitHub (outbound). This is why it works. It's your VM (with the runner in the private network) talking to GitHub. The communication direction is reversed. After your self-hosted runner connects to GitHub, both parties keep the connection open. That allows all the events to be pushed to your runner through the connection by the GitHub repository if something happens (a PR is opened, a commit was made, etc.). The connection remains open while the runner is operating. Of course, if something bad happens to the network and the connection is broken, the communication will stop working. To fix that, the runner periodically sends ping packets to GitHub to validate that the connection is working and attempts to reconnect if it's not.

    You can read more about the communication workflow in the official documentation.
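
The outbound-only pattern described in the answer, as an added example that is not part of the original answer and is not GitHub's runner code: a local HTTP server stands in for the hosted service, and the runner side only makes outbound requests, which the server holds open until a job exists. The `/poll` path, the function names and the event payload are assumptions made for illustration.

```python
import json, queue, threading, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

JOBS = queue.Queue()  # work the service side wants to hand to a runner

class Service(BaseHTTPRequestHandler):
    """Stand-in for the hosted side: the only listening socket in this demo."""
    def do_GET(self):
        try:
            job = JOBS.get(timeout=2)  # hold the request open until work exists
            status, body = 200, json.dumps(job).encode()
        except queue.Empty:
            status, body = 204, b""    # nothing yet; the runner will ask again
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the demo output quiet
        pass

def runner(base_url, max_polls=5):
    """Runner side: outbound requests only, it never binds or listens."""
    for _ in range(max_polls):
        try:
            with urllib.request.urlopen(base_url + "/poll", timeout=5) as resp:
                if resp.status == 200:
                    return json.loads(resp.read())
        except OSError:
            continue                   # connection failed: connect again
    return None

def demo(delay):
    """Queue one constructed event after `delay` seconds; return what the runner got."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), Service)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    event = {"event": "push", "ref": "refs/heads/master"}  # constructed sample
    threading.Timer(delay, JOBS.put, args=[event]).start()
    try:
        return runner(f"http://127.0.0.1:{server.server_port}")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo(1.0))   # delivered during the first held request
    print(demo(2.5))   # first poll returns 204, second poll gets the job
```

Because the runner side never opens a listening port, a firewall in front of it needs only an egress rule toward the service and no inbound rule at all.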