Tags: azure, github-actions, azure-virtual-network

Access private or firewall-protected Azure Container Registry from GitHub Actions workflow


What I have:

I have an Azure Container Registry (ACR) with public access, and a hosted GitHub Actions runner that builds and pushes a Docker image into that ACR.

The problem:

Azure recommends that I disable public access and implement a private endpoint instead. After some research, I see that this is probably not possible, since the GitHub runner is not in the same VNet as the ACR, and the runner is hosted and managed by GitHub. Is that true?

A possible workaround is to allow public access but with a whitelist of IP addresses (GitHub runner IPs); one problem there is that it's a very long list (reference).

I'm happy to get suggestions of options that I can do.


Solution

  • A self-hosted runner could solve the problem. https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners

    Ensure that the VM is able to connect to GitHub to pick up jobs: https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github
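As an added example (not from the question or the answer above), a workflow that runs on a self-hosted runner placed in the same VNet as the ACR private endpoint, logs in to Azure with OIDC instead of a stored registry password, and first checks that the registry name resolves to a private address, so a push is not silently attempted against the firewalled public endpoint. The registry name `myregistry`, the runner label `acr-vnet`, the image name `myapp` and the secret names are placeholders; the private-IP check assumes the VNet uses RFC 1918 addressing.

```yaml
name: build-and-push

on:
  push:
    branches: [main]

permissions:
  id-token: write   # required for OIDC federated login to Azure
  contents: read

jobs:
  build:
    # Self-hosted runner VM deployed in the same VNet as the ACR private endpoint.
    # 'acr-vnet' is a placeholder label assigned when registering the runner.
    runs-on: [self-hosted, linux, acr-vnet]
    env:
      REGISTRY: myregistry.azurecr.io   # placeholder registry login server
    steps:
      - uses: actions/checkout@v4

      # The login server must resolve through the privatelink.azurecr.io DNS zone
      # to an address inside the VNet. A public IP means the runner is still using
      # the public endpoint, which the registry firewall will reject.
      - name: Verify registry resolves via private endpoint
        run: |
          ip=$(getent hosts "$REGISTRY" | awk '{print $1}' | head -n1)
          echo "$REGISTRY -> $ip"
          case "$ip" in
            10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*)
              echo "private endpoint OK" ;;
            *)
              echo "ERROR: $REGISTRY did not resolve to a private IP" >&2; exit 1 ;;
          esac

      # Federated (OIDC) login: no long-lived registry credential stored as a secret.
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Log in to ACR
        run: az acr login --name myregistry

      - name: Build and push
        run: |
          docker build -t "$REGISTRY/myapp:${GITHUB_SHA}" .
          docker push "$REGISTRY/myapp:${GITHUB_SHA}"
```

The runner VM still needs outbound HTTPS to GitHub to pick up jobs, as the answer notes; only the registry traffic stays inside the VNet.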