Docker images for self-hosted GitHub Actions runners for tempus.build —
running GitHub Actions workflows on our infrastructure via ARC gha-runner-scale-set.
Public for transparency: you can see exactly what your code runs inside.
| Image | Label | Contents |
|---|---|---|
| ubuntu-24.04 | tempus-ubuntu-24.04-4core | runner + Node 22 + Python (3.12 + toolcache 3.10–3.14) + Go (1.25/1.26) + Rust + Docker CLI + gh + base |
| ubuntu-24.04-minimal | — | runner + base (no Node/Docker). Built and tested in CI, not published yet — only ubuntu-24.04 is pushed to ghcr |

ubuntu-24.04 matches GitHub's ubuntu-latest (Ubuntu 24.04) and the standard public runner
(4 vCPU / 16 GB). See ubuntu-24.04/README.md for details.

```
just lint   # hadolint, shellcheck, yamllint, actionlint, gitleaks, zizmor, mdformat, markdownlint
just test   # build the full image + smoke tests
just scan   # build + trivy (HIGH/CRITICAL)
just ci     # everything CI runs: lint + build/test/scan of both images
```

- `test` — on PR: lint + build (full + minimal) + size gate + smoke + trivy.
- `build` — on push to `main` / manual: build → smoke + trivy scan by digest → tags → cosign sign + SBOM + SLSA provenance + GitHub attestations.
- `weekly-rebuild` — weekly: rebuild for security patches + re-sign.
- `scorecard` — OpenSSF Scorecard (supply-chain posture); `codeql` — SAST for the workflows.
- `ghcr-cleanup` — monthly: prune untagged image versions; scheduled failures auto-open an issue.

Published tags: vYYYYMMDD and sha-<commit>, no floating :latest; the consumer (ARC scale-set)
pins tag@sha256:. How to verify the image signature/provenance — SECURITY.md.
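
The tag and pinning policy above can be checked mechanically before an image reference goes into a scale-set configuration. This is an added example, not code from this repository; the repository path and digest are constructed placeholders, and the 7 to 40 character commit-hash length is an assumption.

```python
import re
from datetime import datetime

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
DATE_TAG_RE = re.compile(r"v(\d{8})")
SHA_TAG_RE = re.compile(r"sha-[0-9a-f]{7,40}")  # assumption: 7-40 hex chars

# Constructed sample values: placeholder repository path and digest.
REPO = "ghcr.io/example-org/runner-image"
DIGEST = "sha256:" + "ab" * 32


def check_pin(ref: str) -> list[str]:
    """Return policy violations for one image reference (empty list = OK)."""
    problems = []
    name, sep, digest = ref.partition("@")
    if not sep:
        problems.append("no digest: reference is not pinned to @sha256:...")
    elif not DIGEST_RE.fullmatch(digest):
        problems.append("malformed digest: expected sha256: plus 64 hex chars")
    # Look for the tag only after the last '/', so a registry port
    # (host:5000/image) is not mistaken for a tag.
    last = name.rsplit("/", 1)[-1]
    _, tsep, tag = last.partition(":")
    if not tsep:
        problems.append("no tag: expected vYYYYMMDD or sha-<commit>")
    elif tag == "latest":
        problems.append("floating tag :latest is not a published tag")
    elif (m := DATE_TAG_RE.fullmatch(tag)):
        try:
            datetime.strptime(m.group(1), "%Y%m%d")
        except ValueError:
            problems.append(f"tag {tag} is not a valid calendar date")
    elif not SHA_TAG_RE.fullmatch(tag):
        problems.append(f"tag {tag} matches neither vYYYYMMDD nor sha-<commit>")
    return problems


if __name__ == "__main__":
    for ref in (f"{REPO}:v20250101@{DIGEST}",
                f"{REPO}:latest@{DIGEST}",
                f"{REPO}:sha-0123abc"):
        print(ref, "->", check_pin(ref) or "OK")
```

A syntactically valid pin only shows the reference follows the policy; whether the digest is the signed image is a separate check, described in SECURITY.md.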
Dev setup, checks and DCO sign-off — CONTRIBUTING.md;
community rules — CODE_OF_CONDUCT.md.
Vulnerability reports — privately via SECURITY.md, not public issues.
Apache-2.0. The tempus.build name and logo are trademarks of tempus.build and are not covered by the license.