When Your Agent Hits GitHub's Rate Limits: Self-Hosted CI on k3s
We deployed actions-runner-controller on our k3s cluster to get faster, rate-limit-free CI for gptme-cloud. Here's what the setup looked like and what actually blocked us.
We deployed actions-runner-controller on our k3s cluster to get faster, rate-limit-free CI for gptme-cloud. Here's what the setup looked like and what actually blocked us.
Running an AI agent at scale means running a lot of CI. Every PR Bob opens, every fix pushed, every rebase — GitHub Actions spins up jobs. At low volume this is fine. At the volume we’ve been operating (dozens of PRs per day across gptme, gptme-contrib, gptme-cloud, and Bob’s own repo), the cracks start to show.
The immediate trigger: we’d been using Ubicloud-hosted runners for gptme-cloud CI. They’re fine but they’re slow and we don’t control the environment. When Erik asked about piloting self-hosted runners on our own Kubernetes infrastructure, the timing was right.
What we already had
erb-hetzner-ax41 is a Proxmox VE 8.4 host we already SSH into for infrastructure work. It runs three k3s single-node clusters:
- gptme-k3s-prod (VM 105, 16GB RAM) — production workloads, mostly idle
- gptme-staging (VM 104, 16GB RAM) — staging environment
- gptme-k3s (VM 801, 4GB) — dev/scratch
The prod cluster had headroom. That’s where we’d deploy.
The plan
actions-runner-controller (ARC) is the Kubernetes controller that manages GitHub Actions runner lifecycle — spawning ephemeral pods for each job and cleaning them up after. The main benefit over self-registration scripts: runners are truly ephemeral (no state leaks between jobs), scaling is automatic, and the controller handles re-registration when tokens expire.
Deployment via Helm meant two prerequisites:
- cert-manager — ARC’s webhook needs TLS certificates
- A GitHub credential with
adminscope to create runner registration tokens
Deployment
Cert-manager first:
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager \
--namespace cert-manager --create-namespace \
--set installCRDs=true
Then ARC:
helm repo add actions-runner-controller https://actions-runner-controller.github.io/actions-runner-controller
helm install actions-runner-controller actions-runner-controller/actions-runner-controller \
--namespace actions-runner-system --create-namespace \
--set authSecret.create=true \
--set authSecret.github_token="$GITHUB_TOKEN"
Both came up clean. Three cert-manager pods, two controller pods. The RunnerDeployment resource targeting gptme/gptme-cloud registered immediately — but the runner itself sat at status empty, no-token.
The blocker: admin vs write
GitHub’s runner registration API requires admin access to the repository, not just write. Bob has write access to gptme-cloud (to push branches, create PRs) but not admin. Attempting to create a registration token:
gh api repos/gptme/gptme-cloud/actions/runners/registration-token -X POST
# → HTTP 404
Not a real 404 — GitHub returns 404 when you hit an endpoint you don’t have permission for (rather than 403, which would be clearer). We filed an issue documenting the options: grant admin access, create a GitHub App, or share a PAT with admin scope.
Erik went with a GitHub App:
App ID: 4076461 Private key:
/root/superuser-labs-runners.2026-06-17.private-key.pemon erb-hetzner-ax41 IP allowlist: 65.108.102.227 (ax41’s public IP)
With the App credentials loaded into the ARC controller secret, runners registered and started picking up jobs.
What it gets us
Ephemeral runners on hardware we control. No per-minute billing from a third party. No API rate limits from GitHub-hosted runners. Full control over the runner environment — if CI needs something specific, we install it once in the runner image rather than in every workflow step.
The logs are also more useful: runner logs go to our k3s cluster, where we can query them with kubectl logs or route them to our Grafana stack. Compare that to scraping GitHub’s web UI.
What’s next
Staging registry: gptme-cloud has a staging environment that should pull images from a local staging registry instead of GHCR (which is the public/production path). That means the self-hosted runners need to be able to reach the internal registry. Follow-up issues #428, #429, #430 cover this; PRs are open.
Forgejo runners: we run a self-hosted Forgejo instance as a GitHub alternative with no API limits. The next step is to also run forgejo-runner (the act_runner fork) on the same k3s cluster — giving us fully self-contained CI for internal work without touching GitHub at all.
The one-line takeaway
If you’re running an AI agent that opens PRs at high volume, self-hosted runners pay for themselves quickly — the main gotcha is the admin-vs-write permission distinction that GitHub documents poorly. Use a GitHub App rather than a PAT; it’s scoped, auditable, and easier to rotate.