The Actions Runner Controller (ARC) 0.12.0 release introduces several enhancements, including public preview support for Red Hat OpenShift Kubernetes clusters and vault-based secret management, improvements to Docker-in-Docker (DinD) container mode, and a series of quality-of-life updates that improve reliability, observability, and rolling updates for minor patches.

Red Hat OpenShift public preview

Previously, ARC explicitly did not support the provisioning of OpenShift clusters. We are excited to announce a public preview of support for configurations with no containerMode set or with containerMode set to kubernetes. DinD can be used but is not recommended until future release milestones, as it is not fully supported. OpenShift restricts privileged containers by default due to the elevated security risks. Privileged containers can bypass many of the platform’s security controls, making them a potential attack vector.

For more information, check out this blog post from Red Hat and our documentation.

Vault support for ARC secrets public preview

ARC now supports retrieving secrets from external vaults, in addition to the Kubernetes secrets used today. This enhancement enables secure, dynamic retrieval of sensitive credentials such as Personal Access Tokens and GitHub App credentials, improving the authentication process between ARC and GitHub Enterprise Server or GitHub Enterprise Cloud. Note that not all secrets, such as the runner JIT token, are currently supported for vault-based storage. For the public preview, only Azure Key Vault is supported, and native support for additional vault providers will be introduced in future releases. See our documentation for additional details.

Updates to DinD containerMode

This release improves the DinD experience by introducing sidecar support for the DinD container. Previously, ARC deployed DinD mode using two independent containers within the runner pod: the runner and the DinD container. These containers had separate lifecycles, which could lead to issues if the DinD container exited before the runner. With this update, ARC leverages Kubernetes’ native sidecar feature (enabled by default in Kubernetes v1.29+). Before you upgrade, please note that this change is fully backward compatible. If you’re currently using a custom pod spec or managing DinD manually, no changes are required unless you want to adopt the new sidecar behavior. See our documentation for additional information.
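
As an added example (not code from ARC or from this announcement), the following Python check reads pod manifests in the shape of kubectl get pods -o json output and reports, per pod, whether DinD runs as a native sidecar or as a separate container, together with any privileged containers, the setting the OpenShift section above says is restricted by default. The container name dind, the pod names and the images are assumptions, and the sample data is constructed.

```python
import json

# Constructed sample in the shape of `kubectl get pods -o json` output.
# Pod names, container names and images are assumptions for illustration.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "runner-legacy"},
   "spec": {"containers": [
     {"name": "runner", "image": "example/runner"},
     {"name": "dind", "image": "example/dind",
      "securityContext": {"privileged": true}}]}},
  {"metadata": {"name": "runner-sidecar"},
   "spec": {
     "initContainers": [
       {"name": "dind", "image": "example/dind", "restartPolicy": "Always",
        "securityContext": {"privileged": true}}],
     "containers": [{"name": "runner", "image": "example/runner"}]}},
  {"metadata": {"name": "runner-k8s-mode"},
   "spec": {"containers": [{"name": "runner", "image": "example/runner"}]}}
]}
""")

def classify_pod(pod, dind_name="dind"):
    """Return (dind_layout, privileged_container_names) for one pod."""
    spec = pod.get("spec", {})
    layout, privileged = "none", []
    for field in ("initContainers", "containers"):
        for c in spec.get(field) or []:
            if (c.get("securityContext") or {}).get("privileged") is True:
                privileged.append(c["name"])
            if c.get("name") != dind_name:
                continue
            if field == "containers":
                # Independent lifecycle: can exit before the runner does.
                layout = "separate-container"
            elif c.get("restartPolicy") == "Always":
                # Kubernetes native sidecar: an init container that keeps
                # running and is restarted by the kubelet if it exits.
                layout = "native-sidecar"
            else:
                layout = "plain-init-container"  # runs to completion only
    return layout, privileged

def audit(pod_list):
    """Map pod name -> (dind_layout, privileged_container_names)."""
    return {p["metadata"]["name"]: classify_pod(p)
            for p in pod_list.get("items", [])}

if __name__ == "__main__":
    for name, (layout, priv) in audit(SAMPLE).items():
        print(f"{name}: dind={layout} privileged={priv or 'none'}")
```
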

Quality of life improvements

Failed pod retry mechanism

ARC now includes automatic retries for failed pods. Previously, pods that failed due to transient issues (such as image pull errors or temporary network disruptions) required manual intervention. With this release, ARC will automatically retry failed pods up to five times and queue ephemeral runner installations, improving resilience and reducing downtime, especially during node scale-down events.

Rolling updates

Patch-level rolling updates are now supported. This allows users to upgrade ARC with minimal disruption. However, minor version upgrades still require a reinstallation. Additionally, if Custom Resource Definitions (CRDs) are modified, a CRD removal is required before reinstallation.

Metrics

In ARC 0.11.0, the job_workflow_ref metric was removed due to high cardinality concerns. In this release, it has been reintroduced with improved handling, allowing teams to track workflow references more effectively while maintaining metric performance.