What Is a JIT Runner? Just-in-Time Runner Registration
A JIT (just-in-time) runner is launched with a single-use registration config generated moments before boot, so the runner can pick up exactly one job and then disappear.
GitHub supports a just-in-time registration flow built for ephemeral runners. Instead of a reusable registration token, you generate a one-time config tied to a single runner, which is ideal for autoscaled, single-use machines.
The two registration models
Classic registration uses a registration token to add a runner to a repo or org, often reused for long-lived runners. JIT registration generates a one-time config for a specific runner that runs once and is removed, with no lingering registration to clean up.
Why JIT suits ephemeral runners
Because the config is single-use, there is no stale runner registration left behind when the machine is torn down. That keeps your runner list clean and avoids "ghost" offline runners accumulating in the GitHub UI.
The security angle
A JIT config is scoped and short-lived, so a leaked config is far less dangerous than a long-lived registration token that could enroll arbitrary runners. Single-use credentials are a smaller blast radius.
JIT and cold starts
JIT registration is the cold-start path: generate the config, launch the instance, register, run. Pairing JIT for overflow with a warm pool for the common case gives you clean single-use runners without paying cold starts every time.
JIT on managed runners
Managed platforms use JIT registration under the hood so each ephemeral runner enrolls cleanly for one job and leaves nothing behind. On Latchkey this is automatic - you never generate configs or clean up stale registrations yourself.
Key takeaways
- A JIT runner uses a one-time config generated just before launch.
- It avoids stale registrations left behind by ephemeral machines.
- Single-use credentials shrink the security blast radius.
- JIT is typically the cold-start path, complemented by warm pools.