How to Audit Self-Hosted Runner Activity
You cannot investigate what you never logged; capture runner registrations, job history, and host activity centrally.
Use the org audit log for runner and workflow events, ship the runner _diag logs off-host, and record host-level process and network activity for forensics.
Steps
- Query the org audit log for runner registration and workflow events.
- Forward the runner
_diagdirectory to central logging. - Retain host process and network logs off the runner itself.
Query the audit log
Terminal
gh api -X GET \
"orgs/my-org/audit-log?phrase=action:workflows.completed_workflow_run" \
--jq '.[] | {actor, repo, created_at}'
# Ship runner diagnostics off-host
rsync -a ./_diag/ logs-host:/var/log/gh-runner/$(hostname)/Gotchas
- Logs stored only on an ephemeral host vanish when it is destroyed; forward them first.
- The audit log records control-plane events, not what a job did on the host; add host telemetry.
Related guides
How to Monitor Self-Hosted Runners for AnomaliesDetect compromised GitHub Actions jobs by monitoring self-hosted runners for unexpected outbound connections,…
How to Protect Self-Hosted Runner Registration TokensKeep GitHub Actions runner registration tokens short-lived and out of source control by minting them at provi…