
CI Runner Strategy

Where the rule lives

The runner standard is canonical in pla-stack: references/github-actions-runners.md. This page documents the why and the journey, not the rule. Edits to the rule land in pla-stack. Edits to the narrative land here.

TL;DR

We run all GitHub Actions on Depot. PHP setup uses a static binary by default (publicala/php-ci-static), the lorisleiva/laravel-docker container as a middle gear, and a custom container only when the community image is missing something we need.

A weekly routine sweeps the org and opens draft PRs on repos still using ubuntu-* runners. It reads the canonical rule file at runtime, so this page never has to mirror it.

How we got here

We migrated CI from GitLab to GitHub Actions (see the Overview and the Migration Guide). Once the first Laravel apps were running on Depot, two things became clear:

  1. shivammathur/setup-php is slow on Depot: about 85 seconds per job, vs roughly 6 seconds on GitHub-hosted runners. Third-party runners get flagged as self-hosted, so the action falls back to a PPA install instead of using the libraries pre-baked into the GitHub-hosted image. Detail in shivammathur/setup-php#1056.
  2. Container jobs were the obvious escape hatch, but we wanted to know whether Depot supported them well before standardizing.

We benchmarked options inside publicala/publicanow#7 and built publicala/php-ci-static on top of crazywhalecc/static-php-cli, producing static PHP binaries for 8.3 / 8.4 / 8.5 with the extension set we actually use. Drop-in via one curl and one chmod. Setup time fell from ~85s to a few seconds.

What Depot support said

We followed up with Depot to confirm the container path is healthy. Their support engineer (Jimmy Lindsey, 2026-04-21) confirmed:

You can also run jobs in a container with GitHub Actions [...]. The only tradeoff I can think of is that it will take some time for the runner to pull the image, but otherwise it should work how you would expect.

That validates the second and third tiers of our strategy (lorisleiva/laravel-docker and custom containers). Pull cost shows up on first-job-of-shape and amortizes after that.

Adoption

The github-actions-runners-audit routine in pla-stack runs weekly. It enumerates publicala/*, opens a draft PR (chore: use Depot runners) in any repo still on ubuntu-*, and nudges existing PRs from prior runs.

To migrate manually before the routine catches a repo, replace runs-on: ubuntu-* with runs-on: depot-ubuntu-24.04 in every workflow file. That is the whole change.
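The manual replacement above, as an added example (not the pla-stack routine's own code): a shell function that rewrites bare, quoted and single-item flow-list `ubuntu-*` labels, and lists `runs-on:` lines it cannot rewrite textually so they get a manual look. The function names, the sample workflow and the default directory are assumptions; only the target label comes from this page.

```bash
#!/usr/bin/env bash
# Added example. Target label is the one named on this page.
DEPOT_LABEL="depot-ubuntu-24.04"

# `runs-on:` followed by a bare, quoted, or first-in-flow-list ubuntu-* label.
RUNS_ON_RE="^([[:space:]]*runs-on:[[:space:]]*\[?[[:space:]]*)[\"']?ubuntu-[A-Za-z0-9.-]+[\"']?"

# migrate_runners DIR: rewrite matching lines in DIR/*.yml and DIR/*.yaml.
# Prints "CHANGED <file>" for each rewritten file and "REVIEW <file>:<n>:<line>"
# for runs-on lines left alone (expressions such as matrix.os, block lists).
migrate_runners() {
  local dir="${1:-.github/workflows}" f tmp
  for f in "$dir"/*.yml "$dir"/*.yaml; do
    [ -f "$f" ] || continue
    tmp="$(mktemp)" || return 1
    sed -E "s/${RUNS_ON_RE}/\1${DEPOT_LABEL}/" "$f" > "$tmp"
    if cmp -s "$f" "$tmp"; then
      rm -f "$tmp"                       # nothing to do; file is untouched
    else
      cat "$tmp" > "$f" && rm -f "$tmp"  # overwrite content, keep file mode
      echo "CHANGED $f"
    fi
    grep -HnE 'runs-on:[[:space:]]*(\$\{\{|$)' "$f" | sed 's/^/REVIEW /'
  done
  return 0
}

# Constructed sample workflow for trying the function; not from a real repo.
make_sample() {
  mkdir -p "$1"
  cat > "$1/ci.yml" <<'EOF'
jobs:
  test:
    runs-on: ubuntu-latest
  lint:
    runs-on: "ubuntu-22.04"
  build:
    runs-on: [ubuntu-24.04]
  matrix:
    runs-on: ${{ matrix.os }}
  done:
    runs-on: depot-ubuntu-24.04
EOF
}

# Demo on the constructed sample: run this file with --demo
if [ "${1:-}" = "--demo" ]; then
  d="$(mktemp -d)"; make_sample "$d"; migrate_runners "$d"; cat "$d/ci.yml"
fi
```

A `REVIEW` line means the runner label is set somewhere else (a matrix or a block list), so that file needs a manual edit.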
