There’s a lot that custom runner images can do for your security. This post shows how pre-job scripts in custom runner images can enforce workflow validation that workflow authors can’t bypass – so only approved workflows run on your GitHub Actions runners.

GitHub finally let us build custom runner images, and today I’m going to be exploring what that means and how you can use it. I’ll show you how to bake your own images, add pre-job hooks that can setup and validate your environment before your workflow starts, and take advantage of caching to speed up your builds and reduce network egress.