Self-Hosted Runners vs Cloud Runners: Cost and Security
At small scale, cloud runners win on simplicity. At scale, self-hosted runners earn back their operational cost on budget alone.
Cloud runners pros/cons
- Cloud runners: zero ops; pay per minute; no security boundary to build yourself.
- Cost: $0.008/min for GitHub-hosted; $250/runner-month at heavy use.
Self-hosted pros/cons
- Self-hosted: pay only the underlying compute; you own ops.
- Cost: $30-100/runner-month for the EC2/GKE node, less the value of any spare capacity you can pack onto the node.
Cost crossover
Crossover: ~50,000 CI minutes/month for the team.
Below that, cloud is cheaper once the ops cost is counted. Above it, self-hosted wins the dollar math.
Security model
Self-hosted security rests on three things: ephemeral runners (deleted after each job), private network access, and OIDC for cloud auth.
Static, long-lived runners with secrets in environment variables are a vulnerability.
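One way to check existing pipelines against this model, as an added example that is not from the original page: a small auditor that flags self-hosted jobs which pull stored secrets into the job or never request an OIDC token. It assumes GitHub Actions workflow syntax, AWS as the cloud, and 2-space indented job keys; the job names, role ARN and deploy script are constructed placeholders.

```python
import re

# Constructed sample workflow; job names, role ARN and script are placeholders.
SAMPLE = """\
on: push
jobs:
  legacy-deploy:
    runs-on: [self-hosted, linux]
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      - run: ./deploy.sh
  oidc-deploy:
    runs-on: [self-hosted, linux]
    permissions:
      id-token: write
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::111111111111:role/EXAMPLE-ci-role
          aws-region: us-east-1
      - run: ./deploy.sh
"""

JOB = re.compile(r"^  ([\w-]+):[ \t]*$", re.M)  # assumption: 2-space indented job keys
SECRET = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")

def split_jobs(text):
    """Return {job_name: job_body} for everything under the top-level jobs: key."""
    body = text.split("\njobs:\n", 1)[1] if "\njobs:\n" in text else ""
    marks = list(JOB.finditer(body))
    return {m.group(1): body[m.end():(marks[i + 1].start() if i + 1 < len(marks) else len(body))]
            for i, m in enumerate(marks)}

def audit(text):
    """Flag self-hosted jobs that use stored secrets or never request an OIDC token."""
    findings = []
    for name, job in split_jobs(text).items():
        if not re.search(r"runs-on:.*self-hosted", job):
            continue
        # GITHUB_TOKEN is issued per job, so it is not a long-lived stored secret.
        stored = sorted(set(SECRET.findall(job)) - {"GITHUB_TOKEN"})
        if stored:
            findings.append((name, "stored-secret", stored))
        if not re.search(r"^\s*id-token:\s*write\s*$", job, re.M):
            findings.append((name, "no-oidc", []))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Ephemerality is set when the runner is registered, not in the workflow file, so this check covers only the secrets and OIDC parts of the model.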
Antipatterns
- Self-hosted without ephemerality. One bad job poisons all subsequent jobs.
- Cloud runners forever as you scale. Cost balloons.
- Self-hosted in default-allow networks. Lateral movement risk.
What to do this week
Three moves. (1) Apply this to one pipeline first. (2) Measure deploy frequency / MTTR before/after. (3) Document the outcome so the next team starts from data.