Migrating GitHub Actions, Secrets, and Runners: Beyond the “Lift and Shift”

In the modern DevOps landscape, migrating CI/CD pipelines is rarely as simple as copying YAML files. When moving workflows between organizations or transitioning from legacy systems to GitHub Actions, senior engineers must account for the “gravity” of data: secrets that cannot be exported, runner architectures that differ across environments, and the governance required to keep a platform secure during transition.

A common mistake is treating GitHub Actions as a standalone script. In reality, it is a deeply integrated ecosystem. A successful migration requires a strategy for Secret Management (moving from static tokens to OIDC), Runner Provisioning (balancing the convenience of GitHub-hosted with the security of self-hosted), and Workflow Refactoring (leveraging Reusable Workflows instead of duplicating logic).

Real-World Use Cases & Patterns

Most migrations are triggered by organizational restructuring or the need for better security. For instance, a company might move from a “Monolithic Jenkins” setup to GitHub Actions to empower developers with self-service CI. The pattern here isn’t just translation; it’s modernization. This involves moving logic out of opaque Groovy scripts and into composable, version-controlled GitHub Actions. Collaboration improves because the CI definition lives alongside the code, subject to the same Pull Request (PR) and CODEOWNERS rigor as the application logic.

Common Pitfalls and Anti-Patterns

  • Hardcoded Secrets: Attempting to “migrate” secrets by temporarily placing them in code or logs. Solution: Use the GitHub CLI to bulk-upload secrets or, better yet, switch to OIDC for cloud providers (AWS/Azure/GCP).
  • Runner Over-provisioning: Moving self-hosted runners without evaluating if GitHub-hosted “larger runners” could reduce maintenance overhead.
  • Ignoring Environment Scopes: Migrating all secrets to the repository level instead of using Environments with protection rules, which leads to security vulnerabilities in production deployments.

Study Guide: Migrating Actions, Secrets, and Runners

This guide covers the technical and strategic transition of CI/CD assets within the GitHub ecosystem. It focuses on maintaining uptime and security during the move.

The Analogy: Moving a Professional Kitchen

Think of migrating GitHub Actions like moving a high-end restaurant to a new city. The Workflows (YAML) are your recipes—they tell you what to do. The Runners are your appliances (ovens, stoves)—the physical infrastructure where the work happens. The Secrets are your fresh ingredients—highly perishable and sensitive. You can pack the recipes easily, but you can’t “move” a lit flame or an open gallon of milk. You have to set up new appliances in the new location and source fresh ingredients (re-key secrets) to ensure the kitchen stays functional and safe.

Core Concepts & Terminology

1. Workflow YAML & Actions

The logic of your CI/CD. Migrating involves updating uses: tags, ensuring action versions are pinned (SHA vs. Tag), and adjusting on: triggers to match the new repository structure.

2. GitHub Secrets & Variables

Secrets are write-only. You cannot “download” a secret from GitHub once it is set. Migration requires a source of truth (like HashiCorp Vault or 1Password) to re-populate the target repository using the GitHub CLI: gh secret set NAME -b"VALUE".

3. Runners (Hosted vs. Self-Hosted)

  • GitHub-Hosted: Managed by GitHub, clean environment for every job.
  • Self-Hosted: Managed by you. Migration involves installing the runner agent on your infrastructure and registering it with the new Org/Repo using a registration token.

Real-World Scenarios

Scenario 1: Solo Developer Moving to an Org

Context: A developer moves a side project into a professional GitHub Organization.

Application: The developer must move repo-level secrets to the Org level if they are shared, or use Environments to ensure the “Production” secret isn’t used during “Feature Branch” runs.

Why it works: It introduces professional governance. Risk: Forgetting to update the permissions: block in the YAML, causing the workflow to fail in the more restrictive Org environment.

Scenario 2: Large Enterprise Migrating from Jenkins

Context: 500+ pipelines moving to GitHub Actions.

Application: Using “Reusable Workflows” to create templates for Go, Java, and Node.js projects. Self-hosted runners are deployed via Kubernetes (Actions Runner Controller – ARC) to scale based on demand.

Why it works: Centralizes maintenance. Risk: “Workflow Sprawl” where every team writes their own custom actions, making security auditing impossible.

Interview Questions & Answers

  1. How do you migrate secrets from one GitHub repo to another since they aren’t readable?

    You cannot read them via API. You must retrieve the values from your original Secret Store (Vault, AWS Secret Manager) and use the gh secret set command or the GitHub UI to recreate them in the target.

  2. What is the security risk of self-hosted runners on public repositories?

    Untrusted code from a Fork PR could run on your private infrastructure, potentially accessing internal network resources or persistent data on the runner. Always use “Required Approval” for outside contributors.

  3. When should you use an Environment Secret versus a Repository Secret?

    Environment secrets should be used for deployment credentials (e.g., PROD_AWS_KEY) to take advantage of protection rules like required reviewers. Repository secrets are for general CI tasks (e.g., Codecov tokens).

  4. What is OIDC and why is it preferred for migrations?

    OpenID Connect allows GitHub Actions to communicate with cloud providers without long-lived static secrets. It uses short-lived tokens, making it more secure and easier to migrate than managing rotating keys.

  5. How do you ensure a migrated workflow doesn’t break when a third-party Action updates?

    Pin the action to a specific commit SHA (e.g., actions/checkout@8ade135...) rather than a version tag like @v4, which can be moved.

  6. What is the purpose of the permissions: key in a workflow?

    It follows the principle of least privilege, explicitly defining what the GITHUB_TOKEN can do (e.g., contents: read, pull-requests: write). Crucial when moving to Orgs with restrictive defaults.

  7. How do you handle shared logic across 50 migrated repositories?

    Use Reusable Workflows stored in a central “devops-toolkit” repository. This allows you to update the logic in one place for all 50 repos.

  8. What is the “Actions Runner Controller” (ARC)?

    An open-source Kubernetes operator that orchestrates and scales self-hosted runners automatically based on the number of pending workflows.

  9. How do you debug a failing Action in a new environment?

    Enable “Step Debug Logging” by setting the secret ACTIONS_STEP_DEBUG to true, and check the “Runner Diagnostic Logs” for self-hosted infrastructure issues.

  10. What are “Custom Properties” in GitHub and how do they help with Actions?

    They allow you to categorize repos (e.g., production: true). You can then use these properties to target specific runners or enforce specific workflow policies during migration.

Interview Tips & Golden Nuggets

  • The “Security First” Answer: When asked about migration, always mention OIDC. It shows you understand modern security and want to eliminate static secrets.
  • Scale Awareness: Mention Actions Runner Controller (ARC) for Kubernetes if the company is large; it shows you know how to scale infrastructure.
  • The “Gotcha”: Remember that GITHUB_TOKEN permissions differ between standard repos and those inside an Organization. Always check the Org-level default settings.
  • Architecture Talk: Distinguish between Composite Actions (grouping steps) and Reusable Workflows (grouping jobs). Senior engineers know when to use which.

Runner Comparison Table

Feature GitHub-Hosted Self-Hosted Interview Talking Point
Maintenance Zero (Managed by GitHub) High (You manage OS/Updates) Total Cost of Ownership (TCO)
Security Clean VM for every run Persistent (Risk of pollution) Ephemeral vs. Persistent environments
Customization Limited (Standard tools) Infinite (Custom hardware/GPUs) Specialized workloads (e.g., AI/ML)
Networking Public Internet Can sit inside your VPC Accessing internal databases/VPNs

Migration Workflow Architecture

Source CI/Repo Audit & Map YAML Translation Secret Identification Runner Specs GitHub Target LIVE

Secret Strategy

  • Audit existing keys
  • Use Environment scopes
  • Implement OIDC for Cloud
  • Bulk upload via gh cli

Runner Selection

  • Default: GitHub-hosted
  • VPC/Internal: Self-hosted
  • Scaling: ARC (Kubernetes)
  • Security: Ephemeral mode

Automation Logic

  • Pin Actions by SHA
  • Use Reusable Workflows
  • Set explicit permissions
  • Optimize caching

Production Case Study: The “Zero-Downtime” Migration

A fintech team migrated 100+ repos from a legacy CI to GitHub Actions. They ran Parallel Pipelines for two weeks, comparing the outputs of the old system against the new GitHub Actions results. By using Self-hosted runners within their existing private cloud, they maintained strict data compliance while gaining the speed of GitHub’s native ecosystem.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top