Merge pull request #40880 from github/repo-sync

Repo sync

Author: docs-bot

content/actions/concepts/runners/github-hosted-runners.md

@@ -71,7 +71,9 @@ We recommend using actions to interact with the software installed on runners. T
 
 If there is a tool that you'd like to request, please open an issue at [actions/runner-images](https://github.com/actions/runner-images). This repository also contains announcements about all major software updates on runners.
 
-> [!NOTE] You can also install additional software on {% data variables.product.prodname_dotcom %}-hosted runners. See [AUTOTITLE](/actions/using-github-hosted-runners/customizing-github-hosted-runners).
+> [!NOTE]
+> * You can also install additional software on {% data variables.product.prodname_dotcom %}-hosted runners. See [AUTOTITLE](/actions/using-github-hosted-runners/customizing-github-hosted-runners).
+> * While nested virtualization is technically possible while using runners, it is not officially supported. Any use of nested VMs is experimental and done at your own risk, we offer no guarantees regarding stability, performance, or compatibility.
 
 ## Cloud hosts used by {% data variables.product.prodname_dotcom %}-hosted runners
 

content/actions/concepts/runners/support-for-arc.md

@@ -23,7 +23,7 @@ GitHub only supports the latest Autoscaling Runner Sets version of ARC. Support
 
 ## Scope of support for Actions Runner Controller
 
-If your support request is outside of the scope of what our team can help you with, we may recommend next steps to resolve your issue outside of {% data variables.contact.github_support %}. Your support request is possibly out of {% data variables.contact.github_support %}'s scope if the request is primarily about:
+To ensure a smooth adoption of Actions Runner Controller, we recommend that organizations have a Kubernetes expert on staff. Many aspects of ARC installation, including container orchestration, networking, policy application, and integration with managed Kubernetes providers, fall outside GitHub Support’s scope and require in-depth Kubernetes knowledge. If your support request is outside of the scope of what our team can help you with, we may recommend next steps to resolve your issue outside of {% data variables.contact.github_support %}. Your support request is out of {% data variables.contact.github_support %}'s scope if the request is primarily about:
 
 * The legacy community-maintained version of ARC
 * Installing, configuring, or maintaining dependencies

content/actions/tutorials/use-actions-runner-controller/deploy-runner-scale-sets.md

@@ -592,16 +592,11 @@ In Kubernetes mode, ARC uses runner container hooks to create a new pod in the s
 
 #### Prerequisites
 
-Kubernetes mode relies on persistent volumes to share job details between the runner pod and the container job pod. For more information, see the [Persistent Volumes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) section in the Kubernetes documentation.
+Kubernetes mode supports two approaches for sharing job data between the runner pod and the container job pod. You can use persistent volumes, which remain the recommended option for scenarios requiring concurrent write access, or you can use container lifecycle hooks to restore and export job filesystems between pods without relying on RWX volumes. The lifecycle hook approach improves portability and performance by leveraging local storage and is ideal for clusters without shared storage.
 
-To use Kubernetes mode, you must do the following.
+#### Configuring Kubernetes mode with persistent volumes
 
-* Create persistent volumes available for the runner pods to claim.
-* Use a solution to automatically provision persistent volumes on demand.
-
-For testing, you can use a solution like [OpenEBS](https://github.com/openebs/openebs).
-
-#### Configuring Kubernetes mode
+To use Kubernetes mode, you must create persistent volumes that the runner pods can claim and use a solution that automatically provisions these volumes on demand. For testing, you can use a solution like [OpenEBS](https://github.com/openebs/openebs).
 
 To enable Kubernetes mode, set the `containerMode.type` to `kubernetes` in your [`values.yaml`](https://github.com/actions/actions-runner-controller/blob/master/charts/gha-runner-scale-set/values.yaml) file.
 
@@ -618,26 +613,41 @@ containerMode:
 
 {% data reusables.actions.actions-runner-controller-helm-chart-options %}
 
-> [!NOTE]
-> When Kubernetes mode is enabled, workflows that are not configured with a container job will fail with an error similar to:
->
-> ```bash
-> Jobs without a job container are forbidden on this runner, please add a 'container:' to your job or contact your self-hosted runner administrator.
-> ```
->
-> To allow jobs without a job container to run, set `ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER` to `false` on your runner container. This instructs the runner to disable this check.
->
-> ```yaml
-> template:
->   spec:
->     containers:
->       - name: runner
->         image: ghcr.io/actions/actions-runner:latest
->         command: ["/home/runner/run.sh"]
->         env:
->           - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
->             value: "false"
-> ```
+#### Configuring Kubernetes mode with container lifecycle hooks  
+
+To enable Kubernetes mode using container lifecycle hooks, set the `containerMode.type` to `kubernetes-novolume` in your `values.yaml` file:
+
+```yaml
+containerMode:
+  type: "kubernetes-novolume"
+```
+
+>[!NOTE]
+>When using `kubernetes-novolume` mode, the container must run as `root` to support lifecycle hook operations.
+
+#### Troubleshooting Kubernetes mode
+
+When Kubernetes mode is enabled, workflows that are not configured with a container job will fail with an error similar to:
+
+ ```bash
+ Jobs without a job container are forbidden on this runner, please add a 'container:' to your job or contact your self-hosted runner administrator.
+ ```
+
+To allow jobs without a job container to run, set `ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER` to `false` on your runner container. This instructs the runner to disable this check.
+> [!WARNING]
+>Allowing jobs to run without a container in `kubernetes` or `kubernetes-novolume` mode can give the >runner pod elevated privileges with the Kubernetes API server, including the ability to create pods and access secrets. Before changing this default, we recommend carefully reviewing the potential security implications.
+
+```yaml
+  template:
+    spec:
+      containers:
+        - name: runner
+          image: ghcr.io/actions/actions-runner:latest
+          command: ["/home/runner/run.sh"]
+          env:
+            - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
+              value: "false"
+```
 
 ### Customizing container modes
 

content/actions/tutorials/use-actions-runner-controller/quickstart.md

@@ -24,9 +24,6 @@ In order to use ARC, ensure you have the following.
   * For a managed cloud environment, you can use AKS. For more information, see [Azure Kubernetes Service](https://azure.microsoft.com/en-us/products/kubernetes-service) in the Azure documentation.
   * For a local setup, you can use minikube or kind. For more information, see [minikube start](https://minikube.sigs.k8s.io/docs/start/) in the minikube documentation and [kind](https://kind.sigs.k8s.io/) in the kind documentation.
 
-    > [!NOTE]
-    > OpenShift clusters are currently unsupported.
-
 * Helm 3
   * For more information, see [Installing Helm](https://helm.sh/docs/intro/install/) in the Helm documentation.
 * While it is not required for ARC to be deployed, we recommend ensuring you have implemented a way to collect and retain logs from the controller, listeners, and ephemeral runners before deploying ARC in production workflows.

content/admin/data-residency/network-details-for-ghecom.md

@@ -95,6 +95,68 @@ If you use Azure private networking for {% data variables.product.company_short
 | arm64 | `centralus`, `eastus2`, `westus3` |
 | GPU | `centralus`, `eastus2`, `westus3` |
 
+### IP ranges for Azure private networking
+
+#### EU
+
+Actions IPs:
+* 74.241.192.231
+* 20.4.161.108
+* 74.241.204.117
+* 20.31.193.160
+
+EU region:
+* 108.143.197.176/28
+* 20.123.213.96/28
+* 20.224.46.144/28
+* 20.240.194.240/28
+* 20.240.220.192/28
+* 20.240.211.208/28
+
+#### Austrailia
+
+Actions IPs:
+* 4.147.140.77
+* 20.53.114.78
+
+Austraila region:
+* 4.237.73.192/28
+* 20.5.226.112/28
+* 20.248.163.176/28
+
+#### Required for all regions
+
+* `Storage` service tag
+* Communication requirements for github.com
+  * 192.30.252.0/22
+  * 185.199.108.0/22
+  * 140.82.112.0/20
+  * 143.55.64.0/20
+  * 20.201.28.151/32
+  * 20.205.243.166/32
+  * 20.87.245.0/32
+  * 4.237.22.38/32
+  * 20.207.73.82/32
+  * 20.27.177.113/32
+  * 20.200.245.247/32
+  * 20.175.192.147/32
+  * 20.233.83.145/32
+  * 20.29.134.23/32
+  * 20.199.39.232/32
+  * 20.217.135.5/32
+  * 4.225.11.198/32
+  * 4.208.26.197/32
+  * 20.26.156.215/32
+
+### Domains for Azure private networking
+
+* `*.<TENANT>.ghe.com`
+* `<TENANT>.ghe.com`
+* `github.com`
+* `*.githubusercontent.com`
+* `*.blob.core.windows.net`
+* `*.web.core.windows.net`
+
 ## IP ranges for {% data variables.product.prodname_importer_proper_name %}
 
 If you're running a migration to your enterprise with {% data variables.product.prodname_importer_proper_name %}, you may need to add certain ranges to an IP allow list. See [AUTOTITLE](/migrations/using-github-enterprise-importer/migrating-between-github-products/managing-access-for-a-migration-between-github-products#configuring-ip-allow-lists-for-migrations).

data/reusables/actions/azure-vnet-over-provisioning-resources.md

@@ -1 +1 @@
-Multiple NICs may appear for a single job in your subscription because the {% data variables.product.prodname_actions %} service over-provisions resources to run jobs. Once a runner is idle, the {% data variables.product.prodname_actions %} service automatically de-provisions the resource and removes the corresponding NIC.
+Starting in November 2025, NICs created by the {% data variables.product.prodname_actions %} service will no longer appear in your Azure subscriptions. Moving forward, NICs are now provisioned in a service subscription and assigned IP addresses from your subnet.