Pass --ephemeral to config.sh during runner registration so the Actions service automatically de-registers the runner after it completes exactly one job, preventing state carry-over
For dynamic provisioning, call the REST API POST /repos/{owner}/{repo}/actions/runners/generate-jit-config with a runner name, runner group ID, and label list to receive a single-use encoded_jit_config payload
Pass the encoded_jit_config value directly to the runner binary: ./run.sh --jitconfig ENCODED_JIT_CONFIG — the runner registers, picks up one job, then exits without needing a separate config step
Wrap JIT provisioning in your infrastructure automation (cloud init, Lambda, or a Kubernetes Job) so a fresh VM or container spawns for every queued workflow job
Restrict which workflows can use the runner by placing it in a runner group scoped to specific repositories, or by allowing only the merge_group or pull_request events
Combine with a minimal OS image and no persistent home directory so secrets written to disk during a job are discarded when the runner process exits
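The provisioning steps above as one script a cloud-init hook or Kubernetes Job could run; this is an added example, not code from the original page. The owner/repo names, runner group ID 1, the label list, and the GH_TOKEN, RUNNER_NAME and RUNNER_DIR environment variables are assumptions.

```python
import json
import os
import subprocess
import urllib.request

API = "https://api.github.com"

def build_jit_request(owner, repo, token, name, group_id, labels):
    """POST request for a single-use JIT config (runner name, group ID, labels)."""
    body = {"name": name, "runner_group_id": group_id, "labels": labels}
    return urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/actions/runners/generate-jit-config",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"Bearer {token}"},
    )

def extract_jit_config(response_body):
    """Return encoded_jit_config, failing loudly instead of starting a broken runner."""
    cfg = json.loads(response_body).get("encoded_jit_config")
    if not cfg:
        raise ValueError("response has no encoded_jit_config")
    return cfg

def redact(cfg):
    """Log-safe stand-in: the payload is a credential, so only its length is shown."""
    return f"<encoded_jit_config: {len(cfg)} chars, redacted>"

def runner_argv(cfg, runner_dir):
    """Command line for the runner binary; no config.sh step is needed with JIT."""
    return [os.path.join(runner_dir, "run.sh"), "--jitconfig", cfg]

def provision_and_run(owner, repo, token, name, group_id, labels, runner_dir):
    """Fetch a JIT config, run exactly one job, return the runner's exit code."""
    req = build_jit_request(owner, repo, token, name, group_id, labels)
    with urllib.request.urlopen(req, timeout=30) as resp:
        cfg = extract_jit_config(resp.read())
    print(f"starting runner {name} with {redact(cfg)}")
    return subprocess.run(runner_argv(cfg, runner_dir), cwd=runner_dir).returncode

if __name__ == "__main__":
    # Assumed values: repo names, group ID 1, labels, and the three env variables.
    raise SystemExit(provision_and_run(
        "example-org", "example-repo", os.environ["GH_TOKEN"],
        os.environ["RUNNER_NAME"], 1, ["self-hosted", "ephemeral"],
        os.environ["RUNNER_DIR"]))
```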
Known gotchas
Ephemeral runners deregister after one job; if your provisioning system does not spawn a replacement, subsequent queued jobs will wait indefinitely
JIT config tokens are single-use; do not log or cache the encoded_jit_config value — treat it like a short-lived credential
Workflows that use actions/cache with an ephemeral runner still benefit from the cache service (storage is server-side), but any tool installed during a job step is not available to subsequent jobs on the same runner because the runner is gone