feat(runner): add support for ephemeral mode

- Introduces ephemeral mode configuration through the `GITHUB_RUNNER_EPHEMERAL` environment variable.
- In ephemeral mode, each runner processes only one job before deregistering, providing isolated environments.
- Enhances security and supports autoscaling by ensuring no job state or secrets persist between runs.
- Updates documentation with usage instructions and environment variable details.

Author: winromulus

CLAUDE.md

@@ -156,6 +156,15 @@ Both registries receive multi-architecture manifests supporting AMD64 and ARM64.
    - `fix: correct installation issue` (patch version bump)
    - `feat!: breaking change` or `+semver:major` (major version bump)
 
+### Ephemeral Mode Support
+
+The runner supports ephemeral mode through the `GITHUB_RUNNER_EPHEMERAL` environment variable:
+- When set to `"true"`, the runner will be configured with the `--ephemeral` flag
+- Each runner will process only one job before automatically deregistering
+- This provides clean, isolated environments for each workflow run
+- Ideal for autoscaling scenarios and enhanced security requirements
+- No job state or secrets persist between runs
+
 ### CI/CD Pipeline Details
 
 The pipeline (`pipeline.yaml`) consists of:

README.md

@@ -72,6 +72,22 @@ docker run -d \
   emberstack/github-actions-runner:latest
 ```
 
+#### Ephemeral Mode (Single Job)
+```bash
+docker run -d \
+  --name github-runner \
+  -e GITHUB_RUNNER_URL="https://github.com/your-org/your-repo" \
+  -e GITHUB_RUNNER_PAT="your-personal-access-token" \
+  -e GITHUB_RUNNER_EPHEMERAL="true" \
+  emberstack/github-actions-runner:latest
+```
+
+In ephemeral mode, the runner will:
+- Process only one job and then automatically deregister
+- Provide a clean, isolated environment for each workflow run
+- Be ideal for autoscaling scenarios and enhanced security
+- Ensure no job state or secrets persist between runs
+
 #### Environment Variables
 - `GITHUB_RUNNER_URL` (required): Repository, organization, or enterprise URL
 - `GITHUB_RUNNER_PAT` or `GITHUB_RUNNER_TOKEN` (required): Authentication token
@@ -81,6 +97,7 @@ docker run -d \
 - `GITHUB_RUNNER_WORKDIR` (optional): Working directory for jobs
 - `GITHUB_RUNNER_GID` (optional): Custom GID to create github-actions-runner group
 - `GITHUB_RUNNER_DOCKER_SOCK` (optional): Set to "true" to auto-configure Docker socket access
+- `GITHUB_RUNNER_EPHEMERAL` (optional): Set to "true" to configure runner in ephemeral mode (single job only)
 
 ##### Pre-configured Environment Variables
 The following environment variables are set in the Docker image:

src/entrypoint.sh

@@ -113,6 +113,12 @@ configure_runner() {
         CONFIG_CMD="${CONFIG_CMD} --work \"${GITHUB_RUNNER_WORKDIR}\""
     fi
 
+    # Add ephemeral flag if requested
+    if [ "${GITHUB_RUNNER_EPHEMERAL}" = "true" ]; then
+        CONFIG_CMD="${CONFIG_CMD} --ephemeral"
+        echo "Configuring runner in ephemeral mode (will process only one job)"
+    fi
+    
     # Execute configuration
     eval ${CONFIG_CMD}
 }