Pulumi-managed runners

Every Pulumi Deployment runs in a container image on a workflow runner — the compute that executes your Pulumi program. By default, deployments run on Pulumi-managed (Pulumi-hosted) runners, so there is nothing to provision. If you need to run on your own infrastructure instead, see Customer-managed runners.

Two settings control how a run works:

• The image: a Pulumi-managed Linux image by default, or a custom image when your project needs extra tools.
• The runner: Pulumi-managed by default, or customer-managed when you need to run on your own infrastructure.

Hardware and operating system

When a deployment runs on a Pulumi-managed workflow runner, it executes inside a Linux container with the following resources:

With the default executor image, the container’s operating system is Debian, regardless of the operating system of the host it runs on. If you supply a custom executor image, the operating system is whatever that image is built on. If a deployment depends on a specific OS, package manager, or system library, match it to the image you use.

These specifications apply to Pulumi-managed workflow runners. Customer-managed workflow runners run on infrastructure you provision, so their hardware and operating system are whatever you configure.

Security and isolation

Deployments run on single-use virtual machines; compute and storage are never shared across runs. Security features like OIDC let you fine-tune credential scope, lifetime, and expiration at a per-deployment level. If you require more isolation — for example, running inside your own private network — use customer-managed runners. The same isolation applies to every workflow type supported by workflow runners, including Insights discovery scans and policy evaluations.

Dependency caching

When using Pulumi-managed runners, you can speed up deployments with dependency caching, which stores your downloaded dependencies between runs.