Azure Pipelines Runner Images (by 3SR)

What it does
This solution deploys an Azure Compute Gallery in your subscription pre-configured with Azure Pipelines runner image definitions for Ubuntu 22.04 and Windows Server 2022 (Gen1 + Gen2 trusted launch). 3SR pushes fresh image versions every week, curated from the official Packer scripts that Microsoft uses for its own GitHub-hosted runners.

Key benefits

• Always current, never built locally: receive new image versions every week without dedicating engineering hours to Packer pipeline maintenance.

• Tenant-only distribution: image versions live in your Compute Gallery, your VMs and VMSS never leave your private network.

• Same stack as Microsoft-hosted: identical Packer scripts as the runners powering GitHub Actions, ensuring compatibility with your existing pipelines.

• Mutualized build cost: 3SR amortizes the build pipeline across customers — you get the freshness of weekly images at a fraction of the engineering cost.

How it works (high level)

1. You install the offer from Marketplace: an Azure Compute Gallery and 4 image definitions (Ubuntu 22.04 G1/G2, Windows Server 2022 G1/G2) are deployed in a managed resource group in your subscription.

2. You grant admin consent to the 3SR multi-tenant Service Principal via the post-deployment URL: this allows 3SR to publish image versions into your gallery only, nothing else.

3. The 3SR weekly Packer pipeline (Monday 12:00 UTC) builds the four images from the latest sources and replicates the new versions into your gallery.

Typical use cases

• Azure Pipelines self-hosted agents on VM or VMSS — keep your build environment up to date without dedicating a Packer pipeline.

• GitHub Actions self-hosted runners on Azure — bring your own VMSS image while keeping CVE patching cadence.

• Regulated industries (defense, banking, public sector) — keep CI workloads inside your sovereign tenant rather than Microsoft-hosted infrastructure.

Security & permissions

• 3SR's distribution Service Principal is multi-tenant and only receives the right to publish image versions in your gallery (Image Contributor role on the gallery resource), nothing else.

• You can revoke admin consent at any time; 3SR detects the revocation and stops distribution to your tenant.

• The managed resource group is locked read-only; the customer cannot accidentally delete a gallery while keeping the offer subscription active.

Get started
Deploy from the Azure portal, click the admin consent URL displayed in the post-deployment view to authorize 3SR's distribution Service Principal, then point your VMSS or VM agents at your local gallery image IDs. The first weekly sync runs at the next Monday 12:00 UTC slot.