Start a Hello World server and expose it with different tunnels, all from an issue.
You can bring your own server to run an ephemeral server on a GitHub Actions runner and get a shareable URL—from a single GitHub issue. Pick the OS, pick a tunnel, check ON in the issue - and the server will start. A bot replies with the link or SSH command for Tailscale.
Ariadne is how you can explore different tunneling front-ends, plus let people play with your app in an easy, zero-config set up on free infrastructure.
-
Fork this repo → Fork »
-
Enable Actions → Settings » Actions » choose I understand my workflows
-
Enable Issues → Settings » Features » Issues ensure Issues is checked.
-
From your new repo, create the Tunnel Sandbox issue → Configure your server »
- Pick OS (Ubuntu / macOS / Windows)
- Pick a tunnel (Cloudflare, localhost.run, ngrok, Tailscale, Tor, Tunnelmole)
- Check ON
-
Watch the bot’s comment for your access link/command. To create a different host you don't have to open a new issue, just toggle the checkboxes to restart or re-run with different options.
Tip
Start here: Fork » • Enable Actions » • Enable Issues » • Get Started »
If your chosen tunnel needs a token, add it under Actions secrets: Open Secrets »
– ngrok → NGROK_AUTHTOKEN • Tailscale → TAILSCALE_AUTHKEY (ephemeral)
Warning
Public URL = public. Don’t serve secrets. Sessions are ephemeral and auto‑stop.
Note
Works on Ubuntu, macOS, Windows with tunnels: Cloudflare, localhost.run, ngrok, Tailscale, Tor, and Tunnelmole
- Issue‑driven UX — anyone can spin a demo by ticking checkboxes.
- Multi‑OS — Ubuntu, macOS, Windows runners.
- Multi‑Tunnel — pick the edge you want (public URL vs private tailnet vs Tor).
- Auto status — bot comment shows the link/command and required next steps.
- Debug on failure — short‑lived
tmaterescue shell for triage. - Hard cap — sessions stop at 80 minutes max (configurable lower).
We ship a tiny Node “Hello World” for the demo. To expose your service instead:
- Edit the workflow file
- Start your app before the tunnel step (Docker/Python/Go/etc.).
- Make sure it listens on the configured port (default 8080), or change the config.
- The tunnel simply forwards that port to a public URL (or tailnet for Tailscale, or
.onionfor Tor).
Note
The Control Panel stays the same—only your app steps change.
Most tunnels are zero‑config. Only two need secrets:
- ngrok → add
NGROK_AUTHTOKEN(repo: Actions secrets »). - Tailscale → add ephemeral
TAILSCALE_AUTHKEY(repo: Actions secrets »). Ensure your ACLs permit SSH to the runner’s tag.
Everything else (Cloudflare, localhost.run, Tunnelmole, Tor) auto‑installs as needed.
Important
ngrok requires a token. If NGROK_AUTHTOKEN is missing, the run fails early and the bot comment explains how to add it.
| Tunnel | Public link? | Setup (Runner → User) | Typical perf | Reliability/NAT | Privacy / Exposure | Best for |
|---|---|---|---|---|---|---|
| Cloudflare Tunnel (docs) | Yes (*.trycloudflare.com) |
Auto‑install client → click URL | Good–Very good | High | Public at edge; origin private | Quick public demos |
| localhost.run (site) | Yes (http(s)://…lhr.life) |
SSH reverse tunnel → URL appears | OK–Good | Medium | Public at edge | Free, zero‑config link |
| Tunnelmole (site) | Yes (https://…tunnelmole.net/.com) |
Auto‑install client → click URL | Good | High | Public at edge; origin private | OSS ngrok‑style demos; easy URLs |
| ngrok * (site) | Yes (*.ngrok‑free.app) |
Client + auth token required → click URL | Good–Very good | High | Public at edge; interstitial page | Webhooks & shareable demos |
| Tailscale † (site) | No public URL | Runner joins tailnet → SSH port‑forward | LAN‑like, low latency | Very high | Private to your tailnet | Private team access/debug |
| Tor ‡ (site) | Yes (.onion) |
Hidden service → onion URL | Variable (higher latency) | High | Pseudonymous; Tor‑only | Privacy‑focused access |
Notes:
- * ngrok requires a repo secret
NGROK_AUTHTOKEN. Without it, the ngrok path is blocked and the bot comment tells you how to fix it. - † Tailscale SSH on Windows is not yet supported by Tailscale; we show an informational message (runner still joins the tailnet).
- ‡ Tor links require the Tor Browser at the access point.
| Tunnel | Ubuntu | macOS | Windows |
|---|---|---|---|
| Cloudflare Tunnel | ✅ | ✅ | ✅ |
| localhost.run | ✅ | ✅ | ✅ |
| Tunnelmole | ✅ | ✅ | ✅ |
| ngrok * | ✅ | ✅ | ✅ |
| Tailscale † | ✅ | ✅ | ℹ️ |
| Tor | ✅ | ✅ | ✅ |
ℹ️ Tailscale on Windows: the runner joins the tailnet, but Tailscale SSH has upstream limitations; the workflow posts guidance in the status comment.
- Parse — a script reads the issue’s checkboxes + optional YAML (
port,minutes). - Run — selected OS runner boots; your app (or demo server) starts; chosen tunnel activates.
- Comment — we upsert a status comment with the access method and any required instructions.
- Keep‑alive — holds up to your requested time (max 80 min), then exits.
On errors, we dump concise logs and open a time‑boxed tmate shell.
Important
ngrok (token required)
- Add a repository secret named
NGROK_AUTHTOKEN. If it’s missing, the run fails early and the status comment tells you how to fix it. - Create a free ngrok account → then add
NGROK_AUTHTOKENhere: Actions secrets »
Note
Tailscale (private, no public URL)
- Add an ephemeral
TAILSCALE_AUTHKEYas an Actions repo secret. - Your access device and the runner must be on the same tailnet.
- Enable Tailscale SSH and update ACLs to allow “accept” for SSH to the runner’s tag.
- Tip: Turn off other VPNs (ExpressVPN, NordVPN, etc.) while using Tailscale to avoid dropped tailnet packets.
Tip
Tor (requires Tor Browser)
- Use the Tor Browser to open the
.onionURL the bot posts. - The
.onionsite might not be findable right away, sometimes takes a minute to appear.
Tip
Want tunnel comparisons (perf, NAT, privacy)? See Tunnels supported above.
- Open the sandbox issue now → New Issue with template
- Enable Actions → Repo Settings » Actions
- Add secrets → Repo Settings » Secrets (Actions)
- Workflow →
.github/workflows/tunnel-sandbox.yml - Parser →
.github/scripts/parse_issue_body.sh - Issue template →
.github/ISSUE_TEMPLATE/tunnel-sandbox.md
Forked repos can tweak defaults (port, cap), edit the Control Panel copy, or add/remove tunnels without changing the UX.
- Runners are ephemeral; files vanish when the job ends.
- Public tunnels are… public. Don’t expose credentials.
- Loops are bounded; timeouts prevent hangs; max runtime is capped.
Can I demo my own project? Yes—start your app before the tunnel step and listen on the configured port.
Stable subdomains?
Possible with some tunnels (e.g., ngrok reserved domain, Cloudflare with account, Tunnelmole paid plan). Tor .onion lasts for the session.
Cost? Uses your GitHub Actions minutes (about 2,000 free minutes/month on personal accounts).
Why? As a way to explore different tunneling front-ends, and to let people play with your app in an easy, zero-config set up on free infrastructure. And also a way to demonstate to people code that they can use to set up these tunnels, across platforms and on infra.