How to Access Private Sonatype Nexus Repositories from GitHub Actions

Published on November 5, 2025 | Written by Andreas

Sonatype Nexus is a powerhouse for artifact management, serving as a universal repository manager for teams. Nexus boasts extensive support for a wide array of package formats, such as:

  • Ansible
  • CocoaPods
  • Debian
  • Docker
  • Gradle
  • Helm
  • Maven
  • npm
  • PyPi
  • RPM

Many organizations rely on Nexus to host their internal, proprietary artifacts. For security, this often means the Nexus server is deployed within a private network, isolated from the public internet. This post addresses a frequent hurdle: how can your GitHub Actions CI/CD pipelines access a Sonatype Nexus repository operating in a restricted network?

Connecting GitHub Actions to a private repository manager inside a VPC

The Challenge: GitHub-hosted runners can’t access private Nexus servers

GitHub Actions jobs run on GitHub-hosted runners by default. These runners live in a public cloud environment, separate from your corporate network. Because they are external, they have no network route to your internal resources.

As a result, any workflow step attempting to fetch or publish an artifact to your private Nexus server will inevitably time out or fail due to connectivity issues.

Diagram showing public GitHub runners failing to connect to a Nexus server in a private VPC.

The Solution: Use self-hosted runners inside your VPC

The solution is to switch from GitHub-hosted to self-hosted runners. This gives you complete control over the job’s execution environment.

You can deploy these runners straight into your AWS VPC (Virtual Private Cloud). Once the runner is inside your private network, it has the required network path to communicate directly with your Sonatype Nexus server, enabling CI/CD jobs to pull and push packages without issue.

Diagram showing a self-hosted runner inside the VPC successfully connecting to the Nexus server.

This strategy works perfectly for two primary scenarios:

  • Sonatype Nexus is deployed within the same VPC on AWS.
  • Sonatype Nexus is running in an on-premises network that is linked to your AWS VPC (e.g., via VPN or Direct Connect).

You might assume that configuring self-hosted runners on AWS is a complex undertaking. It doesn’t need to be. You can be up and running in about 10 minutes.

HyperEnv: The Fast-Track to Self-Hosted Runners

We created HyperEnv to streamline the deployment of self-hosted GitHub Actions runners on AWS.

It’s a secure, scalable, and fault-tolerant solution that provisions ephemeral EC2 instances on-demand to run your jobs. The architecture is designed for peak efficiency:

  • Serverless Backend: Manages orchestration using API Gateway, Lambda, Step Functions, and DynamoDB.
  • On-Demand Compute: Uses EC2 and EBS for powerful, cost-effective job execution.

Architecture diagram of HyperEnv launching EC2 runners on-demand in AWS

You can deploy the entire production-ready solution in about 10 minutes using our setup guide.

To connect to your Nexus instance, be sure to choose the Fulfilment Option named Bring Your Own VPC during setup. You will then provide your existing VpcId and SubnetIds. This instructs HyperEnv to launch the runners within your private network, granting them immediate access to your Sonatype Nexus server.

Summary

Stuck because your GitHub-hosted runners can’t access your Sonatype Nexus repository in a private network? The solution is simple: deploy self-hosted runners directly into your VPC to create the necessary network bridge. HyperEnv is the quickest way to implement this, providing a secure, scalable, and ephemeral runner system inside your VPC in about 10 minutes.

Try HyperEnv today!

Self-hosting GitHub runners on AWS has never been easier.

Deploy in 10 min Book a demo