The starting point

Several of our internal tools run on a private server managed by our infrastructure team. These applications are publicly reachable. Apache handles TLS termination and routes traffic to the appropriate Docker Compose stack. Access is gated through our own SSO, so they are internal in terms of who can use them, not in terms of network topology.

What is not public is the server itself: it is accessible only through WireGuard, and the deployment pipeline must operate within that constraint.

This setup works well for day-to-day access, but it creates an interesting challenge for automated deployments. GitHub Actions runners are ephemeral cloud machines. They have no persistent identity on our network and no way to reach a server that is not publicly accessible, at least not without some help.…