GitHub Actions EU Alternative 2026: Microsoft CLOUD Act, GitHub Inc. Delaware Acquisition, GitLab CI/Woodpecker CI EU-Native CI/CD
Post #1 in the sota.io EU DevOps Tools Series
GitHub Actions is the default CI/CD platform for millions of development teams worldwide. Launched in 2018, it is deeply integrated into the GitHub ecosystem — pull request checks, deployment workflows, scheduled automation, and package publishing all run through GitHub Actions runners. For EU development teams, GitHub Actions offers a compelling combination of developer ergonomics, marketplace integrations, and seamless GitHub repository access.
But GitHub is not an independent company. In 2018, Microsoft Corporation acquired GitHub, Inc. for $7.5 billion — and that acquisition has significant legal consequences for EU organisations using GitHub Actions to process source code, CI/CD secrets, and deployment credentials. This guide analyses GitHub's corporate structure, the CLOUD Act exposure that flows from its Microsoft parentage, and the EU-native CI/CD alternatives that provide genuine data sovereignty for European development teams.
GitHub Inc.: Wholly Owned Microsoft Subsidiary Since 2018
GitHub, Inc. was founded in 2008 in San Francisco, California by Tom Preston-Werner, Chris Wanstrath, PJ Hyett, and Scott Chacon. The company was originally incorporated in California and later re-domiciled. In June 2018, Microsoft Corporation announced and completed the acquisition of GitHub, Inc. for $7.5 billion in Microsoft stock — at the time the largest acquisition in Microsoft's history after LinkedIn.
| Dimension | Detail |
|---|---|
| Entity | GitHub, Inc. |
| Parent company | Microsoft Corporation |
| Parent incorporation | Washington State (Redmond, WA) |
| Parent stock exchange | NASDAQ: MSFT |
| Acquisition price | $7.5 billion (June 2018) |
| Registered users | 100+ million developers (2024) |
| CI/CD runners | US-based by default (East US, West US, West Europe options) |
| EU runner regions | West Europe (Netherlands) — but jurisdiction remains Microsoft/US |
The critical legal fact: GitHub, Inc. is a subsidiary of Microsoft Corporation, a US company. Regardless of where GitHub's servers are located, the corporate chain of control runs from GitHub, Inc. → Microsoft Corporation → US federal jurisdiction.
The CLOUD Act: How Microsoft's Jurisdiction Covers GitHub Actions
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), codified at 18 U.S.C. § 2713, requires US providers of electronic communication services and remote computing services to disclose data to US law enforcement regardless of where the data is stored — including on EU servers, under EU data protection law.
Microsoft Corporation qualifies unambiguously as a provider of both electronic communication services (GitHub repositories, GitHub Actions, GitHub Packages) and remote computing services (GitHub Actions runners, GitHub Codespaces). The CLOUD Act obligation flows through the corporate hierarchy to GitHub, Inc. as a wholly owned subsidiary.
What GitHub Actions Processes
For EU development teams, GitHub Actions processes a substantial volume of potentially sensitive data through every workflow run:
| Data Category | GDPR Relevance | CLOUD Act Exposure |
|---|---|---|
| Source code | Commit metadata (author name, email = PII per GDPR Art.4(1)) | Full — runner logs + artifacts stored on GitHub |
| Repository secrets | API keys, database credentials, deployment tokens | Full — encrypted at rest but compellable |
| CI/CD environment variables | Service account credentials, cloud provider keys | Full |
| Build artifacts | Docker images, compiled binaries, test reports | Full |
| Deployment credentials | Kubernetes secrets, cloud access tokens | Full |
| Test data | May contain PII (fixture data, anonymised datasets) | Full |
| GitHub Actions logs | Full execution trace including secret masking | Full — retained 90 days |
The commit metadata point deserves particular attention. Under GDPR Article 4(1), an identified natural person's name and email address constitute personal data. Every git commit in a GitHub repository contains, at minimum, the author's name and email address. GitHub Actions workflows triggered by commits therefore process personal data as part of their standard operation.
GitHub's GDPR Position and Its Limits
GitHub has invested significantly in GDPR compliance documentation. GitHub, Inc. offers:
- A Data Processing Agreement (DPA) under GDPR Article 28
- Standard Contractual Clauses (SCCs) for data transfers from EU to US
- A GDPR Data Protection Addendum for enterprise customers
- GitHub Enterprise with option for self-hosted runners
These measures address the regulatory baseline for data transfer under GDPR. However, they do not — and legally cannot — override the CLOUD Act.
The fundamental tension in the GitHub position is the same as for all US cloud providers:
- GitHub's DPA promises GDPR-compliant processing
- GitHub's Terms of Service acknowledge compliance with applicable law
- "Applicable law" includes the CLOUD Act — a US federal statute
- When the FBI or DOJ serves a CLOUD Act order on Microsoft for GitHub data, Microsoft must comply — and is typically prohibited from notifying the affected customer under 18 U.S.C. § 2705(b)
The European Data Protection Board's Schrems II decision (CJEU C-311/18, July 2020) established that SCCs cannot by themselves legitimise transfers where US surveillance law creates systematic access risks. For US providers subject to CLOUD Act, this structural problem persists regardless of the quality of their GDPR documentation.
GitHub's West Europe Runners: Does EU Infrastructure Help?
GitHub Actions offers West Europe (Netherlands) as a runner region via `runs-on: ubuntu-latest` combined with runner group configuration in enterprise plans. However, EU infrastructure location does not resolve the CLOUD Act problem:
- The servers are operated by Microsoft Azure in the Netherlands
- Microsoft Corporation controls the data, regardless of server geography
- CLOUD Act orders compel Microsoft to produce data regardless of storage location
- The SCCs supporting the EU-to-US data transfer do not prevent compelled government access
This is the same structural issue identified by the CJEU in Schrems II with respect to US providers more broadly.
EU-Native CI/CD Alternatives
The following CI/CD platforms provide varying degrees of EU data sovereignty, from managed EU-native SaaS to fully self-hosted options:
1. GitLab CI/CD — Partial EU Option (Self-Hosted = Best)
GitLab B.V. is headquartered in Amsterdam, Netherlands — an EU-incorporated entity. GitLab offers both SaaS (gitlab.com) and self-hosted (GitLab Community Edition / Enterprise Edition) deployments.
| Aspect | GitLab Assessment |
|---|---|
| EU entity | GitLab B.V. (Amsterdam, Netherlands) |
| Parent | GitLab Inc. (San Francisco, Delaware C-Corp) — CLOUD Act applies to parent |
| GitLab.com SaaS | US-incorporated parent controls the platform |
| GitLab.com EU data residency | Available for paid tiers (EU runners, EU storage) — but parent jurisdiction remains |
| Self-hosted | Full control — no US jurisdiction if operated on EU infrastructure |
| GDPR DPA | Available |
| Best for EU sovereignty | Self-hosted on EU infrastructure (Hetzner, OVHcloud, Scaleway) |
Verdict for EU teams: GitLab SaaS inherits CLOUD Act risk from GitLab Inc. (Delaware). Self-hosted GitLab CI on EU infrastructure eliminates this risk entirely. GitLab's CI/CD feature set matches GitHub Actions in depth, with built-in container registry, security scanning, and deployment environments.
2. Woodpecker CI — FOSS, Zero Jurisdiction Risk (Self-Hosted)
Woodpecker CI is a community-maintained fork of Drone CI, fully open source (Apache 2.0 licensed). It has no corporate parent and no SaaS offering — it is deployed entirely on infrastructure you control.
| Aspect | Woodpecker CI Assessment |
|---|---|
| Corporate parent | None — community project |
| Jurisdiction | Determined entirely by your hosting infrastructure |
| GDPR exposure | Zero if hosted on EU infrastructure |
| CLOUD Act exposure | Zero |
| Integration | Works with GitHub, GitLab, Gitea, Forgejo, Bitbucket |
| Feature set | Pipeline YAML, Docker steps, plugins ecosystem |
| Maturity | Production-ready, active community |
| Documentation | Good — woodpecker-ci.org |
Verdict: Woodpecker CI is the purest EU-sovereignty option for teams comfortable with self-hosting. It can be paired with Gitea or Forgejo on EU infrastructure for a completely EU-native source + CI stack.
3. Forgejo + Codeberg — EU-Hosted FOSS Stack
Forgejo is a soft fork of Gitea, governed by the Forgejo governance organisation (FOSS-community-led, with significant European participation). Codeberg is a non-profit (Codeberg e.V., registered in Berlin, Germany) that hosts Forgejo as its primary service.
| Aspect | Forgejo / Codeberg Assessment |
|---|---|
| Codeberg entity | Codeberg e.V. (Berlin, Germany — registered association) |
| Jurisdiction | German law, EU data protection |
| Hosting | Hetzner infrastructure (Germany) |
| CLOUD Act exposure | None — German non-profit, no US parent |
| GDPR | German/EU DPA authority (BfDI) |
| CI/CD | Forgejo Actions (GitHub Actions-compatible YAML syntax) |
| Cost | Free (Codeberg SaaS) or self-hosted |
Verdict: Codeberg is the most sovereignty-complete managed option for EU open-source teams. Forgejo Actions uses GitHub Actions-compatible YAML, reducing migration friction.
4. JetBrains TeamCity — Czech Republic, EU-Native Managed
JetBrains s.r.o. is incorporated in Prague, Czech Republic — an EU member state. JetBrains TeamCity is available as both SaaS (TeamCity Cloud) and self-hosted.
| Aspect | TeamCity Assessment |
|---|---|
| Entity | JetBrains s.r.o. (Prague, Czech Republic) |
| Jurisdiction | Czech law, EU member state |
| CLOUD Act exposure | None — Czech EU entity, no US parent |
| GDPR | Czech DPA (ÚOOÚ) jurisdiction |
| CI/CD | Full enterprise CI/CD with Kotlin DSL |
| Cloud option | TeamCity Cloud — EU data residency by default |
| Cost | Free tier (100 build agents), paid enterprise |
Verdict: TeamCity Cloud is the strongest managed EU-native CI/CD option for enterprise teams that prefer SaaS over self-hosting. JetBrains' Czech incorporation provides genuine EU legal grounding.
5. Buddy — Poland, EU-Native DevOps Platform
Buddy Works S.A. is incorporated in Warsaw, Poland — an EU member state. Buddy provides a modern DevOps automation platform with pipeline-as-code and GUI-based workflow design.
| Aspect | Buddy Assessment |
|---|---|
| Entity | Buddy Works S.A. (Warsaw, Poland) |
| Jurisdiction | Polish law, EU member state |
| CLOUD Act exposure | None — Polish EU entity, no US parent |
| GDPR | Polish DPA (UODO) jurisdiction |
| Infrastructure | AWS EU (Warsaw) — subprocessor CLOUD Act risk |
| Cost | From €75/month (business) |
| Feature set | Visual pipeline builder, Git integration, Docker, Kubernetes |
Verdict: Buddy is a genuine EU alternative with a good developer experience. Note that Buddy uses AWS infrastructure — while Buddy itself is EU-incorporated, AWS subprocessor exposure exists. For maximum sovereignty, self-hosted options are preferable.
6. GitLab Self-Hosted on EU PaaS — Recommended Architecture
For teams that want a managed hosting layer without self-managing servers, deploying GitLab CE on an EU-native PaaS (Hetzner-based) combines GitLab's mature CI/CD with EU infrastructure sovereignty.
This architecture eliminates:
- US corporate parent jurisdiction over CI/CD pipelines
- CLOUD Act exposure (no US service provider in the chain)
- Schrems II SCC dependencies
Migration Considerations
Moving from GitHub Actions to EU-native CI/CD involves several practical considerations:
YAML Compatibility
| Platform | GitHub Actions YAML compatibility |
|---|---|
| Forgejo Actions | High — intentionally GitHub Actions-compatible |
| GitLab CI | Low — different syntax (.gitlab-ci.yml model) |
| Woodpecker CI | Medium — similar concepts, different key names |
| TeamCity | Low — Kotlin DSL or XML |
Runner Environments
GitHub Actions' `ubuntu-latest` runners are highly curated environments with hundreds of pre-installed tools. Self-hosted runners typically require explicit Docker image management. GitLab's shared runners (EU-hosted, self-hosted deployment) offer similar pre-configured environments.
Secrets Management
GitHub Actions Encrypted Secrets have EU-native equivalents:
- GitLab CI Variables — masked, protected, file-type options
- Woodpecker CI Secrets — per-pipeline or organisation-level
- HashiCorp Vault — self-hosted secrets management compatible with all platforms
GitHub Marketplace Actions
GitHub's marketplace has 20,000+ actions. EU-native platforms have smaller ecosystems but support Docker-based steps that can run any container — providing functional equivalence for most use cases.
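As an added example (not from the original article or from any project it discusses), a migration inventory covering the runner, secrets and marketplace considerations above: it lists which secrets, GitHub-hosted runner labels and external actions a workflow depends on. The sample workflow is constructed, `inventory` is a hypothetical helper, and the scan assumes inline `runs-on:` values and `secrets.NAME` references.

```python
import re

# Constructed sample workflow for this example (not from the original page).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_TOKEN }}
  deploy:
    runs-on: [self-hosted, linux]
    steps:
      - uses: ./.github/actions/deploy   # local action, travels with the repo
        env:
          KUBECONFIG_DATA: ${{ secrets.KUBECONFIG }}
          API_KEY: ${{ secrets.REGISTRY_TOKEN }}
"""

EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")                      # ${{ ... }} expressions
SECRET_RE = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")
RUNS_ON_RE = re.compile(r"^\s*runs-on:\s*(.+?)\s*$")          # inline form only
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s#'"]+)""")


def inventory(workflow_text):
    """List the secrets, hosted runner labels and external actions a workflow uses."""
    secrets, hosted, external, self_hosted_jobs = set(), set(), set(), 0
    for line in workflow_text.splitlines():
        if line.lstrip().startswith("#"):
            continue                                          # whole-line comment
        code = line.split(" #", 1)[0]                         # drop trailing comment
        for expr in EXPR_RE.findall(code):
            secrets.update(SECRET_RE.findall(expr))
        m = RUNS_ON_RE.match(code)
        if m:
            labels = [s.strip(" '\"") for s in m.group(1).strip("[]").split(",")]
            if "self-hosted" in labels:
                self_hosted_jobs += 1                         # already under your control
            else:
                hosted.update(labels)                         # needs a replacement image
        m = USES_RE.match(code)
        if m and not m.group(1).startswith(("./", "docker://")):
            external.add(m.group(1))                          # marketplace or remote action
    return {"secrets": sorted(secrets), "hosted_runners": sorted(hosted),
            "self_hosted_jobs": self_hosted_jobs, "external_actions": sorted(external)}


if __name__ == "__main__":
    for key, value in inventory(SAMPLE_WORKFLOW).items():
        print(f"{key}: {value}")
```

Each secret name in the result has to be recreated in the target platform's secret store, and each external action needs a container-based equivalent.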
Compliance Framework Mapping
| Requirement | GitHub Actions | GitLab Self-Hosted | Woodpecker CI | TeamCity Cloud |
|---|---|---|---|---|
| GDPR Art.28 DPA | ✓ (with SCC caveat) | ✓ | Self-managed | ✓ (JetBrains) |
| CLOUD Act-free | ✗ | ✓ (self-hosted) | ✓ | ✓ |
| EU data residency | Partial (enterprise) | ✓ | ✓ | ✓ |
| NIS2 supply chain | High risk | Low risk | Low risk | Low risk |
| Audit log access | Enterprise tier | ✓ | ✓ | ✓ |
| Source code isolation | ✗ (MS access) | ✓ | ✓ | Partial |
Conclusion: The Microsoft Acquisition Changed the Risk Calculus
Before 2018, GitHub was an independent company with its own legal identity and a narrower US government exposure surface. The Microsoft acquisition changed this permanently. GitHub, Inc. is now a wholly owned subsidiary of a NASDAQ-listed US corporation with $220 billion in annual revenue and deep US government contracts — including Azure Government, which is specifically marketed to US federal agencies.
For EU development teams subject to GDPR, this creates a clear risk assessment:
- Low-risk use case: Public open-source projects with no PII in CI/CD, where CLOUD Act exposure has limited practical impact
- Medium-risk use case: Private repositories for commercial software development, where source code is proprietary and CI/CD secrets have business value
- High-risk use case: Healthcare, financial services, legal, or public sector organisations processing personal data in CI/CD pipelines, or teams subject to NIS2, DORA, or sector-specific compliance requirements
For medium and high-risk use cases, the EU-native alternatives — particularly self-hosted GitLab on EU infrastructure, Woodpecker CI with Forgejo, or TeamCity Cloud — provide the legal grounding that GitHub Actions cannot offer under its current Microsoft parentage.
The migration investment is real: pipeline YAML, runner configuration, secrets management, and developer tooling all require adaptation. But for regulated EU organisations, the alternative — building mission-critical DevOps workflows on infrastructure that remains perpetually subject to US federal compelled access — carries a compliance risk that grows with every new pipeline dependency.
sota.io is an EU-native managed PaaS built on Hetzner infrastructure in Germany. It provides EU-sovereignty-first deployment infrastructure for development teams migrating away from US-parented cloud platforms. Deploy your first EU-native application →