diff --git a/ansible/roles/tasks-systemd/job-runner.toml b/ansible/roles/tasks-systemd/job-runner.toml
new file mode 100644
index 00000000..6daef59a
--- /dev/null
+++ b/ansible/roles/tasks-systemd/job-runner.toml
@@ -0,0 +1,25 @@
+[logs]
+driver='s3'
+
+[forge.github]
+token = [{file="/run/secrets/webhook/.config--github-token"}]
+
+[logs.s3]
+# bots lib/stores.py LOG_STORE
+url = 'https://cockpit-logs.us-east-1.linodeobjects.com/'
+key = [{file="/run/secrets/tasks/s3-keys/cockpit-logs.us-east-1.linodeobjects.com"}]
+
+[container]
+command = ['podman-remote', '--url=unix:///podman.sock']
+run-args = ['--device=/dev/kvm']
+
+[container.secrets]
+# these are *host* paths, this is podman-remote
+image-upload=[
+    '--volume=/var/lib/cockpit-secrets/tasks/s3-keys/:/run/secrets/s3-keys:ro',
+    '--env=COCKPIT_S3_KEY_DIR=/run/secrets/s3-keys',
+]
+github-token=[
+    '--volume=/var/lib/cockpit-secrets/webhook/.config--github-token:/run/secrets/github-token:ro',
+    '--env=COCKPIT_GITHUB_TOKEN_FILE=/run/secrets/github-token',
+]
diff --git a/ansible/roles/tasks-systemd/tasks/main.yml b/ansible/roles/tasks-systemd/tasks/main.yml
index 418dee89..8b9b0c92 100644
--- a/ansible/roles/tasks-systemd/tasks/main.yml
+++ b/ansible/roles/tasks-systemd/tasks/main.yml
@@ -40,6 +40,11 @@
       maxsockets=3
       cafile=/run/secrets/tasks/npm-registry.crt
 
+- name: Create job-runner configuration
+  copy:
+    src: roles/tasks-systemd/job-runner.toml
+    dest: /etc/job-runner.toml
+
 - name: Set up systemd service for cockpit/tasks
   shell: |
     export INSTANCES={{ instances | default(4) }}
diff --git a/tasks/install-service b/tasks/install-service
index 88f01293..10f667bb 100755
--- a/tasks/install-service
+++ b/tasks/install-service
@@ -65,7 +65,9 @@ ExecStart=/usr/bin/podman run --name=cockpit-tasks-%i --hostname=${CONTAINER_HOS
     --volume=\${TEST_SECRETS}/webhook:/run/secrets/webhook:ro \
     --volume=${IMAGE_STORES}:/config/image-stores:ro \
     --volume=/etc/npmrc:/etc/npmrc:ro \
+    --volume=/etc/job-runner.toml:/config/job-runner.toml:ro \
     --volume=%t/podman/podman.sock:/podman.sock:rw \
+    --env=JOB_RUNNER_CONFIG=/config/job-runner.toml \
     --env=COCKPIT_GITHUB_TOKEN_FILE=/run/secrets/webhook/.config--github-token \
     --env=COCKPIT_S3_KEY_DIR=/run/secrets/tasks/s3-keys \
     --env=COCKPIT_IMAGE_STORES_FILE=/config/image-stores \
diff --git a/tasks/run-local.sh b/tasks/run-local.sh
index d247ad7c..a04ff609 100755
--- a/tasks/run-local.sh
+++ b/tasks/run-local.sh
@@ -108,6 +108,54 @@ EOF
     fi
 }
 
+create_job_runner_config() {
+    # we never want to push to real GitHub branches in this test
+    run_args="'--volume=$MYDIR/mock-git-push:/usr/local/bin/git:ro'"
+
+    if [ "$1" = "mock" ]; then
+        forge_opts="api-url = '$GHAPI_URL_POD'"
+        # needs to run in pod network so that it can access GITHUB_API_POD
+        run_args="${run_args}, '--pod=cockpituous'"
+        run_args="${run_args}, '--env=GITHUB_API=$GHAPI_URL_POD', '--env=COCKPIT_IMAGE_UPLOAD_STORE=$S3_URL_POD/images/'"
+    elif [ "$1" = "real" ]; then
+        forge_opts=""
+    else
+        echo "ERROR: unknown job-runner config $1" >&2
+        exit 1
+    fi
+
+    cat <<EOF > $SECRETS/tasks/job-runner.toml
+[logs]
+driver='s3'
+
+[forge.github]
+token = [{file="/run/secrets/webhook/.config--github-token"}]
+$forge_opts
+
+[logs.s3]
+url = '$S3_URL_POD/logs'
+ca = [{file='/run/secrets/webhook/ca.pem'}]
+key = [{file="/run/secrets/tasks/s3-keys/localhost.localdomain"}]
+
+[container]
+command = ['podman-remote', '--url=unix:///podman.sock']
+run-args = [$run_args]
+
+[container.secrets]
+# these are *host* paths, this is podman-remote
+image-upload=[
+    '--volume=$SECRETS/tasks/s3-keys:/run/secrets/s3-keys:ro',
+    '--env=COCKPIT_S3_KEY_DIR=/run/secrets/s3-keys',
+    '--volume=$SECRETS/webhook/ca.pem:/run/secrets/ca.pem:ro',
+    '--env=COCKPIT_CA_PEM=/run/secrets/ca.pem',
+]
+github-token=[
+    '--volume=$SECRETS/webhook/.config--github-token:/run/secrets/github-token:ro',
+    '--env=COCKPIT_GITHUB_TOKEN_FILE=/run/secrets/github-token',
+]
+EOF
+}
+
 launch_containers() {
     cleanup() {
         if [ $? -ne 0 ] && [ -z "$INTERACTIVE" ] && [ -t 0 ]; then
@@ -189,6 +237,7 @@ EOF
         --env=COCKPIT_BOTS_REPO=${COCKPIT_BOTS_REPO:-} \
         --env=COCKPIT_BOTS_BRANCH=${COCKPIT_BOTS_BRANCH:-} \
         --env=COCKPIT_TESTMAP_INJECT=main/unit-tests \
+        --env=JOB_RUNNER_CONFIG=/run/secrets/tasks/job-runner.toml \
         --env=AMQP_SERVER=$AMQP_POD \
         --env=S3_LOGS_URL=$S3_URL_POD/logs/ \
         --env=COCKPIT_S3_KEY_DIR=/run/secrets/tasks/s3-keys \
@@ -251,6 +300,7 @@ test_image() {
 
 test_mock_pr() {
     podman cp "$MYDIR/mock-github" cockpituous-tasks:/work/bots/mock-github
+    create_job_runner_config mock
     podman exec -i cockpituous-tasks sh -euxc "
         cd bots
         # test mock PR against our checkout, so that cloning will work
@@ -292,6 +342,7 @@ test_mock_pr() {
 test_pr() {
     # need to use real GitHub token for this
     [ -z "$TOKEN" ] || cp -fv "$TOKEN" "$SECRETS"/webhook/.config--github-token
+    create_job_runner_config real
 
     # run the main loop in the background; we could do this with a single run-queue invocation,
     # but we want to test the cockpit-tasks script
@@ -347,6 +398,7 @@ test_pr() {
 test_mock_image_refresh() {
     podman cp "$MYDIR/mock-github" cockpituous-tasks:/work/bots/mock-github
     podman cp "$MYDIR/mock-git-push" cockpituous-tasks:/usr/local/bin/git
+    create_job_runner_config mock
 
     podman exec -i cockpituous-tasks sh -euxc "
         cd bots