diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md
index c4ed81e0b5b6..eb6fb6fc6e45 100644
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -221,6 +221,8 @@ The module update takes care of the new config syntax and the data itself (user
 
 - `services.prometheus.exporters` has a new [exporter](https://github.com/hipages/php-fpm_exporter) to monitor PHP-FPM processes, see [#240394](https://github.com/NixOS/nixpkgs/pull/240394) for more details.
 
+- `services.github-runner` / `services.github-runners.<name>` gained the option `nodeRuntimes`. The option defaults to `[ "node20" ]`, i.e., the service supports Node.js 20 GitHub Actions only. The list of Node.js versions accepted by `nodeRuntimes` tracks the versions the upstream GitHub Actions runner supports. See [#249103](https://github.com/NixOS/nixpkgs/pull/249103) for details.
+
 - `programs.gnupg.agent.pinentryFlavor` is now set in `/etc/gnupg/gpg-agent.conf`, and will no longer take precedence over a `pinentry-program` set in `~/.gnupg/gpg-agent.conf`.
 
 - `services.influxdb2` now supports doing an automatic initial setup and provisioning of users, organizations, buckets and authentication tokens, see [#249502](https://github.com/NixOS/nixpkgs/pull/249502) for more details.
diff --git a/nixos/modules/services/continuous-integration/github-runner/options.nix b/nixos/modules/services/continuous-integration/github-runner/options.nix
index ce8809213724..f2887c7711b3 100644
--- a/nixos/modules/services/continuous-integration/github-runner/options.nix
+++ b/nixos/modules/services/continuous-integration/github-runner/options.nix
@@ -208,4 +208,12 @@ with lib;
     '';
     default = null;
   };
+
+  nodeRuntimes = mkOption {
+    type = with types; nonEmptyListOf (enum [ "node16" "node20" ]);
+    default = [ "node20" ];
+    description = mdDoc ''
+      List of Node.js runtimes the runner should support.
+    '';
+  };
 }
diff --git a/nixos/modules/services/continuous-integration/github-runner/service.nix b/nixos/modules/services/continuous-integration/github-runner/service.nix
index 55df83362cb6..535df7f68e07 100644
--- a/nixos/modules/services/continuous-integration/github-runner/service.nix
+++ b/nixos/modules/services/continuous-integration/github-runner/service.nix
@@ -22,6 +22,7 @@ with lib;
 
 let
   workDir = if cfg.workDir == null then runtimeDir else cfg.workDir;
+  package = cfg.package.override { inherit (cfg) nodeRuntimes; };
 in
 {
   description = "GitHub Actions runner";
@@ -47,7 +48,7 @@ in
 
   serviceConfig = mkMerge [
     {
-      ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service";
+      ExecStart = "${package}/bin/Runner.Listener run --startuptype service";
 
       # Does the following, sequentially:
       # - If the module configuration or the token has changed, purge the state directory,
@@ -149,7 +150,7 @@ in
               else
                 args+=(--token "$token")
               fi
-              ${cfg.package}/bin/Runner.Listener configure "''${args[@]}"
+              ${package}/bin/Runner.Listener configure "''${args[@]}"
               # Move the automatically created _diag dir to the logs dir
               mkdir -p  "$STATE_DIRECTORY/_diag"
               cp    -r  "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/"
diff --git a/pkgs/development/tools/continuous-integration/github-runner/default.nix b/pkgs/development/tools/continuous-integration/github-runner/default.nix
index 6ccc923ec30d..0b1a21c2852b 100644
--- a/pkgs/development/tools/continuous-integration/github-runner/default.nix
+++ b/pkgs/development/tools/continuous-integration/github-runner/default.nix
@@ -9,21 +9,28 @@
 , glibcLocales
 , lib
 , nixosTests
-, nodejs_16
 , stdenv
 , which
 , buildPackages
 , runtimeShell
+  # List of Node.js runtimes the package should support
+, nodeRuntimes ? [ "node20" ]
+, nodejs_16
+, nodejs_20
 }:
+
+# Node.js runtimes supported by upstream
+assert builtins.all (x: builtins.elem x [ "node16" "node20" ]) nodeRuntimes;
+
 buildDotnetModule rec {
   pname = "github-runner";
-  version = "2.307.1";
+  version = "2.308.0";
 
   src = fetchFromGitHub {
     owner = "actions";
     repo = "runner";
     rev = "v${version}";
-    hash = "sha256-h/JcOw7p/loBD6aj7NeZyqK3GtapNkjWTYw0G6OCmVQ=";
+    hash = "sha256-LrHScQbBkRPSNsfPxvE2+K9tON8xuR0e4JpKVuI+Gu0=";
     leaveDotGit = true;
     postFetch = ''
       git -C $out rev-parse --short HEAD > $out/.git-revision
@@ -31,7 +38,7 @@ buildDotnetModule rec {
     '';
   };
 
-  # The git commit is read during the build and some tests depends on a git repo to be present
+  # The git commit is read during the build and some tests depend on a git repo to be present
   # https://github.com/actions/runner/blob/22d1938ac420a4cb9e3255e47a91c2e43c38db29/src/dir.proj#L5
   unpackPhase = ''
     cp -r $src $TMPDIR/src
@@ -178,6 +185,7 @@ buildDotnetModule rec {
     ++ lib.optionals (stdenv.hostPlatform.system == "aarch64-linux") [
       # "JavaScript Actions in Alpine containers are only supported on x64 Linux runners. Detected Linux Arm64"
       "GitHub.Runner.Common.Tests.Worker.StepHostL0.DetermineNodeRuntimeVersionInAlpineContainerAsync"
+      "GitHub.Runner.Common.Tests.Worker.StepHostL0.DetermineNode20RuntimeVersionInAlpineContainerAsync"
     ]
     ++ lib.optionals DOTNET_SYSTEM_GLOBALIZATION_INVARIANT [
       "GitHub.Runner.Common.Tests.ProcessExtensionL0.SuccessReadProcessEnv"
@@ -185,13 +193,19 @@ buildDotnetModule rec {
       "GitHub.Runner.Common.Tests.Worker.VariablesL0.Constructor_SetsOrdinalIgnoreCaseComparer"
       "GitHub.Runner.Common.Tests.Worker.WorkerL0.DispatchCancellation"
       "GitHub.Runner.Common.Tests.Worker.WorkerL0.DispatchRunNewJob"
+    ]
+    ++ lib.optionals (!lib.elem "node16" nodeRuntimes) [
+      "GitHub.Runner.Common.Tests.ProcessExtensionL0.SuccessReadProcessEnv"
     ];
 
   testProjectFile = [ "src/Test/Test.csproj" ];
 
   preCheck = ''
     mkdir -p _layout/externals
+  '' + lib.optionalString (lib.elem "node16" nodeRuntimes) ''
     ln -s ${nodejs_16} _layout/externals/node16
+  '' + lib.optionalString (lib.elem "node20" nodeRuntimes) ''
+    ln -s ${nodejs_20} _layout/externals/node20
   '';
 
   postInstall = ''
@@ -224,12 +238,15 @@ buildDotnetModule rec {
       --replace './externals' "$out/lib/externals" \
       --replace './bin/RunnerService.js' "$out/lib/github-runner/RunnerService.js"
 
-    # The upstream package includes Node 16 and expects it at the path
-    # externals/node16. As opposed to the official releases, we don't
+    # The upstream package includes Node and expects it at the path
+    # externals/node$version. As opposed to the official releases, we don't
     # link the Alpine Node flavors.
     mkdir -p $out/lib/externals
+  '' + lib.optionalString (lib.elem "node16" nodeRuntimes) ''
     ln -s ${nodejs_16} $out/lib/externals/node16
-
+  '' + lib.optionalString (lib.elem "node20" nodeRuntimes) ''
+    ln -s ${nodejs_20} $out/lib/externals/node20
+  '' + ''
     # Install Nodejs scripts called from workflows
     install -D src/Misc/layoutbin/hashFiles/index.js $out/lib/github-runner/hashFiles/index.js
     mkdir -p $out/lib/github-runner/checkScripts