Hey everyone! I'm looking for some advice on integrating GitHub Actions with my Kubernetes setup. Currently, I've got a Proxmox cluster with a few VMs dedicated to K8s, and I'm weighing the pros and cons of using GitHub-hosted runners versus self-hosted runners within my cluster. My main concerns revolve around security and how to structure my CI/CD pipelines efficiently.
Here's the current overview of my infrastructure:
- **Proxmox cluster** with 2 servers running high availability.
- **4 VMs** for Kubernetes: 1 control plane and 3 workers distributed for resiliency.
- **Network setup** managed by a Mikrotik firewall.
I'm aiming to run CI/CD pipelines for builds/deployments, and I'd like to ensure secure access from the runners to the Kubernetes API without exposing it to the internet.
Here are the key questions I have:
1. When using GitHub-hosted runners, should I expose the API port 6443, or consider using tools like GitOps for changes, or set up a VPN?
2. If I opt for self-hosted runners on Kubernetes, what potential issues should I be aware of in terms of high availability, security boundaries, and maintenance?
3. What would you suggest as the best and most secure CI/CD approach - GitHub-hosted with GitOps, tunneling, fully self-hosted, or something else?
I'd really appreciate input from anyone who has experience with a similar setup, especially regarding runner integration and API server exposure. Thank you!
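One way to draw the security boundary that question 2 asks about, added here as an example (this is not from the original post and not any project's reference config): an in-cluster runner gets a service account that can only patch Deployments in one namespace, and a NetworkPolicy limits what the runner pod can talk to. Namespace names, labels and the API server address are assumptions.

```yaml
# Added example, not from the original post. Assumed values: runners live in
# namespace "ci", deploy into namespace "apps", and the API server is reachable
# at 10.0.0.10:6443 (placeholder address).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gh-runner
  namespace: ci
---
# Namespace-scoped Role: enough for `kubectl set image` and `kubectl rollout status`
# in "apps"; no secrets, no pods/exec, no cluster-wide rights.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: apps
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gh-runner-deployer
  namespace: apps
subjects:
  - kind: ServiceAccount
    name: gh-runner
    namespace: ci
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
---
# Egress allow-list for runner pods (label app=gh-runner). Anything not listed,
# including other workloads and the rest of the LAN, is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gh-runner-egress
  namespace: ci
spec:
  podSelector:
    matchLabels:
      app: gh-runner
  policyTypes: ["Egress"]
  egress:
    - to:   # cluster DNS
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:   # the Kubernetes API server only (placeholder address)
        - ipBlock:
            cidr: 10.0.0.10/32
      ports:
        - protocol: TCP
          port: 6443
    - to:   # GitHub and the image registry over public HTTPS, never private ranges
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 443
```

The runner pod must set `serviceAccountName: gh-runner` for the Role to apply, and the Role is then the blast radius: anyone who can get a workflow to run on that runner can do exactly what `deployer` allows and nothing more. NetworkPolicy is only enforced by a CNI that implements it (Calico and Cilium do; plain flannel silently ignores it), so check that before relying on the egress rules.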
2 Answers
GitHub-hosted runners are pretty powerful and come at no cost. Unless you have specific networking or performance needs, they might be the way to go. Just remember, the source code and security are key!
If you must self-host, make sure you've got tight networking policies in place to safeguard your Kubernetes API from broad exposure. It could also help to explore lighter options like Gitea to run GitHub Actions if you're concerned about resource usage on your cluster.
I've seen some folks run GitLab on shared clusters to have easier local access to K8s. Since your repos are in GitHub though, spinning up GitLab might add unnecessary complexity.
I'd say look into GitOps tools like ArgoCD or Flux, or consider using self-hosted runners in-cluster. It gives you that local network benefit without the overhead!
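A concrete version of the pull-based approach this answer points at, added here as an example (not from the original answer, and not Flux's or GitHub's own reference config): Flux pulls manifests from GitHub, and a workflow on GitHub-hosted runners builds the image and commits the new tag into the manifests repo, so no runner ever needs port 6443, a VPN or a kubeconfig. Repository names, paths, secret names and the deployment file are placeholders.

```yaml
# --- file: clusters/homelab/flux-sync.yaml (added example, placeholders throughout)
# Flux watches the manifests repo with a read-only credential; the cluster pulls,
# nothing outside the cluster pushes to the API server.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: k8s-manifests
  namespace: flux-system
spec:
  interval: 1m
  url: https://github.com/example-org/k8s-manifests   # placeholder repo
  ref:
    branch: main
  secretRef:
    name: flux-git-auth   # read-only deploy key/token, created out of band
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 5m
  sourceRef:
    kind: GitRepository
    name: k8s-manifests
  path: ./clusters/homelab
  prune: true      # resources removed from git are removed from the cluster
  wait: true       # reconciliation reports failure if the rollout does not become healthy
  timeout: 3m
---
# --- file: .github/workflows/build-and-promote.yaml in the application repo
# Runs on GitHub-hosted runners. Its only credentials are GITHUB_TOKEN (packages)
# and a fine-grained token that can push to the manifests repo; it never sees the cluster.
name: build-and-promote
on:
  push:
    branches: [main]
permissions:
  contents: read
  packages: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v6
        with:
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
      - name: check out manifests repo
        uses: actions/checkout@v4
        with:
          repository: example-org/k8s-manifests                 # placeholder
          token: ${{ secrets.MANIFESTS_PUSH_TOKEN }}            # scoped to that one repo
          path: manifests
      - name: promote new image tag (Flux applies it on its next sync)
        run: |
          cd manifests
          sed -i "s|ghcr.io/${{ github.repository }}:.*|ghcr.io/${{ github.repository }}:${{ github.sha }}|" \
            clusters/homelab/app/deployment.yaml              # placeholder path
          git config user.name ci-bot
          git config user.email ci-bot@example.invalid
          git commit -am "promote ${{ github.repository }} to ${{ github.sha }}"
          git push
```

The split matters for the threat model: compromising the build workflow yields a registry token and write access to one git repo, both of which leave an audit trail in GitHub, rather than a live credential for the cluster. Pin the action versions to full commit SHAs rather than the `@vN` tags shown if you want protection against a tag being moved.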