I’ve been considering moving away from gitlab for a long time, but so far, as far as I know, it’s still the only service that supports ephemeral self hosted runners. with gitlab it can utilize docker-machine to spin up vps on demand and ensure only a single job runs on each vps before it gets destroyed again.
@example
I believe gitea/forgejo has feature parity with any github-ish runner [1] so you should be able to use your gitlab runner.
Otherwise, unless I am misunderstanding you, checkout forgejo runner using docker-in-docker [2]
I might have misread, but you wanted VPS to be spun up pr. job or just a docker container pr. job? Spinning up a whole VPS seems a little unusual, do you interface with a hypervisor or what are you doing?
I’m indeed talking about spinning up full vps. with untrusted workloads I’d rather have the best isolation reasonably possible. effectively, this is similar to how Github hosted runners work. my gitlab is currently primarily working by spinning up Hetzner cloud vps on demand, but I’ve also used this with proxmox before.
if I have very sensitive secrets accessible to my ci pipeline I want to minimize the risk of leakage through compromise of CI environments to a minimum.
I’ve been considering moving away from gitlab for a long time, but so far, as far as I know, it’s still the only service that supports ephemeral self hosted runners. with gitlab it can utilize docker-machine to spin up vps on demand and ensure only a single job runs on each vps before it gets destroyed again.
@example
I believe gitea/forgejo has feature parity with any github-ish runner [1] so you should be able to use your gitlab runner.
Otherwise, unless I am misunderstanding you, checkout forgejo runner using docker-in-docker [2]
I might have misread, but you wanted VPS to be spun up pr. job or just a docker container pr. job? Spinning up a whole VPS seems a little unusual, do you interface with a hypervisor or what are you doing?
[1] https://forgejo.org/docs/next/admin/actions/#other-runners
[2] https://code.forgejo.org/forgejo/runner/src/branch/main/examples/docker-compose
I’m indeed talking about spinning up full vps. with untrusted workloads I’d rather have the best isolation reasonably possible. effectively, this is similar to how Github hosted runners work. my gitlab is currently primarily working by spinning up Hetzner cloud vps on demand, but I’ve also used this with proxmox before.
if I have very sensitive secrets accessible to my ci pipeline I want to minimize the risk of leakage through compromise of CI environments to a minimum.
@example Understood; we also do it at work through Proxmox but that is in-house shenanigans.
Is there an existing solution for this for GitLab or did you also have to built it yourself?
EDIT: Ah found it. Looks super nifty. I don’t know any equivalent!