spacemeshos / pm

Project management. Meta-tasks related to research, dev, and specs for the Spacemesh protocol and infrastructure.
http://spacemesh.io/
Creative Commons Zero v1.0 Universal

Add more GitHub Actions runners #169

Closed lrettig closed 1 year ago

lrettig commented 1 year ago

Ideally we'd like arm64 runners for both Linux and macOS, to test go-spacemesh and other critical infrastructure on. I set up a Linux-based self-hosted runner already, but the main task is to make it secure, since GitHub strongly recommends not enabling these for public repos. For more see:

CC @andres-spacemesh @fasmat

fasmat commented 1 year ago

Some ideas regarding security on self-hosted runners:

aktech commented 1 year ago

@fasmat Sorry for jumping on this. "GitHub Actions runners" got my attention.

You can achieve the above-mentioned requirements with https://cirun.io. It creates on-demand runners for GitHub Actions on your cloud and manages the complete lifecycle. You simply connect your cloud provider and define what runners you need in a simple YAML file and that's it.

See https://docs.cirun.io/reference/examples.html#aws for example.

lrettig commented 1 year ago

@aktech I don't think any of these cloud providers currently support Apple Silicon VMs, do they?

aktech commented 1 year ago

Ah, I see, I didn't notice the mention of Silicon VMs, only Linux at the moment.

lrettig commented 1 year ago

Good to know, thanks

pigmej commented 1 year ago

> Changes need to be approved before they can trigger a CI build on self-hosted runners

This is definitely a must-have :) I would, however, not go for approval but rather a comment (or similar) like "ok to test" that is valid only for a given subset of changes (so pushing again invalidates).
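
One way to implement the "ok to test" gate described above, as an added example (not part of the thread and not Spacemesh's code): the approval comment must name the exact head commit, so a later push leaves the new SHA unapproved. The comment syntax, function name and sample data are assumptions; `author_association` is the field GitHub's comment API returns.

```javascript
// Added example: "ok to test" gate bound to one exact commit.
// Assumed (hypothetical) comment syntax: "ok to test <40-hex head SHA>".
const TRUSTED = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);
const APPROVAL = /^ok to test ([0-9a-f]{40})\s*$/im;

// comments: objects shaped like GitHub's issue-comment API
// ({ body, author_association, user: { login } }).
// Returns the approving login, or null if headSha has no valid approval.
function approvedBy(headSha, comments) {
  const head = headSha.toLowerCase();
  for (const c of comments) {
    // Only people with write-level association may approve; the PR author
    // of a fork typically shows up as CONTRIBUTOR or NONE.
    if (!TRUSTED.has(c.author_association)) continue;
    const m = APPROVAL.exec(c.body || "");
    // Full SHA only: a short prefix could be matched by a crafted new commit.
    if (m && m[1].toLowerCase() === head) return c.user.login;
  }
  return null;
}

// Constructed sample data (not real commits or users).
const SHA_A = "a".repeat(40); // commit the maintainer reviewed
const SHA_B = "b".repeat(40); // commit pushed after the approval
const sample = [
  { body: `ok to test ${SHA_B}`, author_association: "NONE",
    user: { login: "pr-author" } },   // self-approval attempt, ignored
  { body: `Looks fine.\nok to test ${SHA_A}`, author_association: "MEMBER",
    user: { login: "maintainer" } },  // valid, but only for SHA_A
  { body: "ok to test aaaaaaa", author_association: "OWNER",
    user: { login: "owner" } },       // abbreviated SHA, rejected
];

// Before and after the contributor pushes again.
function demo() {
  return {
    reviewedHead: approvedBy(SHA_A, sample),
    afterNewPush: approvedBy(SHA_B, sample),
  };
}
console.log(demo());
```

A CI job on a self-hosted runner would call this with the pull request's current head SHA and refuse to run when it returns `null`.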

pigmej commented 1 year ago

The runners have been added. So far the only security measure that we can have is to make sure that

Image

is marked in any repo that requires self-hosted runner.

There are M1 runners and Linux arm64 available. Examples of use are in the poet repo.