Closed lrettig closed 1 year ago
Some ideas regarding security on self-hosted runners:
@fasmat Sorry for jumping on this. "GitHub Actions runners" got my attention.
You can achieve the above-mentioned requirements with https://cirun.io. It creates on-demand runners for GitHub Actions on your cloud and manages the complete lifecycle. You simply connect your cloud provider and define what runners you need in a simple YAML file, and that's it.
See https://docs.cirun.io/reference/examples.html#aws for example.
@aktech I don't think any of these cloud providers currently support Apple Silicon VMs, do they?
Ah, I see, I didn't notice the mention of Silicon VMs. Only Linux at the moment.
Good to know, thanks
Changes need to be approved before they can trigger a CI build on self-hosted runners
This is definitely a must-have :) I would, however, not go for approval but rather a comment (or similar) like "ok to test" that is valid only for a given subset of changes (so pushing again invalidates it).
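The "ok to test" scheme from the comment above, as an added example that is not part of the thread or of any project tooling: an approval counts only if it comes from a trusted commenter and names the full SHA of the current head commit, so a new push invalidates it. The comment syntax, the `Comment` type and the sample data are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# author_association values GitHub reports for users tied to the repository.
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}

# Assumed convention: the approver pastes the full 40-character SHA they reviewed.
# Abbreviated SHAs are rejected because a short prefix can be brute-forced
# by whoever controls the next push.
APPROVAL = re.compile(r"^\s*ok to test\s+([0-9a-f]{40})\s*$", re.I | re.M)


@dataclass
class Comment:
    author: str
    author_association: str
    body: str


def approver_for_head(head_sha, comments):
    """Return the login that approved exactly this head commit, else None."""
    head = head_sha.lower()
    for c in comments:
        if c.author_association not in TRUSTED:
            continue  # outside contributors cannot approve their own changes
        for sha in APPROVAL.findall(c.body):
            if sha.lower() == head:
                return c.author
    return None


# Constructed sample data: a reviewed commit and a later, unreviewed push.
OLD_HEAD = "a" * 40
NEW_HEAD = "b" * 40
SAMPLE = [
    Comment("contributor", "CONTRIBUTOR", f"ok to test {NEW_HEAD}"),
    Comment("maintainer", "MEMBER", f"Looks fine.\nok to test {OLD_HEAD}"),
]

if __name__ == "__main__":
    for head in (OLD_HEAD, NEW_HEAD):
        who = approver_for_head(head, SAMPLE)
        print(head[:7], "run on self-hosted" if who else "hold for review", who)
```
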
The runners have been added. So far the only security measure that we can have is to make sure that
is marked in any repo that requires a self-hosted runner.
There are M1 runners and Linux arm64 available. Examples of use in poet repo.
Ideally we'd like arm64 runners for both Linux and macOS, to test go-spacemesh and other critical infrastructure on. I set up a Linux-based self-hosted runner already, but the main task is to make it secure, since GitHub strongly recommends not enabling these for public repos. For more see:
CC @andres-spacemesh @fasmat