In the shared runner settings, I see this:

"GitLab Runners do not offer secure isolation between projects that they do builds for. You are TRUSTING all GitLab users who can push code to project A, B or C to run shell scripts on the machine hosting runner X."

Seems like a very strong reason to use one's own paid DigitalOcean instances for runners instead of using the free shared runners, at least for commercial projects. I was wondering if anyone from GitLab could expand further on this?

This warning is outdated for the shared runners on GitLab.com since we do not reuse runners there at all. All runners are destroyed after a single build. Please see https://gitlab.com/gitlab-org/gitlab-ce/issues/14732 for more background and our effort to update this message.

That's great to hear. Thanks.

We'd need an answer from GitLab, but that statement was there with the old infrastructure for shared runners.

Is it possible that this issue is fixed with the new ones?

You're correct, we fixed this issue, the new warning will be: "Shared runners execute code of different projects on the same Runner unless you configure GitLab Runner Autoscale with MaxBuilds 1 (which it is on GitLab.com)."
