-
-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deploy a "simple" Github runner #268
Comments
For various reasons exposed in https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security, I recommend to:
On this machine I would setup Github runner application manually, and install missing packages if needed (e.g. install Docker since we use this in our zimit job). WDYT? |
Code coming from non-org members should go through validation before running the workflows. This is our approach to secure things. Doing this allows us to run workflows in a secure manner at the exact place where they make sense (on public repositories too). |
From my PoV, this seems a bit fragile to resort only to proper workflow configuration and code review. First because code review of workflow is hard, especially regarding security. Second because all our maintainers (e.g. GSoC students, ...) have write access to their repo(s), and hence are not subject to the workflow validation. I understand that not having the workflow in a public repository is a pain. Maybe a middle-ground is to continue working on existing public repos but still create a dedicated virtual machine with "nothing" on it, considering this machine might be compromised at any point in time? |
I'm in favour of this and had the feeling this is already what you propose (you have written "create a new Cloud instance"). |
Do you have any idea of which specs we should target for the new VM? I would recommend 1 CPU and 8G RAM, with at least 40-50G SSD disk). Do you have more insight? Should we continue with Scaleway (despite recent support issues) or continue to test Hetzner (since this is not a critical service at all)? |
I'm going to interpret the absence of feedback as an implicit "do the best you can, I don't know and we will fix what's wrong afterwards". |
Machine finally re-provisionned on amd64 (CX32), zimit daily tests needs chrome-for-tests ... which is available only on amd64 on Linux, not arm64 ... Price difference is negligible, IPs kept identical. Procedure is documented at https://github.com/kiwix/operations/wiki/Restore-Github-Runner-VM |
This is still not working ... because Youtube is still blocking us ... they have probably blacklisted the whole AS IP ranges from Hetzner ... Not sure how to move this forward: use ProtonVPN (or something else) to mask our IP (not sure it is very reliable for accessing Youtube) or move to another cloud provider? |
Not specifically tested with ProtonVPN but in my experience, all VPN IPs are painful to use on such platforms: captcha, etc which is to be expected since those are shared across a large number of users. I wouldn't go that route. |
I've deleted the github-runner from Hetzner for now so that we do not pay for something useless. |
For openzim/zimit#402, we would like to deploy a simple Github runner.
This runner might be used for few other cases where this runner will be superior to Github runners. This is probably going to be rare cases since we have to maintain our own image, we do not have access to Github runner images.
TbC how this should be done (Docker container on one of our k8s node? which node? dedicated small cloud instance? ...)
The text was updated successfully, but these errors were encountered: