Ephemeral GHA Apple Silicon Runners with CiderMill

submitted by
Style Pass
2023-01-23 22:00:09

In the pyca/cryptography project we ostensibly write Python (and Rust), but in reality we are CI engineers doomed to spend 90% of all our development time building and maintaining our annoyingly large CI[1]. As part of that unwanted work we possess a self-hosted runner for macOS arm64 builds[2].

Self-hosted runners have one big drawback[3] – they lack build isolation. In the typical security model of GitHub Actions every job runs in an isolated environment. At the end of a run that environment is destroyed[4] and future runs are not exposed to any products of a previous run. In a self-hosted runner, this is not true. Instead, each invocation of the runner is running on the same state-filled system that you built, with whatever mutations the last job performed still present. In some cases (e.g. closed source development using GHA) this represents an annoyance (you can’t treat all your GHA runners the same!), but can be worked around. However, in the open source world[5] this represents an unacceptable security problem. CI systems run arbitrary code[6] and trivial persistence on a CI runner is clearly undesirable.

For this reason, we have constrained our M1 runner to only pushes to main since we installed it, but, like professional athletes, we always want more.
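As an added example (not a workflow from the pyca/cryptography repository), here is the shape of the constraint described above expressed in a GitHub Actions workflow: the job that targets the persistent self-hosted Apple Silicon machine is gated so that only pushes to main ever run on it, while pull requests (which can carry untrusted code from forks) are never scheduled onto it. The job name, the test command and the action version are assumptions; `self-hosted`, `macOS` and `ARM64` are GitHub's default labels for such a runner.

```yaml
name: CI

on:
  push:
    branches: [main]
  pull_request:

jobs:
  macos-arm64:
    # Hypothetical job name. This job lands on the stateful self-hosted runner,
    # so it is guarded twice: the `on.push.branches` filter above limits push
    # triggers to main, and the `if` below additionally refuses to run for any
    # other event (e.g. pull_request), even if more triggers are added later.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: [self-hosted, macOS, ARM64]
    steps:
      - uses: actions/checkout@v3
      # Assumed test command; replace with the project's own.
      - run: python -m pytest
```

The `if` guard is evaluated before the job is queued, so a pull request never touches the runner at all; this reduces exposure but does not restore isolation, since successive main pushes still share the machine's state, which is the gap ephemeral runners are meant to close.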
