consider security levels for runners
The Wikimedia Foundation has an interesting approach to GitLab runner security:
https://wikitech.wikimedia.org/wiki/GitLab/Gitlab_Runner/Security_Evaluation
Basically, they have three levels:
- nothing: you bring your own runners; that would be the equivalent of everyone not under the tpo/ namespace for us
- members-only: access to shared runners
- special projects: allow-list of select projects which are the only ones with access to hardened runners, and only on the protected branch
There's all sorts of hardening on those runners, which include:
- image restrictions: an allow-list of images that are allowed to be used for jobs
- non-root gitlab-runner
- (planned) rootless docker (see #129 (moved) for our effort at podman, which could do this as well)
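As an added example (not from the page, from Wikimedia's wiki, or from our own runner setup), here is what the image allow-list, unprivileged containers and rootless Docker socket from the list above look like in a GitLab Runner `config.toml` for the Docker executor, with the permissive defaults left commented out for contrast. The GitLab hostname, registry name, UID, token and image names are assumed placeholders.

```toml
# Added example config.toml for a hardened Docker-executor runner.
# All hostnames, the registry, the UID and the token are placeholders.

concurrent = 1          # one job at a time keeps tenants from sharing a host concurrently
check_interval = 0

# --- Permissive: what a quickly registered shared runner often looks like ---
# [[runners]]
#   name = "shared-runner"
#   executor = "docker"
#   [runners.docker]
#     image = "debian:bookworm"
#     privileged = true        # job gets root-equivalent access to the host kernel
#     allowed_images = []      # empty list: any image from any registry is accepted
#     host = ""                # default: root-owned /var/run/docker.sock

# --- Hardened ---
[[runners]]
  name = "hardened-runner"
  url = "https://gitlab.example.org/"
  token = "RUNNER_TOKEN_PLACEHOLDER"
  executor = "docker"
  [runners.docker]
    # default image, itself from the allowed registry
    image = "registry.example.org/ci/base:stable"
    # never hand out --privileged containers
    privileged = false
    # image restrictions: only images (and services) from our own registry
    allowed_images = ["registry.example.org/ci/*:*"]
    allowed_services = ["registry.example.org/ci/*:*"]
    # always re-pull so a locally cached, tampered layer is not reused
    pull_policy = "always"
    # rootless Docker socket of the unprivileged runner user (assumed UID 1001);
    # a podman socket would be unix:///run/user/1001/podman/podman.sock
    host = "unix:///run/user/1001/docker.sock"
    volumes = ["/cache"]
```

Two of the measures are not expressed in `config.toml` at all: running `gitlab-runner` as a non-root user is done at install time (`gitlab-runner install --user gitlab-runner --working-directory /home/gitlab-runner`), and limiting the runner to the protected branch is set at registration (`--access-level ref_protected`) or in the runner's "Protected" setting in the GitLab UI. A runner whose `allowed_images` list is empty will accept any `image:` a job requests, which is exactly the unrestricted case the Wikimedia evaluation avoids for its hardened tier.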