# Pattern: Quarantined Build Runner Status: seed Readiness target: RL3 production Primary owners: Railiance platform, product repos Genesis family: Supply chain ## Problem Build jobs often process untrusted code while also having access to secrets, registries, signing keys, or deployment credentials. ## Context Use this pattern for CI/CD runners, release builders, image builders, dependency test jobs, and signing workflows. ## Forces - Builds need network and artifact access. - Pull requests may contain untrusted code. - Signing and deployment credentials are high impact. - Runners need cleanup and isolation between jobs. ## Solution Run build jobs in isolated, least-privilege environments with limited secrets, scoped network access, clean workspaces, and separate trusted release/signing stages. ## Verification - Untrusted jobs cannot access release or deployment secrets. - Runner workspaces are isolated and cleaned. - Network and registry access are scoped. - Signing happens only in trusted release contexts. ## Related Patterns - SLSA Build Provenance. - Signed Container Images. - Dependency Update Bot. - Protected Main Branch.