generated from coulomb/repo-seed
44 lines
1.1 KiB
Markdown
44 lines
1.1 KiB
Markdown
# Pattern: Quarantined Build Runner
|
|
|
|
Status: seed
|
|
Readiness target: RL3 production
|
|
Primary owners: Railiance platform, product repos
|
|
Genesis family: Supply chain
|
|
|
|
## Problem
|
|
|
|
Build jobs often process untrusted code while also having access to
|
|
secrets, registries, signing keys, or deployment credentials.
|
|
|
|
## Context
|
|
|
|
Use this pattern for CI/CD runners, release builders, image builders,
|
|
dependency test jobs, and signing workflows.
|
|
|
|
## Forces
|
|
|
|
- Builds need network and artifact access.
|
|
- Pull requests may contain untrusted code.
|
|
- Signing and deployment credentials are high impact.
|
|
- Runners need cleanup and isolation between jobs.
|
|
|
|
## Solution
|
|
|
|
Run build jobs in isolated, least-privilege environments with limited
|
|
secrets, scoped network access, clean workspaces, and separate trusted
|
|
release/signing stages.
|
|
|
|
## Verification
|
|
|
|
- Untrusted jobs cannot access release or deployment secrets.
|
|
- Runner workspaces are isolated and cleaned.
|
|
- Network and registry access are scoped.
|
|
- Signing happens only in trusted release contexts.
|
|
|
|
## Related Patterns
|
|
|
|
- SLSA Build Provenance.
|
|
- Signed Container Images.
|
|
- Dependency Update Bot.
|
|
- Protected Main Branch.
|