This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-quarantined-build-runner.md

44 lines
1.1 KiB
Markdown

# Pattern: Quarantined Build Runner
Status: seed
Readiness target: RL3 production
Primary owners: Railiance platform, product repos
Genesis family: Supply chain
## Problem
Build jobs often process untrusted code while also having access to
secrets, registries, signing keys, or deployment credentials.
## Context
Use this pattern for CI/CD runners, release builders, image builders,
dependency test jobs, and signing workflows.
## Forces
- Builds need network and artifact access.
- Pull requests may contain untrusted code.
- Signing and deployment credentials are high impact.
- Runners need cleanup and isolation between jobs.
## Solution
Run build jobs in isolated, least-privilege environments with limited
secrets, scoped network access, clean workspaces, and separate trusted
release/signing stages.
## Verification
- Untrusted jobs cannot access release or deployment secrets.
- Runner workspaces are isolated and cleaned.
- Network and registry access are scoped.
- Signing happens only in trusted release contexts.
## Related Patterns
- SLSA Build Provenance.
- Signed Container Images.
- Dependency Update Bot.
- Protected Main Branch.