Actions Runtime Security
CI security is a critical topic, as CI is often granted access to critical resources and holds sensitive assets like code and keys. We have worked to harden the Worktree Actions runtime so that it can be trusted to execute your workflows securely.
Every job on Worktree Actions is isolated on its own ephemeral cloud instance which is provisioned on-demand at the start of the Actions workflow. We employ multiple cloud providers to facilitate this; the choice of cloud provider is randomized and based on various internal factors such as current load and cost balancing.
| Cloud Provider | Region | Supported Images | Native Architectures |
|---|---|---|---|
| DigitalOcean | Toronto (tor1) | ubuntu-22.04 | linux/amd64 |
| AWS | Montréal (ca-central-1) | ubuntu-22.04 | linux/amd64 |
Each ephemeral VM is a clean, up-to-date installation of Debian 12 with Docker Engine installed. Each Actions step is executed in a Docker container which mimics the GitHub Actions runner environment. Any step that itself uses Docker has the Docker socket from the host VM mounted into this runtime container.
While the actions have effective root access to the ephemeral VM, the VM is entirely dedicated to a single Actions workflow and has no shared details, tokens, or secrets beyond what is configured for the run itself.
Actions workflows are coordinated by one or more "orchestrator" nodes which are operated by Worktree and coordinate many workflows concurrently across the platform. These nodes handle all of the integration with Worktree, provision and de-provision the ephemeral VMs, and execute the jobs on the ephemeral VMs. No public code is executed on the orchestrator nodes.
Security of the Worktree Actions platform is our highest priority. If you believe you have found a vulnerability or have concerns, please reach out to security@worktree.ca and we'll be in touch as soon as possible.