-
|
I am currently using GitHub actions for cargo-quick install builder, but I am unhappy with how their isolation works, because I am building untrusted code (see cargo-bins/cargo-quickinstall#49 for details). It looks like you can have KVM isolated runners for linux (https://cirrus-ci.org/guide/linux/#kvm-enabled-privileged-containers Can anyone help me work out how the windows containers isolated from each other? It may be that they are already isolated with hyperv, in which case it might be enough to add a note about this to https://cirrus-ci.org/guide/windows/ |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
|
Hey @alsuren, Windows containers are already executed in separate ephemeral VMs without sharing resources with other tasks. Plus the VM or the task doesn't have any elevated access especially for PRs: GitHub token for cloning is read-only and scoped to the repository, Cirrus itself stores caches and other things in a separate namespace. So it already seems pretty secure without |
Beta Was this translation helpful? Give feedback.
Hey @alsuren, Windows containers are already executed in separate ephemeral VMs without sharing resources with other tasks. Plus the VM or the task doesn't have any elevated access especially for PRs: GitHub token for cloning is read-only and scoped to the repository, Cirrus itself stores caches and other things in a separate namespace. So it already seems pretty secure without
--isolation=hyperv.