the expectation of being able to run docker whenever in CI jobs is probably the single worst outcome of free GitHub Actions minutes because reproducing it in a bring-your-own-compute environment is borderline impossible unless you make every machine single-tenant
even if you make every machine single-tenant, most configurations of Forgejo Actions runners would enable malware to escape the build container, persist itself and infect all future releases
@whitequark isn’t there something like BSD's jail or bwrap for that? Or is that still not secure enough? What would the threat be there? O.o
@lixou it uses docker/podman by default but I don't trust Linux containers enough