Hacker News
by ayufan 3735 days ago
Currently Shared Runners offer only Linux-based builds. We can introduce extensions to that offering at some point.

The Linux-based Shared Runners are free for everyone, including for private projects.

1 comments

This is only tangentially related, but information on the runtime environment of gitlab.com's shared runners is a little obtuse. Is using a shared runner with a private repository a no-go if I want to keep my repo private? All I can find is the cryptic warning "GitLab Runners do not offer secure isolation between projects that they do builds for. You are TRUSTING all GitLab users who can push code to project A, B or C to run shell scripts on the machine hosting runner X." I take this to mean that I have to trust everyone who can push code to the shared runner, which for all intents and purposes is anyone with a GitLab account.
This was a problem in the past. Since we use Docker we have fairly good separation of builds. You are not able to fetch someone else's source unless you find or use a Linux kernel exploit. This will get improved further with upcoming upgrades to the shared runners offering: https://gitlab.com/gitlab-com/www-gitlab-com/merge_requests/.... Most likely we will run the builds only once on the VM.
We'll improve the warning with this updated information https://gitlab.com/gitlab-org/gitlab-ce/issues/14732