by tacticus 2671 days ago
because "security" or some bullshit.

Why does the Bitbucket non-SaaS implementation still not use the same API :|


Security isn't necessarily bullshit.

CI/CD presents a significant risk, and it's not like CI/CD vendors have never had a security incident. Not to mention the unpublished access a member of their staff may have to interfere with your runners or pull your access tokens/secrets.

If an org is more comfortable having their own people assume this risk, I think the GitLab Helm chart is a better solution. At the same time, a small org, without the resources to properly look after this in-house, should use a SaaS vendor.

Plus Atlassian is located in Australia [1], and the Australian government passed a bill that requires a backdoor to all software products [2]. So if you care about security, it makes more sense to self-host.

[1]: https://en.wikipedia.org/wiki/Atlassian

[2]: https://www.nytimes.com/2018/12/06/world/australia/encryptio...

> Australian government passed a bill that requires a backdoor to all software products

That's not quite accurate. There is now a legal mechanism that allows certain government agencies to force you to add a backdoor to your product. But until you are given a notice you don't need to do anything, and you can provide aggregated statistics to your users of how many requests you've been given. There are also some weasel-word caveats (the backdoor cannot be a "systemic vulnerability" but there has been much disagreement about whether this limitation actually means anything -- in my view it's basically meaningless within the context of a single company's product).

There is currently a review process open for the TOLA Act that closes in April [1], so any fellow Australians on HN should submit their comments -- there are only 65 submissions so far (and only 27 are by individuals).

[1]: https://www.aph.gov.au/Parliamentary_Business/Committees/Joi...

Another correction: Atlassian has offices in Australia, but predominantly hosts their cloud services in the US and Europe.

The SaaS and self-hosted versions don't even have the same features.

For example, there's a two-year-old open "high priority" ticket for adding the ability to restrict pushes to branch patterns, yet still allow new branches to be created, for the SaaS product. The self-hosted version has apparently had this feature since before the ticket was opened.

Not the same codebase; one is a Python code base, the other a Java one.