[xahrepap]

Yes and no. Depends on tenancy requirements. I know with docker and other common Linux container strategies you would want to keep each tenant on their own VM. A container isn’t safe enough.

So if this is your org’s only action. Then you’re probably spinning up a VM. If you have other options. You’re probably not adding any overhead.

(Edit: grammar)

[jjeaff]

Ya, but I doubt that is the case with actions, because I don't think you really have full access to everything. You provide a yaml file and their software runs that yaml which could easily exclude any dangerous commands. Plus, github offers a hosted runner service where you pay for a dedicated VM to run your actions in. So that makes it seem like actions are probably run together on larger VMs by default.

[Bognar]

It is definitely the case with Actions.

> I don't think you really have full access to everything

You do.

> their software runs that yaml which could easily exclude any dangerous commands

Categorizing dangerous commands is impossible to do accurately by just looking at a yaml file.

> Plus, github offers a hosted runner service where you pay for a dedicated VM to run your actions in. So that makes it seem like actions are probably run together on larger VMs by default.

I'm not sure what this means. The paid hosted runners are not any different from the free hosted runners, but free runners can only be used on public repos.

[cube2222]

You can also use more secure containarization technologies than native docker, like gVisor, to achieve both lightness and isolation.