Does this skill support Kubernetes deployments?

Yes, it includes implementation patterns for the Actions Runner Controller (ARC), which provides Kubernetes-native runner orchestration with pod-level isolation.

What is the security benefit of using gVisor with runners?

gVisor provides a user-space kernel that intercepts system calls. This adds a significant layer of defense, making it much harder for a compromised job to escape the container and attack the host system.

Can I use these patterns with public cloud providers?

Absolutely. This skill specifically includes patterns for GCP Managed Instance Groups and Packer-based image hardening to automate disposable VM runners in the cloud.

Why are ephemeral runners better than persistent runners?

Persistent runners allow state, modified files, and potential malware to survive between jobs. Ephemeral runners provide a fresh, clean environment for every job, destroying the environment immediately after completion to prevent persistence.

Ephemeral Runner Patterns

Name: Ephemeral Runner Patterns
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

0•

Deployment & DevOps

Implements secure, disposable GitHub Actions runner architectures to eliminate persistence-based security risks and ensure clean execution environments.

This skill provides standardized patterns for deploying ephemeral GitHub Actions runners, ensuring every job executes in a fresh, isolated environment. By moving away from persistent runners, it prevents malicious workflows from planting backdoors, protects against credential leakage, and reduces the overall attack surface of CI/CD pipelines. It includes production-ready configurations for Podman with gVisor, Google Cloud Platform VMs, and Actions Runner Controller (ARC) for Kubernetes, allowing teams to balance isolation levels with provisioning speed and security requirements.

Key Features

01Multi-strategy deployment including Containers, VMs, and ARC

020 GitHub stars

03Rootless container configurations with dropped capabilities

04Cloud VM autoscaling with automated self-destruct logic

05Standardized systemd templates for ephemeral orchestration

06Hardened Podman and gVisor isolation patterns

Use Cases

01Hardening CI/CD pipelines against persistent malware and supply chain attacks

02Isolating sensitive build processes from persistent environment contamination

03Optimizing self-hosted runner infrastructure for automatic cleanup and compliance

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills ephemeral-runner-patterns

For use in Claude.ai and ChatGPT

Download Skill