I just pay for my CI. One of the few things that can be done.
Sure, but there are other scenarios in which users may not be able to do so… like for example for OSS projects
I pay for CI on my OSS projects.
You’re one of a kind 😉 jokes aside, there are many factors. It is always good to have more choices and not be limited, especially if the limitations are in place because of abusers.
Seems like self-hosted might be the way to go really soon. 🤔
I don't like the idea of running and managing my own Jenkins server because a few bad actors are exploiting CI pipelines.
It's a good opportunity to learn more on DevOps for me. If you want something hands-off you can use the AWS / DO / Azure cloud plugin to create and destroy VMs on demand. If this isn't your thing you can always pay for the CI services themselves.
Personally, I'd recommend Terraform or Ansible specifically for the creation of cloud resources. The Jenkins agent would be able to launch those using plug-ins.
Yes, I create the master using Terraform, but the agents are spun up on demand. Keeps the costs reasonably low without losing out on performance.
This isn't always enough. If you have an open-source project that allows pull requests, and automatically runs tests against these, someone can weasel in there and inject a miner in that process.
They get the rewards, you get stuck with the tab.
The most insulting part of this is the amount gained by the attacker is usually a fraction of the cost to you. For each $1 you spend on CI services they might make a tenth of a cent, or in many cases even less. To make any amount of money at all they need to operate at a huge scale, which is why this problem is so bad.
There are other problems with letting the CI run on PRs without supervision. For example, someone could try to steal credentials being used in the build. I don't recommend doing this.
Letting strangers run arbitrary code in PRs with responsibility falling under the repository owner was always gonna turn out bad, surely?
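An added example, not written by anyone in this thread: a declarative Jenkinsfile that applies the precautions discussed above (on-demand agent, hard timeout so a rogue job cannot run for hours, maintainer approval before code from a fork PR executes, and credentials only on a trusted branch). It assumes a multibranch job where the CHANGE_FORK variable marks PRs from forks and the job's trust setting stops a fork from rewriting this Jenkinsfile; the 'ephemeral' label and 'deploy-token' credential id are placeholders.

```groovy
// Jenkinsfile for a multibranch job that also builds pull requests.
// Assumption: the branch source plugin sets CHANGE_FORK for PRs from forks
// and is configured to build the trusted Jenkinsfile, not the PR's copy.
pipeline {
    agent { label 'ephemeral' }   // placeholder label: on-demand agent, destroyed after the run

    options {
        timeout(time: 20, unit: 'MINUTES')  // caps the compute a hijacked build can burn
        disableConcurrentBuilds()           // one build per PR at a time
    }

    stages {
        stage('Approve untrusted code') {
            // Only PRs from forks stop here; branches and same-repo PRs continue.
            when { expression { env.CHANGE_FORK != null } }
            steps {
                input message: "PR ${env.CHANGE_ID} comes from fork ${env.CHANGE_FORK}. Run its code?",
                      submitter: 'maintainers'   // Jenkins user/group allowed to approve
            }
        }

        stage('Test') {
            // Runs the contributor's code; no credentials are bound in this stage.
            steps {
                sh 'make test'
            }
        }

        stage('Publish') {
            // Secrets are exposed only on the trusted branch, never in a PR build.
            when { branch 'main' }
            steps {
                withCredentials([string(credentialsId: 'deploy-token', variable: 'TOKEN')]) {
                    sh 'make publish'   // placeholder target that reads $TOKEN
                }
            }
        }
    }
}
```

The input gate is what "supervision" looks like in practice: a maintainer reads the diff before the agent executes it, and the timeout plus ephemeral agent bound the damage if something slips through.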