Security is Job Zero for Sprinters. Sprinters’ approach can be summarized as a combination of the principle of least privilege, data austerity and defense in depth.
Let’s dive deeper into the two main parts of the system: the Sprinters platform and the Sprinters runner instances on your AWS account.
The Sprinters platform runs on Sprinters’ own infrastructure and handles events sent by GitHub and launches runner instances in your AWS account.
To be able to operate, Sprinters needs to access to your GitHub account and your AWS account.
Sprinters also needs to store
All data stored by Sprinters is encrypted at rest. All data transferred by Sprinters is encrypted while in motion.
Communication between Sprinters and your browser is fully encrypted with TLS 1.3 or 1.2.
Sprinters strictly adheres to the principle of least-privilege and only requests this absolute minimum set of permissions to be able to operate:
Permission | Access | Scope | Usage |
---|---|---|---|
metadata |
read | repository | Mandatory permission for all GitHub Apps |
actions |
read | repository | Get details about workflow jobs and workflow runs to check whether Sprinters should launch a runner |
write | repository | Cancel a workflow run in case there was an issue with a runner | |
administration |
write | repository | Create a registration token for a new runner to ensure it can interact with GitHub Actions |
email addresses |
read | user | Notify you in case an issue with a runner needs your attention |
Sprinters has:
Communication between Sprinters and GitHub is fully encrypted with TLS 1.3.
Sprinters strictly adheres to the principle of least-privilege and only requests this absolute minimum set of permissions to be able to operate:
Action | Usage |
---|---|
ec2:RunInstances |
Launch ephemeral EC2 instances for your runners |
ec2:CreateTags |
Tag those EC2 instances as runners |
ec2:DescribeInstances |
List runner EC2 instances and check whether they are running |
ec2:ModifyVolume |
Optimize boot speed of runner EC2 instances |
ec2:TerminateInstances |
Clean up runner EC2 instances in case they fail to gracefully shut down |
ec2:DescribeSpotPriceHistory |
Automatically select cheapest availability zone for spot instances and calculate savings |
Sprinters has:
To be able to operate, Sprinters needs to access to your AWS account.
By default, Sprinters will use secure cross-account IAM roles to obtain temporary short-lived credentials to access your AWS account.
This is made possible through a trust policy that grants permission to Sprinters’ AWS account to assume an IAM role in your AWS accounts with the permissions defined above. To prevent the confused deputy problem , this trust policy is secured with an external id.
Alternatively, Sprinters also gives you the possibility to store an access key to access your AWS account. This access key is fully encrypted with AES-256 GCM. Each account has a distinct encryption key. All keys are themselves also encrypted.
Communication between Sprinters and AWS is fully encrypted with TLS 1.3.
Runner instances run on your AWS account within the privacy of your VPC. Services your jobs rely on no longer need to be exposed over the public internet.
To ensure a 100% clean environment for every job, each runner is launched using a new ephemeral EC2 instance and a security group that prohibits ingress.
The image is based on GitHub’s official runner image .
The instance doesn’t listen on any ports. The runner software doesn’t communicate with Sprinters. It only opens an outbound HTTPS connection to GitHub in order to receive job steps and send back execution logs.
The boot volume, where the software is installed, is read-only, guaranteeing integrity.
Writes are automatically redirected to an ephemeral encrypted temp volume which is reformatted on every boot and destroyed when the instance terminates.
Swap space is also allocated on another ephemeral encrypted volume which is also wiped on every boot and destroyed when the instance terminates.
Sprinters has no access to the contents of these volumes.