Hello!
We're making changes to the GitLab CI infrastructure you should know about. TL;DR: new OSUOSL runners, tags are now lowercase, clarification on the "tpa" tag.
First, we're adopting a few CI runners provided by the good people at OSUOSL. Two new amd64 runners are joining the fleet and will be executing untagged jobs across our instance. This should help relieve the pressure on our existing runners, specifically related to delays in job processing when large simulations would run.
In addition, we also gain three new runners running on arm64, ppc64le and s390x architectures, again from OSUOSL.
Secondly, we've updated the tags on our existing runners to improve consistency across both TPA and OSUOSL runners. In short, we've lower-cased the former "Linux" and "TPA" tags, which are now "linux" and "tpa". If you have CI jobs with the old uppercase tags, please make sure to update your .gitlab-ci.yml files. Also refer to the CI documentation for further details on the available tags:
https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/ci#runner-tags
Finally, note that the OSUOSL runners are *not* marked "tpa", because we do not manage the underlying virtual machines. In that sense they are slightly less "trusted" because we do not control the runner's configuration, so if you want to limit certain jobs to those "trusted" runners, be sure to limit your jobs to the `tpa` tag.
In general, you shouldn't really *trust* GitLab or GitLab CI for anything other than running tests. Builds should be verified out of band with reproducible builds. You can reproduce a local GitLab CI environment by installing gitlab-runner and executing jobs locally, without having to trust the entire GitLab installation or foreign runners. As a reminder, it is your responsibility to ensure the integrity of your code and artifacts; see these links for further discussion:
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/81
https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab#git-reposito...
https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/git#security-concer...
This work was done as part of this ticket:
https://gitlab.torproject.org/tpo/tpa/team/-/issues/40780
Feedback is welcome there, but new issues should probably be reported in a new ticket. In any case, let us know if anything seems off.
A.
PS: Note that those runners are not *yet* online, but we expect them to become live within a few days. The above ticket will be updated when that happens.