ForgeMT is a production-grade platform for running secure, ephemeral GitHub Actions runners on AWS, with strict multi-tenant isolation, cost optimization, and observability built in.
Designed for platform teams delivering CI/CD at scale.
- Deploy Your First Tenant: Minimal setup for bootstrapping ForgeMT.
- All Deployment Scenarios: Includes Splunk, EKS, BYO AMIs, and advanced patterns.
- Tenant Usage Guide: Covers onboarding, GitHub App setup, and day-2 operations.
Traditional CI infrastructure is often:
- Expensive due to idle runners
- Hard to scale and operate
- Insecure across teams
- Difficult to monitor
ForgeMT solves these problems:
- Isolates tenants using IAM, OIDC, and VPC segmentation
- Automates runner lifecycle and scaling
- Integrates with GitHub Apps for secure access
- Centralizes observability per tenant
- Minimizes costs with spot instances and scale-to-zero
Feature | Description |
---|---|
Ephemeral Runners | Auto-scaling EC2 or EKS runners with no idle cost |
Tenant Isolation | Secure IAM + OIDC + VPC per team or project |
Zero-Touch Operations | Automatic patching, drift remediation, upgrades |
Built-in Observability | Logs, metrics, dashboards by tenant |
Cost Optimization | Spot instances, scale-to-zero, warm pool support |
Flexible Infrastructure | BYO AMIs, VPCs, subnets, instance types |
Multi-Runner Support | Mix EC2 and EKS runners in one deployment |
GitHub Cloud and GHES | Works with SaaS and on-prem GitHub setups |
- Platform Setup:
  - Deploy the ForgeMT control plane using OpenTofu or Terraform.
  - Define IAM roles, OIDC trust, and VPC segmentation.
  - Optionally manage configurations with Terragrunt.
- Tenant Onboarding:
  - Create a GitHub App for each tenant.
  - Define a tenant module configuration with desired runner settings.
  - Install the GitHub App into the appropriate GitHub org or repos.
  - Push GitHub workflows — ForgeMT provisions and scales runners automatically.
- See the Tenant Usage Guide for full details.
- Deploy Your First Tenant — Minimal setup to get started.
- All Deployment Scenarios — EKS, Splunk, integrations, and more.
ForgeMT coordinates GitHub runner infrastructure with:
- OpenTofu or Terraform for infrastructure as code
- Terragrunt for environment layering (optional)
- Helm for deploying ARC (actions-runner-controller)
- AWS IAM, OIDC, VPCs for isolation and security
- GitHub Apps for scoped access per tenant
ForgeMT responsibilities include:
- Centralized provisioning of runners
- Secure tenant-level boundaries
- Auto-scaling and lifecycle management
- Per-tenant observability and access control
We welcome contributions of all kinds. You can submit issues, pull requests, and suggestions.
See CONTRIBUTING.md for full guidelines.
ForgeMT builds on the work of:
Apache 2.0 License — see LICENSE for details.
Open issues and track progress on GitHub:
https://github.com/cisco-open/forge/issues