
ForgeMT is a secure, scalable GitHub Actions runner platform for ephemeral workloads. Designed for multi-tenant environments, it automates isolated runner provisioning on Kubernetes or EC2, with built-in OIDC, IAM, cost optimization, and deep observability.


cisco-open/forge

ForgeMT: Ephemeral GitHub Runners with Secure Multi-Tenant Isolation



ForgeMT is a production-grade platform for running secure, ephemeral GitHub Actions runners on AWS with strict multi-tenant isolation, cost-optimization, and observability built in.

Designed for platform teams delivering CI/CD at scale.


Quick Start


Why ForgeMT?

Traditional CI infrastructure is often:

  • Expensive due to idle runners
  • Hard to scale and operate
  • Insecure across teams
  • Difficult to monitor

ForgeMT solves these problems:

  • Isolates tenants using IAM, OIDC, and VPC segmentation
  • Automates runner lifecycle and scaling
  • Integrates with GitHub Apps for secure access
  • Centralizes observability per tenant
  • Minimizes costs with spot instances and scale-to-zero

Core Features

| Feature | Description |
|---|---|
| Ephemeral Runners | Auto-scaling EC2 or EKS runners with no idle cost |
| Tenant Isolation | Secure IAM + OIDC + VPC per team or project |
| Zero-Touch Operations | Automatic patching, drift remediation, upgrades |
| Built-in Observability | Logs, metrics, dashboards by tenant |
| Cost Optimization | Spot instances, scale-to-zero, warm pool support |
| Flexible Infrastructure | BYO AMIs, VPCs, subnets, instance types |
| Multi-Runner Support | Mix EC2 and EKS runners in one deployment |
| GitHub Cloud and GHES | Works with SaaS and on-prem GitHub setups |

How ForgeMT Works

  1. Platform Setup:
    Deploy the ForgeMT control plane using OpenTofu or Terraform.
    Define IAM roles, OIDC trust, and VPC segmentation.
    Optionally manage configurations with Terragrunt.

  2. Tenant Onboarding:
    Create a GitHub App for each tenant.
    Define a tenant module configuration with desired runner settings.
    Install the GitHub App into the appropriate GitHub org or repos.
    Push GitHub workflows — ForgeMT provisions and scales runners automatically.
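The platform-setup and tenant-onboarding steps above hinge on one security control: each tenant's runner IAM role must trust only OIDC tokens minted for that tenant's repositories. The following added example (not ForgeMT's module code; ForgeMT's own Terraform generates its policies differently) shows the standard GitHub-to-AWS OIDC trust policy shape and an audit that flags trust policies which would let workflows from other tenants assume the role. The tenant name, account id and repository names are constructed sample values.

```python
"""Generate and audit per-tenant AWS IAM trust policies for GitHub OIDC.

Illustrative example, not ForgeMT's module code. The policy shape is the
standard GitHub-to-AWS OIDC federation pattern; tenant names, account ids
and repository names are constructed sample values.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Union

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
STS_AUDIENCE = "sts.amazonaws.com"


@dataclass
class Tenant:
    name: str
    account_id: str     # AWS account hosting the tenant's runner role
    repos: List[str]    # "org/repo" entries allowed to assume the role


def trust_policy(tenant: Tenant) -> Dict:
    """Build a trust policy that only the tenant's repositories can satisfy.

    The aud condition rejects tokens minted for other audiences; the sub
    condition pins the role to this tenant's repositories, so another
    tenant's workflow cannot assume it even from the same GitHub org.
    """
    subs = [f"repo:{repo}:*" for repo in tenant.repos]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": f"{tenant.name}GitHubOIDC",
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{tenant.account_id}:oidc-provider/{GITHUB_OIDC_ISSUER}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {f"{GITHUB_OIDC_ISSUER}:aud": STS_AUDIENCE},
                    "StringLike": {f"{GITHUB_OIDC_ISSUER}:sub": subs},
                },
            }
        ],
    }


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """IAM allows scalar or list values; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _sub_is_tenant_scoped(sub: str) -> bool:
    """A sub pattern is tenant-scoped only if it names a concrete org and a repo
    (a repo wildcard within a concrete org is accepted as org-level trust)."""
    parts = sub.split(":")
    if len(parts) < 2 or parts[0] != "repo":
        return False
    org, _, repo = parts[1].partition("/")
    return bool(org) and "*" not in org and bool(repo)


def audit_trust_policy(policy: Dict) -> List[str]:
    """Return findings for AssumeRoleWithWebIdentity statements whose
    conditions would let a workflow outside the tenant assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get(f"{GITHUB_OIDC_ISSUER}:aud"))
        if aud != [STS_AUDIENCE]:
            findings.append(f"{sid}: aud condition missing or not {STS_AUDIENCE}")
        subs: List[str] = []
        for op in ("StringEquals", "StringLike"):
            subs += _as_list(cond.get(op, {}).get(f"{GITHUB_OIDC_ISSUER}:sub"))
        if not subs:
            findings.append(f"{sid}: no sub condition, any GitHub workflow could assume this role")
        for sub in subs:
            if not _sub_is_tenant_scoped(sub):
                findings.append(f"{sid}: sub pattern {sub!r} is not scoped to a concrete org/repo")
    return findings


# Constructed sample tenant and a deliberately over-broad policy for comparison.
TEAM_A = Tenant(name="TeamA", account_id="123456789012",
                repos=["acme/payments-api", "acme/payments-web"])

OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TooOpen",
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC_ISSUER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        # No aud check and a sub that matches every repository on GitHub.
        "Condition": {"StringLike": {f"{GITHUB_OIDC_ISSUER}:sub": "repo:*"}},
    }],
}

if __name__ == "__main__":
    print(json.dumps(trust_policy(TEAM_A), indent=2))
    print("scoped policy findings:", audit_trust_policy(trust_policy(TEAM_A)))
    print("over-broad policy findings:", audit_trust_policy(OVERBROAD_POLICY))
```

Running the audit against every runner role's trust policy (for example from `aws iam get-role` output) before onboarding a tenant catches the two mistakes that most often defeat tenant isolation: a missing `aud` check, and a `sub` pattern such as `repo:*` that trusts the whole of GitHub rather than one tenant's repositories.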


Deployment Examples


Architecture Overview

ForgeMT coordinates GitHub runner infrastructure with:

  • OpenTofu or Terraform for infrastructure as code
  • Terragrunt for environment layering (optional)
  • Helm for deploying ARC (actions-runner-controller)
  • AWS IAM, OIDC, VPCs for isolation and security
  • GitHub Apps for scoped access per tenant

ForgeMT responsibilities include:

  • Centralized provisioning of runners
  • Secure tenant-level boundaries
  • Auto-scaling and lifecycle management
  • Per-tenant observability and access control

Learn More


Contributing

We welcome contributions of all kinds. You can submit issues, pull requests, and suggestions.

See CONTRIBUTING.md for full guidelines.


Acknowledgements

ForgeMT builds on the work of:


License

Apache 2.0 License — see LICENSE for details.


Contact

Open issues and track progress on GitHub:
https://github.com/cisco-open/forge/issues
