forge

ForgeMT



What is ForgeMT

ForgeMT is an enterprise-grade GitHub Actions runner platform for AWS. It provides:

ForgeMT allows organizations running thousands of CI/CD pipelines daily to scale without hitting performance, cost, or security limits.

Architecture Diagram


Who Should Use ForgeMT?

ForgeMT is ideal for organizations that:


Key Benefits


How It Compares

| Solution | Cost | Security | Maintenance | Custom Env |
|---|---|---|---|---|
| GitHub Hosted | High volume cost | Standard | None | Limited |
| Basic Self-Hosted | EC2 costs | Manual setup | High | Full |
| ForgeMT | Optimized | Enterprise | Low | Full |

Architecture Overview

ForgeMT separates the control plane from the tenant plane:

Architecture Diagrams:

Multi-Tenant Overview: High-level view of ForgeMT multi-tenant architecture.

EC2 Runner Architecture: Deployment and lifecycle of EC2 runners.

EKS Runner Architecture: Deployment and lifecycle of EKS (ARC) runners.

Tenant Overview: Tenant plane showing ephemeral runner usage and IAM/OIDC access.


Runner Types

| Type | Use Case | Isolation | Scaling |
|---|---|---|---|
| EC2 | Full VM control, custom AMIs | Per-tenant sandbox in shared AWS accounts via IAM/OIDC | EC2 ASG + Spot/On-Demand |
| EKS (ARC) | Burst workloads in containers | Per-tenant namespace (optionally node-isolated) | Karpenter + ARC |

Two User Personas

🔧 Platform Administrator

👩‍💻 Development Team (Tenant)


Quick Start

For Platform Administrators

Deploy and manage the ForgeMT infrastructure:

Prerequisites: AWS CLI configured, Terraform 1.5+, kubectl

For Development Teams (Tenants)

Use ForgeMT runners in your GitHub Actions workflows:


Sample Tenant Usage

Once onboarded by an admin, tenants use ForgeMT runners like this:

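```yaml
# .github/workflows/ci.yml
name: CI Pipeline
on: [push, pull_request]

jobs:
  test:
    runs-on: forge-ec2-medium  # Your ForgeMT runner
    permissions:
      id-token: write  # Required for OIDC
      contents: read   # Required for actions/checkout; unlisted scopes default to none
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Placeholder: the original value was lost in extraction.
          # Supply the ARN of the IAM role provisioned for your tenant.
          role-to-assume: <TENANT_ROLE_ARN>
          aws-region: us-west-2

      - name: Run tests with AWS access
        run: |
          # Your CI/CD commands here
          # AWS access via OIDC, scoped to the permissions of the assumed role
          aws s3 ls
          docker build -t myapp .
```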
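The `role-to-assume` step only isolates tenants if the role's trust policy pins the OIDC `aud` and `sub` claims. The following added example (not ForgeMT's own code) audits a trust policy for that. The function name `audit_trust_policy`, the org `acme`, the repo `payments` and the account ID are hypothetical, and the issuer assumes GitHub Cloud rather than GHES.

```python
# Added example: audit an IAM role trust policy used with GitHub Actions OIDC.
# Assumption: GitHub Cloud issuer; a GHES instance issues tokens from its own host.
ISSUER = "token.actions.githubusercontent.com"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def audit_trust_policy(policy, org):
    """Return findings for statements that let GitHub OIDC tokens assume the role."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        if not any(str(p).endswith("oidc-provider/" + ISSUER)
                   for p in _as_list(principal.get("Federated", []))):
            continue
        cond = stmt.get("Condition", {})
        # IAM condition keys are case-insensitive, so normalise before lookup.
        eq = {k.lower(): _as_list(v) for k, v in cond.get("StringEquals", {}).items()}
        like = {k.lower(): _as_list(v) for k, v in cond.get("StringLike", {}).items()}
        if eq.get(ISSUER + ":aud") != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        subs = eq.get(ISSUER + ":sub", []) + like.get(ISSUER + ":sub", [])
        if not subs:
            findings.append(f"statement {i}: no sub condition, any repository can assume the role")
        for sub in subs:
            # Expected shape: repo:<owner>/<repo>:<ref, environment or pull_request>
            fields = sub.split(":")
            repo = fields[1] if fields[0] == "repo" and len(fields) > 1 else ""
            owner, _, name = repo.partition("/")
            if owner.lower() != org.lower() or not name or "*" in name or "?" in name:
                findings.append(f"statement {i}: sub '{sub}' is not pinned to one repository in {org}")
    return findings

def _policy(condition):  # constructed sample trust policy; account id is a placeholder
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/" + ISSUER},
        "Condition": condition}]}

SCOPED = _policy({"StringEquals": {ISSUER + ":aud": "sts.amazonaws.com"},
                  "StringLike": {ISSUER + ":sub": "repo:acme/payments:*"}})
BROAD = _policy({"StringLike": {ISSUER + ":sub": "repo:acme/*"}})

if __name__ == "__main__":
    for label, pol in (("scoped", SCOPED), ("broad", BROAD)):
        print(label, audit_trust_policy(pol, "acme") or "ok")
```
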

Key Benefits for Tenants:


Core Features

| Feature | Description |
|---|---|
| Ephemeral Runners | Auto-scaling EC2/EKS runners with zero idle cost |
| Tenant Isolation | Secure IAM + OIDC + VPC per tenant/project |
| Zero-Touch Operations | Automatic patching, upgrades, drift remediation |
| Observability | Logs, metrics, dashboards per tenant |
| Cost Optimization | Spot, scale-to-zero, warm pools |
| Flexible Infrastructure | BYO AMIs, VPCs, subnets, instance types |
| Multi-Runner Support | Mix EC2 and EKS in one deployment |
| GitHub Cloud & GHES | Works with SaaS and on-prem GitHub setups |

Learn More


Contributing

Contributions are welcome via issues or pull requests. See CONTRIBUTING.md for details.


Acknowledgements

Built on top of:


License

Apache 2.0 — see LICENSE


Contact

Track progress or open issues on GitHub: https://github.com/cisco-open/forge/issues