ForgeMT is an enterprise-grade GitHub Actions runner platform for AWS. It provides:
ForgeMT allows organizations running thousands of CI/CD pipelines daily to scale without hitting performance, cost, or security limits.
ForgeMT is ideal for organizations that:
| Solution | Cost | Security | Maintenance | Custom Env |
|---|---|---|---|---|
| GitHub Hosted | High volume cost | Standard | None | Limited |
| Basic Self-Hosted | EC2 costs | Manual setup | High | Full |
| ForgeMT | Optimized | Enterprise | Low | Full |
ForgeMT separates the control plane from the tenant plane:
Control Plane: Manages the deployment, provisioning, scaling, and monitoring of all runners. Built with OpenTofu/Terraform, Helm (ARC), and centralized IAM/OIDC, it ensures automated and secure operations across tenants.
Tenant Plane: Runs ephemeral CI/CD jobs. Tenants access their AWS resources via short-lived IAM roles using OIDC trust relationships. All runners are automatically deployed by the control plane, and tenants do not manage them directly.
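How a per-tenant OIDC trust relationship of the kind described above can be expressed in Terraform, as an added example rather than ForgeMT's own module: the role trusts GitHub's OIDC issuer only for tokens whose `aud` is `sts.amazonaws.com` and whose `sub` names one tenant repository, so a job in another repository cannot assume it. The variable `tenant_repo`, the resource names, the constructed default `example-org/example-service` and the single S3 permission are assumptions chosen for illustration; ForgeMT's real modules, names and permission sets differ.

```hcl
# Added example (not ForgeMT's own code): trust policy for one tenant's CI role.
# Hypothetical names: var.tenant_repo, aws_iam_role.tenant_ci.

variable "tenant_repo" {
  description = "GitHub repository this role trusts, as org/repo (constructed example value)"
  type        = string
  default     = "example-org/example-service"
}

# Fetch the issuer's current certificate chain so the provider thumbprint
# is not hard-coded into the module.
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

# One OIDC provider per AWS account; the control plane would normally own this.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

data "aws_iam_policy_document" "tenant_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    # The audience must be the one aws-actions/configure-aws-credentials requests.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Restrict to this tenant's repository. Without this condition (or with
    # "repo:*") any GitHub repository could assume the role. Tighten further
    # with ":ref:refs/heads/main" or ":environment:<name>" where the tenant needs it.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.tenant_repo}:*"]
    }
  }
}

resource "aws_iam_role" "tenant_ci" {
  name                 = "forge-tenant-${replace(var.tenant_repo, "/", "-")}-ci"
  assume_role_policy   = data.aws_iam_policy_document.tenant_trust.json
  max_session_duration = 3600 # one hour, in line with ephemeral runner lifetimes
}

# Job permissions live in a separate, least-privilege policy; here only what
# the `aws s3 ls` step in the tenant workflow needs.
data "aws_iam_policy_document" "tenant_permissions" {
  statement {
    actions   = ["s3:ListAllMyBuckets"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "tenant_ci" {
  name   = "tenant-ci"
  role   = aws_iam_role.tenant_ci.id
  policy = data.aws_iam_policy_document.tenant_permissions.json
}

# The ARN a tenant passes as role-to-assume in its workflow.
output "role_to_assume" {
  value = aws_iam_role.tenant_ci.arn
}
```

The two `condition` blocks in one statement are ANDed, so both the audience and the repository must match. Dropping the `sub` condition, or widening it to `repo:*`, is the misconfiguration to look for in review: it turns a per-tenant sandbox into a role any GitHub workflow can assume.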
Supported runner types:

| Type | Use Case | Isolation | Scaling |
|---|---|---|---|
| EC2 | Full VM control, custom AMIs | Per-tenant sandbox in shared AWS accounts via IAM/OIDC | EC2 ASG + Spot/On-Demand |
| EKS (ARC) | Burst workloads in containers | Per-tenant namespace (optionally node-isolated) | Karpenter + ARC |

Architecture Diagrams:
- High-level view of ForgeMT multi-tenant architecture.
- Deployment and lifecycle of EC2 runners.
- Deployment and lifecycle of EKS (ARC) runners.
- Tenant plane showing ephemeral runner usage and IAM/OIDC access.
Deploy and manage the ForgeMT infrastructure:
Prerequisites: AWS CLI configured, Terraform 1.5+, kubectl
Use ForgeMT runners in your GitHub Actions workflows:
Once onboarded by an admin, tenants use ForgeMT runners like this:
```yaml
# .github/workflows/ci.yml
name: CI Pipeline
on: [push, pull_request]
jobs:
  test:
    runs-on: forge-ec2-medium # Your ForgeMT runner
    permissions:
      id-token: write # Required for OIDC
      contents: read  # Declaring any permission drops the defaults; checkout still needs this
    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: $
          aws-region: us-west-2
      - name: Run tests with AWS access
        run: |
          # Your CI/CD commands here
          # Full access to AWS resources via OIDC
          aws s3 ls
          docker build -t myapp .
```
Key Benefits for Tenants:
| Feature | Description |
|---|---|
| Ephemeral Runners | Auto-scaling EC2/EKS runners with zero idle cost |
| Tenant Isolation | Secure IAM + OIDC + VPC per tenant/project |
| Zero-Touch Operations | Automatic patching, upgrades, drift remediation |
| Observability | Logs, metrics, dashboards per tenant |
| Cost Optimization | Spot, scale-to-zero, warm pools |
| Flexible Infrastructure | BYO AMIs, VPCs, subnets, instance types |
| Multi-Runner Support | Mix EC2 and EKS in one deployment |
| GitHub Cloud & GHES | Works with SaaS and on-prem GitHub setups |
Contributions are welcome via issues or pull requests. See CONTRIBUTING.md for details.
Built on top of:
Apache 2.0 — see LICENSE
Track progress or open issues on GitHub: https://github.com/cisco-open/forge/issues