forge

ForgeMT: Ephemeral GitHub Runners with Secure Multi-Tenant Isolation

---

ForgeMT is a production-grade platform for running secure, ephemeral GitHub Actions runners on AWS with strict multi-tenant isolation, cost-optimization, and observability built in.

Designed for platform teams delivering CI/CD at scale.

---

Quick Start

• Deploy Your First Tenant
  Minimal setup for bootstrapping ForgeMT.

• All Deployment Scenarios
  Includes Splunk, EKS, BYO AMIs, and advanced patterns.

• Tenant Usage Guide
  Covers onboarding, GitHub App setup, and day-2 operations.

---

Why ForgeMT?

Traditional CI infrastructure is often:

• Expensive due to idle runners
• Hard to scale and operate
• Insecure across teams
• Difficult to monitor

ForgeMT solves these problems:

• Isolates tenants using IAM, OIDC, and VPC segmentation
• Automates runner lifecycle and scaling
• Integrates with GitHub Apps for secure access
• Centralizes observability per tenant
• Minimizes costs with spot instances and scale-to-zero

---

Core Features

Feature	Description
Ephemeral Runners	Auto-scaling EC2 or EKS runners with no idle cost
Tenant Isolation	Secure IAM + OIDC + VPC per team or project
Zero-Touch Operations	Automatic patching, drift remediation, upgrades
Built-in Observability	Logs, metrics, dashboards by tenant
Cost Optimization	Spot instances, scale-to-zero, warm pool support
Flexible Infrastructure	BYO AMIs, VPCs, subnets, instance types
Multi-Runner Support	Mix EC2 and EKS runners in one deployment
GitHub Cloud and GHES	Works with SaaS and on-prem GitHub setups

---

How ForgeMT Works

1. Platform Setup:
   Deploy the ForgeMT control plane using OpenTofu or Terraform.
   Define IAM roles, OIDC trust, and VPC segmentation.
   Optionally manage configurations with Terragrunt.

2. Tenant Onboarding:
   Create a GitHub App for each tenant.
   Define a tenant module configuration with desired runner settings.
   Install the GitHub App into the appropriate GitHub org or repos.
   Push GitHub workflows — ForgeMT provisions and scales runners automatically.

• See the Tenant Usage Guide for full details.

---

Deployment Examples

• Deploy Your First Tenant — Minimal setup to get started.
• All Deployment Scenarios — EKS, Splunk, integrations, and more.

---

Architecture Overview

ForgeMT coordinates GitHub runner infrastructure with:

• OpenTofu or Terraform for infrastructure as code
• Terragrunt for environment layering (optional)
• Helm for deploying ARC (actions-runner-controller)
• AWS IAM, OIDC, VPCs for isolation and security
• GitHub Apps for scoped access per tenant

ForgeMT responsibilities include:

• Centralized provisioning of runners
• Secure tenant-level boundaries
• Auto-scaling and lifecycle management
• Per-tenant observability and access control

---

Learn More

• Technical Case Study
• Full Documentation

---

Contributing

We welcome contributions of all kinds. You can submit issues, pull requests, and suggestions.

See CONTRIBUTING.md for full guidelines.

---

Acknowledgements

ForgeMT builds on the work of:

• terraform-aws-github-runner
• actions-runner-controller

---

License

Apache 2.0 License — see LICENSE for details.

---

Contact

Open issues and track progress on GitHub:
https://github.com/cisco-open/forge/issues

This site is open source. Improve this page.