Introducing Worktree Actions: A GitHub-compatible CI Platform

Published • Written by Alex Blackie
A screenshot of Worktree showing an Actions build log

We’re incredibly excited to announce the general availability of Worktree Actions. With this release, Worktree can now support the majority of common CI/CD and DevOps workflows, available on every repository for every user or organization on a paid plan.

Worktree Actions provides a GitHub Actions-compatible runtime. Migrating from GitHub Actions to Worktree Actions requires only minor tweaks to your existing workflows, and you can continue to utilize the rich ecosystem of third-party and open-source Actions on GitHub and Worktree alike.

At launch, we support the ubuntu-22.04 runtime, running on the amd64 platform. More specialized environments, performance SKUs, and CPU architectures are planned for future expansion.

We’ve published a migration guide (among other Actions-related documentation) which outlines everything that is required to transition your workflows from GitHub to Worktree Actions.

Security Architecture

Running CI/CD infrastructure is a daunting proposition. Effectively, hosted CI is “running untrusted code as a service,” which should send a shiver down any security engineer’s spine. As such, we have spent a significant amount of time building a secure runtime for our public Actions infrastructure.

Our customized Actions Runner image executes workflows on ephemeral, fully isolated virtual machines in the cloud. Each job creates its own VM and runs on a nearly blank Debian 12 OS image. VMs are not shared or reused between customers, and are fully destroyed at the end of every Actions run.

We accomplish this by adding “orchestrator” nodes, which schedule and process multiple Actions workflows at once and fan out one or more ephemeral “executor” VMs for each workflow that is processed. The untrusted code never touches the orchestrator, and is fully isolated on the ephemeral executor.

If an executor node is compromised by a malicious workflow, the VM will only last as long as the maximum job timeout, and then will be terminated automatically. Additionally, the VM has no private network access beyond its orchestrator peer, which has no open ports or exposed services.

This runtime architecture is fairly similar to GitHub’s own infrastructure for Actions. We are confident that it provides a secure and trustworthy environment, both in protecting the platform from abuse and in protecting your workflow executions from malicious actors.
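To make the invariants in this section concrete, here is an added toy model of the orchestrator/executor lifecycle (example code, not Worktree’s own): a fresh VM per job, teardown on every exit path including timeout, and an executor whose only reachable peer is its orchestrator. The timeout value and the `connect` check are assumptions for illustration.

```python
"""Toy model of the orchestrator/executor split: constructed example, not Worktree code."""
import itertools
from dataclasses import dataclass

MAX_JOB_TIMEOUT_MIN = 360  # assumed placeholder; the post does not state the real limit


@dataclass
class Executor:
    """One ephemeral VM. Its only reachable peer is the orchestrator that spawned it."""
    vm_id: int
    customer: str
    destroyed: bool = False

    def connect(self, host: str) -> bool:
        # No private network access beyond the orchestrator peer: anything else is dropped.
        return host == "orchestrator"


@dataclass
class Job:
    customer: str
    runtime_min: int          # simulated wall-clock the workflow needs
    reaches: tuple = ()       # hosts the (possibly malicious) workflow tries to contact


class Orchestrator:
    def __init__(self, max_timeout_min: int = MAX_JOB_TIMEOUT_MIN):
        self.max_timeout_min = max_timeout_min
        self._ids = itertools.count(1)
        self.audit = []   # every VM ever provisioned; nothing is recycled

    def run(self, job: Job) -> dict:
        vm = Executor(next(self._ids), job.customer)   # fresh VM for every job
        self.audit.append(vm)
        try:
            blocked = [h for h in job.reaches if not vm.connect(h)]
            if job.runtime_min > self.max_timeout_min:
                return {"vm": vm.vm_id, "status": "timeout", "blocked": blocked}
            return {"vm": vm.vm_id, "status": "success", "blocked": blocked}
        finally:
            vm.destroyed = True   # torn down on every path, including timeout and errors

    def invariants_hold(self) -> bool:
        """Every VM id was used exactly once and every VM has been destroyed."""
        ids = [vm.vm_id for vm in self.audit]
        return len(ids) == len(set(ids)) and all(vm.destroyed for vm in self.audit)
```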

Where is all this running?

As with the rest of worktree.ca, all the VMs and services involved in Worktree Actions are located in Canadian datacentres.

For the initial launch, workflows execute on DigitalOcean c-2 Droplets, providing 2 vCPUs and 4 GiB RAM for your workflows, and are deployed in their Toronto region.

We are currently testing additional cloud providers and self-hosted deployment options as the next milestone on our roadmap for Actions.

Let us know how it goes

We’re excited for you to start using Worktree Actions, and would love to know how your experience goes, what things you found easy, what things you found difficult, and your overall feelings towards the feature.

Reach out to us at any time at hello@worktree.ca, or join our Discord for more real-time feedback or assistance.