GitLab/Gitlab Runner/Trusted Runners

From Wikitech

Trusted GitLab Runners offer CI with additional security and trust requirements. In contrast to the Shared Runners, which run in WMCS, Trusted Runners live inside WMF infrastructure. With this approach, SRE team has full control over the instance and who has access. Furthermore customization, like scaling, other disks and NICs can be done outside of the bounds of WMCS. Beside that, Shared Runners and Trusted Runners use the same puppet code (role(gitlab_runner)) with slightly different hiera configuration.

The current Trusted Runner cluster consist of six physical machines:

  • gitlab-runner1002.eqiad.wmnet
  • gitlab-runner1003.eqiad.wmnet
  • gitlab-runner1004.eqiad.wmnet
  • gitlab-runner2002.codfw.wmnet
  • gitlab-runner2003.codfw.wmnet
  • gitlab-runner2004.codfw.wmnet

See also GitLab/Gitlab Runner/Security Evaluation for all of the security measures enabled for Trusted Runners.

Request access to Trusted Runners

Access to this Runners is gated and restricted. No project has access to Trusted Runners by default. Access has to be requested on project basis. Please use the following Phabricator task template to create a access request: Task Template

Please make sure to check your project settings and especially who has maintainer permissions. You also must protect your main branch. As described in the Security Evaluation maintainer permissions ("merge", "+2") are needed to execute jobs on the Trusted Runners. Reversely this also means everyone with maintainer permissions can execute such jobs.

Access to Trusted Runners is managed by project. This is the root project where all Trusted Runners are registered. To request access, add your project to the projects.json file and open a merge request. Please add the full project path (the portion after and the reason why access is needed.

This merge request will get reviewed and and the project will be added to Trusted Runners. Adding and removing projects is automated by a python script which uses the projects.json .

Using Trusted Runners

To run a job on Trusted Runners:

  1. The project has to be authorized to use Trusted Runners (see above).
  2. The job must specify the trusted tag.
  3. The job must be for a protected branch or tag. Otherwise the job will get stuck.

For example:

  stage: trusted-build
    - echo "Compiling the code..."
    - echo "Compile complete."
    - trusted # run job on Trusted Runners
    - if: $CI_COMMIT_BRANCH == "main"

For this job to successfully run on Trusted Runners, the "main" branch must be protected.


A common pattern is to build and publish an image when a protected tag is created. This is usually expressed like the following:

   - trusted 

If you find that your job is getting stuck, make sure that tags are protected in your project configuration. The easiest approach is to protect all tags by using the "*" wildcard. Note that protecting a tag after a job is created for it won't unstick the stuck job. You will need to cancel the job and create a new tag.

Dockerfile support

Support for container builds based on Dockerfiles was added in T357612. Projects in projects.json can be defined with "dockerfile": true to get added to Trusted Runner with Dockerfile support. However this is available for a small group of special-purpose projects only (base images, spacial CI images or infrastructure images). dockerfile defaults to false as the majority of images should be build with the secure blubber build frontend.


Trusted Runners export Prometheus metrics. Dashboards are available in Grafana: gitlab-ci-overview and gitlab-runner-detail

Further Read

Related task: T295481