My migration from GitHub to Gitea became stalled when I realized that you can tie self-hosted Actions runners to
* Repos (per repo token)
* Orgs
* not to the Pro Account with all repos
If you migrate, you have a parallel setup.
Gitea allows global runners. It's by far less complex. Which is a strength.
To self-host a combined GitHub and Gitea Actions runner, I need to queue jobs. Per repo as well.
I also need to keep the jobs compatible.
To achieve this, I use Dagger(.io). My GitHub Action YAML only defines the triggers in GitHub (on push etc.). Dagger works locally, on-prem and in the cloud. It's a compatibility layer that is much more sane than YAML.
With Dagger and a custom queue, it's possible to move away from Actions without much effort. But there is a certain vendor lock-in effect with GitHub Actions.
The other consideration is that cloud-hosted GitHub Actions runners exist for Linux (AArch64, x86), Windows (same), macOS (x86, Silicon). And they are super cheap.
To get the best out of both worlds:
1. use Dagger where it's possible
2. build a custom combined builder queue
-
Self-Hosting Infisical: A Guide to Securing Your Homelab'...
Learn how to self-host Infisical to secure your homelab secrets. Step-by-step tutorial covers Docker deployment, backup key protection, and just-in-time secret injection.
Infisical Blog (infisical.com)
I am thinking of using Infisical over Vault after the license change / IBM acquisition.
I think Vault is unnecessarily complex, and I have seen IBM simplifying software.
-
Decided to deploy Infisical with `pyinfra` (not using Ansible because of YAML hell).
`pyinfra` is faster.
Since we can use `uv` easily nowadays, the whole venv setup also becomes much simpler.
Good stuff.
#ansible #pyinfra #yaml #infisical

-
GitHub - Infisical/agent-vault: A HTTP credential proxy and vault for AI agents like Claude Code, OpenClaw, Hermes, custom agents + harnesses, and more.
A HTTP credential proxy and vault for AI agents like Claude Code, OpenClaw, Hermes, custom agents + harnesses, and more. - Infisical/agent-vault
GitHub (github.com)
This looks fascinating.
An open-source credential broker by Infisical that sits between your agents and the APIs they call.
Agents should not possess credentials. Agent Vault eliminates credential exfiltration risk with brokered access.
And that can be self-hosted or operated as SaaS. Going to follow this up next week, looking to see if this scales for larger dev teams.
The best defense against supply-chain compromise is being able to manage credentials. For many new AI threats, that will be the same.