Ephemeral VMs with Firecracker

GitHub Actions jobs that run on Blacksmith have KVM hardware isolation, are built on a memory-safe stack, and run directly on our metal. Each GitHub Actions job executes in its own virtual machine (VM), and all state is destroyed when the job completes, leaving behind no residue. Under the hood we use Firecracker to manage these ephemeral VMs. Firecracker is maintained by AWS and runs millions of untrusted workloads for AWS Lambda and Fargate.

Data

We use the official GitHub Actions runner binary to execute your jobs. We don’t store any data from your runs, and our GitHub app doesn’t have access to your secrets.

Network Security and Tailscale

Our network is secured with Tailscale, a VPN service built on WireGuard, an open-source protocol for encrypted virtual private networks. Tailscale establishes encrypted connections between our hosts, which protects job data and internal communications in transit.

GitHub JIT Tokens

We use just-in-time (JIT) tokens for each job executed as part of a GitHub Actions workflow. Each token can be used for only a single job execution, after which the runner it registered is removed from the repository, organization, or enterprise, thereby reducing exposure.

Commitment to Security

Blacksmith takes security very seriously and it is top of mind when we work on our product, infrastructure, and processes.

Permissions and Visibility

Our GitHub app requires read and write access to actions, workflows, code, pull requests, checks, and self-hosted runners. These permissions also allow us to examine the logs of specific jobs when debugging.

When a job is triggered by an event such as push, pull_request, or workflow_dispatch, our control plane receives a webhook from GitHub asking it to execute the job on Blacksmith runners. This payload includes metadata such as the repository name, sender information, workflow name, and job name. After the job completes, we receive another webhook that includes the job status, the status and name of each step, and the duration of each step.
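The webhook flow described above, as an added example that is not Blacksmith's own code: it verifies GitHub's documented X-Hub-Signature-256 header before trusting the body, then pulls the fields named here (repository, sender, workflow, job, and per-step status and duration) out of a workflow_job event. The secret and the sample payload are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime

def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: HMAC-SHA256 over the raw request body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def _seconds(start: str, end: str) -> float:
    fmt = "%Y-%m-%dT%H:%M:%SZ"  # timestamp format used in GitHub event payloads
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds()

def summarize_workflow_job(payload: dict) -> dict:
    """Extract the metadata the control plane acts on from a workflow_job event."""
    job = payload["workflow_job"]
    summary = {
        "action": payload["action"],
        "repository": payload["repository"]["full_name"],
        "sender": payload["sender"]["login"],
        "workflow": job["workflow_name"],
        "job": job["name"],
    }
    if payload["action"] == "completed":  # second webhook: status and per-step timing
        summary["conclusion"] = job["conclusion"]
        summary["steps"] = [
            {"name": s["name"], "conclusion": s["conclusion"],
             "seconds": _seconds(s["started_at"], s["completed_at"])}
            for s in job["steps"]
        ]
    return summary

def handle_webhook(secret: bytes, body: bytes, signature: str):
    """Return the job summary, or None when the signature does not match (treat as forged)."""
    if not hmac.compare_digest(sign(secret, body), signature or ""):
        return None  # never parse or act on an unauthenticated payload
    return summarize_workflow_job(json.loads(body))

# Constructed sample: field names follow GitHub's workflow_job event, values are made up.
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = json.dumps({
    "action": "completed",
    "repository": {"full_name": "example-org/example-repo"},
    "sender": {"login": "octocat"},
    "workflow_job": {"workflow_name": "CI", "name": "build", "conclusion": "success",
        "steps": [
            {"name": "Set up job", "conclusion": "success", "started_at": "2024-01-01T00:00:00Z", "completed_at": "2024-01-01T00:00:03Z"},
            {"name": "Run tests", "conclusion": "success", "started_at": "2024-01-01T00:00:03Z", "completed_at": "2024-01-01T00:00:45Z"},
        ]}}).encode()
SAMPLE_SIGNATURE = sign(SAMPLE_SECRET, SAMPLE_BODY)
```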