What I’m Building Now

Last updated: November 8, 2025 · New York, NY

Role & Focus

Title: Founding Backend Engineer
Company: Variant Security
Initiative: “Multirunners” — multi-tenant, autoscaling GitHub Actions runners
Mission: Ephemeral, isolated CI at scale for customer orgs with zero shared hosts

I’m building a multi-tenant GitHub Actions runner platform on AWS EKS using Actions Runner Controller (ARC) and Autoscaling Runner Scale Sets (RSETs), managed end-to-end via Terraform. Each customer installs one shared GitHub App; we use their installation_id to isolate job queues and provision a dedicated Runner Scale Set per tenant.

Current Snapshot

  • Ephemeral runners: one pod per job; no reuse.
  • Strict isolation: one RSET per tenant org.
  • Routing by runs-on: rset-<tenant>-build.
  • ARC + RSET controllers installed via Helm (Terraform provider).
  • EKS node groups autoscale via Cluster Autoscaler.
  • Dev → Staging → Prod; declarative promotion.
  • Secrets: GitHub App keys in K8s Secret (moving to AWS Secrets Manager).
  • DIND enabled at RSET for common Docker builds.
  • Onboarding: provide org + installation_id → Terraform provisions tenant.
  • Teardown: remove Helm release + Secret; preserve GitHub logs.
  • Observability: controller logs/metrics; SLOs WIP.
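As an added illustration of the onboarding path described above (tenant org + installation_id → Terraform provisions a per-tenant Runner Scale Set), here is a Terraform fragment that is not Variant Security's own module. It assumes Helm provider 2.x `set` syntax, that the gha-runner-scale-set-controller is already installed in an `arc-systems` namespace under the service-account name `arc-gha-rs-controller`, and a hypothetical `rs-<tenant>` namespace scheme; the variable names and the `chart_version` input are assumptions as well.

```terraform
# Added example (not the project's own code): provision one tenant's RSET
# from its installation_id. Assumes helm provider 2.x and an existing
# controller in "arc-systems"; namespace and variable names are hypothetical.

variable "tenant" {
  description = "Tenant slug; the RSET is named rset-<tenant>-build, which is what workflows put in runs-on"
  type        = string
}

variable "github_org" {
  description = "GitHub org the tenant installed the shared App into"
  type        = string
}

variable "installation_id" {
  description = "installation_id of the shared GitHub App in the tenant org"
  type        = string
}

variable "github_app_id" {
  type = string
}

variable "github_app_private_key" {
  description = "PEM private key of the shared GitHub App (same key for every tenant)"
  type        = string
  sensitive   = true
}

variable "chart_version" {
  description = "gha-runner-scale-set chart version validated for this cluster (assumption: pinned per environment)"
  type        = string
}

# One namespace per tenant: RBAC scopes the App Secret and runner pods to it,
# and teardown is "delete the Helm release and the Secret" (or the namespace).
resource "kubernetes_namespace" "tenant" {
  metadata {
    name = "rs-${var.tenant}"
  }
}

# App credentials for this tenant. When githubConfigSecret is the name of an
# existing Secret, the chart expects exactly these three keys.
resource "kubernetes_secret" "github_app" {
  metadata {
    name      = "gha-app-${var.tenant}"
    namespace = kubernetes_namespace.tenant.metadata[0].name
  }
  data = {
    github_app_id              = var.github_app_id
    github_app_installation_id = var.installation_id
    github_app_private_key     = var.github_app_private_key
  }
}

# The tenant's Runner Scale Set. runnerScaleSetName is the routing key for
# runs-on; the listener polls only this installation's job queue.
resource "helm_release" "tenant_rset" {
  name       = "rset-${var.tenant}-build"
  namespace  = kubernetes_namespace.tenant.metadata[0].name
  repository = "oci://ghcr.io/actions/actions-runner-controller-charts"
  chart      = "gha-runner-scale-set"
  version    = var.chart_version

  set {
    name  = "githubConfigUrl"
    value = "https://github.com/${var.github_org}"
  }
  set {
    name  = "githubConfigSecret"
    value = kubernetes_secret.github_app.metadata[0].name
  }
  set {
    name  = "runnerScaleSetName"
    value = "rset-${var.tenant}-build"
  }
  set {
    name  = "controllerServiceAccount.namespace"
    value = "arc-systems"
  }
  set {
    name  = "controllerServiceAccount.name"
    value = "arc-gha-rs-controller"
  }
  set {
    name  = "containerMode.type" # DIND for ordinary docker build workflows
    value = "dind"
  }
  set {
    name  = "minRunners" # ephemeral: scale to zero, one pod per job
    value = "0"
  }
  set {
    name  = "maxRunners" # per-tenant cap as a cost and blast-radius control
    value = "20"
  }
}
```

Two points worth keeping in view with this layout: the App private key is identical across tenants and only installation_id differs, so tenant isolation rests on the listener polling a single installation's queue and on namespace RBAC keeping the Secret readable by the listener, not by job pods; and moving the `kubernetes_secret` data source to AWS Secrets Manager, as planned, changes where the key is stored but not which keys the chart reads.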

Architecture (at a glance)
GitHub App (single shared) ──► Tenant installs → installation_id
                                     │
                                     ▼
                        Terraform creates K8s Secret
                                     │
                                     ▼
                 Helm (Terraform) deploys tenant RSET
                                     │
                                     ▼
          gha-rs listener polls tenant queue (by installation)
                                     │
                                     ▼
         ARC registers ephemeral runner → executes job → self-destruct

Infra: AWS EKS + Node Groups + Cluster Autoscaler (IRSA)
Controllers: ARC + gha-runner-scale-set-controller (Helm)
Routing: runs-on: rset-<tenant>-build (by RSET name, not labels)

Tech Stack

Cloud: AWS (EKS, EC2, IAM, IRSA)
K8s: ARC, gha-runner-scale-set-controller, Cluster Autoscaler
IaC: Terraform 1.7+, Helm provider
Runners: Ephemeral pods (DIND enabled)
Secrets: K8s Secret → AWS Secrets Manager (planned)
Envs: dev / staging / prod (isolated)

What I’m actively doing

  • Hardening Terraform modules for infra, controllers, and per-tenant RSETs.
  • Automating tenant onboarding from installation_id to working runs-on.
  • Cost controls: right-size node groups; evaluate spot with taints/tolerations.
  • DX: simple “add-tenant” pipeline and kubectl verification scripts.
  • Observability: controller metrics and basic SLOs (queue latency, job start time).

Recent Milestones

  • Manual proof via Helm/kubectl (end-to-end jobs across tenants).
  • Terraformized EKS + ARC + RSET controllers.
  • Per-tenant RSETs with isolation via installation_id.
  • Enabled DIND to unblock typical Docker build workflows.

Contact

Curious about this platform or building internal CI at scale? Contact me.