(no title)

At Namespace (namespace.so), we also take things one step further: GitHub jobs run under a cgroup with a subset of privileges by default.

Running a job with full capabilities, requires an explicit opt-in, you need to enable "privileged" mode.

Building a secure system requires many layers of protection, and we believe that the runtime should provide more of these layers out of the box (while managing the impact to the user experience).

(Disclaimer: I'm a founder at Namespace)