
how do you ensure isolation between runs on a self hosted runner that way?


What kind of isolation do you need? We are building our own code so I don't see the need for isolation beyond a clear directory.


Shared runner infrastructure in a big company. It's pretty common to treat these situations as multi-tenant low trust environments.


Plenty of marketplace actions will install things and/or mutate the runner. It's a matter of time before someone does something or there's a build that doesn't clean up after itself (e.g. leaving test processes running) that ruins the day for everyone else.


If you are in k8s, you can use the default chart provided by GitHub and get 90% of the way there.


Self-hosted runners can be ephemeral too. With such either mount the cache as a disk or bake docker layers/images into the runner image.


This requires a lot of work from a dev inf team, though. Not as straightforward for an average team.


I won't disagree. It should be easier imo. I guess this is why a cottage industry has sprung up addressing such e.g. https://news.ycombinator.com/item?id=39930908


Now I've seen everything...


It's actually pretty easy.

Setup GitHub app. Install the arc helm charts. Install a buildkitd statefulset.

Update params on build to use buildkitd.

That's not to say there aren't better caching strategies, but a really basic ephemeral setup is right there.
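A concrete shape for the setup described in the comment above, as an added example that is not the commenter's own configuration: a values file for the ARC runner scale set chart plus a workflow that points buildx at an in-cluster buildkitd service. The release name `arc-runner-set`, the namespace `arc-runners`, the Service name `buildkitd` and its port 1234, and the `EXAMPLE-ORG` organisation are all assumptions or placeholders.

```yaml
# values.yaml for the gha-runner-scale-set helm chart (names below are assumed)
githubConfigUrl: "https://github.com/EXAMPLE-ORG"   # placeholder org; use your own
githubConfigSecret: "github-app-secret"             # k8s Secret holding the GitHub App credentials
minRunners: 0      # scale to zero: every job gets a fresh pod, nothing persists between runs
maxRunners: 10
---
# .github/workflows/build.yml: job runs on the ephemeral scale set and builds via remote buildkitd
name: build
on: [push]
jobs:
  image:
    runs-on: arc-runner-set        # the helm release name of the runner scale set (assumed)
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
        with:
          driver: remote           # do not build inside the runner pod; use the shared buildkitd
          endpoint: tcp://buildkitd.arc-runners.svc.cluster.local:1234   # buildkitd StatefulSet Service (assumed)
      - uses: docker/build-push-action@v6
        with:
          context: .
          push: false
          # layer cache lives in the registry, not on the runner's filesystem
          cache-from: type=registry,ref=ghcr.io/EXAMPLE-ORG/app:buildcache
          cache-to: type=registry,ref=ghcr.io/EXAMPLE-ORG/app:buildcache,mode=max
```

Because each runner pod is discarded after its job, anything a marketplace action installs or leaves running disappears with the pod, while the build cache survives in buildkitd and the registry rather than on the runner.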


runs-ons supports custom images - https://runs-on.com/features/byoi/ and caching to S3 - https://runs-on.com/reference/caching/

I haven't used it yet but these two features make it the clear favourite for me in alternate github action runners



