The securedrop.club GitLab CI runs on the same host as GitLab itself, which is acceptable since the jobs run in Docker containers. However, it would be really convenient for the CI jobs to be able to run containers themselves. That lets them benefit from the layer cache of the Docker daemon running on the local machine, significantly reducing network bandwidth and, most importantly, reducing the risk of transient failures due to network problems.
It is too risky to do that on the GitLab machine itself, because the chances are too high that the host will be either compromised or (more likely) broken by tests doing something wrong. This is the motivation for having an independent machine dedicated exclusively to the CI runner. It is not recreated each time a job is scheduled: the isolation provided by the containers is good enough to assume it will only be broken occasionally.
This introduces a new kind of machine into the SecureDrop.club infrastructure. So far, all machines are long-lived and one of a kind. The CI runners are meant to be destroyed on a regular basis, and it could be convenient to have more than one of them to run jobs in parallel.
I’m not sure how to implement that, and ideas would be welcome.