Cirrus CI Shuts Down, GitHub Actions Custom Images GA, GitLab PAT Scoping
Cirrus CI Shuts Down June 1 — Migration Required
- OpenAI acquired Cirrus Labs in an acqui-hire targeting the team's virtualization expertise — specifically Tart, their Apple Silicon VM tooling. Cirrus CI services shut down June 1, 2026; existing customers are supported through current contract periods.
- Tart, Vetu, and Orchard are being relicensed under more permissive licenses with licensing fees waived, leaving the virtualization tooling available for community development post-shutdown. Likely use case for OpenAI: macOS VM sandboxing for Codex.
- Migration targets being discussed: GitHub Actions, Buildkite, and self-hosted runners. Open-source projects that relied on Cirrus CI's historically free tier are most exposed — several FreeBSD CI setups have no direct drop-in replacement.
GitHub Actions: Custom Runner Images Now GA
- Custom images for GitHub-hosted runners exited public preview on March 26, ending the per-job tooling reinstall cycle. The `snapshot` keyword bakes Node runtimes, language SDKs, internal certificates, and custom binaries into a persistent VM image that subsequent jobs consume directly.
- The build loop is three steps: configure an image-generation runner, run a workflow with `snapshot`, then point a runner group at the resulting image. GitHub auto-increments minor versions on each successful build; teams can pin to a major version or auto-consume latest. GitHub recommends weekly image regeneration to pull security patches.
- The feature is gated to larger runners on Team or Enterprise Cloud plans — Linux x64, Linux ARM64, and Windows x64 only. Images live in GitHub's own storage under Actions policy settings, not in an external registry. Teams that need to reuse images across CI providers must manage that separately.
GitHub Actions: April Pipeline Additions
- OIDC tokens now support repository custom properties (GA as of April 2, previously public preview since March 12): trust policies can scope on custom property values — environment type, team ownership, compliance tier — eliminating per-repository cloud role configuration overhead at scale.
- Service container `entrypoint` and `command` overrides are now available as explicit YAML keys matching Docker Compose syntax, removing a long-standing workaround for containerized test dependencies.
- Azure private networking VNET failover entered public preview: configure a secondary Azure subnet — optionally in a different region — for automatic or manual failover when the primary subnet is unavailable.
- Release information now appears in the issue sidebar when an issue is linked via a merged PR: shows the first release that shipped that PR with `Latest` or `Pre-release` badges, closing the manual PR → release → issue tracing gap.
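The OIDC item above is easiest to see with a trust-policy evaluator. The block below is an added example, not GitHub's or any cloud provider's code: it checks a token's claims against one policy that conditions on a repository custom property, so a single policy covers every repository tagged `compliance_tier=pci` instead of one role per repository. The standard claims (`sub`, `repository`, `repository_owner`, `ref`) are real GitHub Actions OIDC claims; the claim name `repository_custom_properties`, the policy shape and the sample tokens are assumptions constructed for this example.

```python
"""Evaluate CI OIDC token claims against a trust policy keyed on custom properties.

Added example. The policy format and the 'repository_custom_properties' claim
name are assumptions; sample token claims are constructed, not captured.
"""
from fnmatch import fnmatchcase


def claim_matches(pattern, value):
    """Exact or glob match on a single claim value (e.g. 'refs/heads/release/*')."""
    return fnmatchcase(str(value), pattern)


def evaluate_trust(policy, claims):
    """Return (allowed, reason). Every condition in the policy must hold.

    Standard claims are checked first, then each required custom property.
    A missing claim or property is a denial, never a pass-through.
    """
    for key in ("repository_owner", "repository", "ref", "environment"):
        if key in policy:
            if key not in claims:
                return False, f"missing claim {key}"
            if not claim_matches(policy[key], claims[key]):
                return False, f"{key}={claims[key]!r} does not match {policy[key]!r}"
    props = claims.get("repository_custom_properties", {})  # assumed claim name
    for name, wanted in policy.get("custom_properties", {}).items():
        if name not in props:
            return False, f"missing custom property {name}"
        if not claim_matches(wanted, props[name]):
            return False, f"custom property {name}={props[name]!r} does not match {wanted!r}"
    return True, "ok"


def allowed_repositories(policy, tokens):
    """Names of the sample tokens that the single policy would admit."""
    return sorted(name for name, claims in tokens.items() if evaluate_trust(policy, claims)[0])


# One policy for all PCI production repositories under the 'acme' owner (constructed).
POLICY = {
    "repository_owner": "acme",
    "ref": "refs/heads/main",
    "custom_properties": {"compliance_tier": "pci", "environment_type": "prod"},
}


def _token(owner, repo, ref, tier, env):
    """Build a constructed claim set shaped like a GitHub Actions OIDC token."""
    return {
        "sub": f"repo:{owner}/{repo}:ref:{ref}",
        "repository": f"{owner}/{repo}",
        "repository_owner": owner,
        "ref": ref,
        "repository_custom_properties": {"compliance_tier": tier, "environment_type": env},
    }


SAMPLE_TOKENS = {
    "acme/payments-api": _token("acme", "payments-api", "refs/heads/main", "pci", "prod"),
    "acme/ledger": _token("acme", "ledger", "refs/heads/main", "pci", "prod"),
    "acme/marketing-site": _token("acme", "marketing-site", "refs/heads/main", "public", "prod"),
    "acme/payments-api@feature": _token("acme", "payments-api", "refs/heads/feature/x", "pci", "prod"),
    "mallory/payments-api": _token("mallory", "payments-api", "refs/heads/main", "pci", "prod"),
}

if __name__ == "__main__":
    for name, claims in SAMPLE_TOKENS.items():
        print(name, evaluate_trust(POLICY, claims))
```

Two repositories pass; the public-tier repository, the feature branch and the foreign owner are each denied for a different stated reason, which is the audit trail you want when a trust policy is the only thing standing between a CI job and a cloud role.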
Harness: Blueprint-Based Environment Lifecycle
- Harness launched Environment Management inside its Internal Developer Portal, connecting IaCM, CD, and IDP into a unified environment lifecycle system. Developers provision production-like environments from standardized blueprints in minutes without tickets or manual pipeline stitching.
- Three capabilities drive the value: drift detection (surfaces differences between a blueprint definition and the running environment state), TTL policies for automatic ephemeral environment teardown, and full lifecycle control (update, pause, resume, teardown) with a complete audit trail.
- Infrastructure provisioning runs through Harness IaCM; deployments flow through Harness CD — the two paths share the same governance layer. Platform teams define blueprints once with RBAC and versioning embedded; developers consume from a catalog. Boomi's engineering team describes it as "a simple, single action for developers so they don't have to worry about underlying parameters or pipelines."
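Drift detection and TTL teardown are generic enough to show in code. The block below is an added example, not Harness code: it diffs a constructed blueprint against a constructed observed state and reports every added, removed or changed path, with an ignore list for volatile fields that would otherwise register as permanent drift, and flags ephemeral environments whose TTL has elapsed.

```python
"""Blueprint-vs-state drift detection and TTL expiry for ephemeral environments.

Added example. The blueprint, observed state and environment records are
constructed dicts, not output from any real provisioning system.
"""
from datetime import datetime, timedelta


def detect_drift(expected, actual, path="", ignore=()):
    """Return a list of (kind, path, expected, actual) tuples.

    kind is 'added', 'removed' or 'changed'. Dicts are walked by key, lists by
    index; paths in `ignore` (volatile, provider-computed fields) are skipped.
    """
    if path in ignore:
        return []
    drift = []
    if isinstance(expected, dict) and isinstance(actual, dict):
        for key in sorted(set(expected) | set(actual)):
            sub = f"{path}.{key}" if path else key
            if sub in ignore:
                continue
            if key not in actual:
                drift.append(("removed", sub, expected[key], None))
            elif key not in expected:
                drift.append(("added", sub, None, actual[key]))
            else:
                drift.extend(detect_drift(expected[key], actual[key], sub, ignore))
    elif isinstance(expected, list) and isinstance(actual, list):
        for i in range(max(len(expected), len(actual))):
            sub = f"{path}[{i}]"
            if i >= len(actual):
                drift.append(("removed", sub, expected[i], None))
            elif i >= len(expected):
                drift.append(("added", sub, None, actual[i]))
            else:
                drift.extend(detect_drift(expected[i], actual[i], sub, ignore))
    elif expected != actual:
        drift.append(("changed", path, expected, actual))
    return drift


def expired_environments(environments, now):
    """Names of environments whose created_at + ttl_hours is at or before `now`.

    A ttl_hours of None marks a persistent environment that is never torn down.
    """
    return sorted(
        env["name"]
        for env in environments
        if env["ttl_hours"] is not None
        and env["created_at"] + timedelta(hours=env["ttl_hours"]) <= now
    )


# Constructed blueprint and observed state for one environment.
BLUEPRINT = {
    "compute": {"instance_type": "m5.large", "count": 2},
    "network": {"public_ingress": False, "allowed_cidrs": ["10.0.0.0/8"]},
    "tags": {"owner": "platform"},
}
OBSERVED = {
    "compute": {"instance_type": "m5.large", "count": 3},
    "network": {"public_ingress": True, "allowed_cidrs": ["10.0.0.0/8", "0.0.0.0/0"]},
    "tags": {"owner": "platform", "created_by": "console"},
    "last_seen": "2026-04-03T10:00:00Z",  # provider-computed, not part of the blueprint
}
VOLATILE = ("last_seen",)

ENVIRONMENTS = [  # constructed records
    {"name": "pr-1234", "created_at": datetime(2026, 4, 1, 9, 0), "ttl_hours": 24},
    {"name": "pr-1240", "created_at": datetime(2026, 4, 2, 18, 0), "ttl_hours": 24},
    {"name": "staging", "created_at": datetime(2026, 1, 1, 0, 0), "ttl_hours": None},
]

if __name__ == "__main__":
    for entry in detect_drift(BLUEPRINT, OBSERVED, ignore=VOLATILE):
        print(*entry)
    print(expired_environments(ENVIRONMENTS, datetime(2026, 4, 3, 10, 0)))
```

The two most consequential findings in the sample, a public ingress flag and an `0.0.0.0/0` CIDR that nobody declared, surface as concrete paths rather than a generic "out of sync" status, which is what makes a drift report actionable for the team that owns the blueprint.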
GitLab: Fine-Grained PAT Permissions and Release Evidence Linking
- GitLab's fine-grained Personal Access Token permissions are now in beta, covering approximately 75% of the REST API. Tokens can be scoped to specific resources and actions rather than broad permission sets — directly reducing the blast radius of a leaked pipeline token.
- Release Evidence now automatically includes packages published to the GitLab package registry when the package version matches the release tag. Artifacts and releases are linked without manual association, giving release engineers a verifiable artifact-to-release chain out of the box.
- SAST scanning is now available via Security Configuration Profiles without requiring changes to `.gitlab-ci.yml` files — useful for rolling out static analysis to projects that haven't yet adopted pipeline-embedded scanning.
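To make the blast-radius claim for fine-grained tokens concrete, the block below is an added example, not GitLab code: it models a broad-scope token (the real `api` and `read_api` scope names) beside a token holding per-resource grants, authorizes requests against each, and counts how many (resource, action) pairs a leaked copy of each token could reach across a constructed inventory. The grant schema and the inventory are assumptions for this example, not GitLab's actual permission model.

```python
"""Compare the reach of a broad-scope token and a fine-grained token.

Added example. 'api' and 'read_api' are real GitLab PAT scope names; the
fine-grained grant schema and the resource inventory are constructed.
"""

# Legacy broad scopes and the actions they imply on every resource.
BROAD_SCOPES = {"api": {"read", "write"}, "read_api": {"read"}}
ACTIONS = ("read", "write")


def authorize(token, resource, action):
    """Allow if a broad scope covers the action, or a grant names the resource.

    resource is a (type, id) pair such as ("project", 42). A grant with
    resource_id "*" covers every resource of that type.
    """
    for scope in token.get("scopes", []):
        if action in BROAD_SCOPES.get(scope, set()):
            return True
    for grant in token.get("grants", []):
        if (
            grant["resource_type"] == resource[0]
            and grant["resource_id"] in ("*", resource[1])
            and action in grant["actions"]
        ):
            return True
    return False


def blast_radius(token, inventory):
    """Every (type, id, action) a holder of this token could exercise."""
    return sorted(
        (rtype, rid, action)
        for rtype, rid in inventory
        for action in ACTIONS
        if authorize(token, (rtype, rid), action)
    )


# Constructed inventory of what exists in the instance.
INVENTORY = [("project", 42), ("project", 43), ("project", 44), ("group", 7)]

# A classic pipeline token with full API access.
BROAD_TOKEN = {"scopes": ["api"]}
# A token that can only push packages/releases for one project.
FINE_TOKEN = {"grants": [{"resource_type": "project", "resource_id": 42, "actions": ["read", "write"]}]}
# A read-only token across all projects, but no groups.
READ_PROJECTS_TOKEN = {"grants": [{"resource_type": "project", "resource_id": "*", "actions": ["read"]}]}

if __name__ == "__main__":
    for name, tok in (("broad", BROAD_TOKEN), ("fine", FINE_TOKEN), ("read-projects", READ_PROJECTS_TOKEN)):
        print(name, len(blast_radius(tok, INVENTORY)), "reachable resource/action pairs")
```

The numbers are what matter in an incident: a leaked `api`-scoped token reaches every resource for both actions, while the project-scoped token reaches two pairs, so the same leak moves from "rotate everything" to "rotate one token and review one project's audit log".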
Monorepo Build Tool Selection: 2026 Scale Thresholds
- Monorepos are now used by 63% of companies with 50+ developers, per a 2026 survey. Tool selection breaks cleanly by scale: Turborepo for 5–50 JS/TS packages (quick setup, content-aware caching, Vercel integration), Nx for larger or polyglot repos, Bazel for 1,000+ engineer organizations requiring hermetic builds and absolute correctness.
- Nx benchmarks 16% faster than Turborepo on a single machine and more than twice as fast with Nx Agents for distributed CI. The `nx affected` command limits rebuilds to the dependency graph impact of a change; remote caching via Vercel or Nx Cloud combined with affected-only builds cuts pipeline times 60–80%. Mercari reduced Turborepo task durations 50% with self-hosted remote caching.
- Bazel's action-level caching enables minimal rebuilds across massive polyglot codebases — Stripe migrated 300+ services and JPMorgan Chase consolidated 850+ microservices onto it. The tradeoff: explicit dependency declarations and a steep learning curve that typically requires dedicated build engineering investment.
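The two mechanisms this section leans on, affected-only builds and content-aware caching, fit in one short program. The block below is an added example and is not Nx, Turborepo or Bazel code: it maps changed paths to projects, walks reverse dependencies to find everything that must be rebuilt, and derives a cache key from a project's own sources plus its dependencies' keys so that an upstream edit invalidates downstream entries. The project graph, roots and file contents are constructed for the example; a change outside every project root (a root-level config file) is treated as affecting all projects, which is the conservative choice real tools also default to.

```python
"""Affected-project computation and content-aware cache keys for a monorepo.

Added example. GRAPH, ROOTS and FILES are constructed; real tools derive them
from workspace config and the file system.
"""
import hashlib
from collections import deque

# project -> projects it depends on (constructed)
GRAPH = {"utils": [], "api": ["utils"], "web": ["api", "utils"], "docs": []}
# project -> directory prefix (constructed)
ROOTS = {"utils": "packages/utils/", "api": "packages/api/", "web": "packages/web/", "docs": "packages/docs/"}
# project -> {path: bytes} (constructed contents)
FILES = {
    "utils": {"packages/utils/src/index.ts": b"export const add = (a, b) => a + b;\n"},
    "api": {"packages/api/src/server.ts": b"import { add } from 'utils';\n"},
    "web": {"packages/web/src/app.tsx": b"import { totals } from 'api';\n"},
    "docs": {"packages/docs/index.md": b"# Docs\n"},
}


def changed_projects(paths, roots):
    """Projects owning the changed paths; a path outside every root affects all."""
    changed = set()
    for path in paths:
        owners = [p for p, root in roots.items() if path.startswith(root)]
        if not owners:
            return set(roots)  # root-level config change: rebuild everything
        changed.update(owners)
    return changed


def affected(graph, changed):
    """Changed projects plus every transitive dependent (reverse-graph BFS)."""
    dependents = {p: set() for p in graph}
    for project, deps in graph.items():
        for dep in deps:
            dependents[dep].add(project)
    seen, queue = set(changed), deque(changed)
    while queue:
        for dependent in dependents[queue.popleft()]:
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def cache_key(project, graph, files, memo=None):
    """SHA-256 over sorted (path, content) pairs and the keys of all dependencies."""
    memo = {} if memo is None else memo
    if project in memo:
        return memo[project]
    h = hashlib.sha256()
    for path in sorted(files.get(project, {})):
        h.update(path.encode() + b"\0" + files[project][path] + b"\0")
    for dep in sorted(graph[project]):  # dependency keys make the hash transitive
        h.update(cache_key(dep, graph, files, memo).encode())
    memo[project] = h.hexdigest()
    return memo[project]


def build_plan(graph, roots, files, changed_paths):
    """Cache key per affected project; unaffected projects are not rebuilt."""
    todo = affected(graph, changed_projects(changed_paths, roots))
    memo = {}
    return {p: cache_key(p, graph, files, memo) for p in sorted(todo)}

if __name__ == "__main__":
    for project, key in build_plan(GRAPH, ROOTS, FILES, ["packages/utils/src/index.ts"]).items():
        print(project, key[:16])
```

Editing `utils` rebuilds `utils`, `api` and `web` but leaves `docs` alone, and because the key of `web` folds in the keys of `api` and `utils`, a remote cache populated by an earlier run cannot serve a stale `web` artifact after the upstream edit.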