Just to add to this point. I have been running a separate namespace for CI and it is possible to limit total CPU and memory use for each namespace. This saved me from having to run a VM. Everything (even junk) goes onto k8s isolated by separate namespaces.
If limits and namespaces like this are interesting to you, the k8s resources to read up on are ResourceQuota and LimitRange.
I am not sure if it is best practice, but this is what I do and it might provide some inspiration:
This has the advantage that Gitops and normal git repositories are separate. I think that a similar principle would work with docker compose instead of k8s.
The person that found this is a hero.
Whenever I see slightly weird behaviour, there is a temptation to just move on because there isn't enough time, running software is complicated, and there is something else I want to do. I will try to change my attitude in future in case it uncovers a backdoor like this -- it would be educational too.
The manifest of my Kubernetes cluster is managed in a Git repository and is automatically deployed via a GitOps tool named Flux CD. When I push changes to the repository, such as adding a new application or upgrading Docker images, the deployment occurs within a few minutes.
This is the way.
Although I use Flux ImageUpdateAutomation instead of Renovate Bot. Did you consider using Flux to do auto updates? Are there any downsides that made you choose Renovate Bot instead?
Despite using Tokio underneath, I think that Actix does NOT do work stealing and uses mostly separate threads:
Given this architecture, I think the article might inaccurate when it says that Actix handlers must be Send + Sync. See also: https://www.reddit.com/r/rust/comments/14cbe1u/why_does_actixwebs_handler_not_require_send/
Actix is a bit weird, but it has been around, and used in production, for a relatively long time.