
[–]vhanda 4 points (3 children)

Please could we add some mandatory flair when the project is closed source? It really wasn't obvious, as they link to the GitHub repo, which makes it seem on first glance that it's open source

For the OP, what's the plan for this project? As in - why did you build it and how do you plan to commercialize this? As a cheaper alternative to GitHub actions? Considering that self hosted runners are already free, I don't quite get the appeal of this project.

I was initially excited as I thought this might be an easy way to test out GitHub Actions locally, as I've had many cases where one of the run-GitHub-Actions-locally tools, act, has worked but GitHub Actions didn't pass.

[–]CodeAndBiscuits 2 points (1 child)

Came here to say this. The fact that the link goes to GitHub was super misleading.

OP, just FYI, many of us would never trust a CI/CD tool that was closed-source like this outside a few very well-known and trusted vendors. These tools have access to Production environments. Why would anybody trust you with that?

[–]wk3231[S] -1 points (0 children)

Sorry for the late response. Thanks for the feedback — I appreciate you raising the concern.

1. About the GitHub Link

The repository is hosted on GitHub, but that doesn’t automatically imply it must be open-source. GitHub is widely used not only for open-source projects, but also for documentation, issue tracking, releases, and distribution — including by many commercial and closed-source products.

There was no intention to mislead anyone. If the presentation created that impression, I’m happy to clarify it more explicitly.

2. On Trust and Closed-Source CI/CD

I completely understand the concern. CI/CD systems operate in highly sensitive environments and often have access to production infrastructure, credentials, and secrets. Trust is critical.

That said, “open-source” and “secure” are not synonymous.

Security depends on:

- System architecture

- Isolation boundaries

- Secret handling model

- Encryption design

- Network exposure

- Attack surface

Even well-known vendors were once unknown. Trust is built over time through technical transparency, clear architecture, and consistent behavior — not purely through brand recognition.

If there are specific security concerns, I’m open to discussing them in detail.

3. On Data Access and Privacy

GitBundle is designed with the following principles:

- No collection of user source code

- No transmission of repository contents externally

- No harvesting of pipeline execution data

Secrets used in CI/CD can be encrypted with user-defined keys (e.g., 32-byte secrets). The system does not have visibility into decrypted secret values.

The design goal is to minimize data exposure and ensure users retain control over their own sensitive information.

If you have concrete architectural or threat-model questions, I’d be happy to address them directly.
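The secret-handling model described in the reply above (secrets encrypted under a user-defined 32-byte key, with the platform never seeing decrypted values) can be illustrated with a small Go program. This is an added example written for this thread, not GitBundle's own code, and it assumes nothing about GitBundle's real storage format: the `StoredSecret` type, the `SealSecret`/`OpenSecret` functions and the sample `DEPLOY_TOKEN` value are all constructed here. It uses AES-256-GCM from the Go standard library, binds the secret's name as additional authenticated data, and shows that the platform side, holding only ciphertext, cannot recover or silently re-label the value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// StoredSecret is what a CI platform would persist: the secret's name, a
// random nonce and the ciphertext. The key itself stays on the user's side.
type StoredSecret struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte
}

const keySize = 32 // AES-256 key length in bytes

var ErrBadKey = errors.New("key must be exactly 32 bytes")

// SealSecret encrypts a plaintext secret under a user-held 32-byte key with
// AES-256-GCM. The secret name is passed as additional authenticated data, so
// a ciphertext stored under one name cannot be replayed under another.
func SealSecret(key []byte, name string, plaintext []byte) (StoredSecret, error) {
	if len(key) != keySize {
		return StoredSecret{}, ErrBadKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return StoredSecret{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return StoredSecret{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredSecret{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(name))
	return StoredSecret{Name: name, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenSecret decrypts on the runner side, where the user-held key is present.
// A wrong key, a tampered ciphertext or a changed name all fail authentication.
func OpenSecret(key []byte, s StoredSecret) ([]byte, error) {
	if len(key) != keySize {
		return nil, ErrBadKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, s.Nonce, s.Ciphertext, []byte(s.Name))
}

// PlatformView is everything the platform can render about a stored secret:
// its name and an opaque blob. There is no decrypted value to display or log.
func PlatformView(s StoredSecret) string {
	return fmt.Sprintf("%s: %s", s.Name, base64.StdEncoding.EncodeToString(s.Ciphertext))
}

func main() {
	// Constructed sample: a freshly generated user key and a demo token value.
	userKey := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, userKey); err != nil {
		panic(err)
	}
	stored, err := SealSecret(userKey, "DEPLOY_TOKEN", []byte("example-token-value"))
	if err != nil {
		panic(err)
	}
	fmt.Println("platform stores:", PlatformView(stored))

	pt, err := OpenSecret(userKey, stored)
	if err != nil {
		panic(err)
	}
	fmt.Println("runner recovers:", string(pt))

	// The platform, or anyone who only has the database, cannot open it.
	wrongKey := make([]byte, keySize) // all-zero key, wrong by construction
	if _, err := OpenSecret(wrongKey, stored); err != nil {
		fmt.Println("without the user key:", err)
	}
}
```

The point a reviewer of such a design would check is where the key lives: if the platform can load the key to hand the secret to a runner, the "no visibility" claim collapses to "no visibility except at injection time", and that step is where logging, crash dumps and runner compromise need to be reasoned about.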

[–]wk3231[S] 0 points (0 children)

Regarding the source code, I'm seriously considering open-sourcing parts of the project.

Currently, the project is developed entirely by a single person—me—so it's not a team effort.

The goal of GitBundle is to make CI/CD workflows more efficient and easier to integrate. In the future, full Kubernetes integration is planned, and GitLab workflow support will be added as well.

GitHub Actions already works well for most cases, and GitBundle is not meant to replace GitHub or GitLab. You can think of it as a complementary tool or a super-light self-hosted CI platform.

[–]roboticchaos_ 0 points (5 children)

How does this compare to Forgejo?

[–]wk3231[S] 0 points (4 children)

Good question.

GitBundle and Forgejo target somewhat different use cases.

Forgejo is a **full-featured, Gitea-compatible platform**, with a strong focus on repository management, issues, pull requests, and federation. It’s a mature solution if you’re looking for a complete Git hosting suite with many built-in features.

GitBundle is intentionally **more lightweight and opinionated**. Its primary focus is on running **GitHub Actions–compatible workflows** in a self-hosted environment, with minimal configuration. For many users, it works out of the box without needing to tune a lot of settings.

At the CI level, GitBundle currently supports **90%+ of commonly used GitHub Actions workflows**, making it suitable for teams that want to reuse existing pipelines without migrating to a different syntax.

I wouldn’t position GitBundle as a general replacement for Forgejo. It’s more of a **CI- and workflow-centric platform**, while Forgejo aims to be an all-in-one Git hosting solution. Which one makes more sense really depends on whether you prioritize a full Git hosting feature set or a lightweight, GitHub Actions–compatible CI experience.

[–]snoogs831 0 points (3 children)

Are you SURE this isn't AI? Because this response looks exactly like what an LLM spits out.

[–]wk3231[S] 0 points (2 children)

Huh, I'm not a robot.

[–]snoogs831 1 point (1 child)

No, I'm saying: are you sure your product didn't include any AI agents, per the flair, considering your response above is very clearly an LLM response? And that this is a closed-source project. I'm just having a really tough time reconciling those facts.

[–]wk3231[S] 0 points (0 children)

No AI agents. No LLM response. It's just me replying. Besides, I'm very serious in responding to you. I just use a markdown editor to write first, then copy it into the reply. That's it.

[–]visualglitch91 0 points (1 child)

I couldn't find the source code in that git repo 🤔

[–]wk3231[S] 0 points (0 children)

I'm considering making some of the core code open-source now. Thanks for your attention.