A self-hosted CI/CD runner on a VPS should be treated like part of your production delivery chain, not just a build machine. Before using it, harden the server, disable risky SSH access, limit inbound traffic, isolate runners by trust level, keep secrets out of the VPS, avoid giving Docker jobs ...
Source: [HackerNoon](https://hackernoon.com/how-to-secure-a-self-hosted-cicd-runner-on-a-vps-without-turning-it-into-a-backdoor?source=rss)