Show HN: GhostBox – Borrow a disposable little machine from the Global Free Tier (ghost.charity)

126 points by keepamovin ↗ HN
I built this because I was always creating machines on GH actions to test builds on different OS, and I wanted a tight CLI that could do it. I always saw Actions as this great resources and ephemeral machines you could do dev work in just were a natural way for me to work, so this grew out of that workflow.

I didn't expect it to blow up, so it wasn't 100% finished when I posted it. But it should stabilize pretty quickly.

Happy to know what you think and talk about it.

60 comments

[ 2.9 ms ] story [ 96.6 ms ] thread
Thanks, I know exactly something which has been in my mind to build which can be made possible with this.

Basically any golang/any language cli application preferably-static can be dropped and ran in ghostbox plus xterm in browser (and additionally cloudflare tunnels) or perhaps directly to give a web link.

Anyone can then click on that web link to then try out the cli application. Think jujutsu and others too and they can do this upto 90 minutes.

Feel free to pick up on this idea as more importantly than not, I would personally love to see an idea like this, even something with asciinema to finally show how an app feels and looks.

Can you please tell me more about what is the structure behind Ghostbox and on what service does it run upon? Hetzner/OVH or something else? I would be interested to know more about the infrastructural decisions behind it and does it run on firecrackers, quite so many questions!

This is a really cool project, thanks for making this and have a nice day!

@keepamovin this looks cool, but notice that your README and github links are ghosting us (404)
Its great that this is free for disposable use.

We need more of these. There are too many sandboxes that charge insane prices.

Curious what this runs on though and it would be great if this was completely open source.

Great work!

Yes, we do! Thank you for the compliment :)

We need more of this because compute is trending infinitely cheaper. Maybe not today, maybe not tomorrow - but inference and training of AI will eventually breakthrough to optimal and cost way less. The oversupply of compute will provide "baseload" compute for all. GH was just way ahead of its time with free action minutes on every account. The Global Free Tier, is coming :)

In fact, it's already here, it's just not evenly distributed yet :)

this is exactly what a bad actor would do to temp the greedy. If they are providing free ssh access, why not just use an ssh client instead of curl|sh? That's crazy! And free compute is even crazier. I guess they could make money based off training or selling whatever you put on there.
Won't the supply-side incentives misalign with demand-side's desires in this case?

If you choose a specific company's free tier, you can rely on reputation and switch if they misbehave (e.g. they exfiltrate your secrets, log all your activities, build a profile on your workload behavior, etc). But if you don't know where your workload being deployed, the operator has less incentive to treat your compute with respect.

Means this is really only useful for nearly-public workloads, where tampering is not a critical failure mode.

I think you misunderstand what ghost is. It's not a cloud service. It's a CLI tool that runs workflows from your GH account: https://news.ycombinator.com/item?id=47982915

The multi-provider angle is an interesting future direction. I built it atop Actions because that's what I use everyday, but I'm sure other similar things exist.

The main driver for me was I always felt actions had so much potential for a modicum of easier use, that would give huge benefits to my workflwos. Ghost CLI is that little bit easier.

Is there a meaningfully useful version of automatically write to an encrypted disk / RAM that could be used with a random cloud instance? Obviously the decryption key would be in RAM somewhere but as a short term best practice it might be somewhat useful
That specialized. I think on GH at least the runner you get is random and opaque to you? For encryption you could add a user-script to the ghost config, it supports that.
So that's why we will see GitHub Actions continuing to go down so frequently every day of the week. From their "terms of service" [0]

> Ghostbox is software for launching short-lived development machines using third-party infrastructure such as GitHub Actions, tunnels, shells, agents, and related developer tools.

So this will go down, just like GitHub Actions since it abuses the subsidised free tier of GitHub Actions to run a service like this and it is likely against the GitHub TOS.

[0] https://www.ghost.charity/terms

You're mistaken - ghost is not a "service". It is a CLI tool. And [0] is precisely how GH Actions runners are used everyday. It's not something other.

ghost doesn't "abuses the subsidised free tier". When you run ghost it uses your free minutes, not someone else's.

In reality, the % of Actions total global minutes that would be used for these hybrid "human and/or agent real-time" workflow where you drop into a machine would be tiny compared to the bulk p95 which is automated workflows for CI.

This is for where you want to drop into a consistent environment and get into the weeds or have your agent debug what's going on, or use the security isolation to develop safely in Actions cloud rather than rooting your laptop with an agent perhaps.

Weird to have a .charity TLD but promote abusing Github Actions as free compute.
You can dislike the joyful name, but you don't get to invent abuse from that.

GH Actions provides compute for software development workflows, that's the product.

ghost orchestrates access to your own Actions minutes for your own workflows. "Abusing free compute" is a misframing lie lol --

Weird that the true abuse here was folks lying like that then abusing the report/flag button on the repo to get it auto-disabled.

Looks like the Github repo has already been nuked, I'm guessing for violating ToS on Github actions?
An interesting set of ideas!

The broader concept seems to be "ephemeral environments", which is related to sandboxing, which is in turn is related to testing/debugging...

Related:

https://github.com/topics/ephemeral-environments

https://blog.invisiblethings.org/papers/2015/state_harmful.p...

Yes, that's about the shape of it, thanks! By controlling variables of the env (ie removing, fixing confounding factors), you can approach a more scientific process to development and testing, and make more rapid progress toward stability :)
I'd be worry about security tbf - this sounds cool until it's used to host some weird shenanigans and nobody has any kind way to tell who did what
Well it's linked to your GH account, and surely GH has logs of all the workflows that get run, so it's the same as regular Actions.
Where is the source ? This looks fishy, no way I'll run this bin..
It ain't open source. You're free not to run closed-source software (tho OS/apps might be an issue ;)), but "closed source"/proprietary is 0 evidence of bad intent.

And (sad but true) "open source" is 0% evidence of goodness - as the whole industry of "supply chain attack protection" can enthusiastically attest.

Just so you know, in building this I ran hundreds of rust crates dozens of times on my personal laptop. In building BrowserBox I've run millions of times npm packages.

ghost is actually a thing that helps with this risk - precisely because it provides isolated hybride (CI/automated + human in the loop/AI) dev flows, easily on your existing GH Actions minutes. Free minutes! (Thanks GH <3). How does it help? Because it's an isolated machine. Not even your ssh key is on it (SSH agent forwarding), but you can clone your repos and run CI/builds/dev/agents, and even gate secrets using GH's existing surface for this.

It's a goto way to do dev securely - and protect against the very thing you (and many) falsely suspect ghost of. A paradox! But also a great opportunity to discuss where ghost helps - with the precise thing ppl mistook as doing. :)

If you're super concerned - do a "ghost bootstrap" - create a workflow that creates a machine with a shape you want and add's tmate. Use tmate to ssh in. Download ghost, create an ssh key, add it as a deploy key to a repo you want to work on (if wf is not already in that repo), and then ssh into the ghost machine from your other runner machine (which could also be a VPS from "trad cloud", just sayin).

Think about it: why would I spend 10+ years developing software in the open (see my GH: https://github.com/crisdosaygo) and building a business on (primarily) security/browsing products only to throw it all away to do whatever it is people are imagining here? Think about it. Why would I steal anything from anyone? So sell a secret? To access a private repo? From some rando? How profitable could that be? It sounds ridiculous. And most important for me: I never have, am not, and would never do because I'm not a bad person. None of the fear makes sense: it's all totally unjust to level that at me in any way.

This idea is great in concept, and I think it's important to state that, but the GitHub Actions stuff is against TOS iirc + they will need to address that pretty quickly.
I appreciate your "great in concept" part.

ghost aligns with ToS: it's a CLI porcelain driving the user’s own GitHub account to use Actions minutes for their own dev workflows.

There was abuse on this thread tho - not just the fake accusations against ghost and me, but people abusing the GH flag/report button on its repos, leading to them being auto-disabled. I trust GH will restore it once they look at it.

In the meantime - if there’s a specific clause you think applies, you're welcome to share. I think it's a classic case of crowd madness.

As unreliable as GitHub actions are, this is what ruins nice things (free for public repos) for the rest of us.
I have never encountered any Actions reliability besides occasional networking stalls halting package installations. Actions has been so reliable that's what inspired me to make this. It's literally my go to test and develop platform. And I've used 10,000s of action minutes a month for a couple years on corp and personal plans.
"You dislike this use of Actions" is not the same thing as "this ruins nice things."

Ghostbox uses the your own GitHub account and Actions minutes for development workflows.

Things like this are the reason why companies like GitHub then put everything under a paid tier.
I wish the link for "Global Free Tier" [1] included an actual list of the free tiers GhostBox is using (ideally also including some kind of table/rubric for comparisons and any limitations, benefits, etc unique to each).

It sounds like Github Actions is the first choice, if it's unavailable (or if Github blocks GhostBox in the future), are each of the alternatives viable as a more or less drop-in replacement? Or would there be loss of functionality?

Those are the questions I had when reading through the site so I think some basic technical docs would go a long way to help people understand the project and decide to give it a try. I like the cute/whimsical branding but I'll admit to doing a little internal eye-roll when I clicked that link expecting technical specifics and instead read:

  > GitHub Actions is only the first place ghosts come from. There are strange little pockets of temporary compute all over the internet. Ghostbox makes them feel like one small machine. 
It's a neat idea though, and I've definitely had moments where I wished I could just spin up a free, temporary VM/container to do something but didn't feel like researching the current free-tier landscape and filling out a sign-up form and stuff.

[1] https://www.ghost.charity/#gft

GitHub is going to love this. No wonder Actions keeps getting worse and worse.
No. That’s the crowd narrative, not the actual mechanism.

Ghostbox uses the your own GitHub account and Actions minutes for your own development workflows.

Was this botted to the top of the front page?

AI=generated article that asks you to download and run some random binary. Github account is just more AI slop. Everything to me just screams that it's a malware. Or this is normal here?

or were the 'defend-microsoft' comments botted by AI, while the upvotes are organic? It's gotta be one or the other...
No, it got there organically, I wrote the copy and I've been deep in coding and tech long before AI. Wrong on all counts!

"botted" and "malware" are accusations, not arguments. You have no basis for that, stop abusively trying to launder your weird-ass character attacks as suspicion/critique.

None of the links to Github work because you're pointing at the main branch instead of your default branch ghosts-only
(comment deleted)
Just shut this down.
No. It's useful - AI workflows are the future. Actions is perfect.
Nice way to automate the unethical destruction of the commons. Shared space and community standards are for suckers.
You're mistaken - ghost is not a service consuming actions for itself - it's a CLI tool you run locally to drive workflows with sane default configs so you can easily drop into them and continue working or debugging in reliable and consistent infra, or have your agent do it. It is a better CLI for GH workflows (https://news.ycombinator.com/item?id=47982915), now whatever you were imagining.

What did you imagine it was?

Calling it "unethical destruction of the commons" does not make it so.

Ghostbox helps a you run dev workflows in your own GitHub account, using your own Actions minutes.