Show HN: GhostBox – Borrow a disposable little machine from the Global Free Tier (ghost.charity)
I built this because I was always creating machines on GH actions to test builds on different OS, and I wanted a tight CLI that could do it. I always saw Actions as this great resources and ephemeral machines you could do dev work in just were a natural way for me to work, so this grew out of that workflow.
I didn't expect it to blow up, so it wasn't 100% finished when I posted it. But it should stabilize pretty quickly.
Happy to know what you think and talk about it.
60 comments
[ 2.9 ms ] story [ 96.6 ms ] threadBasically any golang/any language cli application preferably-static can be dropped and ran in ghostbox plus xterm in browser (and additionally cloudflare tunnels) or perhaps directly to give a web link.
Anyone can then click on that web link to then try out the cli application. Think jujutsu and others too and they can do this upto 90 minutes.
Feel free to pick up on this idea as more importantly than not, I would personally love to see an idea like this, even something with asciinema to finally show how an app feels and looks.
Can you please tell me more about what is the structure behind Ghostbox and on what service does it run upon? Hetzner/OVH or something else? I would be interested to know more about the infrastructural decisions behind it and does it run on firecrackers, quite so many questions!
This is a really cool project, thanks for making this and have a nice day!
$ curl -fsSL https://www.ghost.charity/install.sh | bash Checking for Ghostbox updates... curl: (22) The requested URL returned error: 404 Could not fetch ghost-linux-x64.tar.gz from https://github.com/DO-SAY-GO/ghostbox-releases/releases/late...
We need more of these. There are too many sandboxes that charge insane prices.
Curious what this runs on though and it would be great if this was completely open source.
Great work!
We need more of this because compute is trending infinitely cheaper. Maybe not today, maybe not tomorrow - but inference and training of AI will eventually breakthrough to optimal and cost way less. The oversupply of compute will provide "baseload" compute for all. GH was just way ahead of its time with free action minutes on every account. The Global Free Tier, is coming :)
In fact, it's already here, it's just not evenly distributed yet :)
If you choose a specific company's free tier, you can rely on reputation and switch if they misbehave (e.g. they exfiltrate your secrets, log all your activities, build a profile on your workload behavior, etc). But if you don't know where your workload being deployed, the operator has less incentive to treat your compute with respect.
Means this is really only useful for nearly-public workloads, where tampering is not a critical failure mode.
The multi-provider angle is an interesting future direction. I built it atop Actions because that's what I use everyday, but I'm sure other similar things exist.
The main driver for me was I always felt actions had so much potential for a modicum of easier use, that would give huge benefits to my workflwos. Ghost CLI is that little bit easier.
> Ghostbox is software for launching short-lived development machines using third-party infrastructure such as GitHub Actions, tunnels, shells, agents, and related developer tools.
So this will go down, just like GitHub Actions since it abuses the subsidised free tier of GitHub Actions to run a service like this and it is likely against the GitHub TOS.
[0] https://www.ghost.charity/terms
ghost doesn't "abuses the subsidised free tier". When you run ghost it uses your free minutes, not someone else's.
In reality, the % of Actions total global minutes that would be used for these hybrid "human and/or agent real-time" workflow where you drop into a machine would be tiny compared to the bulk p95 which is automated workflows for CI.
This is for where you want to drop into a consistent environment and get into the weeds or have your agent debug what's going on, or use the security isolation to develop safely in Actions cloud rather than rooting your laptop with an agent perhaps.
GH Actions provides compute for software development workflows, that's the product.
ghost orchestrates access to your own Actions minutes for your own workflows. "Abusing free compute" is a misframing lie lol --
Weird that the true abuse here was folks lying like that then abusing the report/flag button on the repo to get it auto-disabled.
The broader concept seems to be "ephemeral environments", which is related to sandboxing, which is in turn is related to testing/debugging...
Related:
https://github.com/topics/ephemeral-environments
https://blog.invisiblethings.org/papers/2015/state_harmful.p...
And (sad but true) "open source" is 0% evidence of goodness - as the whole industry of "supply chain attack protection" can enthusiastically attest.
Just so you know, in building this I ran hundreds of rust crates dozens of times on my personal laptop. In building BrowserBox I've run millions of times npm packages.
ghost is actually a thing that helps with this risk - precisely because it provides isolated hybride (CI/automated + human in the loop/AI) dev flows, easily on your existing GH Actions minutes. Free minutes! (Thanks GH <3). How does it help? Because it's an isolated machine. Not even your ssh key is on it (SSH agent forwarding), but you can clone your repos and run CI/builds/dev/agents, and even gate secrets using GH's existing surface for this.
It's a goto way to do dev securely - and protect against the very thing you (and many) falsely suspect ghost of. A paradox! But also a great opportunity to discuss where ghost helps - with the precise thing ppl mistook as doing. :)
If you're super concerned - do a "ghost bootstrap" - create a workflow that creates a machine with a shape you want and add's tmate. Use tmate to ssh in. Download ghost, create an ssh key, add it as a deploy key to a repo you want to work on (if wf is not already in that repo), and then ssh into the ghost machine from your other runner machine (which could also be a VPS from "trad cloud", just sayin).
Think about it: why would I spend 10+ years developing software in the open (see my GH: https://github.com/crisdosaygo) and building a business on (primarily) security/browsing products only to throw it all away to do whatever it is people are imagining here? Think about it. Why would I steal anything from anyone? So sell a secret? To access a private repo? From some rando? How profitable could that be? It sounds ridiculous. And most important for me: I never have, am not, and would never do because I'm not a bad person. None of the fear makes sense: it's all totally unjust to level that at me in any way.
ghost aligns with ToS: it's a CLI porcelain driving the user’s own GitHub account to use Actions minutes for their own dev workflows.
There was abuse on this thread tho - not just the fake accusations against ghost and me, but people abusing the GH flag/report button on its repos, leading to them being auto-disabled. I trust GH will restore it once they look at it.
In the meantime - if there’s a specific clause you think applies, you're welcome to share. I think it's a classic case of crowd madness.
Ghostbox uses the your own GitHub account and Actions minutes for development workflows.
It sounds like Github Actions is the first choice, if it's unavailable (or if Github blocks GhostBox in the future), are each of the alternatives viable as a more or less drop-in replacement? Or would there be loss of functionality?
Those are the questions I had when reading through the site so I think some basic technical docs would go a long way to help people understand the project and decide to give it a try. I like the cute/whimsical branding but I'll admit to doing a little internal eye-roll when I clicked that link expecting technical specifics and instead read:
It's a neat idea though, and I've definitely had moments where I wished I could just spin up a free, temporary VM/container to do something but didn't feel like researching the current free-tier landscape and filling out a sign-up form and stuff.[1] https://www.ghost.charity/#gft
Ghostbox uses the your own GitHub account and Actions minutes for your own development workflows.
AI=generated article that asks you to download and run some random binary. Github account is just more AI slop. Everything to me just screams that it's a malware. Or this is normal here?
"botted" and "malware" are accusations, not arguments. You have no basis for that, stop abusively trying to launder your weird-ass character attacks as suspicion/critique.
What did you imagine it was?
Ghostbox helps a you run dev workflows in your own GitHub account, using your own Actions minutes.