The gitlab-cloud-runner project uses Terraform, with a broad DigitalOcean access token, and Helm to provision the cloud runner infrastructure. These are sensitive operations that should be moved to the trusted runners.
However, our trusted runners will not allow the terraform-images we currently use from the GitLab container registry, so we'll first need to vendor the scripts from that image, together with Terraform, and publish our own image to docker-registry.wikimedia.org.