This task is for tracking the setup of GitLab Runners in a trusted environment.
In T286958 we discussed the long-term requirements for GitLab Runners. One class of Runners should run in production environments (eqiad, codfw) and execute jobs which handle sensitive credentials and produce artifacts running in production. See also https://wikitech.wikimedia.org/wiki/GitLab/Gitlab_Runner#Specific_GitLab_Runners.
I would like to reuse the existing Puppet code for the Shared Runners in WMCS. I think we could start with VMs on Ganeti and later order dedicated machines and/or migrate to //some// Kubernetes platform.
The Runners must not be used by arbitrary jobs but only by certain projects and branches. So these runners will be set up as Specific Runners, probably executing only jobs for protected branches.