Hindsight is 20/20 for sure, but for this use case confidentiality seems more important than availability.It is something of an impossible choice, but I've come to think that every service big or small gets hacked sooner or later. I'm thinking being a smaller target is better in that case.

But a smaller target might mean less funds for security, as it's basically a constant overhead.

I’m fairly confident that in the same breach scenario (laptop with admin permissions taken over), most small orgs would fare worse. The CI system would likely be behind a VPN, but the laptop would likely have those credentials, so it would not stop an attacker.

A small, 20 person org has maybe 2 people assigned to ops, so monitoring and breach detection is likely worse.

Now, a small org may be a less attractive target and some orgs can have top notch security people, but on average, the trade-off is likely not in favor of hosting your own.

I had the opposite experience with a large UK corp when moving from self-hosted Gitlab to gitlab.com.

Runners were still self hosted, but if the thing controlling them is just giving 500s all day and you’ve no influence on fixing it, then your jobs aren’t being run and your developers are sitting somewhat idle.

Github Actions has been better, but not perfect… but you can still fully self-host this if you think it’s worth it !