For building Phabricator itself for Harbormaster v2 / Drydock v1, we need an isolated build tier ("secure build") outside of the cluster with no privileges. This is "build, for secure", not "build, that is secure". We might have a cluster "build" tier eventually for normal instances.
Although builds will be isolated from services, they won't be isolated from one another. That is, anyone who can run a build can interfere with anything else happening on the same machine. Two attacks I can come up with are:
# Add a bitcoin miner to `phabricator/`, add a "unit test" that runs the miner indefinitely, `arc diff` it, mine bitcoins huehuehwahue~~~11
# Add a script which looks at other builds for secret stuff and emails it to you (or whatever).
To prevent (1), I think we can do autobuilds only for #community members. This could get more subtle eventually.
To prevent (2), we can't build important things on this tier, but none of the important things (like rKEYSTORE) have unit tests anyway so this is sort of moot.