The anatomy of an AI Job deployment
What actually happens between clicking Publish and your AI Job being ready to run? Here is the short version of the pipeline.
From repository to running AI Job
When you publish an AI Job, HollowHost runs an asynchronous, multi-stage flow:
- Validation — we confirm the GitHub repository (and, when set, the branch and sub-path) is reachable and well-formed. Status moves from `VALIDATING` to `VALIDATED`.
- Build — a container image is built from your code in an isolated build environment, then pushed to a private registry.
- Provision — your AI Job gets a dedicated execution role scoped strictly to its own resources, plus its own logs and secrets boundary.
- Deploy — the image is deployed and your AI Job flips to `DEPLOYED`, ready to be triggered manually or on a cron schedule.
Isolation by default
Every AI Job runs under its own least-privilege execution role. There is no cross-job access and no privilege escalation: a job can read only its own secrets, write only its own logs, and nothing else.
GitHub tokens never touch the final image layers, and are never stored in plaintext — they flow through the build as a short-lived build secret only.
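The claim that a token never reaches the image can be checked from the outside by inspecting the image's metadata. The following is an added example, not HollowHost's code: it scans an OCI image config (the `history[].created_by` and `config.Env` fields) for GitHub token values and credential-named variables. The two sample configs, the fake token and the function name `find_leaks` are constructed for illustration.

```python
import json
import re

# GitHub token shapes: classic prefixes (ghp_, gho_, ghu_, ghs_, ghr_) and fine-grained github_pat_.
TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})")
# Upper-case build args / env vars whose name suggests a credential.
NAMED_RE = re.compile(r"\b[A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD)[A-Z0-9_]*=\S+")


def find_leaks(image_config_json):
    """Return (location, reason) pairs for credentials baked into image metadata."""
    cfg = json.loads(image_config_json)
    sources = [(f"history[{i}]", h.get("created_by", ""))
               for i, h in enumerate(cfg.get("history") or [])]
    sources += [(f"config.Env[{i}]", e)
                for i, e in enumerate((cfg.get("config") or {}).get("Env") or [])]
    findings = []
    for where, text in sources:
        if TOKEN_RE.search(text):
            findings.append((where, "github-token-value"))
        elif NAMED_RE.search(text):
            findings.append((where, "credential-named-variable"))
    return findings


FAKE_TOKEN = "ghp_" + "A" * 36  # constructed placeholder, not a real credential

# Constructed: token passed as a build argument, so its value is recorded in layer history.
LEAKY = json.dumps({
    "config": {"Env": ["PATH=/usr/local/bin:/usr/bin"]},
    "history": [
        {"created_by": "WORKDIR /app"},
        {"created_by": "RUN |1 GITHUB_TOKEN=" + FAKE_TOKEN +
                       " /bin/sh -c git clone https://github.com/example/job.git . # buildkit"},
    ],
})

# Constructed: token read from a build-secret mount, so only the file path appears in history.
CLEAN = json.dumps({
    "config": {"Env": ["PATH=/usr/local/bin:/usr/bin", "JOB_NAME=demo"]},
    "history": [
        {"created_by": "WORKDIR /app"},
        {"created_by": "RUN /bin/sh -c git clone https://x-access-token:"
                       "$(cat /run/secrets/github_token)@github.com/example/job.git . # buildkit"},
    ],
})

if __name__ == "__main__":
    for name, cfg in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, find_leaks(cfg))
```

A clean result here covers image metadata only; file contents inside the layers need a separate scan.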
Want the full picture? The security model is documented in detail in the docs.