I am trying to host a new project with Gitlab. It is a private Python project. I was able to test some initial tests with Gitlab CI.

I don't use cache while running tests,

While exploring the runner section in settings, there is a warning shown,

GitLab Runners do not offer secure isolation between projects that they do builds for. You are TRUSTING all GitLab users who can push code to project A, B or C to run shell scripts on the machine hosting runner X.

what are the security risks in using a shared test runner? Is it safe to run private projects on a shared runner? What precautions can be taken while running tests on a shared runner?

Thank you for any insight.

GitLab CI runner offers the following executor types:

• shell
• docker
• ssh
• docker-ssh
• parallels
• virtualbox

The security concerns you should have are mainly from using ssh and shell runners.

• shell is unsafe unless you're in a controlled environment.
  This is because it's, literally, a simple shell. The user running your build will have access to everything else going on for that user, and that includes other projects.
• ssh is susceptible to man-in-the-middle attacks.
  If you're dealing with private crypto keys in your builds, beware that they may be stolen.

Fortunately, http://gitlab.com seems to be sharing only docker runners.
docker runners are generally safe* because every build runs in a new container, so there's nothing to worry.

You can read further about GitLab CI Runner security here.

_{* unless you're doing the nasty privileged mode!}

Using Gitlab shared runners does not comes at no risk. As Gitlab caches the content of the repos where the runners are running, your code is still stored somewhere in the Gitlab's instances. Whoever can have access to these instances as a user capable to read the cache folder, can access to yours.

If you're already running Gitlab as SaaS, I guess it doesn't make a big difference.