Runbook: https://gitlab.com/gitlab-com/runbooks/-/blob/master/docs/ci-runners/ci-investigate-abuse.md Review and update the runbook for investigating CI abuse. Incorporate what we learned from [a recent incident](https://gitlab.com/gitlab-com/gl-infra/production/-/issues/2364). **Do not include** tactical response procedures, alerting thresholds, or details of our abuse detection/mitigation/prevention strategies. The runbooks repo is currently public (as is this issue). Publicly visible documentation should avoid revealing info that helps abusers evade detection and mitigation. Also, update the runbook's contextual information. For example, runners no longer execute in Digital Ocean, and some runner-managers reuse their ephemeral runner VMs more than once, so we must more carefully correlate the timespan of the abuse to the job being executed.