Just as cloud agnosticism means you should be able to bootstrap your infra in different clouds, that also includes your ci/cd. As a greybeard sysadmin, my advice is to start separating your ci/cd from the platforms you run on.
https://www.slingacademy.com/article/git-post-receive-hook-a...
Another of my tricks is to tie in your containerization there too; systemd-nspawn is what I'm using at the moment, but it can apply to others.