frankfrank13 6 days ago
Reading this, it's not clear how your blog post relates:

1. You run git clone inside the GCR function, so, you have at the very least a user token for the git provider
2. RCE exploit basically used the external tools, like a static analysis checker, which again, is inside your GCR function
3. As a contrived example, if I could RCE `console.log(process.env)` then seemingly I could do `fetch(mywebsite....`

I get it, you can hand-wave some amount of "VPC" and "sandbox" here. But you're still executing code; explicitly labeling it "untrusted" and "sandboxed" doesn't excuse it.