Might not even be lawful
"GitLab will expect users to provide a valid credit or debit card number to use shared runners on its platform."
Under the dreaded GDPR, it's quite possibly not allowable to collect payment card details (which are personal data) where no payment is required for provision of the service. Some other control that doesn't involve personal data which is not strictly necessary for provision of the service would be lawful. As if MS actually cared about the legality of this though...
Biting the hand that feeds IT
