Taken from https://trello.com/c/so9pit0P/10-scriptworker-provisioner: With mac and windows signing, aiui we have tests that require signed packages. This implies dep signing, which is good for robustness. However, with the added load, we'll likely need a much larger pool of signing scriptworkers. When idle, it would be nice to shut down some of the idle ones. Most likely these will be on-demand instances that we just shut down and spin back up when we need, rather than spot instances we spin up on the fly. If we are shutting these down for any real length of time, we may want to block spinning up scriptworker until puppet has run once since boot.