
Commit 998345a

Authored by GeiserX and one co-author
security: block fork PRs from running on the self-hosted runner (#10)
Jobs triggered on pull_request that run on the self-hosted runner could execute untrusted fork PR code on the runner host. Add an if: guard so these jobs run only for same-repo events (push, schedule, workflow_dispatch, and PRs from branches in this repo), never for fork PRs. Runner stays self-hosted for trusted runs. Co-authored-by: GeiserX <drumsergio@gmail.com>
1 parent 10ede48 commit 998345a

1 file changed

Lines changed: 8 additions & 0 deletions

.github/workflows/main.yml

@@ -7,6 +7,10 @@ on:
77
jobs:
88
lint:
99
runs-on: [self-hosted, Linux, X64]
10+
# Do not run untrusted fork PR code on the self-hosted runner.
11+
if: >-
12+
github.event_name != 'pull_request' ||
13+
github.event.pull_request.head.repo.full_name == github.repository
1014
steps:
1115
- uses: actions/checkout@v6
1216
- uses: GeiserX/awesome-lint-extra@v1.1.0
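Review bot: The guard excludes only `github.event_name != 'pull_request'`, so any other trigger that also carries fork-supplied code (for example `pull_request_target`, should it ever be added to the `on:` block this hunk sits under) would satisfy the first clause and still reach the self-hosted runner; an allow-list of the trusted events named in the commit message (`push`, `schedule`, `workflow_dispatch`) plus the same-repo PR check would fail closed instead. Separately, the job still runs third-party actions pinned to mutable tags (`actions/checkout@v6`, `GeiserX/awesome-lint-extra@v1.1.0`) with access to the runner host; pinning both to a full commit SHA would close the remaining supply-chain exposure on that host.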
@@ -16,6 +20,10 @@ jobs:
1620
check_alphabetical: 'true'
1721
links:
1822
runs-on: [self-hosted, Linux, X64]
23+
# Do not run untrusted fork PR code on the self-hosted runner.
24+
if: >-
25+
github.event_name != 'pull_request' ||
26+
github.event.pull_request.head.repo.full_name == github.repository
1927
continue-on-error: true
2028
steps:
2129
- uses: actions/checkout@v6
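Review bot: This four-line guard is a verbatim copy of the one added to `lint`, and workflow YAML offers no anchors to share it, so a comment on each copy pointing at the other (or moving both jobs behind one reusable workflow) would keep them from drifting if only one is edited later. Note also that when the `if:` evaluates false the job is reported as skipped, not failed, so `continue-on-error: true` has no bearing on fork PRs; fork authors will simply see no link check, which is acceptable here but worth stating in the workflow comment.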
