Comment on Setting Up a Self-Hosted GitHub runner for CI/CD
mumblerfish@lemmy.world 2 weeks agoThere is no auth needed for gh runners? Like a secret shared between them and the repo? I would guess repo secrets are not shared when forked… right?
Comment on Setting Up a Self-Hosted GitHub runner for CI/CD
mumblerfish@lemmy.world 2 weeks agoThere is no auth needed for gh runners? Like a secret shared between them and the repo? I would guess repo secrets are not shared when forked… right?
CameronDev@programming.dev 2 weeks ago
I think it was when you create a merge request back, that the original repo would then run the forked branch on the original runners.
From what I can tell, its now been much more locked down, so its better, but still worth being careful about.
More discussion: reddit.com/…/forks_and_selfhosted_action_runners/
The other potential risk is that the github action author maliciously modifies their code in a later version, but that is solved with version pinning the actions.