  • I can’t find it right now, but there used to be a warning about not self-hosting runners for public repos. Anyone could fork your repo, and the fork would inherit your runners, and then they could change the pipeline to RCE on your runner.

    Has that been fixed?

    I went to a completely private GitLab instead, with mirroring up to GitHub for anything that needed to be public.

    Edit: seems to maybe not be an issue anymore, at the very least it doesn’t seem to affect that repo. Still, for anyone else, make sure forks and MRs can’t cause action to run automatically on your runner, because that would be very bad.
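
One way to check for the condition the comment above warns about, as an added example that is not part of the original comment: a small audit that flags workflows where a pull-request trigger and a self-hosted runner appear together. It assumes GitHub Actions workflow syntax (`on:`, `runs-on:`, the `self-hosted` label), uses a line-based heuristic rather than a YAML parser, and will not see runners selected only by a custom label; the sample workflow is constructed.

```python
import re
FORK_TRIGGERS = {"pull_request", "pull_request_target"}

def _code(line):
    return re.sub(r"(^|\s)#.*$", "", line)  # drop YAML comments

def triggers(workflow):
    """Words in the top-level `on:` section (heuristic, not a YAML parser)."""
    found, in_on = set(), False
    for line in map(_code, workflow.splitlines()):
        if re.match(r"""^["']?on["']?\s*:""", line):
            in_on, line = True, line.split(":", 1)[1]
        elif in_on and line.strip() and not line[0].isspace():
            in_on = False  # the next top-level key ends the section
        if in_on:
            found.update(re.findall(r"[a-z_]+", line))
    return found

def self_hosted_lines(workflow):
    """1-based line numbers of `runs-on:` keys whose labels include self-hosted."""
    lines, hits = [_code(l) for l in workflow.splitlines()], []
    for i, line in enumerate(lines):
        m = re.match(r"^\s*runs-on\s*:(.*)$", line)
        if not m:
            continue
        labels, j = m.group(1), i + 1
        while j < len(lines) and re.match(r"^\s*-\s", lines[j]):
            labels, j = labels + lines[j], j + 1  # block-list form
        if "self-hosted" in labels:
            hits.append(i + 1)
    return hits

def audit(workflow):
    """Flag self-hosted jobs in workflows that pull requests can trigger."""
    events = sorted(triggers(workflow) & FORK_TRIGGERS)
    return [f"line {n}: self-hosted runner, triggered by {', '.join(events)}"
            for n in self_hosted_lines(workflow)] if events else []

# Constructed sample workflow, not taken from any real repository.
RISKY = """\
on:
  push:
  pull_request:
jobs:
  build:
    runs-on: [self-hosted, linux]
    steps:
      - run: make test
"""
print(audit(RISKY))
```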