How to prevent GitHub Actions workflow being triggered by a forked repository events?
It recently occurred to me that the on pull_request event for GitHub actions can be triggered by absolutely anyone if you have a public repository.
i.e.:
- Someone clones my repository
- They add a
something.ymlfile to.github/workflowsthat runs on thepull_requestevent - They create a pull request
The action that they specify in a pull request is then run. If you have a self-hosted runner then literally any person on the planet can run shell commands on your server in the context of the self-hosted runner's user.
If this works as I think it does, any human on the planet can run arbitrary code on your server simply with a pull request. I tried this and it seems to be the case.
How can I whitelist hooks that actions can be triggered by on a repository? Or otherwise, how can I safely use Github Actions with a public repository and a self-hosted runner. I have seen the warning... I just assumed that I had to be careful not to accept pull requests from unknown provenance.
A configuration option was added to help secure self-hosted runners. If you have a public repository and a self-hosted runner, then you should always enable the option "Require approval for all outside collaborators" as seen in the Actions configuration screen below.
The new default is to require approval for all first-time contributors to run workflows.
However, GitHub still recommends that you do not use self-hosted runners with public repositories. They specifically state self-hosted runners should almost never be used for public repositories on Github As also mentioned on that page is to use CodeOwners to monitor changes to the directory that your workflow files are stored in (.github/workflows).
- Workflow is not shown so I cannot run it manually (Github Actions)
- How to share variable value from a reusable to its caller workflow
- Files are not updated after the Jenkins Build success triggered by the GitHub Actions
- GitHub multiple workflows fail to run
- dotnet publish for ASP.NET Core MVC doesn't correctly handle wwwroot folder
- Github Action on pull_request - process files changed in the current commit
- GitHub Actions: How to call a reusable workflow as a step?
- Job "waiting for pending jobs" is skipped
- How to solve "Permission permission_denied: read_package" in a GitHub Actions workflow targeting the GitHub packages registry?
- Failed to deploy Next.js site on GitHub Pages
- GitHub action chaosaffe/split-tests cannot be download in private project
- Get connectionString value from az storage account show in github action
- Github actions: using two different kinds of self-hosted runners
- How to share dependencies installation with reusable workflow in github actions
- Choose CPU processor (intel or AMD) of machine hosting action runner
- GitHub action for golangci-lint fails with can't load fmt
- Cannot use gvenzl/oracle-free oracle free image in Github actions
- Is there any way to deploy an Azure resource group as part of the resources deployed into it using Bicep and GitHub Actions (azure/arm-deploy@v2)?
- Deploying a Python App to Azure App Service with Github Actions
- How allow github actions to access database on vnet
- workflow_run use files from current branch
- Accessing node_modules in composite action on GitHub
- Delete a workflow from GitHub Actions
- HeadlessException in Github Actions
- Get run id after triggering a github workflow dispatch event
- Github dispatches workflow Invalid request
- Prohibit workflow dispatch from running on branches other than main
- How to trigger github action when PR is merged and Workflow dispatch?
- Invoke GitHub Actions workflow manually and pass parameters
- Is there a way to restrict what branch an action can be run on?