Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add runner-level config to enforce PR security #783

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Add runner-level config to enforce PR security #783

wants to merge 1 commit into from

Commits on Sep 12, 2023

  1. Add runner-level config to enforce PR security 

    This allows self-hosted runners to limit who can run jobs to give "just
enough protection" to allow using self-hosted runners with public repos.

By default, the current behaviour is unchanged -- all jobs passed to the
runner are executed.

If the `.runner` config file has this block added to it:

```
  "pullRequestSecurity": {}
```

Then by only PRs from "CONTRIBUTORS" and "OWNERS" can run (as defined by
the field in
https://docs.github.com/en/free-pro-team@latest/graphql/reference/objects#pullrequest
-- nothing for us to have to work out ourselves.)

It is also possible to explicitly list users that are allowed to run
jobs on this worker:

```
  "pullRequestSecurity": {
    "allowedAuthors": ["ashb"]
  }
```

Or to _only_ allow the given users, but not all contributors:

```
  "pullRequestSecurity": {
    "allowContributors": false,
    "allowedAuthors": ["ashb"]
  }
```

Owners of the repo are always allowed to run jobs.

If an allowed user pushes a commit to a PR from a non-allowed user, than
_that_ build will be allowed to run on the self-hosted runner.
    @ashb
    ashb committed Sep 12, 2023
    Configuration menu
    Copy the full SHA
    eaa6f8f View commit details
    Browse the repository at this point in the history