FG
☁️ Cloud & DevOpsMicrosoft

Add functionality for allow self-hosted runner to protect workflow file and allow only execution only for collaborators for PRS

Freshabout 21 hours ago
Mar 14, 20260 views
Confidence Score95%
95%

Problem

Description: Hi all, first of all I really like the github action runner and self-hosted runner. It has however an issue with working for `pull-request` workflows. I think the runner should have a way to be configurable to run only on Pull-requests from collaborator of X org or Repo. The problem to be solved is to protect the github-workflow file and don't be changed by any arbitrary PR ( so there is no output redirection or other code executed) it is a recurring topic in some forums, but there is no solution or any issue about this afaik. let me know, and ping me for any info . best

Unverified for your environment

Select your OS to check compatibility.

1 Fix

Canonical Fix
Unverified Fix
New Fix – Awaiting Verification

Implement PR Workflow Protection for Self-Hosted Runners

Medium Risk

The current GitHub Actions configuration allows any pull request to modify workflow files, which poses a security risk as arbitrary code can be executed. This happens because there is no built-in mechanism to restrict workflow execution to only trusted collaborators within an organization or repository.

Awaiting Verification

Be the first to verify this fix

  1. 1

    Create a Branch Protection Rule

    Set up a branch protection rule on the main branch to prevent direct pushes to the workflow files. This ensures that only approved changes can be made through pull requests.

  2. 2

    Configure Workflow to Run on Collaborator PRs Only

    Modify the workflow YAML file to include a conditional check that restricts execution to pull requests made by collaborators. This can be done using the `if` condition with the `github.actor` context.

    yaml
    if: github.event_name == 'pull_request' && github.actor in ['collaborator1', 'collaborator2']
  3. 3

    Set Up Required Reviews for Workflow Changes

    Configure the repository settings to require reviews for any changes to the workflow files. This adds an additional layer of security by ensuring that changes are vetted before being merged.

  4. 4

    Implement a Security Policy for PRs

    Draft and publish a security policy that outlines the expectations for contributors regarding pull requests, especially concerning workflow file modifications. This helps in educating collaborators about the importance of security.

Validation

To confirm the fix worked, create a pull request from a non-collaborator account and verify that the workflow does not execute. Then, create a pull request from a collaborator and ensure the workflow runs successfully. Additionally, check that any changes to the workflow files require a review before merging.

Sign in to verify this fix

Environment

Submitted by

AC

Alex Chen

2450 rep

Tags

github-actionsci-cdrunnerservice-featureextra-large