Add pipeline self-hosted runner persistence gates #1722

Open
DENGXUELIN wants to merge 1 commit into UnitOneAI:main from DENGXUELIN:improve/pipeline-self-hosted-runner-persistence-1576

@DENGXUELIN

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: pipeline-security
Skill path: skills/devsecops/pipeline-security/

What Was Wrong

The skill covered pipeline risks but did not require reviewers to distinguish hosted ephemeral runners from persistent self-hosted runners. That can miss persistence and trust-boundary risks where untrusted PR code, shared runner labels, reusable workspaces, caches, Docker state, network access, OIDC, and secrets survive across jobs or repositories.

What This PR Fixes

This PR adds self-hosted runner lifecycle and trust-boundary evidence gates, including:

  • runner group and label exposure checks
  • untrusted PR execution and pull_request_target checkout checks
  • persistent workspace/cache/Docker/service-container cleanup requirements
  • secrets, OIDC, package publish, internal network, and privileged runtime evidence
  • severity/reporting fields for runner persistence findings

Evidence

Before (skill misses this / false positive on this):

A workflow can run untrusted PR code on a long-lived self-hosted runner with broad labels, privileged Docker, shared caches, OIDC, and internal network access without the skill forcing evidence of cleanup and isolation.

After (now correctly handled):

The skill now requires runner lifecycle, trust-boundary, cleanup, privilege, secret, network, and cache evidence before accepting self-hosted runner usage as safe.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing tests still pass

Added:

  • skills/devsecops/pipeline-security/tests/vulnerable/self-hosted-runner-persistent-pr.yml
  • skills/devsecops/pipeline-security/tests/benign/self-hosted-runner-ephemeral-deploy.yml

Validation performed locally:

  • git merge-tree --write-tree origin/main HEAD
  • git diff --check origin/main...HEAD
  • Markdown fence-balance check for changed files
  • ASCII check for added lines

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: PayPal; details can be provided privately after maintainer acceptance.

Closes #1576
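
Added example (not code from this PR or from the pipeline-security skill): a line-based Python heuristic that flags the combination the description calls out, a `pull_request_target` workflow that checks out PR head code on a self-hosted runner, along with OIDC and privileged-container signals. The sample workflows, signal names and function names are constructed for illustration.

```python
import re

# Constructed sample workflows; these are not the test files added by the PR.
SAMPLE_PERSISTENT = """\
on:
  pull_request_target:
permissions:
  id-token: write
jobs:
  build:
    runs-on: [self-hosted, linux]
    container:
      image: builder:latest
      options: --privileged
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""
SAMPLE_HOSTED = """\
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# Line-level signals (heuristic: inline `runs-on:` values only, no YAML parsing).
SIGNALS = {
    "self_hosted_runner": r"^\s*runs-on:.*\bself-hosted\b",
    "pull_request_target": r"^\s*(on:.*)?\bpull_request_target\b",
    "pr_head_checkout": r"^\s*ref:.*github\.event\.pull_request\.head\.(sha|ref)\b",
    "oidc_token": r"^\s*id-token:\s*write\b",
    "privileged_container": r"--privileged\b",
}

def runner_findings(workflow_text):
    """Sorted signal names found, or [] when no job targets a self-hosted runner."""
    lines = [l for l in workflow_text.splitlines() if not l.lstrip().startswith("#")]
    hits = {name for name, pat in SIGNALS.items()
            if any(re.search(pat, l) for l in lines)}
    return sorted(hits) if "self_hosted_runner" in hits else []

def untrusted_code_on_self_hosted(workflow_text):
    """True when a pull_request_target workflow checks out PR head on self-hosted."""
    core = {"self_hosted_runner", "pull_request_target", "pr_head_checkout"}
    return core <= set(runner_findings(workflow_text))
```

A match means the workflow needs runner lifecycle and cleanup evidence before it can be accepted; a block-style `runs-on:` list is not covered by this heuristic and needs a real YAML parse.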

Development

Successfully merging this pull request may close these issues.

[REVIEW] pipeline-security: add self-hosted runner persistence and trust-boundary gates