Skip to content

Self-hosted runner security with public repositories #26722

Discussion options

You must be logged in to vote

Yeah, you are right. If your workflows is not triggered by pull request event, then dangerous code on fork repos could not run on your self-hosted runner.

Only collaborators has permission to push to your public repositories directly. If you could make sure your collaborators are safe , then workflows triggered by push event is secure.  

Replies: 14 suggested answers 3 replies

Comment options

You must be logged in to vote
0 replies
Answer selected
Comment options

You must be logged in to vote
0 replies
Comment options

You must be logged in to vote
0 replies
Comment options

You must be logged in to vote
0 replies
Comment options

You must be logged in to vote
2 replies
@karussell
Comment options

@karussell
Comment options

Comment options

You must be logged in to vote
1 reply
@karussell
Comment options

Comment options

You must be logged in to vote
0 replies
Comment options

You must be logged in to vote
0 replies
Comment options

You must be logged in to vote
0 replies
Comment options

You must be logged in to vote
0 replies
Comment options

You must be logged in to vote
0 replies
Comment options

You must be logged in to vote
0 replies
Comment options

You must be logged in to vote
0 replies
Comment options

You must be logged in to vote
0 replies
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment