Open
Description
Code of Conduct
- I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions
What part(s) of the article would you like to see updated?
- There is a gap in the documentation around Runner Groups, specifically around workflow restrictions.
- Upon testing myself, I found that if you restrict a runner group to a workflow and then call that workflow from a different repo, the runner group is available and works only for the portion where you called the approved workflow.
- This has big security hardening implications: it enables workflows to be shared across an organization while ensuring that only code you trust ever runs on your shared self-hosted runners in a group.
- The only mention I could find of this is this brief blog post, with no mention in the actual documentation: https://github.blog/changelog/2022-03-21-github-actions-restrict-self-hosted-runner-groups-to-specific-workflows/
- I think the first article should have more info on workflow restrictions and calling restricted workflows. The second article should include a recommendation for restricting workflows with runner groups and then calling those restricted workflows when sharing workflows across an org.
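The pattern described above, as an added illustration that is not part of the issue or of GitHub's documentation: a reusable workflow in a trusted repository targets a runner group, and a repository elsewhere in the org calls it. The group name `trusted-deploy`, the org name `example-org`, the repo names, the `@v1` ref and the job names are all assumptions; the restriction of the group to the reusable workflow itself is configured in the organization's runner group settings, not in YAML.

```yaml
# example-org/shared-workflows/.github/workflows/deploy.yml
# Reviewed, trusted workflow. The runner group "trusted-deploy" is configured
# in org settings to allow only this workflow (assumed configuration).
name: deploy
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
jobs:
  deploy:
    # Target the restricted group by name rather than by label.
    runs-on:
      group: trusted-deploy
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        run: ./scripts/deploy.sh "${{ inputs.environment }}"

---
# example-org/some-app/.github/workflows/release.yml
# Caller in another repository. Only the job that invokes the approved
# reusable workflow is allowed onto the restricted runners.
name: release
on:
  push:
    tags: ["v*"]
jobs:
  build:
    # Ordinary job: uses a hosted runner, never the restricted group.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make build

  deploy:
    needs: build
    # Reusable-workflow jobs set no runs-on; the runner group is chosen by
    # the trusted workflow. Pin the ref so the caller cannot swap in
    # unreviewed code.
    uses: example-org/shared-workflows/.github/workflows/deploy.yml@v1
    with:
      environment: production

  # A job like the following, with "runs-on: { group: trusted-deploy }"
  # written directly in this untrusted repo, would not be scheduled onto the
  # group because the group is restricted to deploy.yml (per the behaviour
  # the issue describes).
```

The detection-side check for this setup is the org runner group settings: the group should list only the trusted reusable workflow(s), and review of any workflow in the shared repository should be treated as review of code that runs on those self-hosted runners.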
Additional information
No response