How to prevent GitHub Actions workflow being triggered by a forked repository events?
The on pull_request GitHub actions event can be triggered by anyone for public repositories.
i.e. someone:
- clones repository
- adds
.github/workflows/something.ymlrunning onpull_requestevent - creates pull request
The action they specified in the pull request is then run. If you have a self-hosted runner then anyone can run arbitrary code like shell commands on your server in the context of the self-hosted runner's user.
How can I whitelist hooks that actions can be triggered by on a repository? Or otherwise, how can I safely use Github Actions with public repositories with self-hosted runners? I have seen the warning... I just assumed that I had to carefully review pull requests.
A configuration option was added to help secure self-hosted runners. If you have a public repository and a self-hosted runner, then you should always enable the option "Require approval for all outside collaborators" as seen in the Actions configuration screen below.
The new default is to require approval for all first-time contributors to run workflows.
However, GitHub still recommends that you do not use self-hosted runners with public repositories. They specifically state self-hosted runners should almost never be used for public repositories on Github As also mentioned on that page is to use CodeOwners to monitor changes to the directory that your workflow files are stored in (.github/workflows).
- Docker Build does not pass secret via --mount=type=secret
- Running canary and stable chrome versions on Cypress in CI
- GitHub Actions environment var not picked up
- How to run ansible playbook from github actions - without using external action
- Github actions to test python scripts after creating and activating conda environment not working
- Trigger workflows in a PR via gh workflows, without the action yet existing in the default branch
- How to prevent GitHub Actions workflow being triggered by a forked repository events?
- Why is this Workload Identity Pool not being created?
- How to use temporary files and folder in GitHub Actions with PowerShell Pester
- GitHub Actions Caches page empty
- Run GitHub Action on multiple environments (operating systems)
- Can I run gitea actions without docker?
- How to trigger a step manually with GitHub Actions
- `git commit` in Github Actions workflow failing: Write access to repository not granted, 403
- Azure Function deployment from GitHub action is failing in Azure/functions-action
- How to avoid invalid version numbers when publishing to TestPyPI in GitHub Actions?
- Using github actions env vars to run different base Urls in feature and staging for snowflake Cypress test
- How to get pull request number within GitHub Actions workflow
- Combine composite actions from the same repo in GitHub Actions
- Problem with Tailwind and Github Pages deployment
- how to check failure of a command in github action
- Github Actions: set-output does not seem to work
- Accessing environment variable in github actions
- Get current date and time in GitHub workflows
- : GitHub Actions: workflow_dispatch event triggers automatically on pull_request opened
- GitHub Actions - Ignore or exclude Dependabot Pull Requests
- Automatically Generate a GitHub Release Using a Property in appsettings.json for the Tag
- How to apt-get install in a GitHub Actions workflow?
- How to cache poetry install for GitHub Actions
- Name of Github action run in list