Hey everyone,
I just set up a self-hosted GitHub Actions runner in my homelab and wrote about it in my self-hosted blog! This is my second blog entry, so I would really appreciate any feedback or suggestions to help improve my writing is more than welcome.
You can check out the post here: https://cachaza.cc/blog/02-self-hosted-ci-cd
I can’t find it right now, but there used to be a warning about not self-hosting runners for public repos. Anyone could fork your repo, and the fork would inherit your runners, and then they could change the pipeline to RCE on your runner.
Has that been fixed?
I went to a completely private gitlab instead, with mirroring up to github for anything that needed to be public.
Edit: seems to maybe not be an issue anymore, at the very least it doesn’t seem to affect that repo. Still, for anyone else, make sure forks and MRs can’t cause action to run automatically on your runner, because that would be very bad.
There is no auth needed for gh runners? Like a secret shared between them and the repo? I would guess repo secrets are not shared when forked… right?
I think it was when you create a merge request back, that the original repo would then run the forked branch on the original runners.
From what I can tell, its now been much more locked down, so its better, but still worth being careful about.
More discussion: https://www.reddit.com/r/github/comments/1eslk2d/forks_and_selfhosted_action_runners/
The other potential risk is that the github action author maliciously modifies their code in a later version, but that is solved with version pinning the actions.
I also thought this wasn’t an issue anymore, there’s a setting in the Actions settings where you can enable or disable workflows from forked pull requests. But someone on Reddit spooked me a bit about it, so for now, I’ve made the repo private until I’m 100% sure there are no risks. I wanted it public because I was considering using GitHub Issues as a backend for blog comments, but I’ll reevaluate that. Also, thanks for the idea of running a local git server with mirroring to GitHub—I hadn’t considered having two upstreams. That could be a great setup, especially since I’m still in college and trying to build in public for future job opportunities while keeping CI/CD self-hosted.
I did create a fork and MR, and neither used your runner (sorry if that is what spooked you).
Develop local and push remote also let’s you sanitize what is public and what isnt. Keep your half-backed personal projects local, push the good stuff to github for job opportunities.
No worries! When I checked the repo, I didn’t see any forks, and my Proxmox resource usage looked normal, so I didn’t think anything bad happened. I just got cautious after a Reddit user pointed out that the config I thought was safe wasn’t actually secure.
I hadn’t thought of it that way, but it makes a lot of sense. I was just avoiding committing certain things and only pushing finished work to GitHub.