Hey everyone,
I just set up a self-hosted GitHub Actions runner in my homelab and wrote about it in my self-hosted blog! This is my second blog entry, so I would really appreciate any feedback or suggestions to help improve my writing is more than welcome.
You can check out the post here: https://cachaza.cc/blog/02-self-hosted-ci-cd
There is no auth needed for gh runners? Like a secret shared between them and the repo? I would guess repo secrets are not shared when forked… right?
I think it was when you create a merge request back, that the original repo would then run the forked branch on the original runners.
From what I can tell, its now been much more locked down, so its better, but still worth being careful about.
More discussion: https://www.reddit.com/r/github/comments/1eslk2d/forks_and_selfhosted_action_runners/
The other potential risk is that the github action author maliciously modifies their code in a later version, but that is solved with version pinning the actions.