From 98b7452adfcc92c2494733a27deb8d462d1b3856 Mon Sep 17 00:00:00 2001
From: GeiserX
Date: Mon, 22 Jun 2026 23:16:12 +0200
Subject: [PATCH] security: block fork PRs from running on the self-hosted runner

Jobs triggered on pull_request that run on the self-hosted runner could execute untrusted fork PR code on the runner host. Add an if: guard so these jobs run only for same-repo events (push, schedule, workflow_dispatch, and PRs from branches in this repo), never for fork PRs. Runner stays self-hosted for trusted runs.
---
 .github/workflows/main.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 5a34e41..ab7b5f0 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -18,6 +18,10 @@ jobs:
   test:
     name: Test
     runs-on: [self-hosted, Linux, X64]
+    # Do not run untrusted fork PR code on the self-hosted runner.
+    if: >-
+      github.event_name != 'pull_request' ||
+      github.event.pull_request.head.repo.full_name == github.repository
     strategy:
       matrix:
         python-version: ["3.10", "3.11", "3.12", "3.13"]
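Review bot: The new `if:` excludes only the `pull_request` event, so any other trigger that can carry fork-controlled code — `pull_request_target`, or an `issue_comment`/`workflow_run` handler that checks out a PR head — would still pass the first clause and run on the self-hosted runner; the workflow's `on:` block is outside this hunk, so I cannot tell whether any of those are configured today, but the guard should either name them explicitly, e.g. `github.event_name != 'pull_request' && github.event_name != 'pull_request_target' ||`, or the comment should record the constraint: `# Does not cover pull_request_target: never add that trigger without extending this guard.`. Note also that the check guards only the `test` job; any other job in main.yml using the `[self-hosted, Linux, X64]` label needs the same condition, since a job-level `if:` does not propagate. The `head.repo.full_name` comparison fails safe when the head repo is null (deleted fork), as `null == github.repository` is false and the job is skipped. As defense in depth, a self-hosted runner that ever sees PR events should be ephemeral and the repository's "require approval for fork workflow runs" setting enabled, since a future edit to this `if:` is one line away from re-exposing the host.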