crossbario / crossbar

Crossbar.io - WAMP application router
https://crossbar.io/

Update main.yml #1994

Closed myoung34 closed 2 years ago

myoung34 commented 2 years ago

Ignore =)

oberstet commented 2 years ago

anything you need to know from ps aeuxwww running on this box? ;) never mind, actually, nothing there. also, GH has this nice feature of not running a PR automatically for first time contributors. but yeah, rm -rf / could do damage when run ..

myoung34 commented 2 years ago

Yep, just looking for public repos with self-hosted to flag potential issues to code owners. I can't tell what gates are in front without opening a PR though

Nothing seems insecure about yours =)

oberstet commented 2 years ago

yeah, I figured after checking your profile it would likely be a "sec test";) but thanks for replying. rgd the self-hosted CI from GH stuff: I consider this "semi secure": a first time contributor needs to have an admin look into the (first) PR before that PR is even run. after that, not anymore. which means, a PR can change the workflow and do stuff as the CI user on that box. that user has limited rights. and the credentials for publishing to PyPI or similar are not on the box, so this needs to be done by an admin from his own box. I would consider the credentials handling in workflows the area where stuff could go wrong the "most likely" .. anyways, have a good one!
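As an added example (not this thread's nor the crossbar project's own main.yml), the gate described above can also be written into the workflow itself: the job that needs the self-hosted box only runs for same-repository branches, while fork PRs, whose head branch and workflow file the contributor controls, only ever reach disposable GitHub-hosted runners. Job names, the `make` targets and the branch name are assumptions.

```yaml
name: CI

on:
  pull_request:
  push:
    branches: [master]

# Least-privilege GITHUB_TOKEN for every job; widen per job only where needed.
permissions:
  contents: read

jobs:
  # GitHub-hosted runner: fine for any PR, including forks, because the VM
  # is thrown away afterwards and holds no long-lived state or credentials.
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test

  # Self-hosted runner: restricted to pushes and to PRs whose head branch
  # lives in this repository, so a fork PR can never schedule work here
  # even after the first-time-contributor approval (a repository Actions
  # setting, not something this file controls) no longer applies.
  integration:
    runs-on: [self-hosted, linux]
    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
      - run: make integration
```

The `if:` condition is evaluated before the job is scheduled, so a fork PR shows the job as skipped rather than queued on the self-hosted machine.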

myoung34 commented 2 years ago

You too!

What you described is definitely a best practice but a lot of people tend to enable things without due diligence on the gates.