Our process prioritizes validating external code before CI runs.
Currently, you never run CI on external contributions.
So that means after reviewing a PR you run it locally on your computer.
I think that is more of a security problem than using GitHub Actions on PRs from forks.
The run of the GitHub Actions is controlled by repository settings:
https://github.com/exoscale/egoscale/settings/actions
You should check this option "Require approval for all outside collaborators" and the CI will only run after a CI approval (not a PR approval).
Also, the secrets are never used with a PR from forks, so using forks instead of branches is a lot more secure.
Creating a PR from a branch of the repository allows access to secrets; this is a security problem.
I think you should update your security practices and policies.
https://github.com/exoscale/egoscale/pull/627#issuecomment-2082233431
Related to https://github.com/exoscale/egoscale/pull/627