github / docs

The open-source repo for docs.github.com
https://docs.github.com
Creative Commons Attribution 4.0 International

Clarify that jobs in a workflow can compromise each other only on self-hosted runners #35317

Open neongreen opened 2 hours ago

neongreen commented 2 hours ago

What article on docs.github.com is affected?

https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#reusing-third-party-workflows

What part(s) of the article would you like to see updated?

The individual jobs in a workflow can interact with (and compromise) other jobs. For example, a job querying the environment variables used by a later job, writing files to a shared directory that a later job processes, or even more directly by interacting with the Docker socket and inspecting other running containers and executing commands in them.

My understanding is that this only applies to jobs running on self-hosted runners.

As per https://docs.github.com/en/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners, GHA-hosted runners use a fresh VM for each job. So "shared directory" and "Docker socket" are not a thing for GHA-hosted runners.

Additional information

No response
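As an added example (not part of this issue or of the docs repository), here is a pre-flight shell step that classifies a runner along the lines the comment above draws: a GitHub-hosted job gets a fresh VM, whereas a job on a self-hosted runner may find a reachable Docker socket or files left behind by an earlier job. `RUNNER_ENVIRONMENT` and `GITHUB_ACTIONS` are documented default variables; the Docker socket path and the shared-directory path are assumptions passed in as parameters.

```shell
#!/usr/bin/env sh
# Added example, not code from github/docs. Reports whether the current job
# can share state with other jobs on the same runner.

# isolation_class ENV SOCKET_PATH STATE_DIR
# Prints one of:
#   isolated - GitHub-hosted runner: fresh VM per job, nothing to share
#   shared   - self-hosted runner with a writable Docker socket or with
#              leftover files in a directory another job may reuse
#   clean    - self-hosted runner with neither indicator present
isolation_class() {
  env_kind="$1"; sock="$2"; state_dir="$3"
  if [ "$env_kind" = "github-hosted" ]; then
    echo isolated
    return 0
  fi
  # A writable Docker socket lets one job inspect the containers of other
  # jobs on the same host, the case the security guide describes.
  if [ -S "$sock" ] && [ -w "$sock" ]; then
    echo shared
    return 0
  fi
  # Files left by an earlier job in a directory a later job processes.
  if [ -d "$state_dir" ] && [ -n "$(ls -A "$state_dir" 2>/dev/null)" ]; then
    echo shared
    return 0
  fi
  echo clean
}

# Inside a workflow step, evaluate the real runner. An unset
# RUNNER_ENVIRONMENT is treated as self-hosted so an unknown runner is
# never mistaken for an isolated one. SHARED_STATE_DIR is a hypothetical
# variable naming a directory jobs on this runner are known to reuse.
if [ -n "${GITHUB_ACTIONS:-}" ]; then
  isolation_class "${RUNNER_ENVIRONMENT:-self-hosted}" \
    /var/run/docker.sock "${SHARED_STATE_DIR:-/tmp/shared}"
fi
```

A result of `shared` is the situation the quoted paragraph warns about; `isolated` is what the comment expects for every GitHub-hosted job.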

welcome[bot] commented 2 hours ago

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.