From 0d43554dd62f609ca15de25c7a3d199be0bb2f0d Mon Sep 17 00:00:00 2001
From: Vaughan Jones
Date: Tue, 19 May 2026 09:16:47 +1000
Subject: [PATCH] ci: use github-hosted runners for public repo security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Public repositories accept pull requests from untrusted contributors. A workflow that executes PR-author code on self-hosted or managed runner infrastructure exposes that infrastructure — secrets, network position, cached credentials, neighbouring jobs — to whoever opened the PR. Switch all jobs in build-and-test.yml from runs-on.com (4cpu-linux-x64) to GitHub-hosted ubuntu-latest. GitHub-hosted runners are ephemeral, network-isolated, and discarded after each job, which is the only safe execution environment for untrusted code from forks.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/build-and-test.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 6f04c67c8..775ce2bb8 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -13,7 +13,7 @@ on:
 jobs:
   test:
     name: test-node-${{ matrix.node-version }}
-    runs-on: runs-on,runner=4cpu-linux-x64
+    runs-on: ubuntu-latest
     permissions:
       contents: read
     strategy:
@@ -49,7 +49,7 @@ jobs:
           path: ./test-reports
 
   test-summary-publish:
-    runs-on: runs-on,runner=4cpu-linux-x64
+    runs-on: ubuntu-latest
     needs: [test]
     permissions:
       contents: read
@@ -60,7 +60,7 @@ jobs:
           paths: ./test-reports/**/*.xml
 
   lint-check:
-    runs-on: runs-on,runner=4cpu-linux-x64
+    runs-on: ubuntu-latest
     permissions:
       contents: read
     steps:
@@ -71,7 +71,7 @@ jobs:
         run: pnpm lint:check
 
   publish:
-    runs-on: runs-on,runner=4cpu-linux-x64
+    runs-on: ubuntu-latest
     if: github.event_name == 'release'
     needs:
       - test
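Review bot: `runs-on: ubuntu-latest` in the `test` job is necessary but not sufficient for the stated goal: whether fork code can reach secrets is decided by the `on:` block that ends just above `jobs:` (before line 13, outside the hunk), which the commit leaves unreviewed. If that block lists `pull_request_target` or `workflow_run`, PR-author code runs with the base repository's secrets and a write-capable `GITHUB_TOKEN` regardless of the runner, so a hosted runner alone does not deliver the isolation the message calls "the only safe execution environment". The per-job `permissions: contents: read` is the right default and belongs alongside the runner change. I would pin the assumption next to the line so a later edit does not undo it: `# untrusted fork PRs must only run here via pull_request (read-only token, no secrets); never self-hosted or pull_request_target`. `ubuntu-latest` is also a floating image label; `ubuntu-24.04` would make the image explicit, but that is a reproducibility preference rather than a security gap.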
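Review bot: The `publish` job at the end of the last hunk shows no `permissions:` block, unlike `test`, `test-summary-publish` and `lint-check`, which each declare `permissions: contents: read` directly after `runs-on`; if none appears in the rest of the job (its body and `needs:` list continue past the hunk) it runs with the repository's default `GITHUB_TOKEN` permissions. Because this is the job gated on `github.event_name == 'release'` and presumably the one holding publishing credentials, it is where an explicit least-privilege block matters most. I would add `permissions:` with `contents: read` right after `runs-on: ubuntu-latest`, plus `id-token: write` only if the registry is reached via OIDC trusted publishing rather than a long-lived token.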