How to Avoid Self-Hosted Runners on Public Repositories
GitHub itself warns against self-hosted runners on public repos because a fork PR can execute untrusted code on your machine.
A public repository lets anyone open a pull request, and a pull_request workflow can run their code on your self-hosted runner. Restrict runners to private repos and disable fork workflow auto-run.
Steps
- Only register self-hosted runners on private or internal repositories.
- Under Settings to Actions to General, set fork PRs to "Require approval for all outside collaborators".
- For orgs, restrict which repos may use self-hosted runner groups.
Fork approval workflow guard
.github/workflows/ci.yml
# Belt-and-suspenders: refuse to run on a fork event on self-hosted
jobs:
build:
if: github.event.pull_request.head.repo.full_name == github.repository
runs-on: self-hosted
steps:
- uses: actions/checkout@v4
- run: npm ci && npm testGotchas
- GitHub-hosted runners are ephemeral and isolated, so they are the safer default for public repos.
- Even "require approval" is weak; a maintainer approving a malicious PR still runs it on your host.
- Latchkey managed runners are ephemeral and isolated per job, which removes most of this class of risk.
Related guides
How to Run Ephemeral Self-Hosted RunnersConfigure self-hosted GitHub Actions runners as ephemeral with the --ephemeral flag so each runner processes…
How to Avoid Running Untrusted Code With pull_request_targetUnderstand why pull_request_target runs with repo secrets and write permissions, and never check out or execu…