Skip to content
Latchkey

How to Avoid Self-Hosted Runners on Public Repositories

GitHub itself warns against self-hosted runners on public repos because a fork PR can execute untrusted code on your machine.

A public repository lets anyone open a pull request, and a pull_request workflow can run their code on your self-hosted runner. Restrict runners to private repos and disable fork workflow auto-run.

Steps

  • Only register self-hosted runners on private or internal repositories.
  • Under Settings to Actions to General, set fork PRs to "Require approval for all outside collaborators".
  • For orgs, restrict which repos may use self-hosted runner groups.

Fork approval workflow guard

.github/workflows/ci.yml
# Belt-and-suspenders: refuse to run on a fork event on self-hosted
jobs:
  build:
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

Gotchas

  • GitHub-hosted runners are ephemeral and isolated, so they are the safer default for public repos.
  • Even "require approval" is weak; a maintainer approving a malicious PR still runs it on your host.
  • Latchkey managed runners are ephemeral and isolated per job, which removes most of this class of risk.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →