Prevent unsupervised code running on self-hosted runner

We intend to use self-hosted runners along with Github-hosted runners. For security reasons, we would like code to be reviewed before being executed on our self-hosted runners. We have setup our actions to achieve this: only when a pull request is approved (with a certain label attached), the jobs that run on the self-hosted runner can be triggered.

However, we realize that in people could just change the yml files, remove any constraint we put in there, and they can get arbitrary code to run on our self-hosted runners. This is definitely not acceptable.

I feel this would be a common requirement for self-hosted runner. I am wondering if there is a solution. Thanks.

@qinsoon,

For the security, we recommend that you do not use self-hosted runners with public repositories.

In the private repositories, if you are the owners or administrators, you can just invite the trusted people or teams as members into the repositories, and you also can manage the access permissions of each member.
roles

Thanks for the reply. I thought there might be a way to achieve this, like file locking (prevent people from changing action ymls) or manually triggering jobs on self-hosted runners from bot. It seems none is provided.

@qinsoon,

Currently, GitHub does not have the build-in features that can lock specified files or directories to prevent people from changing these files.

If your projects really need this feature, I recommend you directly report a feature request here. That will allow you to directly interact with the appropriate engineering team, and make it more convenient for the engineering team to collect and categorize your suggestions.