We intend to use self-hosted runners along with GitHub-hosted runners. For security reasons, we would like code to be reviewed before being executed on our self-hosted runners. We have set up our actions to achieve this: only when a pull request is approved (with a certain label attached) can the jobs that run on the self-hosted runner be triggered.
However, we realize that people could just change the yml files, remove any constraint we put in there, and get arbitrary code to run on our self-hosted runners. This is definitely not acceptable.
I feel this would be a common requirement for self-hosted runners. I am wondering if there is a solution. Thanks.