Self hosted runner with public repository

I want to run benchmarks for a public repository on non-GitHub hardware, and I know that is discouraged due to security concerns, see documentation.

If we:

  • configure the action in a private repo
  • only run code on the write-moderated master branch

does that sufficiently alleviate the security concerns?

Thanks for your feedback 🙂

The problem is that the runner is available to everyone.

It’s hard to recommend using it, since there are various scenarios where users could try to leverage some scenario and get onto the self-hosted box.

You would also have to think about pull requests (via forks as well), someone could add/edit a workflow to use self-hosted and gain access to the box.

In a super locked-down repository, with no secrets possibly, locked down to folks with write access, maybe, but then again, we generally vote against it as it comes with its own risks.
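As an added example (not part of either post above, and not an official GitHub template), here is what the setup described in the question looks like as a workflow file, with the weak triggers the reply warns about shown commented out beside the restricted ones: the workflow lives in a private repository, fires only on push to its write-moderated master branch, checks out the public project at a pinned commit, and runs it on the self-hosted box. The repository names, the extra runner label, the workflow path, the placeholder commit SHA and the benchmark script are all assumptions.

```yaml
# .github/workflows/benchmark.yml   (assumed path; added example)
name: benchmark

# WEAK: either of these triggers lets anyone who can open a pull request
# (including from a fork of a public repo) bring their own workflow file
# onto the self-hosted runner. Do not combine them with runs-on: self-hosted.
# on:
#   pull_request:
#   pull_request_target:

# RESTRICTED: only commits already merged to master of THIS private
# repository reach the runner, so only people with write access can
# change what runs there.
on:
  push:
    branches: [master]

# The job only reads code; drop every other permission of GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  bench:
    # Extra label (assumed: "bench-box") so that only this workflow targets
    # the benchmarking machine and not any job that says "self-hosted".
    runs-on: [self-hosted, bench-box]
    # Belt and braces: refuse to run if this file is ever copied into a fork
    # or another repository. "example-org/private-benchmarks" is a placeholder.
    if: github.repository == 'example-org/private-benchmarks'
    steps:
      - name: Check out the private benchmark harness (this repository)
        uses: actions/checkout@v4          # pin to a full commit SHA in real use
        with:
          persist-credentials: false       # do not leave the token in .git/config

      - name: Check out the public project under test at a pinned commit
        uses: actions/checkout@v4
        with:
          repository: example-org/public-project   # placeholder
          # Pin a full SHA, never a branch name, so that a later push to the
          # public repo cannot change what executes on the runner.
          ref: 0000000000000000000000000000000000000000   # placeholder SHA
          path: target
          persist-credentials: false

      - name: Run benchmarks
        run: |
          cd target
          ./run-benchmarks.sh   # placeholder for the project's benchmark entry point
```

Two points worth keeping in mind alongside the file: register the runner with `./config.sh --ephemeral` so it takes exactly one job and is re-registered from a clean image afterwards, which limits what a compromised job can leave behind; and remember that the `if:` guard and the branch filter only narrow who can put code on the box to the repository's write-access holders, which is the residual risk the reply above is describing.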