Support for "Private Actions" on Public Repos

I have a few projects that I would love to share and keep open source, and for the past few weeks I have been using Actions as an easy way to compile and share my projects. I love the tight integration of the repo and the CI/CD system without having to host my own solution (for a while I used Jenkins). I recently tried using a self-hosted runner on one of my work repos to run some basic scripts, and got the idea to try and run a build of one of my larger projects the same way, as it was too big (~40GB when compiling is done, it's a Yocto build. Actual Linux image is about 120MB) and took way too long to compile on a GitHub hosted runner. The issue is I would like to keep the project open source without risking my build PC's integrity on a self-hosted action. Is this something you guys are considering? I would love the ability to do this, as it would also allow better testing of the Action I am developing that is designed for self-hosted machines.


Hi @chand1012 ,

Glad to see you in the GitHub Community Forum!

It's not recommended to use self-hosted runners with public repositories.

Forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow. Untrusted workflows running on your self-hosted runner pose significant security risks for your machine and network environment, especially if your machine persists its environment between jobs. Please check the doc for more details.

What about using a private repository for the self-hosted runner, but syncing the repo content to another public one as an alternative?

Thanks.

At the moment I do have two separate repos, one public and one private. On my local setup I have one repo but with the two different repos as different remotes. I run

git push origin master && git push private master

to update both, but I think there could be a lot of uses for either having private actions or tightening up the security in self-hosted actions. Another idea I had for this was by default having no one's code run on the self-hosted actions but direct contributors, and any other code having to be reviewed before execution.
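As an added example (not code from this thread), the workflow below shows the risky configuration the reply warns about next to one that only lets the self-hosted runner execute code from the repository itself, which is the "direct contributors only" idea in practice. The `build.sh` script and the `master` branch name are assumed.

```yaml
# Risky: every pull_request, including one opened from a fork, is checked out
# and executed on the self-hosted machine. Anyone who can open a PR can change
# build.sh (or the workflow itself) and run it on your build PC.
name: yocto-build (risky)
on: [pull_request]
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh
---
# Restricted: the self-hosted job runs for pushes to master and for pull requests
# whose head branch lives in this repository. A PR from a fork has a different
# head.repo.full_name, so the job is skipped rather than run on the runner.
name: yocto-build
on:
  push:
    branches: [master]
  pull_request:
jobs:
  build:
    if: >-
      github.event_name == 'push' ||
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: [self-hosted, linux]
    permissions:
      contents: read          # the job token cannot push or touch other scopes
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config on the runner
      - run: ./build.sh
```

The `if` expression only decides whether the job runs; it does not isolate the runner, so a runner that keeps its environment between jobs still needs a clean (e.g. throwaway VM or container) workspace for each build.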

Thanks @chand1012 . Your idea is helpful!

According to the policy, please share your idea here, where a GitHub product manager will review it.