> The biggest mitigation is that gitea documentation discourages you from using action runners from untrusted users.
replyThis recommendation seems incompatible with third-party collaboration, at least on its face!
Potentially, but for many projects things like that are tools that you want to control access to anyway. Anyone wanting to update the CI/CD process who isn't a trusted part of the project should be having their changes properly reviewed by someone who is anyway, at which point the reviewer is the trusted user not the random external entity.
reply