Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions
What part(s) of the article would you like to see updated?
- There is a gap in the documentation around Runner Groups, specifically around workflow restrictions.
- Upon testing myself, I found that if you restrict a runner group to a workflow and then call that workflow in a different repo, the runner group is available/works for only the portion where you called the approved workflow.
- This has big security hardening implications: enabling workflows to be shared across an organization, while ensuring that only code you trust always runs on your shared self-hosted runners in a group.
- The only mention I could find of this is this brief blog post, without any mention in the actual documentation: https://github.blog/changelog/2022-03-21-github-actions-restrict-self-hosted-runner-groups-to-specific-workflows/
- I think the first article should have more info on workflow restrictions and calling restricted workflows. The second article should include a recommendation for restricting workflows with runner groups and then calling those restricted workflows when sharing workflows across an org.
Additional information
No response
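The pattern described in this issue, sketched as an added example (not part of the original issue and not taken from GitHub's documentation). The organization, repository, runner group, and tag names are hypothetical, and it assumes the runner group's repository access also allows the calling repository.

```yaml
# File 1 (hypothetical): example-org/trusted-workflows/.github/workflows/deploy.yml
# Assumed runner group setting: group "trusted-deploy" is restricted to
#   example-org/trusted-workflows/.github/workflows/deploy.yml@v1
name: Trusted deploy
on:
  workflow_call:
    inputs:
      environment:
        type: string
        required: true
jobs:
  deploy:
    # Job defined inside the approved workflow, so it may use the restricted group.
    runs-on:
      group: trusted-deploy
    steps:
      # Pass the caller-supplied input through env rather than inlining it in the script.
      - run: echo "deploying to $TARGET_ENV"
        env:
          TARGET_ENV: ${{ inputs.environment }}
---
# File 2 (hypothetical): example-org/app/.github/workflows/release.yml
name: Release
on:
  push:
    tags: ["v*"]
jobs:
  build:
    # Caller-defined job: runs on a GitHub-hosted runner, not on the restricted group.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make build
  deploy:
    needs: build
    # Only this call into the approved workflow is scheduled on the restricted group.
    uses: example-org/trusted-workflows/.github/workflows/deploy.yml@v1
    with:
      environment: production
```

With this layout, the code that executes on the shared self-hosted runners is the reviewed content of `deploy.yml` at the approved ref, while the caller controls only the inputs it passes.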