jmuehlner commented on PR #811: URL: https://github.com/apache/guacamole-client/pull/811#issuecomment-1483110259
> > Ok, looks like it is indeed only the first time that the workflow needs to be approved.
> >
> > So long as the build itself can somehow be guaranteed to not be able to impact the repository, the runner it runs on, etc., then this is probably OK as long as we can always manually stop the build.
> >
> > If there is any possibility that the build could be used maliciously, then implicit approval for follow-up builds would be deal-breaking IMHO. It would be far too easy for someone to open a PR, await approval of that PR's build, and then push new and malicious changes.

So it looks like github itself [requires workflow approvals for new users (and does some sort of github-initiated banning of malicious contributors)](https://github.blog/2021-04-22-github-actions-update-helping-maintainers-combat-bad-actors/).

The rest would be up to the configuration of the runner. It won't be able to make changes to the repo unless it has the appropriate credentials as [exemplified here](https://stackoverflow.com/questions/57921401/push-to-origin-from-github-action/58393457#58393457). The same goes for doing bad things to the runner - a malicious user can run whatever sort of nasty things that the Apache runner is configured to let them do.

**TLDR** There's probably no way to guarantee that a user can't mine cryptocurrency or such, but they shouldn't be able to destroy the runner or push bad changes to the repo itself.
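
The following workflow is an added illustration of the credential point discussed in the comment above; it is not part of the comment and is not the workflow proposed in the PR. The workflow name, runner label, timeout value and build command are assumptions.

```yaml
# Hypothetical pull-request build with a read-only token.
# Workflow name, runner label, timeout and build command are assumptions.
name: pr-build

# pull_request (rather than pull_request_target): runs triggered from forks
# receive a read-only GITHUB_TOKEN and no repository secrets.
on:
  pull_request:

# Explicit least privilege for GITHUB_TOKEN, independent of repository defaults.
# With only contents: read, the build cannot push commits or tags.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest        # assumed runner label
    # Upper bound on how long a single run can occupy the runner, in addition
    # to cancelling a run manually.
    timeout-minutes: 30           # assumed value
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not store the token in the checkout's git config, so later
          # build steps cannot reuse it through git.
          persist-credentials: false
      - name: Build
        run: mvn --batch-mode verify   # assumed build command
```

What the build can do on the runner host itself is governed by the runner's own configuration, which a workflow file does not control.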
