Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify that jobs in a workflow can compromise each other only on self-hosted runners #35317

Open
1 task done
neongreen opened this issue Nov 17, 2024 · 3 comments
Open
1 task done
Labels
actions This issue or pull request should be reviewed by the docs actions team content This issue or pull request belongs to the Docs Content team needs SME This proposal needs review from a subject matter expert waiting for review Issue/PR is waiting for a writer's review

Comments

@neongreen
Copy link

Code of Conduct

What article on docs.github.com is affected?

https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#reusing-third-party-workflows

What part(s) of the article would you like to see updated?

The individual jobs in a workflow can interact with (and compromise) other jobs. For example, a job querying the environment variables used by a later job, writing files to a shared directory that a later job processes, or even more directly by interacting with the Docker socket and inspecting other running containers and executing commands in them.

My understanding is that this only applies to jobs running on self-hosted runners.

As per https://docs.github.com/en/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners, GHA-hosted runners use a fresh VM for each job. So "shared directory" and "Docker socket" are not a thing for GHA-hosted runners.

Additional information

No response

@neongreen neongreen added the content This issue or pull request belongs to the Docs Content team label Nov 17, 2024
Copy link

welcome bot commented Nov 17, 2024

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Nov 17, 2024
@nguyenalex836 nguyenalex836 added actions This issue or pull request should be reviewed by the docs actions team waiting for review Issue/PR is waiting for a writer's review and removed triage Do not begin working on this issue until triaged by the team labels Nov 18, 2024
@nguyenalex836
Copy link
Contributor

@neongreen Thank you for raising this issue! I'll get this triaged for review ✨ Our team will provide feedback regarding the best next steps for this issue - thanks for your patience! 💛

@subatoi subatoi added the needs SME This proposal needs review from a subject matter expert label Nov 19, 2024
Copy link
Contributor

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
actions This issue or pull request should be reviewed by the docs actions team content This issue or pull request belongs to the Docs Content team needs SME This proposal needs review from a subject matter expert waiting for review Issue/PR is waiting for a writer's review
Projects
None yet
Development

No branches or pull requests

3 participants