From dd13d9bbb19c78bbe4d4af0d22b6285ef9ed99ae Mon Sep 17 00:00:00 2001
From: GeiserX
Date: Mon, 22 Jun 2026 23:27:30 +0200
Subject: [PATCH] security: block fork PRs from running on the self-hosted runner

Jobs triggered on pull_request that run on the self-hosted runner could execute untrusted fork PR code on the runner host. Add an if: guard so these jobs run only for same-repo events (push, schedule, workflow_dispatch, and PRs from branches in this repo), never for fork PRs. Runner stays self-hosted for trusted runs.
---
 .github/workflows/ci.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 607c65a..9e1b9ab 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,10 @@ permissions:
 jobs:
 build:
 runs-on: [self-hosted, Linux, X64]
+ # Do not run untrusted fork PR code on the self-hosted runner.
+ if: >-
+ github.event_name != 'pull_request' ||
+ github.event.pull_request.head.repo.full_name == github.repository
 strategy:
 matrix:
 node-version: [20, 22]
@@ -28,6 +32,10 @@ jobs:
 coverage:
 runs-on: [self-hosted, Linux, X64]
+ # Do not run untrusted fork PR code on the self-hosted runner.
+ if: >-
+ github.event_name != 'pull_request' ||
+ github.event.pull_request.head.repo.full_name == github.repository
 steps:
 - uses: actions/checkout@v6
 - uses: actions/setup-node@v6
@@ -45,6 +53,10 @@ jobs:
 docker:
 runs-on: [self-hosted, Linux, X64]
+ # Do not run untrusted fork PR code on the self-hosted runner.
+ if: >-
+ github.event_name != 'pull_request' ||
+ github.event.pull_request.head.repo.full_name == github.repository
 steps:
 - uses: actions/checkout@v6
 - name: Build Docker image
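Review bot: The `if:` guard added to the build job is a deny-list — it excludes only `pull_request` — while the commit message describes an allow-list (push, schedule, workflow_dispatch, same-repo PRs), so any other trigger the workflow has or later gains (notably `pull_request_target`, or an `issue_comment`-driven rerun) reaches the self-hosted runner with no fork check at all; the workflow's `on:` block is outside the hunk, so I cannot confirm which triggers exist today. Spelling the allowed set out matches the stated intent and fails closed when someone adds a trigger: `github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)`. Note also that a job skipped by `if:` finishes as "skipped" rather than failed, and as far as I recall branch protection treats a skipped required check as satisfied, so fork PRs would become mergeable without ever having been built — either confirm these jobs are not required checks, or route fork PRs to a hosted runner for an unprivileged build instead of skipping them. The same four-line condition is pasted into the coverage and docker jobs; a single gate job that the other three `needs:` would keep the three copies from drifting apart.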