alt Hacker News> The biggest mitigation is that gitea documentation discourages you from using action runners from untrusted users.
This recommendation seems incompatible with third-party collaboration, at least on its face!
> The biggest mitigation is that gitea documentation discourages you from using action runners from untrusted users.
This recommendation seems incompatible with third-party collaboration, at least on its face!
Potentially, but for many projects things like that are tools that you want to control access to anyway. Anyone wanting to update the CI/CD process who isn't a trusted part of the project should be having their changes properly reviewed by someone who is anyway, at which point the reviewer is the trusted user not the random external entity.