Actions/Workflow security consideration - PR `on pull_request` workflows
I am suspecting some potential security implications via Actions/Workflows and wondered about opening conversations around it.
There has recently been a Workflow added from a permissioned contributor from a submitted PR, in this case @elreydetoda in PR #353 :
Note the Building Prod Container Workflow, which exists in #353 in this file
And here, being run automagically, or as requested:
This is likely due to the newly-added `on pull_request` via #385, and to the fact that @elreydetoda has some repo permissions; otherwise a first-time outside contributor would produce this message:
(this is the view of the PR for a contributor with write permissions)
This got me thinking about how GH Actions is running PR-submitted Workflows, despite not necessarily having been approved by any other repo contributor/admin. A potential security issue?
A worthwhile read that I believe pertains to our exact situation: https://stackoverflow.com/questions/64553739/how-to-prevent-github-actions-workflow-being-triggered-by-a-forked-repository-ev
GitHub still recommends that you do not use self-hosted runners with public repositories. They specifically state self-hosted runners should almost never be used for public repositories on GitHub.
Looking for input! Is my concern reasonable? Am I missing something? Is there a better way?
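To make the concern concrete, here is an added example (not the project's own workflow, and not from the issue) showing the risky shape described above next to a hardened version of the same PR-triggered workflow. The workflow names, the `build` job, the image tag and the step contents are assumptions for illustration.

```yaml
# Added example, not code from the repository or the issue.
# Names, image tag and steps are assumed for illustration.

# --- Risky shape: PR-triggered build on a self-hosted runner, default token scope ---
# A collaborator with write permission can push a PR that changes this file and the
# Dockerfile; both run here without any other reviewer approving them first.
name: Building Prod Container (risky shape)
on:
  pull_request:
jobs:
  build:
    runs-on: self-hosted                  # PR-controlled code runs on your own machine
    steps:
      - uses: actions/checkout@v4         # checks out the PR head, including the Dockerfile
      - run: docker build -t prod-image .

---
# --- Hardened: same trigger, GitHub-hosted runner, least-privilege token, no secrets ---
# The PR still gets built (useful for review), but on a disposable VM, with a
# read-only GITHUB_TOKEN, and without any step that could push or publish.
name: Building Prod Container (hardened)
on:
  pull_request:
permissions:
  contents: read                          # GITHUB_TOKEN can only read the repository
jobs:
  build:
    runs-on: ubuntu-latest                # GitHub-hosted, thrown away after the job
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t prod-image . # build only: no registry login, no secrets used
      # Publishing the image belongs in a separate workflow triggered by `push` to the
      # default branch, where the code has already been reviewed and merged.
```

Note that a `pull_request` run from a fork already gets a read-only token and no repository secrets; the hardened form applies the same limits to PRs opened by collaborators with write permission, which is the case described in the issue.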