CI/CD needs to be run on pull requests by non-maintainers, so the runners need to be secure. GitHub only runs CI on PRs if they’re from a past contributor or after maintainer approval, but this really only stops obvious cryptocurrency mining or similar activities. It’s not a replacement for secure runners.
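As an added illustration of the point above (not from any post in this thread), two GitHub Actions workflow files: the first hands the untrusted PR code the base repository’s secrets and a write-capable token, the second runs it with read-only access only. The job name and script path are assumed.

```yaml
# .github/workflows/ci-weak.yml  (misconfiguration to avoid)
# pull_request_target runs in the base repo's context, so repo secrets and a
# write-capable GITHUB_TOKEN are available, yet the step checks out the
# *untrusted* PR head and runs whatever it contains.
name: ci-weak
on: pull_request_target
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./scripts/test.sh   # assumed script path
```

```yaml
# .github/workflows/ci.yml  (least-privilege variant)
# pull_request runs against the merge commit without repository secrets
# (fork PRs only get a read-only GITHUB_TOKEN); permissions are declared
# explicitly, runs are time-boxed, and superseded runs are cancelled.
name: ci
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
concurrency:
  group: ci-${{ github.event.pull_request.number }}
  cancel-in-progress: true
jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/test.sh   # assumed script path
```

Neither file changes the fact that the PR’s code still executes on the runner; the hardened variant only limits what that code can reach, which is why the runner itself still has to be isolated.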
FWIW Gitea (Forgejo is an unnecessary fork of Gitea that was created before the runner integration was done, so likely that bit is independently developed) has some more info on the security aspects of things: Frequently Asked Questions | Gitea Documentation
But in general you are allowing unvetted people to run unvetted code on your machine, so you will have to assume the worst (that is not really different for GitLab and GitHub either).
FWIW, the Forgejo folks at least have a roadmap for federation, which (eventually) would hopefully help with that.
Maybe the recent incident of OrganicMaps being blocked at GitHub might serve as a wake-up call to nudge OSMF toward looking at a Forgejo (or some other FOSS) self-hosted instance, at least for core OSM projects?
More about that, for those who weren’t following along: