chore: Custom GitHub runner image with Unreal docker pre-installed #1340
tustanivsky wants to merge 13 commits into
1 issue
security-review: Found 1 issue (1 low)
Low
Unfiltered `push` trigger runs branch-controlled scripts on snapshot-persistent self-hosted image runners - `.github/workflows/custom-image-linux.yml:5`
The `custom-image-*` workflows trigger on any `push` with no `branches:` filter, check out the pushed ref, and run repo-local scripts (`./scripts/clean-storage-linux.sh` / `clean-storage-win.ps1`) on persistent self-hosted runners (`unreal-image-creating-runner-*`) whose disk is captured via `snapshot:` into a base image reused by future jobs. A contributor with write access can push a modified script to any feature branch to execute code on the runner before the snapshot boundary, persistently poisoning every downstream runner image. Add a `branches: [main]` filter so only trusted refs build the images.
Annotations
Check notice on line 5 in .github/workflows/custom-image-linux.yml
sentry-warden / warden: security-review
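To make the finding concrete, here is the trigger shape the review flags beside the filtered version it recommends. This is an added illustration, not the PR's own workflow: the file path, the `clean-storage-linux.sh` script path and the `unreal-image-creating-runner-*` label prefix come from the finding, while the job name, the exact runner label and the placement of the orchestrator-specific `snapshot:` key are assumptions.

```yaml
# Added example (not the PR's own workflow file).
# Document 1: the weak trigger. A bare `on: push` fires for every branch, so a
# pushed feature branch's scripts/ directory becomes the input to an image build.
name: custom-image-linux
on:
  push                                              # no branches: filter

jobs:
  build-base-image:                                 # assumed job name
    runs-on: unreal-image-creating-runner-linux     # assumed label (finding: unreal-image-creating-runner-*)
    steps:
      - uses: actions/checkout@v4                   # checks out the pushed ref, including scripts/
      - run: ./scripts/clean-storage-linux.sh       # branch-controlled script runs on the persistent runner
    # snapshot: ...   # runner disk captured into the base image after the job;
    #                 # key and position are orchestrator-specific, shown only as a placeholder

---
# Document 2: the corrected trigger. Only pushes to main, the ref that branch
# protection and review gate, reach the image-building runner.
name: custom-image-linux
on:
  push:
    branches: [main]

jobs:
  build-base-image:
    runs-on: unreal-image-creating-runner-linux
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/clean-storage-linux.sh
    # snapshot: ...   # same placeholder as above
```

The filter is only as strong as the protection on `main`: if `main` accepts direct pushes from anyone with write access, the same contributor can still land a modified script there and poison the snapshot. Pair the `branches:` filter with branch protection (required reviews, no force pushes) on the refs you allow to build images, and consider `workflow_dispatch` for deliberate, operator-initiated rebuilds instead of running the build on every commit.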