Notime02 opened a new issue, #39059:
URL: https://github.com/apache/beam/issues/39059

   ## Security Advisory: Self-Hosted Runner Risk Detected
   
   Hello,
   
   It has been detected that this repo uses a **self-hosted GitHub Actions runner** and contains **risky triggers**.
   
   ### Detected Issues
   - **Risk Score:** 100/100
   - **Triggers:** self-hosted runners are present in 303 workflows; RISKY TRIGGER: pull_request_target in IO_Iceberg_Integration_Tests.yml; RISKY TRIGGER: pull_request_target in IO_Iceberg_Integration_Tests_Dataflow.yml
   - **Workflows (303 in total):**
     - `IO_Iceberg_Integration_Tests.yml`
     - `IO_Iceberg_Integration_Tests_Dataflow.yml`
     - `IO_Iceberg_Managed_Integration_Tests_Dataflow.yml`
     - `IO_Iceberg_Performance_Tests.yml`
     - `IO_Iceberg_Unit_Tests.yml`
     - `beam_CancelStaleDataflowJobs.yml`
     - `beam_CleanUpDataprocResources.yml`
     - `beam_CleanUpGCPResources.yml`
     - `beam_CleanUpPrebuiltSDKImages.yml`
     - `beam_CloudML_Benchmarks_Dataflow.yml`
     - ...and 293 more workflows
   
   ### Recommendations
   1. If you use a **self-hosted runner**, make sure the runner's security patches are up to date.
   2. If you use **risky triggers** (`pull_request_target`, `issue_comment`, `workflow_run`, `repository_dispatch`), take additional security measures:
      - For `pull_request_target`: when checking out the base branch, do not work with the PR code
      - For `issue_comment`: make sure only authorized users can trigger it
      - For `workflow_run`: restrict the execution environment
   3. Restrict runner access **to trusted workflows only**.
   4. Restrict the runner's network access.
   5. Store your **tokens** in encrypted form (GitHub Secrets).
   
   Detailed documentation: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
   
   ---
   
   *This message was sent automatically for security purposes. May everyone's computer be safe.*
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.