eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/changelog.d/+review-cc-trusted-ci-only.misc.md

1 line
330 B
Markdown
Raw Normal View History

C0: review compensating control trusted-ci-only Verified Forgejo runner is registered only to forge.ops.eblu.me and the forge has registration disabled, so no untrusted users can trigger privileged CI. Tightened notes to reflect the closed-forge mechanism (not a per-repo allow-list). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 10:49:22 -07:00
Reviewed compensating control `trusted-ci-only`: Forgejo runner is registered only to the private forge, which has registration disabled — no untrusted users can create repos or trigger privileged CI. Tightened the notes to reflect that the closed-forge property (not a per-repo allow-list) is what actually mitigates the risk.
Reference in a new issue Copy permalink