C0: review compensating control trusted-ci-only
Verified Forgejo runner is registered only to forge.ops.eblu.me and the forge has registration disabled, so no untrusted users can trigger privileged CI. Tightened notes to reflect the closed-forge mechanism (not a per-repo allow-list).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parent 4aa0872949
commit f84f5f02b3
2 changed files with 11 additions and 3 deletions
1
docs/changelog.d/+review-cc-trusted-ci-only.misc.md
Normal file
@ -0,0 +1 @@
|
|||
Reviewed compensating control `trusted-ci-only`: Forgejo runner is registered only to the private forge, which has registration disabled — no untrusted users can create repos or trigger privileged CI. Tightened the notes to reflect that the closed-forge property (not a per-repo allow-list) is what actually mitigates the risk.
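Review bot: In the added changelog line, the conclusion "no untrusted users can create repos or trigger privileged CI" follows from "registration disabled" only if every account that already exists on the forge is trusted; disabling registration stops new sign-ups, not existing accounts. Suggest stating that assumption in the fragment or in the control's notes, and recording how and when the two properties (runner registered only to the private forge, registration disabled) were verified, so a later review can repeat the check and notice if either setting drifts.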