C0: review compensating control trusted-ci-only

Verified Forgejo runner is registered only to forge.ops.eblu.me and the
forge has registration disabled, so no untrusted users can trigger
privileged CI. Tightened notes to reflect the closed-forge mechanism
(not a per-repo allow-list).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

compensating-controls.yaml

@@ -110,10 +110,17 @@ controls:
       forge (forge.ops.eblu.me). No external or untrusted repos can
       trigger privileged CI jobs.
     created: 2026-03-30
-    last-reviewed: 2026-03-30
+    last-reviewed: 2026-05-01
     notes: >-
-      Verify runner registration is limited to the forge instance.
-      Check Forgejo runner config for repo allow-lists.
+      Verification: (1) Runner config (argocd/manifests/forgejo-runner/
+      config.yaml) connects only to https://forge.ops.eblu.me/. (2) Forge
+      app.ini has DISABLE_REGISTRATION=true and ALLOW_ONLY_EXTERNAL_REGISTRATION
+      =true (ansible/roles/forgejo/defaults/main.yml) — no untrusted users
+      can sign up or create repos. The runner registers at instance scope
+      (repo_id=0/owner_id=0 in action_runner table), but the instance itself
+      is closed, so no per-repo allow-list is needed. Re-evaluate if the
+      forge ever opens to additional users or if the runner is repointed
+      to an external forge.
 
   - id: init-container-isolation
     description: >-

docs/changelog.d/+review-cc-trusted-ci-only.misc.md

@@ -0,0 +1 @@
+Reviewed compensating control `trusted-ci-only`: Forgejo runner is registered only to the private forge, which has registration disabled — no untrusted users can create repos or trigger privileged CI. Tightened the notes to reflect that the closed-forge property (not a per-repo allow-list) is what actually mitigates the risk.