Part 11/14:

Adopting a zero trust mindset is paramount. Assumptions should be that any component—be it a pull request, a third-party action, or a runner—can be compromised. Design workflows and environments with this in mind, isolating critical secrets and restricting privilege levels.

2. Harden Runners and Environments

For self-hosted runners, employ strict Linux permission models. Run runners with minimal privileges and isolate processes using containers, such as Docker or Kubernetes, with non-root users. Create separate user accounts for different processes to prevent privilege escalation if a process is compromised.

3. Secure Configuration Files