From 6074480482256ff82a5bc93de72b30a782d218dc Mon Sep 17 00:00:00 2001
From: Marcel
Date: Sat, 9 May 2026 16:05:19 +0200
Subject: [PATCH] ci: document Docker socket security trade-off in runner config

Co-Authored-By: Claude Sonnet 4.6
---
 runner-config.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/runner-config.yaml b/runner-config.yaml
index 2110e800..66bb616c 100644
--- a/runner-config.yaml
+++ b/runner-config.yaml
@@ -6,6 +6,10 @@ container:
   valid_volumes:
     - "/var/run/docker.sock"
   # appended to `docker run` when the runner spawns a job container
+  # SECURITY: Mounting the Docker socket grants job containers root-equivalent
+  # access to the host Docker daemon. Acceptable here because only trusted code
+  # from this private repo runs on this runner. Do NOT use on a runner that
+  # accepts untrusted PRs from external contributors.
   options: "-v /var/run/docker.sock:/var/run/docker.sock"
   # keep network mode default (bridge) — Testcontainers handles its own networking
   force_pull: false
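Review bot: The four new SECURITY lines are inserted between the existing `# appended to docker run …` comment and the `options:` key that comment describes, so the old comment now reads as the opening line of the security note instead of documenting `options:`. Move the new block above the existing comment, or directly above `valid_volumes:` where the socket is first allow-listed, so each comment sits immediately over the key it annotates. The trust statement is also narrower than the real exposure: everything a job executes with this mount — dependency install hooks, images pulled at build time (Testcontainers is referenced in the next comment), and any account with push access — inherits the same daemon access, so I would phrase it as `# Acceptable only because this runner is registered to this private repo alone and every job input (code, dependencies, images) is trusted.` and name where that repo-only registration is enforced, since nothing in this file constrains it. The `container:` mapping begins above the hunk.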