From c7d2eeb3f05938f8c873b34ab43e1aad3a778588 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Sat, 16 May 2026 00:00:44 +0200
Subject: [PATCH] docs(ci): harden runner-config.yaml security comment for /opt/familienarchiv/ write access

Co-Authored-By: Claude Sonnet 4.6

---
 runner-config.yaml | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/runner-config.yaml b/runner-config.yaml
index 2df22cf3..07cad8d5 100644
--- a/runner-config.yaml
+++ b/runner-config.yaml
@@ -17,12 +17,16 @@ container:
 - "/srv/gitea-workspace"
 - "/opt/familienarchiv"
 # appended to `docker run` when the runner spawns a job container
- # SECURITY: Mounting the Docker socket grants job containers root-equivalent
- # access to the host Docker daemon. Acceptable here because only trusted code
- # from this private repo runs on this runner. Do NOT use on a runner that
- # accepts untrusted PRs from external contributors.
- # /opt/familienarchiv is mounted so the nightly job can deploy observability
- # configs to the permanent location without needing ssh or nsenter.
+ # SECURITY WARNING: This mount configuration grants CI job containers:
+ # 1. Root-equivalent access to the host Docker daemon (via the socket).
+ # 2. Read/write access to /opt/familienarchiv/ — including the main app's
+ # compose files, Caddy config, and observability configs. A malicious
+ # workflow step could overwrite any file in that directory.
+ # Both are acceptable ONLY because this runner is single-tenant: it executes
+ # code exclusively from this private repo with a fixed set of trusted authors.
+ # WARNING: Do NOT add this runner to any repo with external contributors or
+ # untrusted PRs — the blast radius includes the entire production deployment.
+ # See ADR-016 for the reasoning behind the /opt/familienarchiv mount.
 options: "-v /var/run/docker.sock:/var/run/docker.sock -v /srv/gitea-workspace:/srv/gitea-workspace -v /opt/familienarchiv:/opt/familienarchiv"
 # keep network mode default (bridge) — Testcontainers handles its own networking
 force_pull: false
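Review bot: The new comment makes the whole mount set conditional on the runner being single-tenant, but nothing in this file enforces that invariant — it presumably lives in how the runner was registered (repo-scoped token) and in the `- "/opt/familienarchiv"` allow-list entry above, so the comment should say where a future maintainer has to re-check it. I'd add one line under the "WARNING" lines: `# Single-tenancy is NOT enforced here: it depends on the runner's registration scope — re-verify before re-registering or re-scoping this runner.` Separately, the comment now documents that a step can overwrite any file in /opt/familienarchiv/, while the `options:` line still bind-mounts the entire directory read-write; if the nightly job only writes the observability config subtree, either narrow the `-v` to that subtree (path per ADR-016, not visible here) or state in the comment why the full directory is required. The enclosing `container:` mapping starts before this hunk.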