GitHub Actions Self-Hosted Runners: 3 Security Risks

DEV Community·TildAlice·20 days ago

The Misconfiguration That Let Anyone Merge to Main

A friend pinged me last month: "Our Actions runner keeps pulling PRs from forks we've never heard of." Turns out they'd set up a self-hosted runner on a bare-metal server, pointed it at their public repo, and left the default workflow permissions wide open. Every fork could now execute arbitrary code on their infrastructure.

Self-hosted runners are tempting. GitHub-hosted runners cost $0.008/minute for Linux, $0.016 for Windows. If you're running 50 hours of CI per week, that's $100-200/month. Throw an old desktop in the corner, install the runner agent, and you're done. Free compute.

But free comes with footnotes. The GitHub-hosted runner security model assumes ephemeral VMs that get nuked after every job. Self-hosted runners persist. They accumulate secrets, cache layers, and filesystem artifacts across runs. And if you're not careful about which workflows trigger on which events, you've just handed shell access to the internet.…
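As an added example (not code from the article), the following audit flags a workflow file that both targets a self-hosted runner and triggers on a pull-request event, the combination described above. It is a line-based heuristic rather than a full YAML parser; the function names and the sample workflow are assumptions made for illustration.

```python
import re

def _lines(text):
    return [re.sub(r"(^|\s)#.*", "", line) for line in text.splitlines()]  # drop YAML comments

def fork_events(text):
    """Pull-request events named in the top-level `on:` block."""
    block, inside = [], False
    for line in _lines(text):
        if re.match(r"""^["']?on["']?\s*:""", line):
            inside = True
        elif inside and line.strip() and not line[0].isspace():
            break  # the next top-level key ends the block
        if inside:
            block.append(line)
    return sorted(set(re.findall(r"\bpull_request(?:_target)?\b", "\n".join(block))))

def self_hosted_lines(text):
    """1-based line numbers of `runs-on:` keys whose labels include self-hosted."""
    lines, hits = _lines(text), []
    for i, line in enumerate(lines):
        if m := re.match(r"\s*runs-on\s*:(.*)", line):
            labels, j = m.group(1), i + 1
            while j < len(lines) and re.match(r"\s*-\s", lines[j]):  # block-style list
                labels += " " + lines[j]
                j += 1
            if re.search(r"\bself-hosted\b", labels):
                hits.append(i + 1)
    return hits

def audit(text):
    events, lines = fork_events(text), self_hosted_lines(text)
    return {"events": events, "self_hosted_lines": lines, "risky": bool(events and lines)}

# Constructed sample workflow, not taken from the article.
SAMPLE = """\
on:
  push:
  pull_request_target:
jobs:
  build:
    runs-on: [self-hosted, linux]
    steps:
      - run: make test
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A flagged file is a prompt for manual review of the trigger and runner choice, not proof of exposure; workflows that pick runners through expressions or reusable workflows need a closer look than this check gives.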
