Security changes to workflows to ensure only trusted builds run on self-hosted runner

Author: alitheg

.github/workflows/allowlistchecker.yml

@@ -27,7 +27,8 @@ permissions:
   contents: read
 jobs:
   asf-allowlist-check:
-    runs-on: ubuntu-latest
+    # Trusted sources on our own runner; fork PRs on the hosted runner.
+    runs-on: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && 'self-hosted' || 'ubuntu-latest' }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:

.github/workflows/analyze.yml

@@ -16,7 +16,8 @@ env:
 
 jobs:
   analyze:
-    runs-on: ubuntu-latest
+    # Trusted sources on our own runner; fork PRs on the hosted runner.
+    runs-on: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && 'self-hosted' || 'ubuntu-latest' }}
     strategy:
       fail-fast: false
       matrix:

.github/workflows/build.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches: [altera, arm, main, sbp, tertia]
   pull_request:
-    branches: [main]
+    branches: [arm, main]
   workflow_dispatch:
 
 permissions:
@@ -15,7 +15,15 @@ env:
 
 jobs:
   test:
-    runs-on: ubuntu-latest
+    # Run on our own runner for trusted sources (push/dispatch, or a same-repo
+    # PR); fork PRs fall back to the hosted runner so they never touch it.
+    runs-on: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && 'self-hosted' || 'ubuntu-latest' }}
+    # Skip same-repo PRs from branches push already built - no point building the
+    # same commit twice.
+    if: >-
+      github.event_name != 'pull_request' ||
+      github.event.pull_request.head.repo.full_name != github.repository ||
+      !contains(fromJSON('["altera", "arm", "main", "sbp", "tertia"]'), github.event.pull_request.head.ref)
     strategy:
       fail-fast: false
       matrix:

.github/workflows/codeql.yaml

@@ -12,7 +12,8 @@ on:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    # Trusted sources on our own runner; fork PRs on the hosted runner.
+    runs-on: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && 'self-hosted' || 'ubuntu-latest' }}
 
     permissions:
       actions: read

.github/workflows/generatesbom.yml

@@ -11,7 +11,8 @@ permissions:
 
 jobs:
   generate-sbom:
-    runs-on: ubuntu-latest
+    # Only runs on push to main / dispatch, so always trusted - use our runner.
+    runs-on: self-hosted
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with: