tenseleyflow/shithub / 49ecaa3

+- optional per-container DNS servers for operator-managed egress

+  allowlisting

+Runner network allowlisting is an operator-managed control. The runner

+config records `runner.network_allowlist` and passes

+`engine.dns_servers` to each step container; the deployment role renders

+a dnsmasq allowlist template. DNS filtering must be paired with host

+firewall rules on the runner bridge to block direct-IP egress. Do not

+treat DNS-only filtering as a complete network sandbox.

+

+Actions secrets are decrypted only for the runner job claim that needs

+them. Repo secrets shadow org secrets with the same name. The runner

+receives the resolved secret map plus an exact-value mask set; runner

+logs are scrubbed before upload, and the web API scrubs again before

+persisting chunks. The server-side scrubber carries possible secret

+prefix tails across adjacent chunks so a bypassing runner cannot leak a

+secret by splitting it over multiple log POSTs. Base64-encoded or

+transformed secrets are not masked; workflows must not print secrets in

+derived forms.

+

+# shithub_runner_dns_servers=172.30.0.1

+shithub_runner_network_allowlist:

+  - api.github.com

+  - auth.docker.io

+  - codeload.github.com

+  - github.com

+  - objects.githubusercontent.com

+  - production.cloudflare.docker.com

+  - registry-1.docker.io

+  - "*.githubusercontent.com"

+shithub_runner_dns_servers: []

+shithub_runner_dnsmasq_config: /etc/shithubd-runner/dnsmasq.conf

+shithub_runner_dnsmasq_upstream: 1.1.1.1

+- name: Runner DNS allowlist template

+  template:

+    src: "{{ playbook_dir }}/../runner-config/dnsmasq.conf.j2"

+    dest: "{{ shithub_runner_dnsmasq_config }}"

+    owner: root

+    group: shithub-runner

+    mode: "0640"

+

+{% if shithub_runner_network_allowlist is string %}

+network_allowlist = {{ shithub_runner_network_allowlist.split(",") | map("trim") | list | to_json }}

+{% else %}

+network_allowlist = {{ shithub_runner_network_allowlist | to_json }}

+{% endif %}

+{% if shithub_runner_dns_servers is string %}

+dns_servers = {{ shithub_runner_dns_servers.split(",") | map("trim") | list | to_json }}

+{% else %}

+dns_servers = {{ shithub_runner_dns_servers | to_json }}

+{% endif %}

+

+`dnsmasq.conf.j2` is the optional runner DNS allowlist template. The

+Ansible role renders it to `/etc/shithubd-runner/dnsmasq.conf` from

+`shithub_runner_network_allowlist`; operators can run dnsmasq bound to

+their Actions Docker bridge and point step containers at it with

+`engine.dns_servers`.

+

+The dnsmasq template intentionally has no default upstream resolver, so

+names outside the allowlist fail resolution. DNS allowlisting alone does

+not block direct-IP egress or a workflow that brings its own resolver;

+pair it with host firewall rules on the runner bridge for a deny-by-

+default network boundary.

+# Managed by Ansible. Optional DNS allowlist resolver for Actions runners.

+#

+# Pair this with a Docker bridge/network that uses this resolver as its only

+# DNS server. This controls name resolution, not direct-IP egress; enforce

+# direct-IP denial with host firewall rules on the runner bridge.

+

+domain-needed

+bogus-priv

+no-resolv

+no-hosts

+

+{% for pattern in shithub_runner_network_allowlist %}

+{% set host = (pattern[2:] if pattern.startswith("*.") else pattern) %}

+server=/{{ host }}/{{ shithub_runner_dnsmasq_upstream }}

+{% endfor %}

+The job payload includes resolved `secrets` and `mask_values`; repo

+secrets shadow org secrets with the same name.

+Before append, the API re-scrubs exact secret values from the runner

+claim's visible secret set. It also reprocesses any possible secret

+prefix carried at the end of the prior chunk, so a runner cannot leak a

+secret by splitting it across two log calls.

+- `shithub_actions_log_scrub_replacements_total{location="server"}`

+boundaries. S41e wires resolved workflow secrets into the runner claim

+payload and mask set, then applies the same exact-value scrub again in

+the runner API before persisting chunks. The server path also carries a

+possible secret-prefix tail from the prior persisted chunk, so a runner

+that bypasses client-side scrubbing cannot leak a secret by splitting

+it across adjacent log POSTs.

+network_allowlist = [

+  "api.github.com",

+  "auth.docker.io",

+  "codeload.github.com",

+  "github.com",

+  "objects.githubusercontent.com",

+  "production.cloudflare.docker.com",

+  "registry-1.docker.io",

+  "*.githubusercontent.com",

+]

+dns_servers = []

+shithub_runner_dns_servers=172.30.0.1

+`shithub_runner_network_allowlist` defaults to GitHub source/archive

+hosts plus Docker Hub registry hosts. Override it when a runner must

+fetch from an internal package registry. `shithub_runner_dns_servers`

+is empty by default; set it only after a DNS allowlist resolver exists

+on the runner network.

+

+- renders `/etc/shithubd-runner/dnsmasq.conf` from the network

+  allowlist for operators who run a local DNS allowlist resolver

+## Network Allowlist

+

+The runner config carries two separate network controls:

+

+- `runner.network_allowlist`: the host patterns allowed by the

+  operator's DNS allowlist resolver.

+- `engine.dns_servers`: DNS servers passed to each step container with

+  Docker `--dns`.

+

+For a single-host deployment, create a dedicated Docker bridge for

+Actions jobs, run dnsmasq bound to that bridge, render

+`/etc/shithubd-runner/dnsmasq.conf`, and set

+`shithub_runner_dns_servers` to the bridge address of that resolver.

+The rendered dnsmasq config has no default upstream resolver; names not

+matching the allowlist fail DNS resolution.

+

+DNS filtering is not a complete egress boundary by itself. Block

+direct-IP egress from the Actions bridge with host firewall rules, and

+allow only DNS to the resolver plus established outbound connections

+opened by that resolver. Keep the runner on a separate host from web

+and database services.

+