Why this topic matters
A pipeline runner is often a controlled execution environment that already has access to code, secrets, artifacts and deployment rights. That makes it one of the most valuable escalation points in a modern engineering estate.
Operator checks
- Map which jobs can access which secrets, environments and artifact stores.
- Check token permissions, pull-request trust, reusable workflows and third-party action imports.
- Identify whether runners are shared, ephemeral or long-lived and what residue they keep.
- Follow the runner outward: what can it sign, publish, deploy or reconfigure?
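A small audit helper that turns the checks above into code, added here as an example and not taken from any project or vendor tool: it runs line-based heuristics over a GitHub Actions workflow and flags the token scope, pull-request trust, runner type and third-party action pinning points from the list. The sample workflow is constructed for the example, and the checks are heuristics over the raw text rather than a full YAML parse.

```python
import re

# Constructed sample workflow (not from any real project) with several weak settings.
SAMPLE_WORKFLOW = """\
name: build
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/lint-action@main
      - uses: some-org/setup-tool@0123456789abcdef0123456789abcdef01234567
      - run: npm ci && npm test
"""

# A full 40-hex-character commit SHA after '@' counts as a pinned action reference.
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")


def audit_workflow(text: str) -> list[str]:
    """Line-based heuristics over a workflow file; returns one string per finding."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings = []
    # Token scope: no permissions block at all, or the broadest one (job-level blocks also count here).
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append("no permissions block: GITHUB_TOKEN inherits the repository default scope")
    if "permissions: write-all" in lines:
        findings.append("permissions: write-all grants every token scope to the whole workflow")
    # Pull-request trust: a privileged trigger that checks out the contributor's code.
    pr_target = any(ln.startswith("pull_request_target") for ln in lines)
    pr_head = any("github.event.pull_request.head" in ln for ln in lines)
    if pr_target and pr_head:
        findings.append("pull_request_target checks out PR head: untrusted code runs with the base repo token and secrets")
    # Runner type: a fork-reachable job landing on a runner that may be shared or long-lived.
    if pr_target and "runs-on: self-hosted" in lines:
        findings.append("self-hosted runner reachable from fork PRs: check whether it is ephemeral and what residue it keeps")
    # Third-party imports: tags and branches are mutable, commit SHAs are not.
    for ln in lines:
        m = re.match(r"-?\s*uses:\s*(\S+)", ln)
        if m and not m.group(1).startswith("./") and not SHA_PIN.search(m.group(1)):
            findings.append(f"action not pinned to a commit SHA: {m.group(1)}")
    return findings
```

Run it against the sample and it reports five findings; the same helper can be pointed at each workflow file in a repository when building the job-to-secrets map.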
Reporting lens
Write findings in terms of trust crossed, scope enlarged and business or operational effect reached. That keeps the note useful whether you are validating a lab, an internal research target or a live customer environment.
Curated public references
- GitHub Actions Hardening: workflow permissions and runner trust.
- GitLab Pipeline Security: common pipeline-risk areas.
- Azure DevOps Security: project and pipeline security model context.
