Unvetted contributors should require approval to run CI
What
Until a contributor has been vetted, each of their pull requests should require manual approval from a maintainer before any CI workflow runs on it.
Why
If contributors can trigger CI automatically, a malicious actor can submit a trivial pull request (e.g., a typo fix) to gain the ability to run CI, and then push a follow-up change that replaces the actual code with something that abuses the CI runner (e.g., cryptomining).
When
From the beginning
Recommendation
Select “Require approval for all outside contributors” (under Settings → Actions → General → Fork pull request workflows from outside collaborators). The weaker options in the same menu only require approval for first-time contributors, which is exactly what the trivial first pull request described above is designed to get past.