I am experimenting with using forgejo instead of GitHub for my personal projects. So far I like it, however I would like to make it available to the outside world at some point.
I was wondering what kind of traps I should avoid. The following things come to mind so far:
- Forgejo Actions seem like a massive potential security risk, however I do not intend to enable sign up for other
- OpenID appears to be a thing for forgejo, I do not know how it works and it seems like it would allow access to my instance even with registering disabled
- I would put the instance behind a nginx as reverse proxy, but how do you keep bot traffic to a minimum? Anubis?
I feel like there are a ton of things I have not thought of, which is why I am holding off on making anything available without a VPN so far.
It’s been a while since I set up my runner, and I have it on my personal desktop (which is wayyyyyy beefier than the VPS I host my forgejo instance on), but I’m pretty sure I was able to specify that only my user account can trigger actions to be run on this runner. What I’m getting at is that there is a decent amount of granularity for forgejo action permissions; you should be able to find a balance that suits you between “no actions at all” and “anyone can run any code they desire on your server”.