Add self-hosted runner security framework and private data protection#8

Draft
Copilot wants to merge 5 commits into master from copilot/verify-pdf-claim

Copilot AI commented Feb 13, 2026

Establishes security baseline for self-hosted GitHub Actions runners and expands private data protection in version control.

Security Documentation

  • SELF_HOSTED_RUNNER_SECURITY.md (10KB): Runner hardening, network isolation, secrets rotation, incident response
  • RUNNER_SETUP.md: Administrator quick-start with configuration checklists
  • SECURITY_QUICK_REFERENCE.md: Developer patterns for secure workflows
  • .github/README.md: Navigation hub for all security resources

Automated Validation

validate-workflows.py enforces 6 security checks:

  • Permission scope (flags write-all, missing permissions:)
  • SHA-pinned actions (prevents supply chain attacks)
  • pull_request_target isolation
  • Secret exposure patterns
  • Input validation presence
  • Self-hosted runner labels (ephemeral, isolated, secure)

$ python3 .github/validate-workflows.py
✅ secure-runner-template.yml: 0 issue(s)
⚠️  etherscan-apiv2.yml: 1 issue(s)

Workflow Templates

secure-runner-template.yml - Production reference implementation:

  • Input validation with case statements
  • Minimal permissions (explicit read/write)
  • SHA-pinned actions with version comments
  • Pre-commit secret scanning
  • Environment isolation with cleanup

etherscan-apiv2.yml - Enhanced with:

  • API key via environment variables (not inline secrets)
  • Input validation job
  • Secret pattern scanning before commit
  • Timeout and retry logic
  • File size limits

# Before
- run: curl "${api_url}&apikey=${{ secrets.API_KEY }}"

# After
- env:
    API_KEY: ${{ secrets.API_KEY }}
  run: |
    curl "${api_url}&apikey=${API_KEY}"
    unset API_KEY

Data Protection

.gitignore expanded from 12 to 60+ patterns:

  • Runner internals (.runner, _work/, .credentials)
  • Cloud credentials (.aws/, .azure/, .gcloud/)
  • Build artifacts (ci_secrets/, deploy_keys/)
  • Keystores (*.jks, *.p12, *.keystore)

Validation Results

  • CodeQL: 0 vulnerabilities
  • Code review: 0 issues
  • secure-runner-template.yml: passes all checks
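
Added example (not part of the pull request and not the project's validate-workflows.py): a Python check for two of the items listed in the description above, SHA-pinned actions and secrets expanded inside `run:` scripts, including multi-line block scalars. The name `check_workflow`, the finding messages, the workflow fragments and the dummy SHA are assumptions constructed for illustration.

```python
import re

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
RUN = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
SECRET = re.compile(r"\$\{\{\s*secrets\.")
PINNED = re.compile(r"@[0-9a-f]{40}$")

def check_workflow(text):
    """Return (line_number, message) findings for one workflow's text."""
    findings, run_col = [], None
    for n, line in enumerate(text.splitlines(), 1):
        body = line.lstrip()
        if not body or body.startswith("#"):
            continue
        if run_col is not None and len(line) - len(body) <= run_col:
            run_col = None                      # dedent ends the run: block
        script = line if run_col is not None else None
        if script is None and (m := RUN.match(line)):
            if m.group(2)[:1] in ("|", ">"):
                run_col = len(m.group(1))       # column of the run: key
            else:
                script = m.group(2)             # single-line run:
        if script is not None:
            if SECRET.search(script):
                findings.append((n, "secret expanded inside run script"))
        elif m := USES.match(line):
            ref = m.group(1).strip("'\"")
            if not ref.startswith(("./", "docker://")) and not PINNED.search(ref):
                findings.append((n, f"action not SHA-pinned: {ref}"))
    return findings

# Constructed step fragments, not files from the PR; the SHA is a dummy value.
WEAK = """\
steps:
  - uses: actions/checkout@v4
  - run: curl "${api_url}&apikey=${{ secrets.API_KEY }}"
"""
HARDENED = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
  - env:
      API_KEY: ${{ secrets.API_KEY }}
    run: |
      curl "${api_url}&apikey=${API_KEY}"
      unset API_KEY
"""
```

`check_workflow(WEAK)` reports both the tag-pinned action and the inline secret, while the `env:` mapping in `HARDENED` is not flagged because the secret never enters the script text.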

Copilot AI and others added 4 commits February 13, 2026 13:06
Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add functionality to verify PDF claims" to "Add self-hosted runner security framework and private data protection" Feb 13, 2026
@Kushmanmb Yaketh (Kushmanmb) left a comment

`kushmanmb.eth`
