canonical
diff --git a/‎.github/workflows/integration_test.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/integration_test.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.vale/styles/config/vocabularies/local/accept.txt‎
Lines changed: 2 additions & 1 deletion b/‎.vale/styles/config/vocabularies/local/accept.txt‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎config.yaml‎
Lines changed: 0 additions & 14 deletions b/‎config.yaml‎
Lines changed: 0 additions & 14 deletions
diff --git a/‎docs/changelog.md‎
Lines changed: 17 additions & 16 deletions b/‎docs/changelog.md‎
Lines changed: 17 additions & 16 deletions
diff --git a/‎docs/explanation/security.md‎
Lines changed: 35 additions & 3 deletions b/‎docs/explanation/security.md‎
Lines changed: 35 additions & 3 deletions
diff --git a/‎docs/how-to/comply-security.md‎
Lines changed: 31 additions & 3 deletions b/‎docs/how-to/comply-security.md‎
Lines changed: 31 additions & 3 deletions
diff --git a/‎docs/how-to/index.md‎
Lines changed: 4 additions & 0 deletions b/‎docs/how-to/index.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎docs/how-to/manage-external-contributors.md‎
Lines changed: 43 additions & 0 deletions b/‎docs/how-to/manage-external-contributors.md‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎docs/how-to/troubleshoot.md‎
Lines changed: 21 additions & 0 deletions b/‎docs/how-to/troubleshoot.md‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎docs/index.md‎
Lines changed: 0 additions & 1 deletion b/‎docs/index.md‎
Lines changed: 0 additions & 1 deletion
@@ -20,7 +20,7 @@ jobs:
       juju-channel: 3.6/stable
       provider: lxd
       test-tox-env: integration-juju3.6
-      modules: '["test_multi_unit_same_machine", "test_charm_metrics_failure", "test_charm_metrics_success", "test_charm_fork_repo", "test_charm_fork_path_change", "test_charm_no_runner", "test_charm_runner", "test_charm_upgrade", "test_reactive"]'
+      modules: '["test_multi_unit_same_machine", "test_charm_metrics_failure", "test_charm_metrics_success", "test_charm_fork_path_change", "test_charm_no_runner", "test_charm_runner", "test_charm_upgrade",  "test_reactive"]'
       # INTEGRATION_TOKEN, INTEGRATION_TOKEN_ALT, OS_* are passed through INTEGRATION_TEST_SECRET_ENV_VALUE_<N>
       # mapping. See CONTRIBUTING.md for more details.
       extra-arguments: |
 
@@ -1,4 +1,5 @@
 aproxy
 Aproxy
 iptables
-Tmate
+Tmate
+untrusted
@@ -85,20 +85,6 @@ options:
       Minutes between each reconciliation of the current runners state and their targeted state.
       On reconciliation, the charm polls the state of runners and see if actions are needed. The
       value should be kept low, unless Github API rate limiting is encountered.
-  repo-policy-compliance-token:
-    type: string
-    description: >-
-      DEPRECATED, please use allow-external-contributor configuration option instead.
-      The token to authenticate with the repository-policy-compliance service in order to
-      generate one-time-tokens. This option requires the repo-policy-compliance-url to be set.
-      If not set, the repository-policy-compliance service will not be used.
-  repo-policy-compliance-url:
-    type: string
-    description: >-
-      DEPRECATED, please use allow-external-contributor configuration option instead
-      The URL to the repository-policy-compliance service. This option requires the
-      repo-policy-compliance-token to be set. If not set, the repository-policy-compliance service
-      will not be used. This option is only supported when using OpenStack Cloud.
   allow-external-contributor:
     type: boolean
     default: True
 
@@ -2,6 +2,10 @@
 
 This changelog documents user-relevant changes to the GitHub runner charm.
 
+## 2026-02-02
+
+- Deprecated `repo-policy-compliance` service.
+
 ## 2025-01-26
 
 - Add machine input parameter for terraform charm module to allow targeting specific machines for
@@ -43,7 +47,7 @@ GitHub runner image builder side.
 
 ## 2025-12-01
 
-- Added timeouts to API calls (Openstack,GitHub,Repo policy compliance) to fix a hanging GitHub runner manager application. 
+- Added timeouts to API calls (OpenStack, GitHub, repo-policy-compliance) to fix a hanging GitHub runner manager application.
 
 ## 2025-11-30
 
@@ -74,7 +78,6 @@ GitHub runner image builder side.
 
 - Fix issue with scaling down overshooting in deleting runners after cleanup
 
-
 ## 2025-08-20
 
 - Document relevant log files.
@@ -107,7 +110,7 @@ GitHub runner image builder side.
 ## 2025-07-09
 
 - Specify max supported nova compute API to be 2.91. This fixes an issue where the charm could fail
- due to a bug on the OpenStack side: https://bugs.launchpad.net/nova/+bug/2095364
+  due to a bug on the OpenStack side: https://bugs.launchpad.net/nova/+bug/2095364
 
 ### 2025-06-30
 
@@ -127,8 +130,7 @@ GitHub runner image builder side.
 ### 2025-06-16
 
 - Revert `copytruncate logrotate` method for reactive processes, as `copytruncate` keeps log files on disks and does not remove them, and each process is writing to a new file leading to a huge and increasing amount
-of zero sized files in the reactive log directory. This is a temporary fix until a better solution is implemented, as it has the downside that long lived reactive processes may write to deleted log files.
-
+  of zero sized files in the reactive log directory. This is a temporary fix until a better solution is implemented, as it has the downside that long lived reactive processes may write to deleted log files.
 
 ### 2025-06-12
 
@@ -140,9 +142,9 @@ of zero sized files in the reactive log directory. This is a temporary fix until
 
 ### 2025-06-04
 
-- Reduce the reconcile-interval configuration from 10 minutes to 5 minutes. This is the interval 
-between reconciling the current and intended number of runners. The value should be kept low, 
-unless GitHub API rate limiting is encountered.
+- Reduce the reconcile-interval configuration from 10 minutes to 5 minutes. This is the interval
+  between reconciling the current and intended number of runners. The value should be kept low,
+  unless GitHub API rate limiting is encountered.
 - Removed the reconcile-runners Juju action.
 
 ### 2025-06-03
@@ -151,9 +153,8 @@ unless GitHub API rate limiting is encountered.
 
 ### 2025-05-22
 
-- Add possibility to run a script in the pre-job phase of a runner. This can be useful to setup 
-network/infrastructure specific things.
-
+- Add possibility to run a script in the pre-job phase of a runner. This can be useful to setup
+  network/infrastructure specific things.
 
 ### 2025-05-09
 
@@ -162,8 +163,8 @@ network/infrastructure specific things.
 ### 2025-05-06
 
 - The ssh health checks are removed and GitHub is used instead to get the runners health
-information. This implies many changes in both the structure of the project and its functionality. Potentially, many race conditions should
-disappear.
+  information. This implies many changes in both the structure of the project and its functionality. Potentially, many race conditions should
+  disappear.
 
 ### 2025-04-28
 
@@ -197,7 +198,7 @@ disappear.
 ### 2025-03-24
 
 - New terraform product module. This module is composed of one github-runner-image-builder application and the related
-github-runner applications.
+  github-runner applications.
 
 ### 2024-12-13
 
@@ -243,14 +244,14 @@ github-runner applications.
 ### 2024-10-17
 
 - Use in-memory authentication instead of clouds.yaml on disk for OpenStack. This prevents
-the multi-processing fighting over the file handle for the clouds.yaml file in the `github-runner-manager`.
+  the multi-processing fighting over the file handle for the clouds.yaml file in the `github-runner-manager`.
 
 - Fixed a bug where metrics storage for unmatched runners could not get cleaned up.
 
 ### 2024-10-11
 
 - Added support for COS integration with reactive runners.
-- The charm now creates a dedicated user which is used for running the reactive process and 
+- The charm now creates a dedicated user which is used for running the reactive process and
   storing metrics and ssh keys (also for non-reactive mode).
 
 ### 2024-10-07
 
@@ -4,14 +4,46 @@ This document describes the security design of the GitHub runner charm. The char
 
 ## Remote code execution risk
 
-The charm manages GitHub self-hosted runners to run GitHub Actions jobs. This allows users on GitHub to execute code on the servers hosting the runners, which poses a remote code execution risk if the code is not trusted. Therefore, the charm should only spawn runners to trusted organizations or repositories.
+The charm manages GitHub self-hosted runners to run GitHub Actions jobs. This allows users on GitHub to execute code on the servers hosting the runners, which poses a remote code execution risk if the code has not been reviewed or authorized. Therefore, the charm should only spawn runners to trusted organizations or repositories.
 
-For third-party contributions, the charm can integrate with the [Repo Policy Compliance charm](https://charmhub.io/repo-policy-compliance) to manage the repository policy. With this integration, the self-hosted runner will not execute the GitHub jobs if the policy is not met. See [working with outside collaborators](https://charmhub.io/github-runner/docs/how-to-comply-security#working-with-outside-collaborators) for the recommended settings to ensure the code is reviewed by a trusted user prior to execution in the runner.
+For external contributor security, see [How to manage external contributors securely](../how-to/manage-external-contributors.md) for configuration options and recommended practices.
 
 ### Good practices
 
 - Only register the GitHub self-hosted runners to a trusted organization or repository so that only workflows from trusted users are able to run on the runners.
-- For outside collaborators: Use the [`repo-policy-compliance` charm](https://charmhub.io/repo-policy-compliance) with [policy for outside collaborators](https://charmhub.io/github-runner/docs/how-to-comply-security#working-with-outside-collaborators) to ensure the code executed in runners are reviewed by a trusted user.
+- For outside collaborators: Use the `allow-external-contributor` configuration option (set to `false`) to restrict workflow execution to users with COLLABORATOR, MEMBER, or OWNER status. This prevents unauthorized code execution from external contributors.
+- Configure appropriate repository settings and protection rules to ensure the code executed in runners are reviewed by a trusted user.
+
+### Recommended security practices
+
+When working with external contributors, consider the following security practices:
+
+#### Repository configuration
+
+- For outside collaborators, set permissions to read-only. See [here](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository#changing-permissions-for-a-team-or-person) for instructions to change collaborator permissions.
+
+#### Branch protection rules
+
+Create the following branch protection rules using the instructions [here](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule#creating-a-branch-protection-rule):
+
+- Branch name pattern `**` with `Require signed commits` enabled.
+- Branch name pattern matching only the default branch of the repository, such as `main`, with the following enabled:
+  - `Dismiss stale pull request approvals when new commits are pushed`
+  - `Required signed commits`
+  - `Do not allow bypassing the above settings`
+
+#### Working with external contributors
+
+When `allow-external-contributor` is set to `false`, external contributors can still contribute through the following workflow:
+
+1. External contributors create pull requests as usual
+2. A repository maintainer with COLLABORATOR, MEMBER, or OWNER status reviews the code
+3. If the code is safe, the maintainer can:
+
+- Approve and merge the pull request to another branch (workflows will run with maintainer permissions)
+- Manually trigger workflow runs if needed (using workflow dispatch on the target branch)
+
+This approach ensures that all code from external contributors is reviewed by trusted users before execution on self-hosted runners.
 
 ## Permission for GitHub app or personal access token
 
 
@@ -2,9 +2,29 @@
 
 According to GitHub, running code inside the GitHub self-hosted runner [poses a significant security risk of arbitrary code execution](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security). The self-hosted runners managed by the charm are isolated in its own single-use virtual machine instance. In addition, the charm enforces some repository settings to ensure all code running on the self-hosted runners is reviewed by someone trusted.
 
-The charm can be integrated with the [Repo Policy Compliance charm](https://charmhub.io/repo-policy-compliance) to enforce a set of good practices around GitHub repository settings. Self-hosted runners managed by the charm will not run jobs on repositories unless they are compliant with the practices.
+The charm provides the `allow-external-contributor` configuration option to control whether workflows triggered by external contributors can execute on the self-hosted runners. When set to `false`, only users with COLLABORATOR, MEMBER, or OWNER status can trigger workflows from pull requests, reviews, and comments.
 
-In this guide, a recommended set of policies will be presented.
+In this guide, a recommended set of policies and security practices will be presented.
+
+## External contributor access control
+
+Configure the charm to restrict external contributor access:
+
+```bash
+juju config github-runner allow-external-contributor=false
+```
+
+With this setting, workflows will only run for users with the following GitHub author associations:
+- OWNER - Repository or organization owners
+- MEMBER - Organization members  
+- COLLABORATOR - Users with explicit collaborator access
+
+The charm checks author associations for these events:
+- `pull_request` - Pull requests from external contributors
+- `pull_request_target` - Pull request targeting (designed for handling PRs from forks)
+- `pull_request_review` - Pull request reviews from external contributors
+- `pull_request_review_comment` - Comments on pull request diffs from external contributors
+- `issue_comment` - Comments on issues or pull requests from external contributors
 
 ## Recommended policy
 
@@ -20,4 +40,12 @@ With these settings, the common workflow of creating branches with pull requests
 
 ### Working with outside collaborators
 
-Generally, outside collaborators are not completely trusted, but still would need to contribute in some manner. As such, this charm requires pull requests by outside collaborators to be reviewed by someone with `write` permission or above. Once the review is completed, the reviewer should add a comment including the following string: `/canonical/self-hosted-runners/run-workflows <commit SHA>`, where `<commit SHA>` is the commit SHA of the approved commit. Once posted, the self-hosted runners will run the workflow for this commit.
+When `allow-external-contributor` is set to `false`, outside collaborators can still contribute through the following secure workflow:
+
+1. External contributors create pull requests as usual
+2. A repository maintainer with COLLABORATOR, MEMBER, or OWNER status reviews the code
+3. If the code is safe, the maintainer can:
+  - Approve and merge the pull request to another branch (workflows will run with the permissions of the maintainer)
+  - Manually trigger workflow runs if needed (using workflow dispatch on the target branch)
+
+This approach ensures that all code from external contributors is reviewed by trusted users before execution on self-hosted runners, eliminating the need for manual comment-based approval workflows.
@@ -16,6 +16,8 @@ and using the Github Runner charm.
 
 ## Security
 * [Comply with security requirements]
+* [Manage external contributors securely]
+* [Troubleshoot]
 
 ## Development
 * [Contribute]
@@ -30,4 +32,6 @@ and using the Github Runner charm.
 [Spawn OpenStack runner]: openstack-runner.md
 [Set up reactive spawning]: reactive.md
 [Comply with security requirements]: comply-security.md
+[Manage external contributors securely]: manage-external-contributors.md
+[Troubleshoot]: troubleshoot.md
 [Contribute]: contribute.md
@@ -0,0 +1,43 @@
+# How to manage external contributors securely
+
+According to GitHub, running code inside the GitHub self-hosted runner [poses a significant security risk of arbitrary code execution](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security). The self-hosted runners managed by the charm are isolated in their own single-use virtual machine instances. In addition, the charm provides security controls to ensure that code from external contributors is only executed when authorized.
+
+The charm provides the `allow-external-contributor` configuration option to control whether workflows triggered by external contributors can execute on the self-hosted runners. When set to `false`, only users with COLLABORATOR, MEMBER, or OWNER status can trigger workflows.
+
+In this guide, we'll explain how to configure external contributor access.
+
+## External contributor access control
+
+An external contributor is anyone whose GitHub author association is not OWNER, MEMBER, or COLLABORATOR. For internal pull requests (where the head and base repositories are the same), the association check is not applied; those runs are treated as internal.
+
+The charm checks the GitHub author association for the following events that can be triggered by external contributors:
+
+- `pull_request` - Pull requests from external contributors
+- `pull_request_target` - Pull request targeting (designed for handling PRs from forks)
+- `pull_request_review` - Pull request reviews from external contributors
+- `pull_request_review_comment` - Comments on pull request diffs from external contributors
+- `issue_comment` - Comments on issues or pull requests from external contributors
+
+### Disable external contributor access
+
+Prevent external contributors from triggering workflows. Run:
+
+```bash
+juju config github-runner allow-external-contributor=false
+```
+
+With this setting, only users with the following GitHub author associations can trigger workflows:
+
+- OWNER - Repository or organization owners
+- MEMBER - Organization members
+- COLLABORATOR - Users with explicit collaborator access
+
+### Enable external contributor access
+
+Allow all external contributors to trigger workflows. Run:
+
+```bash
+juju config github-runner allow-external-contributor=true
+```
+
+**Warning**: This setting allows any external contributor to trigger workflow execution on your self-hosted runners. Only use this in trusted environments or when you have other security controls in place.
@@ -0,0 +1,21 @@
+# How to troubleshoot
+
+This guide covers troubleshooting for common issues that users may encounter when working with the GitHub runner charm.
+
+## External contributor workflows
+
+### Workflows not running for external contributors
+
+If workflows are not running for external contributors when `allow-external-contributor=false`:
+
+1. Check the runner logs for authorization errors
+2. Verify the user's author association in the GitHub repository
+
+### Workflows running for unexpected users
+
+If you notice workflows running for users who shouldn't have access:
+
+1. Set `allow-external-contributor=false`
+2. Review repository collaborator permissions
+3. Check for any bypass rules in branch protection settings
+4. Audit recent workflow runs in the GitHub Actions tab
@@ -85,7 +85,6 @@ Thinking about using the GitHub runner charm for your next project? [Get in touc
     1. [Debug with SSH](local-lxd/how-to/debug-with-ssh.md)
     1. [Deploy on ARM64](local-lxd/how-to/deploy-on-arm64.md)
     1. [Integrate with COS](local-lxd/how-to/integrate-with-cos.md)
-    1. [Comply with repository policies](local-lxd/how-to/repo-policy.md)
     1. [Run on LXD cloud](local-lxd/how-to/run-on-lxd.md)
     1. [Set base image](local-lxd/how-to/set-base-image.md)
   1. [Reference](local-lxd/reference)
-Original file line number
+Diff line change
@@ @@ -1,4 +1,5 @@ @@
 aproxy
 Aproxy
 iptables
 -Tmate
 +Tmate
 +untrusted