- Use least-privilege tokens; only grant org scopes when required
- Restrict runner machine access to trusted administrators
- Store secrets in GitHub Secrets, not on disk
- Minimum token scopes for runner admin operations: repo, workflow, read:org (admin:org may be required depending on org policies)
- Prefer GitHub Actions logs as the authoritative audit trail
- Keep local host logs for forensic debugging only
- Remove and re-register runners on a cadence or after incident response
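One way to verify that a runner-admin token stays at the minimum scopes named above, as an added example (not part of the original checklist): the function below evaluates the comma-separated scope list GitHub returns in the X-OAuth-Scopes response header of any authenticated API call against repo, workflow, read:org, and reports admin:org (or any other grant) as excess unless org policy requires it. The scope hierarchy encoded is a simplified subset of GitHub's classic PAT scopes; the sample header value is constructed.

```python
"""Least-privilege check for a GitHub classic PAT used for runner admin work.

Added example. GitHub reports granted scopes in the ``X-OAuth-Scopes``
response header; this module evaluates that header value offline.
"""

# Minimum scopes the checklist names for runner admin operations.
MINIMUM_SCOPES = frozenset({"repo", "workflow", "read:org"})

# Simplified classic-PAT hierarchy: a broader scope satisfies narrower ones.
IMPLIED_BY = {
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "security_events"},
}


def parse_scopes(header_value):
    """Split a comma-separated X-OAuth-Scopes header into a set of scopes."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand(scopes):
    """Return the scopes plus everything implied by a granted broader scope."""
    result = set(scopes)
    pending = list(result)
    while pending:
        for implied in IMPLIED_BY.get(pending.pop(), ()):
            if implied not in result:
                result.add(implied)
                pending.append(implied)
    return result


def check_token_scopes(header_value, org_policy_requires_admin=False):
    """Return (missing, excess) relative to the checklist minimum.

    missing: required scopes the token does not satisfy, even via a broader scope.
    excess:  granted scopes beyond what the required set already covers.
    """
    required = set(MINIMUM_SCOPES)
    if org_policy_requires_admin:
        required.add("admin:org")
    granted = parse_scopes(header_value)
    missing = sorted(required - expand(granted))
    excess = sorted(granted - expand(required))
    return missing, excess


if __name__ == "__main__":
    # Constructed sample header value, as a token with admin:org would return it.
    print(check_token_scopes("repo, workflow, read:org, admin:org"))
```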