myoung34 / docker-github-actions-runner

This will run the new self-hosted github actions runners with docker-in-docker


Why is `/var/run/docker.sock` needed?

sloede opened this issue · comments

As far as I understand, mounting /var/run/docker.sock is only needed if one wants to manage the Docker daemon from inside a Docker container. Since /var/run/docker.sock is owned by root on the host system, this effectively creates a security risk (at least from what I understand from, e.g., https://stackoverflow.com/questions/40844197/what-is-the-docker-security-risk-of-var-run-docker-sock - I am really not an expert).

Is it thus possible to omit the -v /var/run/docker.sock:/var/run/docker.sock flag entirely? Or does that depend on which features I am using?

Background: We are trying to use this image to set up automated testing of a research code using on-premise machines, for which we need to be "reasonably" sure about securing the runners against malicious third-party PRs. Without this great repository, we wouldn't even know where to start, so thanks a lot for providing this image here!

You can omit it. Mounting the docker socket is optional and does create some risk, correct.

I would suggest looking into docker and GitHub runner best practices before using it in public repos for this and other reasons.

> You can omit it. Mounting the docker socket is optional and does create some risk, correct.

Thanks a lot for the quick feedback!

> I would suggest looking into docker and GitHub runner best practices before using it in public repos for this and other reasons.

You sound like you have some resources in mind that are useful to look at - if yes, it would be highly appreciated if you could share them with us!

Thanks a lot, this is appreciated!