From 79d2bc29fa5fa352534d89ecafdecb52e78420ce Mon Sep 17 00:00:00 2001
From: Nikola Jokic
Date: Tue, 24 Feb 2026 20:27:40 +0100
Subject: [PATCH] warn when requireJobContainer is set to false
---
 .../templates/_mode_kubernetes.tpl | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/charts/gha-runner-scale-set-experimental/templates/_mode_kubernetes.tpl b/charts/gha-runner-scale-set-experimental/templates/_mode_kubernetes.tpl
index 38d8bfa8..6589d01d 100644
--- a/charts/gha-runner-scale-set-experimental/templates/_mode_kubernetes.tpl
+++ b/charts/gha-runner-scale-set-experimental/templates/_mode_kubernetes.tpl
@@ -62,6 +62,9 @@ env:
 fieldPath: metadata.name
 - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
 value: {{ ternary "true" "false" $requireJobContainer | quote }}
+ {{- if not $requireJobContainer -}}
+ {{- printf "# WARNING: runner.kubernetesMode.requireJobContainer is set to false. This means that the runner container will be used to execute jobs, which may lead to security risks if the runner is compromised. It is recommended to set runner.kubernetesMode.requireJobContainer to true in production environments." }}
+ {{- end -}}
 {{- if and $hasExtension $setHookTemplateEnv }}
 - name: ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE
 value: {{ $hookTemplatePath | quote }}
@@ -236,4 +239,4 @@ Create the labels for the hook extension ConfigMap.
 {{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
 {{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
 {{- toYaml (mergeOverwrite $global $resourceLabels $commonLabels) -}}
-{{- end }}
\ No newline at end of file
+{{- end }}
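Review bot: In the first hunk the warning comment is emitted on the same line as the env value, because both `{{- if not $requireJobContainer -}}` and `{{- printf` trim the newline that follows `| quote }}`, giving `value: "false"# WARNING: …`. YAML treats `#` as a comment start only after whitespace, so the render is likely to fail or be mis-read in exactly the case the warning targets; keeping the line break, e.g. `{{- if not $requireJobContainer }}` followed by a literal `# WARNING: …` line and `{{- end }}`, avoids that. A comment in the rendered manifest is also only seen by someone reading `helm template` output, so for a setting that lets jobs run in the runner container the message would reach operators more reliably from a `NOTES.txt` message or a comment beside the value in `values.yaml`. The surrounding `env:` template starts and ends outside the hunk, so the final indentation should be checked against a rendered manifest.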