by dmurray 5 days ago
Does it ever get abused?

"This PR introduces the ability for Clickhouse to mine Bitcoin...":

1 comment

The CI only runs after one of the maintainers adds a "can be tested" label. When the label is already added, it stops when any of the infrastructure-related files are modified, like Dockerfile, CI configurations, etc. This is quite ok, but not 100% bulletproof, as you can easily do weird things by modifying the code or using a bug in the compiler. However, the CI infrastructure runs on isolated machines inside an isolated account.

Before adding the label, we have to check the diff for suspicious things. There were a few abuse attempts (all of them were from now-vanished GitHub accounts).

Found one example that survived, and it was legitimate: https://github.com/ClickHouse/ClickHouse/pull/99522/changes
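
A sketch of the gate described in the comment above, as an added example that is not part of the thread and not ClickHouse's own CI code. The label name is the one quoted in the comment; the path patterns, the change-record shape and the function names are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

APPROVAL_LABEL = "can be tested"  # label name quoted in the comment

# Assumed patterns for "infrastructure-related files"; the real list is not
# given in the thread. fnmatch's "*" also matches "/", so "ci/*" is recursive.
INFRA_PATTERNS = ["dockerfile", "*/dockerfile", "*.dockerfile",
                  ".github/*", "ci/*", "docker/*"]


def is_infra(path):
    """True if a repository-relative path matches an infrastructure pattern."""
    p = path.lower()  # match case-insensitively so the gate errs toward stopping
    return any(fnmatchcase(p, pat) for pat in INFRA_PATTERNS)


def ci_decision(labels, changes):
    """Return (decision, offending_paths) for one pull request.

    labels  -- label names currently on the PR
    changes -- dicts with 'path' and, for renames, 'previous_path'
    """
    if APPROVAL_LABEL not in labels:
        return ("skip", [])  # no maintainer has approved a run yet
    touched = set()
    for change in changes:
        # Check both sides of a rename: moving a file out of ci/ still
        # alters the infrastructure even though the new path looks harmless.
        for p in (change["path"], change.get("previous_path")):
            if p and is_infra(p):
                touched.add(p)
    if touched:
        return ("stop", sorted(touched))  # needs a fresh maintainer look
    # "run" only means no infrastructure file changed. Source changes still
    # execute on the runner, hence the manual diff review and isolated machines.
    return ("run", [])


if __name__ == "__main__":
    # Constructed sample pull requests, not real ClickHouse PRs.
    samples = [
        ([], [{"path": "src/Functions/foo.cpp"}]),
        (["can be tested"], [{"path": "src/Functions/foo.cpp"}]),
        (["can be tested"], [{"path": "docker/test/Dockerfile"}]),
        (["can be tested"], [{"path": "src/run.sh", "previous_path": "ci/run.sh"}]),
    ]
    for labels, changes in samples:
        print(ci_decision(labels, changes))
```
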