It seems to me that if you create a PAT with read/write 'Administration' and expose that as a secret that workflows can use, you have to prevent pull requests from running workflows. Otherwise anyone can create a pull request that edits the workflow to dump the PAT, and with that PAT they can do anything they want to your repo. Is this correct? If it is, maybe you should mention this in your README.
What you mentioned also applies to essentially all secrets provided to a GH Actions workflow. That said, I totally see your point because this particular secret has Admin access to the repo and can't be scoped like, say, the AWS token.
There seems to be some good news from Github finally! They have added a Self-hosted runners permission scope to fine-grained tokens which should address this particular issue.
I am gonna test it on our side (Might need to get rid of some old cleanup code) and make sure it works then update the README to provide instructions for the creation of new non-Admin tokens.
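One way to apply both points from this thread in a workflow (an added example, not this project's own workflow; the secret name `RUNNER_PAT` and the script path are assumed): the job runs only on trusted events, and the secret it reads is a fine-grained token limited to the "Self-hosted runners" permission rather than read/write "Administration".

```yaml
# Added example, not the project's workflow. Secret name and script are assumed.
name: start-self-hosted-runner

on:
  push:
    branches: [main]      # trusted: only commits already merged into main
  workflow_dispatch:      # trusted: manual trigger by a repository collaborator
  # Deliberately no pull_request_target: that event checks out the base repo's
  # secrets alongside pull-request code, which is the exposure described above.
  # A plain pull_request event from a fork does not receive repository secrets.

permissions:
  contents: read          # the GITHUB_TOKEN itself gets no write access

jobs:
  start-runner:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Register runner
        env:
          # Fine-grained PAT scoped to "Self-hosted runners" only, instead of
          # a classic token with read/write "Administration".
          GH_TOKEN: ${{ secrets.RUNNER_PAT }}
        run: ./scripts/register-runner.sh   # assumed helper script
```

Pair this with the repository setting that requires approval before workflows run for pull requests from forks, so a changed workflow file is reviewed before it executes with any secret at all.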