+ [2019-09-30T23:27:36Z] Gandalf84 jlk: I'm evaluating the possibility to switch from TeamCity to Github Actions, the repo can be accessed by all the developers assigned to the project, but they have no idea about the deployment config
+ [2019-09-30T23:28:20Z] Gandalf84 but it seems if any developer can create workflow, in every branch, then they can easily create other triggers and other deployment workflow
+ [2019-09-30T23:52:38Z] b1tninja Don't commit your secrets
+ [2019-09-30T23:53:29Z] b1tninja Perhaps also could you use api keys with limited access, are there any of those that are restricted to your user
+ [2019-09-30T23:53:37Z] b1tninja I'll go read about this

message no. 174809

Posted by vicfred in #github at 2019-09-30T19:19:14Z

tang^, if the private repository is only a mirror from a repo then it's not big deal right?
+ [2019-10-01T00:07:12Z] jlk Gandalf84: anybody with write access to your repository can already read and use secrets.
+ [2019-10-01T00:07:38Z] jlk Gandalf84: you either need to trust them, or remove direct write access to only those that are trusted and ask that the others use read access to create forks and open PRs
+ [2019-10-01T00:08:02Z] Gandalf84 secrets are stored in the repo settings, those can be read only from a workflow, but right now we don't have
+ [2019-10-01T00:13:37Z] jlk playing around, I see what you mean. You'r egoing to have to decide if you trust the people you've given write access to or not.
+ [2019-10-01T00:13:44Z] jlk or make use of a different secret store inside the action.