+ [6 years ago] Gandalf84 jlk: I'm evaluating the possibility of switching from TeamCity to GitHub Actions; the repo can be accessed by all the developers assigned to the project, but they have no idea about the deployment config
+ [6 years ago] Gandalf84 but it seems if any developer can create a workflow, in every branch, then they can easily create other triggers and other deployment workflows
+ [6 years ago] b1tninja Don't commit your secrets
+ [6 years ago] b1tninja Perhaps you could also use API keys with limited access; are there any of those that are restricted to your user?
+ [6 years ago] b1tninja I'll go read about this

message no. 174809

Posted by vicfred in #github at 2019-09-30T19:19:14Z

tang^, if the private repository is only a mirror from a repo then it's not a big deal, right?
+ [6 years ago] jlk Gandalf84: anybody with write access to your repository can already read and use secrets.
+ [6 years ago] jlk Gandalf84: you either need to trust them, or remove direct write access to only those that are trusted and ask that the others use read access to create forks and open PRs
+ [6 years ago] Gandalf84 secrets are stored in the repo settings, those can be read only from a workflow, but right now we don't have
+ [6 years ago] jlk playing around, I see what you mean. You're going to have to decide if you trust the people you've given write access to or not.
+ [6 years ago] jlk or make use of a different secret store inside the action.