+ [2019-09-30T23:27:36Z] Gandalf84 jlk: I'm evaluating the possibility of switching from TeamCity to Github Actions. The repo can be accessed by all the developers assigned to the project, but they have no idea about the deployment config
+ [2019-09-30T23:28:20Z] Gandalf84 but it seems if any developer can create a workflow, in every branch, then they can easily create other triggers and other deployment workflows
+ [2019-09-30T23:52:38Z] b1tninja Don't commit your secrets
+ [2019-09-30T23:53:29Z] b1tninja Perhaps you could also use API keys with limited access; are there any of those that are restricted to your user?
+ [2019-09-30T23:53:37Z] b1tninja I'll go read about this

message no. 174824

Posted by Gandalf84 in #github at 2019-09-30T23:07:48Z

Hi, I'm starting to use github actions, but I have some concerns about security. If anybody with write access to the repo can create a workflow yaml file, in any branch, with the secrets shared among the branches, how can I prevent any developer from creating his own workflow yaml file and triggering any deployment (having the secrets already in place)?
+ [2019-10-01T00:07:12Z] jlk Gandalf84: anybody with write access to your repository can already read and use secrets.
+ [2019-10-01T00:07:38Z] jlk Gandalf84: you either need to trust them, or remove direct write access to only those that are trusted and ask that the others use read access to create forks and open PRs
+ [2019-10-01T00:08:02Z] Gandalf84 secrets are stored in the repo settings, those can be read only from a workflow, but right now we don't have
+ [2019-10-01T00:13:37Z] jlk playing around, I see what you mean. You're going to have to decide if you trust the people you've given write access to or not.
+ [2019-10-01T00:13:44Z] jlk or make use of a different secret store inside the action.