[2019-09-30T23:27:36Z] <Gandalf84> jlk: I'm evaluating the possibility to switch from TeamCity to GitHub Actions, the repo can be accessed by all the developers assigned to the project, but they have no idea about the deployment config
[2019-09-30T23:28:20Z] <Gandalf84> but it seems if any developer can create a workflow, in every branch, then they can easily create other triggers and other deployment workflows
[2019-09-30T23:52:38Z] <b1tninja> Don't commit your secrets
[2019-09-30T23:53:29Z] <b1tninja> Perhaps also could you use API keys with limited access, are there any of those that are restricted to your user
[2019-09-30T23:53:37Z] <b1tninja> I'll go read about this
[2019-10-01T00:07:12Z] <jlk> Gandalf84: anybody with write access to your repository can already read and use secrets.
[2019-10-01T00:07:38Z] <jlk> Gandalf84: you either need to trust them, or remove direct write access to only those that are trusted and ask that the others use read access to create forks and open PRs
[2019-10-01T00:08:02Z] <Gandalf84> secrets are stored in the repo settings, those can be read only from a workflow, but right now we don't have
[2019-10-01T00:13:37Z] <jlk> playing around, I see what you mean. You're going to have to decide if you trust the people you've given write access to or not.
[2019-10-01T00:13:44Z] <jlk> or make use of a different secret store inside the action.