-
Why sticking to GitHub Actions instead of using GitHub Apps?
GitHub Apps come with lots of advantages over GitHub Actions (e.g. they are not ephemeral, they use their own identity without the need for maintaing bots as separate users...) but are applications that you have to host somewhere. Unless eager developers out there will turn this automation into a GitHub App freely available in the marketplace 😉, we deem much more convenient to spare the burden of maitaining a local server and offload the service to the GitHub runners.
-
Why does the dashboard repo need to be public to enable the mentioning mechanism?
With a private dashboard repo, the action devoted to managing the mentioning mechanism would need an organization PAT to access the dashboard where all the required info is stored to correctly process the request. Relying on organization PATs represents a vulnerability as it may allow a user/contributor with
writepermissions to run a malicious action to take over the control of the organization.