As a security engineer, I want to restrict the use of secret access tokens to workflows running on the main branch in order to ensure that this project is not vulnerable to exposing those secrets in the GH Actions workflows run by contributors.
Technical Notes
Currently, any user who has the permission to run a GH Action has the ability to echo out the personal access tokens or GH App tokens we are using for publishing. We should be able to resolve this by moving all jobs that require use of these tokens to a standalone workflow that can only be triggered by push to the main branch. I believe we will have to move any related secrets to a protected environment that can only be accessed from the main branch as well.
Acceptance Criteria
Developers on a feature branch cannot push code that has access to the actions-helper GH app token.
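An added example (not from this issue or its project) of the workflow layout the technical notes describe: the publishing job lives in its own workflow that only a push to main can trigger, and it binds to a deployment environment whose secrets and branch rule are restricted to main. The filename, environment name, secret names and publish script are assumptions.

```yaml
# .github/workflows/publish.yml  (assumed filename)
# Only a push to main starts this workflow, so a contributor pushing to a
# feature branch or opening a pull request never runs these jobs at all.
name: publish

on:
  push:
    branches: [main]

# Default GITHUB_TOKEN is read-only here; the job mints the token it needs.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # Secrets stored on this environment are only exposed to jobs that name it,
    # and the environment's deployment-branch rule (repo Settings -> Environments)
    # is set to allow only main, so a job started from any other branch is
    # rejected before it can read them. "publish" is an assumed environment name.
    environment: publish
    steps:
      - uses: actions/checkout@v4

      # Mint a short-lived installation token for the actions-helper GH App
      # instead of handling a long-lived PAT. Secret names are assumed.
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.ACTIONS_HELPER_APP_ID }}
          private-key: ${{ secrets.ACTIONS_HELPER_PRIVATE_KEY }}

      - name: Publish
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: ./scripts/publish.sh   # assumed publishing script
```

The regular CI workflow that runs on pull requests and feature-branch pushes keeps no `environment:` line and no reference to these secrets, so a contributor's run has nothing to echo.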