Inform people that repository collaborators can read PATs or discourage people from using them #74
Comments
|
Sorry, I accidentally created this issue several times due to GitHub throwing a 500 when I submitted it. I'm closing all of them except for one. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Inside the README, people are encouraged to use a PAT to access repository content, but this adds a risk to the repository owner's account, allowing people to read any private repository if they get access to it. As stated in the GitHub Documentation, anyone with write access can read the PAT and all private repositories a user has access to.
People should be discouraged from using PATs and should be encouraged to keep the action in their within their own repository to prevent repository collaborators from having more access to a user's account than they should.
The text was updated successfully, but these errors were encountered: