Open swissbuechi opened 2 months ago
Forgive the naivety - I've not used GitHub actions much. Where is the robot getting its permissions from to update files? Is there any exploit mechanism with that that someone could use nefariously or is it locked down?
It's using the "managed identity" of the GitHub Action to automatically authenticate via Git.
It has a permission block where I specified that the $GH_TOKEN, which is used by the action, has write access to the content of the repository and therefore can make commits.
This is a common use case for a GitHub Action and I can't see any security problems.
Initial PR: https://github.com/DomT4/homebrew-autoupdate/pull/114
Please take a look at all the comments and tests from the initial PR.
Related PR which could be solved by merging this PR: https://github.com/DomT4/homebrew-autoupdate/pull/134
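The permissions block discussed above, as an added illustration that is not the workflow from this PR or from the homebrew-autoupdate project: a scheduled workflow whose job token is granted only `contents: write`, passed to the step as `GH_TOKEN`. The workflow name, schedule and the `./update.sh` script are assumptions for the example; `GITHUB_TOKEN`, the top-level `permissions` key and `actions/checkout` are standard GitHub Actions features.

```yaml
name: autoupdate-bot            # hypothetical workflow name

on:
  schedule:
    - cron: "0 6 * * *"         # once a day; an assumption for this example
  workflow_dispatch:

# A top-level permissions block replaces the default token grants:
# every scope not listed here becomes "none". Only repository contents
# get write access, which is all that committing and pushing requires.
permissions:
  contents: write

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      # checkout stores GITHUB_TOKEN as the Git credential for this
      # workspace, so the later "git push" authenticates without any
      # long-lived secret being kept in the repository.
      - uses: actions/checkout@v4

      - name: Regenerate tracked files and commit
        env:
          # GITHUB_TOKEN is minted per job run, scoped to this repository,
          # and expires when the job finishes.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          ./update.sh             # hypothetical script that rewrites the files
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          if git diff --quiet; then
            echo "Nothing to commit"
            exit 0
          fi
          git commit -am "Automated update"
          git push
```

Two checks worth making when reviewing such a workflow: the repository's "Workflow permissions" setting still caps what any `permissions` block can grant, and branch protection rules apply to the bot's pushes exactly as they do to a human's. On `pull_request` events from forks the job token is read-only regardless of this block, and pushes made with `GITHUB_TOKEN` do not trigger further workflow runs, which keeps the bot from looping on its own commits.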