Open rocallahan opened 5 months ago
Hey Robert,
What you mentioned also applies to essentially all secrets provided to a GH action workflow. That said, I totally see your point because this particular secret has Admin access to the repo and can't be scoped like, say, the AWS token.
There seems to be some good news from GitHub finally! They have added a Self-hosted runners permission scope to fine-grained tokens which should address this particular issue.
I am gonna test it on our side (might need to get rid of some old cleanup code) and make sure it works, then update the README to provide instructions for the creation of new non-Admin tokens.
Thank you for addressing this security issue, @mahdi-torabi. Would you happen to have any updates? Let me know. Thanks!
It seems to me that if you create a PAT with read/write 'Administration' and expose that as a secret that workflows can use, you have to prevent pull requests from running workflows. Otherwise anyone can create a pull request that edits the workflow to dump the PAT, and with that PAT they can do anything they want to your repo. Is this correct? If it is, maybe you should mention this in your README.
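As an added example (not code from the project or from anyone in this thread), a small Python audit that flags the pattern described above: workflow files that run on `pull_request` or `pull_request_target` and reference any secret other than the automatic `GITHUB_TOKEN` (`pull_request_target` runs with secrets even for fork pull requests). The sample workflow files and the secret name `RUNNER_ADMIN_PAT` are constructed for illustration, and the trigger detection is a line-based heuristic rather than a full YAML parser.

```python
import re
PR_EVENTS = {"pull_request", "pull_request_target"}
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Constructed sample workflow files (not from the project discussed in the thread).
SAMPLE_WORKFLOWS = {
    # risky: a pull request can run this job with an admin-scoped PAT in scope
    "start-runner.yml": "on:\n  pull_request:\n  workflow_dispatch:\njobs:\n  start:\n"
    "    steps:\n      - with:\n          github-token: ${{ secrets.RUNNER_ADMIN_PAT }}\n",
    # not flagged: same secret, but only runs on pushes (e.g. to a protected branch)
    "deploy.yml": "on: [push]\njobs:\n  d:\n    steps:\n"
    "      - with:\n          github-token: ${{ secrets.RUNNER_ADMIN_PAT }}\n",
    # not flagged: PR-triggered, but only uses the scoped, short-lived GITHUB_TOKEN
    "label.yml": "on: pull_request_target\njobs:\n  l:\n    steps:\n"
    "      - with:\n          repo-token: ${{ secrets.GITHUB_TOKEN }}\n",
}

def pr_triggers(text):
    """Pull-request events under the top-level `on:` key: scalar, flow-list or
    block form (a line-based heuristic, not a full YAML parser)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:  # `on: pull_request` or `on: [push, pull_request]`
            return set(re.findall(r"[A-Za-z_]+", inline)) & PR_EVENTS
        found = set()
        for nxt in lines[i + 1:]:  # block form: event keys are indented children
            if nxt.strip() and not nxt.startswith(" "):
                break
            km = re.match(r"^\s+([A-Za-z_]+):", nxt)
            if km and km.group(1) in PR_EVENTS:
                found.add(km.group(1))
        return found
    return set()

def exposed_secrets(text):
    """Secret names a workflow references, minus the automatic GITHUB_TOKEN."""
    return set(SECRET_RE.findall(text)) - {"GITHUB_TOKEN"}

def audit(workflows):
    """Flag workflows that run on pull-request events AND use a long-lived secret."""
    findings = {}
    for name, text in workflows.items():
        events, secrets = pr_triggers(text), exposed_secrets(text)
        if events and secrets:
            findings[name] = {"events": sorted(events), "secrets": sorted(secrets)}
    return findings
```

Pointed at a real `.github/workflows/` directory, a hit means the PR-gating or the token scope discussed above needs attention.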