actions-rs / meta

🦀 GitHub Actions for Rust - recipes, discussions, questions and ideas
https://github.com/actions-rs
Creative Commons Zero v1.0 Universal
353 stars, 15 forks

Security considerations #25

Open. Diggsey opened this issue 4 years ago

Diggsey commented 4 years ago

GitHub Actions are a target for any malicious actors as they have access to secrets like crates.io login tokens for potentially thousands of crates.

This organisation is likely to become the de facto standard for Rust GitHub Actions. As such you should put in place (and document) some basic security precautions. For example:

To name a couple of options.

svartalf commented 4 years ago

Thank you for pointing that out, @Diggsey.

2FA is enabled and used already and all released tags are signed with my personal key (as can be seen here, for example); it is the same key that is provided at my homepage, on PGP keyservers or Keybase (if you are okay with this thing).

It is a good idea to document the applied security measures, I'll try to compile a page for that. If you have any examples of good security policies, I would really appreciate it!

Also, while I do understand the potential issues and try my best to enforce the security measures, I feel obligated to point out that Actions at actions-rs are published under the MIT license, which explicitly states the liability and warranty limitations. It is reasonable to point out that anyone who wants to adopt actions-rs should also assess and understand the risks; this, unfortunately, rarely happens when people are relying on open-source projects.

Diggsey commented 4 years ago

Yes, obviously you have no legal liability, but it's still important information for people deciding whether to fork actions-rs or use its actions directly. Anyway, it sounds like you are already ahead of the curve with 2FA and release signing, so just putting it in the readme or something would be cool 👍
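A check that adopters can run on their own workflows, as an added example that is not part of this thread or of the actions-rs project: it lists every `uses:` reference that points at a mutable tag or branch instead of a full 40-character commit SHA, since a mutable ref lets a later push to the action repository change the code that runs with the consumer's secrets. The sample workflow and the SHA inside it are constructed placeholders, not real actions-rs commits.

```shell
#!/bin/sh
# Added example (not from the actions-rs thread): flag `uses:` references in a
# GitHub Actions workflow that are pinned to a tag or branch rather than to a
# full commit SHA. Such references can be moved after the fact, so the action
# code that runs with the repository's secrets is not fixed.

# Constructed sample workflow, written to a temp file so the script runs offline.
WORKFLOW_FILE="${TMPDIR:-/tmp}/sample-workflow-$$.yml"
cat > "$WORKFLOW_FILE" <<'EOF'
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
      # Constructed placeholder SHA, not a real actions-rs commit.
      - uses: actions-rs/cargo@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - run: cargo test
EOF

# unpinned_uses FILE: print each `uses:` reference that is not pinned to a
# 40-hex commit SHA. Local (./) and docker:// references are skipped because
# they are not resolved through a GitHub repository's tag namespace.
unpinned_uses() {
    grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
      | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]+#.*$//' \
      | tr -d "\"'" \
      | grep -Ev '^(\./|docker://)' \
      | grep -Ev '@[0-9a-f]{40}$' || true
}

# count_unpinned FILE: number of unpinned references, usable as a CI gate
# (e.g. fail the job when the count is non-zero).
count_unpinned() {
    unpinned_uses "$1" | grep -c . || true
}

# Run against the constructed sample: expected to list the two tag-pinned steps.
unpinned_uses "$WORKFLOW_FILE"
```

Pinning to a SHA only helps if the SHA itself is one you trust, so resolve it from a release tag whose signature you have checked (for example with `git verify-tag` against the maintainer's published key, which this thread says is used for actions-rs tags) rather than copying whatever commit the tag currently points at.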