Closed zzak closed 1 year ago
Hey,
GitHub has a bunch of good resources on the security around workflows I'd recommend checking out (e.g. https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)
Two big things to note which I think will resolve your concerns:
When workflows are run, they're run from the repo they originate from. So, when a fork triggers a workflow, it runs in the context of that fork.
You can also do conditionals to limit runs to your repo only: if: ${{ github.repository_owner == 'YourUser' }}
(Example: https://github.com/cloudflare/workers-sdk/blob/6d5000a7b80b29eb57139c6334f40c564c9ad0c9/.github/workflows/create-pullrequest-prerelease.yml#L7)
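As an added example (constructed for this thread, not taken from the linked workflow or from the action's own documentation), here is a minimal workflow that applies the owner check above at the job level, so the publish job is skipped whenever the file runs inside a fork. The action reference `your-org/publish-action@v1` and the secret name `PUBLISH_API_TOKEN` are placeholders.

```yaml
name: Publish

# Constructed example. Trigger only on pushes to the default branch. A plain
# `pull_request` event from a fork never receives repository secrets, whereas
# `pull_request_target` runs with the base repo's secrets, so it is not used here.
on:
  push:
    branches: [main]

jobs:
  publish:
    # Skip the whole job when the workflow runs in a fork; a forked copy of this
    # file executes in the fork's own context, not in the upstream repository.
    if: ${{ github.repository_owner == 'YourUser' }}
    runs-on: ubuntu-latest
    # Least privilege for the automatic GITHUB_TOKEN; the publish token is
    # supplied separately as a repository secret.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      # Placeholder action and secret name; substitute the real publishing
      # action and the secret configured in the upstream repository.
      - uses: your-org/publish-action@v1
        with:
          apiToken: ${{ secrets.PUBLISH_API_TOKEN }}
```

Two properties combine here: a fork does not have the upstream repository's secrets at all, and the `if:` guard keeps the job from running anywhere but the owner's repository. What remains in scope is code that lands on the protected branch of the upstream repository itself, which is a branch-protection and review question rather than something the workflow file can address on its own.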
👋 Hello! I'm curious if you all have a recommendation or if there is a way to use this action in an open-source project that won't possibly expose the API token used for publishing.
It seems like if you use this action, anyone can fork your repo and craft a workflow which prints the token somewhere, and/or publish whatever they want under your pages domain.
Is there anyone who's dealt with this in particular for an OSS project?