cloudflare / pages-action

MIT License
440 stars 91 forks

Avoid exposing Cloudflare API tokens to workflow runs #92

Closed zzak closed 1 year ago

zzak commented 1 year ago

👋 Hello! I'm curious if you all have a recommendation or if there is a way to use this action in an open-source project that won't possibly expose the API token used for publishing.

It seems like if you use this action, anyone can fork your repo and craft a workflow which prints the token somewhere, and/or publish whatever they want under your pages domain.

Is there anyone who's dealt with this in particular for an OSS project?

WalshyDev commented 1 year ago

Hey,

GitHub has a bunch of good resources on the security around workflows I'd recommend checking out (e.g. https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)

Two big things to note which I think will resolve your concerns:

  1. Workflows require approval on first runs from external contributors. Someone could not just fork and run arbitrary code on your account without approval
  2. Secrets are not passed to forks so someone does not have the ability to access your API token if created as a secret (which it 100% should be)

When workflows are run, they're run from the repo they originate from. So, when a fork triggers a workflow, it runs in the context of that fork.

You can also do conditionals to limit runs to your repo only: if: ${{ github.repository_owner == 'YourUser' }} (Example: https://github.com/cloudflare/workers-sdk/blob/6d5000a7b80b29eb57139c6334f40c564c9ad0c9/.github/workflows/create-pullrequest-prerelease.yml#L7)
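The setup WalshyDev describes, written out as an added example that is not part of this thread or of cloudflare/pages-action's own documentation. The first workflow is the anti-pattern that would actually leak the token: `pull_request_target` runs in the base repository's context with secrets available, so checking out and building the PR head runs a fork author's code next to the token. The second is the hardened version of the same deploy. Secret names (`CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_ACCOUNT_ID`), the owner `YourUser`, the project name `my-site`, the `dist` directory and the npm build command are assumptions; the `apiToken`, `accountId`, `projectName`, `directory` and `gitHubToken` inputs are the ones documented for `cloudflare/pages-action@v1`. The two workflows are shown as one file separated by `---` only for reading; they would live in separate files.

```yaml
# Added example, not from the thread or the project.
# --- .github/workflows/deploy-unsafe.yml (anti-pattern, do not use) ----------
# pull_request_target runs in the BASE repo's context, so secrets ARE present
# even for a PR opened from a fork. Checking out the PR head and running its
# build script executes untrusted code alongside CLOUDFLARE_API_TOKEN.
name: Deploy (unsafe)
on:
  pull_request_target:                                   # base-repo context + secrets
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }} # untrusted fork code
      - run: npm ci && npm run build                     # runs that code (package.json scripts)
      - uses: cloudflare/pages-action@v1
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}  # reachable by the build step above
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          projectName: my-site                           # assumed project name
          directory: dist
---
# --- .github/workflows/deploy.yml (hardened) --------------------------------
name: Deploy to Cloudflare Pages
on:
  push:
    branches: [main]          # only code a maintainer has already merged
  pull_request:               # fork PRs run in the fork's context: no secrets
permissions:
  contents: read              # least-privilege GITHUB_TOKEN for the whole workflow
  deployments: write          # only needed if gitHubToken is passed to the action
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build                     # assumed build command
      - uses: actions/upload-artifact@v4
        with:
          name: site
          path: dist
  deploy:
    needs: build
    # Skip in forks (the condition from the thread) and on PR events, so a
    # same-repo PR cannot publish either; only a push to main reaches the token.
    if: github.repository_owner == 'YourUser' && github.event_name == 'push'
    runs-on: ubuntu-latest
    environment: production   # optional: attach required reviewers to this environment
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: site
          path: dist
      - uses: cloudflare/pages-action@v1
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}  # repo secret; never available to forks
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          projectName: my-site                           # assumed project name
          directory: dist
          gitHubToken: ${{ secrets.GITHUB_TOKEN }}       # optional: creates a GitHub Deployment
```

Two practical checks on top of the workflow itself: create the API token with only the Cloudflare Pages edit permission on the one account, so a leak cannot reach DNS or Workers, and keep "Require approval for all outside collaborators" enabled in the repository's Actions settings so the first-run approval WalshyDev mentions applies to every fork PR.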