Closed HonkingGoose closed 2 years ago
Everything is fine
I agree that this warning should definitely be called out on its own. I went looking for it today and actually missed it even still due to it being under the "Use credentials which are minimally scoped" heading.
@HonkingGoose Thanks so much for opening an issue! I'll triage this for the team to take a look :eyes:
Thank you for opening this issue! Your proposed plan sounds good. I modified it slightly below since we try to avoid sections that contain only a warning.
Under the "Using secrets" section, add a warning that states that any user with write access to your repository has read access to all secrets configured in your repository. (`{% warning %}` / `{% endwarning %}` will add the red warning box styling.)
I think that with the addition of the warning in step 2, we could probably skip the new section in step 1. However, it is also ok if you want to do both steps, since this is an important point in a long document.
You or anyone else is welcome to open a PR to address this.
Thank you for the review and modified plan. I'll let somebody else make a PR to resolve this issue.
I would like to contribute to this issue. If no one else is working on it, could you please assign it to me?
@mounilKshah As a general rule, we don’t assign issues to anyone. If you find an issue to work on, you are welcome to open a PR with a fix ✨
Oh alright. I'll begin working on a solution for this issue right away. Also, is there a separate developer channel or are all discussions done under the 'Discussions' section of the repository?
@mounilKshah all discussions are done under the 'Discussions' section of the repository ✨
What article on docs.github.com is affected?
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
What part(s) of the article would you like to see updated?
There's a big warning in the linked page:
It's really easy to read/skim past this the way the document is structured now.
I propose we add a new heading:
Strongly consider who you give write rights to
and put the warning "Be mindful that any user with write access to your repository has read access to all secrets configured in your repository." in that section. I suggest styling the warning message itself as a warning box with a red background, or something similar, to really capture the attention of the reader.
Additional information
No response
Edited by maintainer. Here is the content design plan by a writer for this issue.