github / vscode-github-actions

GitHub Actions extension for VS Code
https://marketplace.visualstudio.com/items?itemName=GitHub.vscode-github-actions
MIT License

Secrets are no longer secret. #324

Closed jbkeg closed 1 month ago

jbkeg commented 2 months ago

Describe the bug

I have a private repo in GitHub for which I have no authority to access the repository settings. But I can still access the repository secrets and create/update/delete them.

To Reproduce

Steps to reproduce the behaviour:

  1. Link a repo for which you have no authority to access the repo settings with the VS Code GitHub Actions extension.
  2. In the extension, you can see/edit/create/delete the secrets.

Expected behavior

Reading/writing the secrets is supposed to fail or be blocked.

Extension Version

v0.26.2

brignano commented 1 month ago

I have observed the same behavior recently. This applies to secrets, variables, and environments.

elbrenn commented 1 month ago

The VSCode Extension uses our public REST APIs to modify secrets and variables. Repo secrets and variables can be written, modified and deleted with collaborator access to the repo.
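
To audit which accounts this applies to, the added example below (not part of the thread or of the extension's code) sorts a repository's collaborator list into accounts that can reach secrets through both Settings and the API, and accounts that can reach them through the API alone. It assumes "collaborator access" corresponds to the `push` flag in the `GET /repos/{owner}/{repo}/collaborators` response; the sample data and logins are constructed.

```python
import json

# Constructed sample shaped like GET /repos/{owner}/{repo}/collaborators
# (logins are made up; only the fields used below are included).
SAMPLE_COLLABORATORS = json.loads("""
[
  {"login": "alice-admin", "role_name": "admin",
   "permissions": {"pull": true, "triage": true, "push": true, "maintain": true, "admin": true}},
  {"login": "bob-writer", "role_name": "write",
   "permissions": {"pull": true, "triage": true, "push": true, "maintain": false, "admin": false}},
  {"login": "carol-triage", "role_name": "triage",
   "permissions": {"pull": true, "triage": true, "push": false, "maintain": false, "admin": false}},
  {"login": "dave-reader", "role_name": "read",
   "permissions": {"pull": true, "triage": false, "push": false, "maintain": false, "admin": false}},
  {"login": "erin-partial", "role_name": "write"}
]
""")


def classify(collaborator):
    """Return 'settings+api', 'api-only', 'none' or 'unknown' for one entry."""
    perms = collaborator.get("permissions")
    if not isinstance(perms, dict):
        return "unknown"  # never guess when the permission flags are missing
    if perms.get("admin"):
        return "settings+api"  # can open repository Settings and call the API
    # ASSUMPTION: push (write) is the level the secrets endpoints accept.
    if perms.get("push"):
        return "api-only"  # no Settings page, but the REST API still works
    return "none"


def audit(collaborators):
    """Group logins by how they can reach repository secrets and variables."""
    report = {"settings+api": [], "api-only": [], "none": [], "unknown": []}
    for c in collaborators:
        report[classify(c)].append(c.get("login", "<no login>"))
    return report


if __name__ == "__main__":
    for bucket, logins in audit(SAMPLE_COLLABORATORS).items():
        print(f"{bucket:13} {', '.join(logins) or '-'}")
```

The `api-only` bucket is the situation reported in this issue: accounts that never see the Settings page but can still change secrets, variables and environments through the API.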