uraimo
commented
2 years ago Hi, yes, it's safe, for the following reasons:
- The token obtained with
${{ github.token }}is an ephemeral workflow token that is generated by github and is valid only during the current workflow session. The temporary token will be stored only on the runner (see the warning you pasted), that will be destroyed once the workflow terminates. - The optional token is only used internally to publish the newly created run-on-arch docker container on ghcr.io, this container does not contain the token and has no visibility on the token variable (or any of its derivates).
[1] https://docs.github.com/en/actions/security-guides/automatic-token-authentication [2] https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
timandy
this action prints
Your password will be stored unencrypted in /home/runner/.docker/config.json.