This is kind of not a solution to the problem; it's not necessarily true that any collaborator could do what you say, so why should the workflow have the same permissions as an Action? The collaborator would also have to be able to control the specific Action and what it does, not the whole runner. Consider the following extremely common scenario:

- master is a protected branch, pushable by only administrators
- master furthermore has "require review" enabled
- feature branches are submitted as PRs
- when a PR is accepted, it gets pushed to master
- when a PR is pushed to master we want an auto patch version bump and tag of that version, on master
If a malicious collaborator wanted to run arbitrary code through a commit, they would have to get this arbitrary code through the review process. It seems a bit paranoid to not create this feature based on the argument that a reviewer might make a stupid mistake; that is true regardless of whether the feature exists or not.

What we need to make this last step above work is for Actions to have their own permission set (or a way to make an imported action get the permissions of an App? Or an App to work like an action?). With a small modification to @robozevel's suggestion, it seems like a good solution. If there's a way to do that already, I haven't been able to find it, but would be more than happy to hear it!
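The last step of the scenario above, written out as a GitHub Actions workflow. This is an added illustration, not code from the original post: the bump-and-tag logic is a plain shell step, the tag format `vMAJOR.MINOR.PATCH` is an assumption, and the final push is the point the post is about, because the workflow's default `GITHUB_TOKEN` is subject to the protection on master and the push is rejected unless the job is given a token that is allowed to bypass it (for example an App installation token, as the post suggests).

```yaml
# Assumed: the repository already has at least one tag of the form vX.Y.Z.
name: bump-patch-and-tag

on:
  push:
    branches: [master]

# Least privilege for the default token: this job only needs to write repo contents.
permissions:
  contents: write

jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history so the latest tag is visible

      - name: Compute next patch version
        id: next
        run: |
          set -euo pipefail
          latest="$(git describe --tags --abbrev=0 --match 'v[0-9]*')"
          # v1.4.2 -> v1.4.3
          next="$(printf '%s' "$latest" | awk -F. '{ $NF = $NF + 1; print }' OFS=.)"
          echo "version=$next" >> "$GITHUB_OUTPUT"

      - name: Commit version bump and tag
        run: |
          set -euo pipefail
          git config user.name  "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          printf '%s\n' "${{ steps.next.outputs.version }}" > VERSION
          git add VERSION
          git commit -m "chore: bump version to ${{ steps.next.outputs.version }}"
          git tag -a "${{ steps.next.outputs.version }}" -m "Release ${{ steps.next.outputs.version }}"
          # This push is what fails with the default GITHUB_TOKEN when master
          # requires review: the token cannot bypass branch protection, so the
          # step needs a token (e.g. from a GitHub App) that the rules allow through.
          git push origin HEAD:master --follow-tags
```

The tag push alone succeeds with the default token; only the commit to the protected branch is blocked, which is why the post asks for Actions to carry their own permission set.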