Imagine you have GitHub Actions that run on PRs and that use secrets (say, to test on AWS). Are these secrets secure? I.e., could the person creating the PR exfiltrate them?
My gut feeling is yes, since they can modify the GitHub Action workflow, they can effectively do whatever they want to reveal the secret?
Is this correct? If so, is there any way around it? If not, what am I misunderstanding?