Let’s say I created a deploy key with write permissions to repository A.
Let’s say repository A has a protected master branch that has " Require a pull request before merging " enabled and “Allow force pushes” and “Allow deletions” disabled for everyone including admins.
If a malicious attacker steals that deploy key, what damage can they do to the repository? Can they create a pull request? Can they merge that pull request?
Is my understanding correct that the only thing they can do is to create, modify, or delete unprotected branches in that repository? They can’t affect the protected branches in any way?