Can a deploy key create a pull request?

Let’s say I created a deploy key with write permissions to repository A.

Let’s say repository A has a protected master branch that has “Require a pull request before merging” enabled and “Allow force pushes” and “Allow deletions” disabled for everyone including admins.

If a malicious attacker steals that deploy key, what damage can they do to the repository? Can they create a pull request? Can they merge that pull request?

Is my understanding correct that the only thing they can do is to create, modify, or delete unprotected branches in that repository? They can’t affect the protected branches in any way?

Hi @1f604 and welcome to the forum! Yes, I believe that is correct. They cannot execute GitHub-related actions like creating/updating PRs/Issues or get access to your GitHub account in any way.

Keep in mind you can also create a deploy key that can just pull if you’re worried about changes being pushed.
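
An added example, not part of the original thread: one way to audit a repository for the exposure discussed above, listing which deploy keys are write-capable and which unprotected branches a stolen copy could change. The sample JSON is constructed and follows the shape of GitHub's REST API responses for `GET /repos/{owner}/{repo}/keys` and `GET /repos/{owner}/{repo}/branches`; the function names are hypothetical.

```python
import json

# Constructed sample data in the shape of the GitHub REST API responses for
# GET /repos/{owner}/{repo}/keys and GET /repos/{owner}/{repo}/branches.
DEPLOY_KEYS_JSON = """[
  {"id": 1, "title": "ci-deploy", "read_only": false},
  {"id": 2, "title": "mirror-pull", "read_only": true}
]"""
BRANCHES_JSON = """[
  {"name": "master", "protected": true},
  {"name": "release-1.x", "protected": false},
  {"name": "feature/login", "protected": false}
]"""


def audit_deploy_keys(keys, branches):
    """Return one finding per deploy key: what could a stolen copy push to?"""
    unprotected = sorted(b["name"] for b in branches if not b.get("protected", False))
    findings = []
    for key in keys:
        # A missing read_only field is treated as write access, so gaps in
        # the data are reported rather than silently passed.
        writable = not key.get("read_only", False)
        findings.append({
            "id": key["id"],
            "title": key["title"],
            "writable": writable,
            # Following the thread: a write key reaches unprotected branches only.
            "exposed_branches": unprotected if writable else [],
        })
    return findings


def report(findings):
    """Format findings as one line per key for a review ticket or CI log."""
    lines = []
    for f in findings:
        if f["writable"]:
            exposed = ", ".join(f["exposed_branches"]) or "none"
            lines.append(f"[WRITE] key {f['id']} ({f['title']}): can create branches; existing unprotected: {exposed}")
        else:
            lines.append(f"[READ]  key {f['id']} ({f['title']}): pull only")
    return lines


if __name__ == "__main__":
    results = audit_deploy_keys(json.loads(DEPLOY_KEYS_JSON), json.loads(BRANCHES_JSON))
    print("\n".join(report(results)))
```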

