Has anyone done a thorough analysis of how secure secrets are?
I’m asking because with my macOS / iOS Actions I’m at a point where I need to start calling into Apple’s App Store Connect API, and that is a bit scary.
I’m less worried about GitHub accidentally exposing secrets - I assume the part that stores them on the GitHub server and substitutes them in inputs is pretty solid.
What I do not have a good grasp on, for example, is what happens to secrets in pull requests, specifically in public projects. Could someone submit a pull request and modify files in .github/workflows with malicious intent to retrieve a secret?
I’ll do more research but I am curious about other people’s thoughts and insight.