How to prevent repository collaborators from triggering workflow

According to https://help.github.com/en/github/automating-your-workflow-with-github-actions/authenticating-with-the-github_token,

Anyone with write access to a repository can create, read, and use secrets.

Suppose there is a GitHub repository secret that contains a token for deploying to the staging (or even production) environment.

Any collaborator with write permissions can create a new GitHub workflow file, use the repository secret to deploy to the staging/production environment in that workflow file, push the changes into any branch and thus trigger this workflow.

As a result, an arbitrary version of the code will be deployed.

Is it possible to prevent this and allow triggering deployment only to authorized users?

4 Likes

I have the same thought.

If I want to use actions for deployments, I’d want to make sure that only master could be deployed to production. master can then be protected with branch protection to ensure that changes to workflow files must be approved by the relevant CODEOWNERS.

According to https://github.community/t5/GitHub-Actions/Question-on-actions-security/m-p/35028/ it seems that in order to achieve desired security boundaries we have to use forks.
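The branch-protection approach described in the reply above, as an added example that is not from the thread or from GitHub's documentation. The secret name `STAGING_DEPLOY_TOKEN`, the script `./scripts/deploy.sh` and the team `@example-org/release-approvers` are assumed names chosen for illustration:

```yaml
# Example only (not from the thread). Assumed: secret STAGING_DEPLOY_TOKEN,
# script ./scripts/deploy.sh, reviewing team @example-org/release-approvers.
name: deploy-staging

on:
  push:
    branches:
      - master            # this workflow only reacts to pushes on master

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Deploy to staging
        env:
          # The token is only read by this job, on this branch
          DEPLOY_TOKEN: ${{ secrets.STAGING_DEPLOY_TOKEN }}
        run: ./scripts/deploy.sh
```

To make this stick, the workflow directory is assigned an owner in `.github/CODEOWNERS` (for example `/.github/workflows/ @example-org/release-approvers`) and the `master` branch protection rule enables "Require review from Code Owners", so no change to a deploying workflow can reach `master` without approval from that team. The caveat the thread raises still applies: repository secrets are readable by any workflow on any branch, so this only guards the `master` deploy path. A workflow committed to an unprotected branch still sees `secrets.STAGING_DEPLOY_TOKEN`, which is why the thread concludes that a fork-based boundary is needed for collaborators who should not be able to deploy at all.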