The idea is to ensure that a certain secret is only used in a specific way, which a specific custom action can guarantee.
However, I cannot find a way to pass a secret to an action unless the secret is visible to the entire repo. Am I missing something? Is there some advanced secret-fu that would achieve this? If not, any plans?
A comparable feature would be system credentials in Jenkins: they are not accessible by mere build scripts, only by plugins explicitly installed by the administrator.