If I understand correctly, a single collaborator account could be compromised and a malicious actor could modify a config to run when pushed and send all your secrets to their server.

Sorry to tell you that you could not prevent collaborators to access to secrets through workflow.  

secrets.png715×484 17.7 KB

Oh bummer.  I was hoping for a way to secure these for when working with contractors.  Thanks for the reply!