I’m co-lead of the Cucumber · GitHub project. For a while now we’ve had a permissive commit bit policy, where we give commit access to the main repos to anyone who has a pull request accepted. Right now we have around 270 people in this group.
This is working well for us, but it does mean that the group of people who have commit rights are only semi-trusted, and shouldn’t be given access to the secrets we use for publishing packages. It would be too easy for someone to phone home with these secrets by pushing a change to a GitHub Actions.
I’m trying to work out how we can still automate package publishing in this context. It looks to me like the only way to do it would be to have separate repo(s) that only the trusted “inner circle” of maintainers have write access to, and put GitHub Actions workflows for publishing in there.
What do you think? Is anyone else doing something like this? Did I miss anything?