repository_dispatch security concern

At the moment repository_dispatch is the only way to externally trigger a GitHub Action. To use repository_dispatch, a Personal Access Token with full repo access is required.

I see a lot of people using this, but it’s important to note that by giving this key to an external service, you also expose your complete codebase to this service.

I feel like this is a security disaster waiting to happen, and should be replaced with something else as fast as possible. (I know people shouldn’t be doing this, but there is no other way, so it’s very tempting)


There are other ways to trigger a GitHub Action, most specifically via the deployment event:

https://help.github.com/en/actions/reference/events-that-trigger-workflows#deployment-event-deployment

This is in the family of “webhook” events that can trigger Actions:

https://help.github.com/en/actions/reference/events-that-trigger-workflows#webhook-events

And finally, I’ve had it confirmed that you can use a PAT with “repo:public_repo” (rather than the more powerful “repo”) OAuth scope for public repo repository_dispatch triggers.
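An added check for that last point (not code from this thread): before handing a PAT to an external service, confirm what scopes it actually carries. GitHub echoes a classic PAT's scopes in the `X-OAuth-Scopes` response header on any authenticated API call; the function names and the sample header values below are my own.

```python
"""Report whether a classic GitHub PAT carries more (or fewer) scopes than a
repository_dispatch trigger needs, using the X-OAuth-Scopes header value."""
import urllib.request

# Scope a public-repo repository_dispatch trigger needs, per the thread,
# and the scope a private repo needs. Anything beyond these is surplus.
PUBLIC_DISPATCH_SCOPES = {"public_repo"}
PRIVATE_DISPATCH_SCOPES = {"repo"}


def parse_scopes(header_value):
    """Turn 'repo, workflow' into {'repo', 'workflow'}; empty header -> set()."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def surplus_scopes(header_value, repo_is_public=True):
    """Scopes the token has beyond what the dispatch needs.
    For a public repo, 'repo' would work but also grants private-code access,
    so it is reported as surplus rather than accepted as a superset."""
    have = parse_scopes(header_value)
    need = PUBLIC_DISPATCH_SCOPES if repo_is_public else PRIVATE_DISPATCH_SCOPES
    return have - need


def missing_scopes(header_value, repo_is_public=True):
    """Scopes the dispatch needs that the token lacks.
    'repo' implies 'public_repo', so a full-repo token never lacks it."""
    have = parse_scopes(header_value)
    need = PUBLIC_DISPATCH_SCOPES if repo_is_public else PRIVATE_DISPATCH_SCOPES
    if "repo" in have and need == PUBLIC_DISPATCH_SCOPES:
        return set()
    return need - have


def fetch_scopes(token):
    """Live lookup (assumed shape, not exercised offline): the header is set on
    any authenticated request made with a classic PAT."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"token {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


if __name__ == "__main__":
    # Constructed sample header values, as returned by api.github.com.
    for hdr in ("public_repo", "repo", "repo, workflow"):
        print(hdr, "-> surplus:", surplus_scopes(hdr),
              "missing:", missing_scopes(hdr))
```

A token that shows any surplus scope for the repo in question is one whose leak would expose more than the dispatch it was issued for.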