Putting asside secrets used to upload a mark, if you’re relying on a workflow running in the student’s repository to generate the mark, you’ve essentially built a self assessment system.
Maybe it would be better having a system where the student requests that their work be marked, and some system out of their control assesses their work. You could still use Github actions to perform the assessment though, instead relying on a workflow running in a repository you control. For example, you could have a workflow starting with:
- name: Check out the assessment harness
- name: Check out the student's code
ref: master # or whatever revision you want to test
path: ./under-test # where you want to put the student's work
Since the workflow is in a repository you control, you can easily make use of secrets. It could even be a private repo if needed.
That leaves the question of how to trigger the workflow for a particular student’s work. From the look of it, “on: repository_dispatch” looks promising. This would let you trigger the workflow with a simple HTTP POST request with parameters like the repository name in the request body. As the dispatch API endpoint requires authentication, you can’t easily have students call it directly. You would probably want some simple system that takes the repository as input, checks that it actually belongs to a student and then sends the appropriate trigger.