Thank you @chrispat. I had seen this message earlier but wanted to hold off until we had reached a final decision before replying. Unfortunately, we've not yet definitively decided whether or not to abandon; to be fair, until your response, we were going to abandon GitHub Actions, but since we now have some visibility into the fact that at least someone actually wants to support this, we're currently holding off on abandonment.
We are working with our security team to get signoff from them to allow us to enable this feature. They have a concern that once a repo is forked, the owning org no longer has control over who is added to the repo fork, and therefore it opens up more doors for a malicious actor to get code into the repo that would then run in the CI, which could then exfiltrate code and secrets. Given the general nature of CI, I am not sure there is any real mitigation other than the trust boundary of the org and its collaborators.
Right; if the repository is private, someone had to have given the forking user access to the repository; there would have to be some level of trust there. Perhaps even a simple opt-in for the owning organization/user of the base repository to allow these actions to run?
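As an added example (not posted by any participant in this thread, and not GitHub's own documentation): a workflow that runs the unit tests on every pull request but only lets the job that needs a deployment secret run when the PR's head branch lives in the base repository rather than in a fork. The job names, the `make test` target, the `deploy-preview.sh` script and the `DEPLOY_TOKEN` secret are assumptions for illustration; the `github.event.pull_request.head.repo.full_name` and `github.repository` context values are standard GitHub Actions contexts.

```yaml
# Added example workflow, not from the original thread.
name: CI

on:
  pull_request:

# Least privilege for the automatic GITHUB_TOKEN: read-only unless a job needs more.
permissions:
  contents: read

jobs:
  unit-tests:
    # Runs for every PR, including ones opened from forks.
    # Deliberately references no secrets, so nothing here is worth exfiltrating.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test   # assumed project test target

  deploy-preview:
    # Only runs when the PR head repository is this repository, i.e. not a fork.
    # The comparison is made against the event payload GitHub supplies, not
    # against anything the PR author controls in their branch.
    needs: unit-tests
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy-preview.sh   # assumed deployment script
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # assumed secret name
```

The `if:` condition is defence in depth rather than the primary control: the workflow file itself is taken from the PR branch, so a fork author can edit it, and the real boundary is which secrets and token permissions the repository's settings allow a fork-triggered `pull_request` workflow to receive at all. Keeping every secret-bearing step behind the same-repository check means the tests still run on fork PRs while a fork PR never has a job that would expect a secret.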
I hope to have an update on when we can schedule this work soon.
I am anxiously looking forward to hearing when this may occur. While they have only been minor so far, we have actually had a couple of bugs make their way into a couple of different deployment environments that would have been caught much earlier had we had the ability to run our unit tests via GitHub Actions.