We have work going on to enable that scenario, but the changes were deeper than just the Actions token for a number of reasons. I expect we will ship that before the end of the year.
Hey, @chrispat, do you have anything to share with us? GitHub Actions will be GA'd in a couple of days, right (GitHub Universe 2019)?
Wow, talk about timing, I just saw you replied. I may be oversimplifying things, but if we are concerned about bad actors changing GitHub Actions via PR and leaking secrets, why not just prohibit all forks from editing a GitHub Action? That way, it's impossible for a bad actor to maliciously change a GitHub Action. My issue is PRs not being triggered from forks. If it's read-only, then the problem is solved, right?
@thisguychris No, it's not solved, since you could still leak secrets from the code that's being tested.
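The point made in the reply above, as an added example that is not part of the thread and not GitHub's code: the workflow file is held fixed (the base repository's copy, which a fork PR cannot edit), but the step it runs executes the test file that the PR itself supplies, so any secret placed in the job environment is readable by that test code. Python is used because a workflow YAML cannot be run stand-alone; `run_workflow`, `job_environment`, the `NPM_TOKEN` secret and both test files are constructed for the demonstration. The `from_fork` branch models GitHub's documented behaviour that runs triggered from forks do not receive repository secrets (apart from a read-only GITHUB_TOKEN), which is why the read-only-workflow idea alone is not enough.

```python
"""Why a read-only workflow file does not stop a fork PR from reading secrets.

Model (an assumption for this example, not GitHub's implementation): the
workflow file is fixed by the base repository, but the step it runs,
`python test.py`, executes whatever test.py the PR head contains. If secrets
are injected into the job environment, that PR-supplied code can read them.
"""
import os
import subprocess
import sys
import tempfile

# Constructed repository "secrets" for the demonstration; dummy values only.
SECRETS = {"NPM_TOKEN": "npm_dummy_token_123"}

# Constructed test file as a fork PR might submit it. The workflow never
# changed; only the code under test did. Printing to the job log stands in
# for any exfiltration channel.
MALICIOUS_TEST = """import os
print(os.environ.get("NPM_TOKEN", "<no secret in env>"))
"""

# Constructed honest test file, for comparison.
HONEST_TEST = """print("tests passed")
"""


def job_environment(secrets: dict, from_fork: bool) -> dict:
    """Model of the environment a job receives.

    Same-repo PRs get the repository secrets. Fork PRs get none, mirroring
    GitHub's documented behaviour that secrets (other than a read-only
    GITHUB_TOKEN) are not passed to runs triggered from forks.
    """
    env = dict(os.environ)
    # Make the demo deterministic even if the host already exports a same-named variable.
    for name in secrets:
        env.pop(name, None)
    if not from_fork:
        env.update(secrets)
    return env


def run_workflow(test_source: str, secrets: dict, from_fork: bool) -> str:
    """Run the fixed workflow step `python test.py` with PR-supplied test code.

    Returns the captured job log (stdout) so the caller can see what leaked.
    """
    env = job_environment(secrets, from_fork)
    with tempfile.TemporaryDirectory() as workdir:
        test_path = os.path.join(workdir, "test.py")
        with open(test_path, "w", encoding="utf-8") as f:
            f.write(test_source)
        # The workflow step itself is constant; only test.py varies with the PR.
        result = subprocess.run(
            [sys.executable, test_path],
            env=env,
            capture_output=True,
            text=True,
            check=False,
        )
    return result.stdout.strip()


if __name__ == "__main__":
    print("same-repo PR, malicious test:", run_workflow(MALICIOUS_TEST, SECRETS, from_fork=False))
    print("fork PR, malicious test:     ", run_workflow(MALICIOUS_TEST, SECRETS, from_fork=True))
    print("fork PR, honest test:        ", run_workflow(HONEST_TEST, SECRETS, from_fork=True))
```

Running it shows the same fixed workflow printing the token for a same-repo PR and `<no secret in env>` for a fork PR: the protection comes from withholding the secrets from fork-triggered runs, not from locking the workflow file.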
@bbenoist Again, my question is: if the secrets are leaking, why does it run on public repos? When you do a PR on a public repo, the action does get triggered. If it's a security issue, shouldn't it be disabled as well?
Dear @chrispat,
Is there any update you would like to share with us on the GITHUB_ACCESS Token for Pull Requests coming from forks?
This is a must-have, as this adds a manual step for reviewers to check action execution results on the forked repo.