Ground Controller Lvl 1
Message 1 of 2

How to prevent repository collaborators from triggering workflow

According to https://help.github.com/en/github/automating-your-workflow-with-github-actions/authenticating-with-t...,

Anyone with write access to a repository can create, read, and use secrets.

Suppose there is a GitHub repository secret that contains a token for deploying to the staging (or even production) environment.

Any collaborator with write permissions can create a new GitHub workflow file, use the repository secret to deploy to the staging/production environment in that workflow file, push the changes to any branch, and thus trigger this workflow.

As a result, an arbitrary version of the code will be deployed.

Is it possible to prevent this and allow only authorized users to trigger a deployment?

1 Reply
Copilot Lvl 2
Message 2 of 2

Re: How to prevent repository collaborators from triggering workflow

I have the same thought.

If I want to use actions for deployments, I'd want to make sure that only master could be deployed to production. master can then be protected with branch protection to ensure that changes to workflow files must be approved by the relevant CODEOWNERS.
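The setup the reply describes, written out as an added example (not from the thread or from GitHub's docs): a workflow that runs only for pushes to master and uses the deploy secret in that one job, with the matching CODEOWNERS line shown as a comment. The secret name `PRODUCTION_DEPLOY_TOKEN`, the team `@example-org/release-admins` and the script `./scripts/deploy.sh` are assumed placeholders.

```yaml
# .github/workflows/deploy.yml  (added example, not the original poster's file)
#
# Companion file .github/CODEOWNERS (separate file, contents shown here as a comment),
# so that with branch protection on master every change to a workflow file needs
# a review from the named team before it can be merged:
#
#   /.github/workflows/  @example-org/release-admins      # assumed team name
#
name: Deploy to production

on:
  push:
    branches:
      - master            # only pushes to master start this workflow

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Second guard at job level: skip the job if the ref is not master,
    # e.g. if the trigger list above is ever widened by mistake.
    if: github.ref == 'refs/heads/master'
    steps:
      - uses: actions/checkout@v2
      - name: Deploy
        env:
          # Assumed secret name; only this job reads it.
          DEPLOY_TOKEN: ${{ secrets.PRODUCTION_DEPLOY_TOKEN }}
        run: ./scripts/deploy.sh    # assumed deployment script in the repo
```

This restricts only this workflow file; as the question notes, a repository secret remains readable by any workflow a write-access collaborator pushes, which is why the branch protection and CODEOWNERS rule on `.github/workflows/` are the part that gates who can change deployment logic on master.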