According to https://help.github.com/en/github/automating-your-workflow-with-github-actions/authenticating-with-the-github_token, anyone with write access to a repository can create, read, and use secrets. Suppose there is a GitHub repository secret that contains a token for deploying to the staging (or even production) environment. Any collaborator with write permissions can create a new GitHub workflow file, use the repository secret to deploy to the staging/production environment in that workflow file, push the changes to any branch, and thus trigger this workflow. As a result, an arbitrary version of the code will be deployed. Is it possible to prevent this and allow triggering deployment only to authorized users?
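The scenario described in the question, as an added illustration that is not part of the original post: a workflow that any collaborator with write access can push to any branch, reading a repository-level secret, placed beside a version that reads the same token from a GitHub environment instead. The environment name `production`, the secret name `DEPLOY_TOKEN`, and the `./deploy.sh` script are assumptions made for this example. Environment protection rules (required reviewers, deployment branches) are configured in the repository's Settings > Environments, not in the workflow file; with them in place, a job that references the environment does not receive its secrets until an approver allows the run and the triggering branch matches the allowed pattern.

```yaml
# Added example (not from the original post).
# 1) Weak: repository-level secret, reachable from a workflow pushed to any branch.
name: deploy-weak
on:
  push:
    branches: ["**"]        # any branch a collaborator can push to triggers this
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh      # assumed script; DEPLOY_TOKEN is a repository secret
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}

---
# 2) Hardened: the token lives in the "production" environment (assumed name).
#    In Settings > Environments > production, set:
#      - Required reviewers: the people allowed to approve deployments
#      - Deployment branches: "Selected branches", e.g. main only
#    The job below only receives DEPLOY_TOKEN after a reviewer approves and
#    only when the workflow was triggered from an allowed branch.
name: deploy-hardened
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production   # gates this job behind the environment's rules
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh      # assumed script
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # environment secret, not repository secret
```

The point of the second form is that the secret is no longer usable by any workflow a collaborator happens to push: a job that does not declare `environment: production` cannot read the environment's secrets at all, and one that does declare it is held until the configured reviewers approve and is refused outright if the branch is not in the allowed list. Keep the repository-level copy of the token deleted, otherwise the first workflow still works.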