Skip to content

repo-analysis executes documents from the dispatched ref with secrets #98

Description

@taras

Problem

repo-analysis.yml checks out the dispatched inputs.ref and executes the
analysis documents from it with DEEPINFRA_TOKEN and an issues: write
token. Any write-access account can point it at an unreviewed branch and run
arbitrary document code with those credentials.

Proposal

Either execute the analysis documents from main (checkout the target ref
only as data), or gate the workflow behind an environment with required
reviewers, mirroring npm-publish.

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity hardening

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions