Replies: 1 comment
-
Hi @ViliusS! Thanks for the feedback - very interesting idea! |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Select Topic Area
Product Feedback
Body
Currently if organization level Workflow permissions are adjusted it automatically changes permissions on all old and new repositories, i.e. the permissions work as defaults. I think this is pretty dangerous.
Let's consider
Allow GitHub Actions to create and approve pull requests
permission which is very dangerous on itself. The only secure way to currently enable it is:Allow GitHub Actions to create and approve pull requests
on organization level.gh api --method PUT /repos/yourorg/yourrepo/actions/permissions/workflow -F can_approve_pull_request_reviews=false
Allow GitHub Actions to create and approve pull requests
on only needed repositories.Allow GitHub Actions to create and approve pull requests
is always disabled when a new repository is created.The last point is pretty difficult to do and in organization with thousands of repositories could open the repositories to all sorts of attacks.
Hence my proposal that organization level Workflow permissions should be changed from working as defaults to what is allowed to configure on repository level. The defaults on newly created repos should remain as much secure as possible.
Beta Was this translation helpful? Give feedback.
All reactions