Greg>Using an action defined by a third party, which might modify Apache
Greg>repositories in unknown ways ... not something we want.
Greg,

Do you have pointers that clarify how actions can modify Apache repositories?

I strongly believe that Actions are read-only by default. AFAIK the only way a GitHub Action can modify the repository is when the user provides credentials.

Of course, if somebody generates a personal access token and commits it to a public repository, then anyone can use it. However, by default a GitHub Action has no write access to the repository.

GitHub generates a temporary token for each execution (it is called GITHUB_TOKEN); however, it is NOT available for actions automatically, and it must be mentioned in the *.yml file in order to be used.

Here's the relevant documentation:
https://docs.github.com/en/free-pro-team@latest/actions/reference/authentication-in-a-workflow#using-the-github_token-in-a-workflow

Vladimir
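
An added example, not part of Vladimir's message or the linked documentation: a small Python audit that lists the workflow steps which explicitly pass the token to an action outside a first-party allowlist. The sample workflow, the `example-org/*` action names and the `first_party` prefixes are constructed assumptions; the scan is line-based and sees only explicit `${{ secrets.GITHUB_TOKEN }}` or `${{ github.token }}` references in the file.

```python
import re

# Constructed sample workflow, not taken from the thread.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Label PR
        uses: example-org/labeler@v1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Lint
        uses: example-org/linter@v3
      - name: Release notes
        uses: ./.github/actions/notes
        env:
          GITHUB_TOKEN: ${{ github.token }}
"""

TOKEN_RE = re.compile(r"\$\{\{\s*(?:secrets\.GITHUB_TOKEN|github\.token)\s*\}\}")
USES_RE = re.compile(r"\s*(?:-\s+)?uses:\s*(\S+)")

def steps_given_token(text, first_party=("actions/", "./")):
    """Return [(action, token_line_no)]; first_party is an assumed allowlist."""
    findings, cur = [], None  # cur: the list item (step) currently being read

    def close(step):
        if step and step["uses"] and step["line"] and not step["uses"].startswith(first_party):
            findings.append((step["uses"], step["line"]))

    for no, line in enumerate(text.splitlines(), 1):
        body = line.lstrip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(body)
        if cur is None or indent <= cur["indent"]:
            close(cur)  # dedent or sibling item: the previous step is complete
            cur = {"indent": indent, "uses": None, "line": None} if body.startswith("- ") else None
            if cur is None:
                continue
        m = USES_RE.match(line)
        if m:
            cur["uses"] = m.group(1).strip("'\"")
        if cur["line"] is None and TOKEN_RE.search(line):
            cur["line"] = no
    close(cur)
    return findings
```

On the sample it reports only `example-org/labeler@v1`, the one third-party step that is handed the token; passing `first_party=()` also lists the local action.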