Jarek> GitHub Actions can use the GITHUB_TOKEN to perform write operations to anything in the repo

Once again: GITHUB_TOKEN has to be explicitly used in the YAML file. If GITHUB_TOKEN is not mentioned in the YAML, then write access is NOT possible.

Jarek> This is exactly what Greg is writing about

Greg's message was very vague, so I asked for clarification.

Jarek> Basically, any non-trivial action will likely have the requirement to add GITHUB_TOKEN

Should infra forbid non-trivial workflows then? Why should others suffer? Apache Calcite and Apache JMeter use GitHub Actions, and GITHUB_TOKEN is not used at all.

The action to deny third-party actions looks too intrusive, and the risks/damage of a runaway action do not seem to exceed the risks of adding a compromised dependency / compromised build system plugin.

Jarek> But those practices are very difficult to enforce

One of the approaches would be to forbid committing GITHUB_TOKEN.

GitHub Actions doc> This means that a compromise of a single action within a workflow can be very significant,
GitHub Actions doc> as that compromised action would have access to all secrets configured on your repository

A compromise of a single build script plugin can be very significant, as that compromised code would have access to all secrets configured on developer (committer/PMC) machines, it would have access to all secrets configured on ASF Jenkins, and so on.

Does that mean the next step is to forbid all non-ASF build systems and the corresponding plugins?

Vladimir
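One way to implement the "forbid committing GITHUB_TOKEN" check discussed above, together with a report of third-party actions, as an added example that is not from this thread or from any ASF project. It is a line-based scan of workflow YAML (no PyYAML needed); the TRUSTED_ORGS set and the sample workflow are assumptions constructed for the example.

```python
"""Flag GITHUB_TOKEN references and third-party `uses:` in a workflow file.

Added example, not code from the thread. Run it in a pre-commit hook or a
CI lint step over .github/workflows/*.yml and fail on any finding you forbid.
"""
import re

# Both spellings of the automatic token that GitHub exposes to a workflow.
TOKEN_RE = re.compile(r"\$\{\{\s*(secrets\.GITHUB_TOKEN|github\.token)\s*\}\}")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Assumption: these orgs count as first-party; adjust to the project's policy.
TRUSTED_ORGS = {"actions", "github"}


def scan_workflow(text):
    """Return token line numbers, third-party action refs, and whether a
    top-level or job-level `permissions:` block is present at all."""
    findings = {"token_lines": [], "third_party": [], "has_permissions": False}
    for no, line in enumerate(text.splitlines(), 1):
        if TOKEN_RE.search(line):
            findings["token_lines"].append(no)
        if re.match(r"^\s*permissions:", line):
            findings["has_permissions"] = True
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # Local actions and docker:// refs are not third-party repositories.
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            if ref.split("/", 1)[0] not in TRUSTED_ORGS:
                findings["third_party"].append((no, ref))
    return findings


# Constructed sample workflow: one trusted action, one third-party action
# that is handed the token, and no `permissions:` block.
SAMPLE = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: some-vendor/publish-release@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - run: mvn -B verify
"""

if __name__ == "__main__":
    print(scan_workflow(SAMPLE))
```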