A way to manage access around who can edit contents of `.github/workflows/`


Enhancement: Provide role separation around who can edit contents of `.github/workflows/`

Reasoning: In an organization setting you have a lot of people who have write access to repositories. Add GitHub Actions workflows and a secrets manager (think org-level secrets manager when it is released) and every person with write access could change a workflow file or create a new workflow file to print out the contents of a secret. Being able to limit the people who can edit workflows would be a huge plus on the security front.

@ds0440 @josephshanahan-cfa

Issue Analytics

  • State:open
  • Created 3 years ago
  • Reactions:77
  • Comments:55 (7 by maintainers)

Top GitHub Comments

11 reactions
timharris777 commented, May 21, 2020

Hey guys, we understand that anyone who can edit the workflow file can possibly dump secret contents.

Our ask is that you provide role-based separation of who can edit the contents of the `.github/` folder or the `.github/workflows/` folder. For example, looking at the current roles of read, triage, write, maintain, and admin, maybe the maintain and admin roles could have access to update the folders in question. This would prevent everyone who only has write access to the repo from being able to edit the workflows.

Separately, GitLab allows per-folder permissions in addition to repo-level read/write permissions, which would solve our issue, but GitHub does not seem to have this capability. Is that on the radar at all?

10 reactions
deutmeyerbrianpfg commented, Apr 29, 2021

Another big concern with not having access controls is that a contributor can change the workflow trigger from on pull request to on push. That would allow the workflow to run without any approvals! We've configured an environment for the production deployment; however, if someone removed that and changed the trigger to push, the workflow would run in its entirety, bypassing the approvals.
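A check that a reviewer, or a CI policy job, could run over a proposed change to a workflow file to surface the risks raised in this thread: the trigger moving away from `pull_request`, a protected `environment:` being dropped from a job, and a secret being interpolated straight into a `run:` command. This is an added example, not code from the issue or from GitHub; the sample workflow pair is constructed, and the small `on:` parser is an assumption that only handles the common inline, flow-list and block shapes.

```python
import re

# Constructed samples (not from the thread): BEFORE is gated by PR review and a protected env; AFTER is the risky edit.
BEFORE = """\
on:
  pull_request:
    branches: [main]
jobs:
  deploy:
    environment: production
    steps:
      - run: ./deploy.sh
"""
AFTER = """\
on: push
jobs:
  deploy:
    steps:
      - run: echo "${{ secrets.DEPLOY_TOKEN }}"
"""

def triggers(text):
    """Event names under the top-level `on:` key (inline, flow-list or block form)."""
    lines = text.splitlines()
    idx = next((i for i, l in enumerate(lines) if l.startswith("on:")), None)
    if idx is None:
        return set()
    rest = lines[idx][3:].strip()
    if rest:  # on: push   or   on: [push, pull_request]
        return {t.strip() for t in rest.strip("[]").split(",") if t.strip()}
    found, base = set(), None  # block form: keys or list items one level in
    for nxt in (l for l in lines[idx + 1:] if l.strip()):
        indent = len(nxt) - len(nxt.lstrip())
        if indent == 0:  # back at top level: the `on:` block is finished
            break
        base = base or indent
        km = re.match(r"^\s*(?:-\s*)?([A-Za-z_][\w-]*)\s*:?\s*$", nxt)
        if indent == base and km:
            found.add(km.group(1))
    return found

def review(before, after):
    findings = []  # what a reviewer should see before approving the change
    if triggers(before) != triggers(after):
        findings.append(f"triggers changed: {sorted(triggers(before))} -> {sorted(triggers(after))}")
    envs = lambda t: set(re.findall(r"^\s+environment:\s*(\S+)", t, re.M))
    findings += [f"protected environment removed: {e}" for e in sorted(envs(before) - envs(after))]
    if re.search(r"run:.*\$\{\{\s*secrets\.", after):
        findings.append("secret interpolated directly into a run: command")
    return findings
```

Pairing a check like this with a required status check on the protected branch means a workflow edit that changes triggers or drops an environment cannot merge unnoticed, even though it does not replace the per-folder permissions the thread asks for.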
