Hi Junio,

On Tue, 20 Apr 2021, Junio C Hamano wrote:

> Johannes Schindelin <Johannes.Schindelin@xxxxxx> writes:
>
> > If you click on one of them (such as above-mentioned "Codacy Security
> > Scan"), you will see that "This workflow run has been marked as
> > disruptive" (see for yourself at
> > https://github.com/git/git/actions/workflows/codacy-analysis.yml).
>
> Yes, I was the one who "manually disabled" some of them. I did not
> find how to mark them "as disruptive", though.
>
> How well are our refs protected from these random "Actions"? Can
> somebody spam us with a pull request with a new "workflow" that
> advances one of our integration branches ;-)?

The GITHUB_TOKEN that is used by the GitHub workflows is generated in two
ways, depending on whether a PR originated from the same repository or from
a fork. If it came from a fork, the token has only read permissions.

So I'd say we're still safe.

Ciao,
Dscho
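
Added example, not part of the original message and not code from the Git project: a small audit that flags workflow files where the read-only token described above would not apply, namely the `pull_request_target` trigger (which runs in the base repository's context) and explicit write scopes under `permissions`. The two sample workflows and the finding codes are constructed for illustration, and the check is a line-based heuristic rather than a full YAML parse.

```python
import re

# Constructed sample workflows for illustration (not taken from git/git).
READ_ONLY = """\
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
RISKY = """\
on:
  pull_request_target:   # runs in the base repository's context
jobs:
  label:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

def audit_workflow(text):
    """Return sorted finding codes (hypothetical names) on GITHUB_TOKEN exposure."""
    # Drop YAML comments so commented-out keys are not counted.
    body = "\n".join(re.sub(r"(^|\s)#.*$", "", ln) for ln in text.splitlines())
    findings = set()
    # pull_request_target: the token is not forced read-only for fork PRs.
    target = re.search(r"\bpull_request_target\b", body) is not None
    if target:
        findings.add("trusted-trigger-for-fork-prs")
    # Without a top-level key, jobs that set none get the repository default.
    if not re.search(r"^permissions[ \t]*:", body, re.M):
        findings.add("no-top-level-permissions")
    # An explicit write scope lets a job push refs or alter other resources.
    if re.search(r"^[ \t]*permissions[ \t]*:[ \t]*write-all\b"
                 r"|^[ \t]+[\w-]+[ \t]*:[ \t]*write[ \t]*$", body, re.M):
        findings.add("write-scope-granted")
    # Checking out the PR head under pull_request_target runs untrusted code.
    if target and re.search(r"github\.event\.pull_request\.head\.(sha|ref)", body):
        findings.add("checks-out-untrusted-head")
    return sorted(findings)

if __name__ == "__main__":
    for name, wf in (("READ_ONLY", READ_ONLY), ("RISKY", RISKY)):
        print(name, audit_workflow(wf))
```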