Johannes Schindelin <Johannes.Schindelin@xxxxxx> writes:

> On Tue, 20 Apr 2021, Junio C Hamano wrote:
>
>> How well are our refs protected from these random "Actions"? Can
>> somebody spam us with a pull request with a new "workflow" that
>> advances one of our integration branches ;-)?
>
> The GITHUB_TOKEN that is used by the GitHub workflows is generated in two
> ways, depending on whether a PR originated from the same repository or from a
> fork. If it came from a fork, the token has only read permissions.
>
> So I'd say we're still safe.

Yeah, their blog post came to my inbox, which was quite timely, this
morning ;-).

https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
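The thread above relies on GitHub's default: a fork-originated PR gets a read-only GITHUB_TOKEN, while a same-repository PR may get a token that can write refs. The feature announced in the linked blog post lets a repository pin the token down explicitly so the protection does not depend on where the PR came from. The workflow below is an added illustration, not a file from the git project or from this thread; the workflow name, the branch name and the `make test` step are assumptions chosen for the example.

```yaml
# Added example, not part of the mailing-list thread or the git repository.
# Minimal GitHub Actions workflow that restricts the GITHUB_TOKEN at the
# workflow level. Once a `permissions` block is present, every scope that is
# not listed is set to `none`, so no job in this workflow can push to a branch
# regardless of whether the PR came from a fork or from the same repository.
name: ci                       # assumed workflow name

on:
  pull_request:
  push:
    branches: [ main ]         # constructed placeholder branch name

# Least-privilege default for all jobs: read the repository contents, nothing else.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test         # assumed build/test command
```

A job that genuinely needs to write (for example to publish a release) can override this with its own `permissions:` block scoped to that single job, which keeps the write capability out of every other job that runs on pull requests.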