Johannes Schindelin
@m-kuhn thank you for adding that advice. That's useful. Having said that, I am still unconvinced that we should change the default to `limit-access-to-actor=true`. It makes the Action more cumbersome...
It's a big change, and I defer to @mxschmitt to make the call. _Iff_ we change the default, I would recommend a major version bump, to notify existing users of...
I have another idea: how about introducing a new mode `limit-access-to-actor: auto` that uses the registered SSH keys if there are any, and falls back to `false` if there aren't...
> My concern is that other developers with privileged access to repositories I work on will run this action according to the first sample they run into (just like I...
I guess I am starting to come around to agree that it makes sense to change the default. @mxschmitt what's your take?
I agree that things should be secure by default insofar as possible and practical. If the first thing the Action does is to fail for the vast majority, then it does...
> > If the first thing the Action does is to fail for the vast majority, then it does not constitute "secure by default" but "broken by default". > >...
> I'm considering creating a fork for my own usage that suits my personal needs and spreading the word about it in the projects I'm working on. This is the...
> git push from the command line pretty much needs an ssh key.

Nope. Most people push via `https://`, typically using Git Credential Manager or GitHub Desktop. No SSH keys.
@petervanderdoes oh! You're here! I got the impression that this `gitflow-avh` was abandoned. It's good that I was wrong!