
SOFA PRs may be able to be abused by non-approved authors

Open erikng opened this issue 1 year ago • 1 comments

The current GitHub Action has no safety when running on branches or PRs. A rogue PR may be able to abuse this action and steal our credentials.

erikng avatar Jul 20 '24 11:07 erikng

So it turns out this may not be an issue:

https://github.com/orgs/community/discussions/26374

And it's not even possible to fix when using the cron option. We just need to be careful if we ever add other GitHub Actions.

erikng avatar Jul 22 '24 13:07 erikng
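For readers of this thread, the following is an added illustration of the GitHub Actions trigger behaviour the linked discussion rests on. It is not SOFA's own workflow and is not taken from this repository; the workflow names, job names, script names and the `API_TOKEN` secret are hypothetical. The two documents separated by `---` are two separate workflow files shown side by side: the first is the pattern that does hand secrets to code a PR author controls, the second is the shape that does not.

```yaml
# Added illustration, not the SOFA project's workflow. All names are hypothetical.
#
# Pattern A (unsafe): `pull_request_target` runs in the context of the BASE
# repository, so repository secrets are in scope. Checking out the PR's head
# commit and then running a script from it executes attacker-controlled code
# with those secrets available.
name: unsafe-example
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # code from the PR author
      - run: ./build.sh                                    # runs with secrets in scope
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}              # hypothetical secret
---
# Pattern B (the behaviour the linked discussion describes): a plain
# `pull_request` trigger on a PR from a fork runs without repository secrets
# and with a read-only GITHUB_TOKEN, so a rogue PR cannot read them even if
# it edits this file. A `schedule` trigger only ever runs the workflow as it
# exists on the default branch, so PR content cannot alter a cron run at all.
name: safer-example
on:
  pull_request:
  schedule:
    - cron: "0 6 * * *"
permissions:
  contents: read          # least-privilege token for every job below
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref: the merge commit for PRs,
                                    # the default branch for schedule runs
      - run: ./build.sh
      # The secret is referenced only in a step that never runs for a PR event,
      # so a fork PR has no path to it even through workflow edits.
      - if: github.event_name == 'schedule'
        run: ./publish.sh
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}              # hypothetical secret
```

The practical check when adding a new workflow or third-party action to a repository like this one is to grep for `pull_request_target` and for any checkout of `github.event.pull_request.head.sha` or `head.ref`; those two together are the combination that turns a PR into a way to read secrets, whereas `pull_request` and `schedule` triggers do not expose them to fork contributors.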