Any chance for a third +1 here? :)

On 2023/07/07 16:28:41 Vladimir Sitnikov wrote:
> >I will watch for abuse.
> 
> Thank you for the response.
> 
> Technically speaking, first-time contributors would need manual approval for
> executing CI anyway, so we don't need to constantly monitor pull requests for
> cryptominers and things like that.
> 
> Just wondering: are the others silent because they are busy or are they
> silent because they are not sure of the consequences?
> 
> I would like to mention that the policy summarizes the most important best
> practices for using GitHub Actions in a secure manner, and we should follow
> it no matter what.
> 
> For example, we need to be careful when modifying CI configuration (e.g.
> .github/.../*.yml files) since merging some changes (e.g.
> pull_request_target option) might expose secrets.
> 
> Vladimir
> 
