robin/attic-action
1
0
Fork 0
mirror of https://codeberg.org/icewind/attic-action.git synced 2026-06-03 09:34:11 +02:00
Code Issues Projects Releases Packages Wiki Activity

README: clarify on security

Browse source
This commit is contained in:
Domen Kožar 2020-07-29 11:59:30 +02:00 committed by GitHub
commit 295fe2c38f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
README.md
View file

@ -26,7 +26,12 @@ Cachix auth token and signing key need special care as they give read and write
> Anyone with write access to a repository can create, read, and use secrets. > Anyone with write access to a repository can create, read, and use secrets.
Which means all developers with push access can read your secrets and write to your cache. Furthermore, malicious code submitted via a pull request can, once merged into `master`, reveal the tokens. Which means all developers with write/push access can read your secrets and write to your cache.
Pull requests do not have access to secrets so read access to a public binary cache will work,
but pushing will be disabled since there is no signing key.
Note that malicious code submitted via a pull request can, once merged into `master`, reveal the tokens.
## Hacking ## Hacking