Merge pull request #42 from cachix/domenkozar-patch-1

README: clarify on security
2026-06-03 17:44:07 +02:00 · 2020-04-24 13:57:11 +02:00 · 2020-04-24 13:57:11 +02:00 · 6749aef225
commit 6749aef225
parent 6ca1a9b396 bfb80e965d
1 changed files with 10 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -56,7 +56,16 @@ jobs:

 See [action.yml](action.yml) for all options.

---
+## Security
+
+Cachix auth token and signing key need special care as they give read and write access to your caches.
+
+[As per GitHub Actions' security model](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets#using-encrypted-secrets-in-a-workflow):
+
+> Anyone with write access to a repository can create, read, and use secrets.
+
+Which means all developers with push access can read your secrets and write to your cache. Furthermore, malicious code submitted via a pull request can, once merged into `master`, reveal the tokens.
+

 ## Hacking