Giri

GitHub Actions and Secret Permissions

GitHub is great. They have a cute mascot. And they got people coding.

But their permission model leads to moments where this emoji, 😳, shows up more often than it should.

Recently I learned about the API permissions for the secrets store in GitHub Actions.

GitHub Actions allows you to store secrets per repository or at the organisation level, and workflows can consume them. This is useful because it keeps sensitive values, say a production deployment key, out of the repository while still letting you perform releases from Actions.

To add, update or remove organisation secrets, a token needs the admin:org scope, which should not be (and usually is not) handed out to many users.

However, adding, updating or removing repository secrets requires only the repo scope, i.e. write access to the repository. So every user with write access to the repo can list, add, update and remove its secrets. (The API never returns the secret values themselves, only names and timestamps, but overwriting a value needs no read access.)

None of this is visible in the UI to non-admins, because the Secrets page sits under repository Settings, so at first glance it looks admin-only. It isn't, as the API docs show. Consequently, an easy way to use, or abuse, repository secrets, even unintentionally, is through the gh CLI.

One workaround keeps your workflows running as expected:

  • Store and use sensitive secrets only from organisation secrets.

However, this still lets a malicious user push a repository secret with the same name, which overrides the value set at the organisation level: GitHub resolves a secret name at the lowest level at which it is defined, and the repository level sits below the organisation level.
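Since the override above is silent from the workflow's point of view, the check a team actually wants is "which of our repository secrets shadow an organisation secret?". The script below is an added example for this post, not code from the author or from GitHub. It assumes the documented response shape of two REST endpoints, GET /repos/{owner}/{repo}/actions/secrets and GET /repos/{owner}/{repo}/actions/organization-secrets (the latter lists the org secrets shared with the repo), both of which are readable with plain write access; the sample payloads and the repository/secret names in them are constructed, and the live variant assumes an authenticated gh CLI on the path.

```python
"""Flag repository secrets that shadow organisation secrets.

Added example for this post, not GitHub's own tooling. It relies on two
documented REST endpoints, both readable with ordinary write access:

  GET /repos/{owner}/{repo}/actions/secrets
  GET /repos/{owner}/{repo}/actions/organization-secrets

Each returns {"total_count": N, "secrets": [{"name": ..., "created_at": ...,
"updated_at": ...}, ...]} and never the secret values themselves.
"""
import json
import subprocess
from typing import Dict, List


def shadowed_secrets(repo_payload: Dict, org_payload: Dict) -> List[Dict]:
    """Return repo-level secrets whose name collides with an org secret.

    GitHub resolves a name at the lowest level it is defined at, so every
    entry returned here is a value the workflow uses instead of the
    org-managed one. Secret names are case-insensitive on GitHub, so the
    comparison uppercases both sides.
    """
    org_by_name = {s["name"].upper(): s for s in org_payload.get("secrets", [])}
    hits = []
    for repo_secret in repo_payload.get("secrets", []):
        org_secret = org_by_name.get(repo_secret["name"].upper())
        if org_secret is None:
            continue  # repo-only secret: nothing to shadow
        hits.append({
            "name": repo_secret["name"],
            "repo_updated_at": repo_secret.get("updated_at"),
            "org_updated_at": org_secret.get("updated_at"),
        })
    return hits


def shadowed_names(repo_payload: Dict, org_payload: Dict) -> List[str]:
    """Just the colliding names, sorted, for quick checks and alerting."""
    return sorted(h["name"] for h in shadowed_secrets(repo_payload, org_payload))


def audit_repo(owner: str, repo: str) -> List[Dict]:
    """Live variant: fetch both listings through the gh CLI and compare.

    Assumes `gh auth login` has been done; a token with only the repo
    scope is enough for both endpoints.
    """
    def api(path: str) -> Dict:
        out = subprocess.run(["gh", "api", path], check=True,
                             capture_output=True, text=True).stdout
        return json.loads(out)

    base = f"repos/{owner}/{repo}/actions"
    return shadowed_secrets(api(f"{base}/secrets"),
                            api(f"{base}/organization-secrets"))


# Constructed sample payloads in the documented shape; not real data.
SAMPLE_REPO = {
    "total_count": 2,
    "secrets": [
        {"name": "PROD_DEPLOY_KEY", "created_at": "2021-03-02T10:00:00Z",
         "updated_at": "2021-03-02T10:00:00Z"},
        {"name": "CODECOV_TOKEN", "created_at": "2021-01-10T09:00:00Z",
         "updated_at": "2021-01-10T09:00:00Z"},
    ],
}
SAMPLE_ORG = {
    "total_count": 2,
    "secrets": [
        {"name": "PROD_DEPLOY_KEY", "created_at": "2020-11-01T08:00:00Z",
         "updated_at": "2020-11-01T08:00:00Z", "visibility": "selected"},
        {"name": "NPM_TOKEN", "created_at": "2020-11-01T08:00:00Z",
         "updated_at": "2020-11-01T08:00:00Z", "visibility": "all"},
    ],
}

if __name__ == "__main__":
    # Offline run over the constructed payloads; swap in audit_repo(owner, repo)
    # for a real repository.
    for hit in shadowed_secrets(SAMPLE_REPO, SAMPLE_ORG):
        print(f"{hit['name']}: repo copy from {hit['repo_updated_at']} "
              f"overrides org value from {hit['org_updated_at']}")
```

On the sample data the only hit is PROD_DEPLOY_KEY, whose repo copy is newer than the org value, which is exactly the pattern a shadowing attack produces. To reproduce the override yourself with a token that has only the repo scope, `gh secret set PROD_DEPLOY_KEY --repo OWNER/REPO --body 'attacker-value'` is all it takes, and `gh secret delete PROD_DEPLOY_KEY --repo OWNER/REPO` undoes it; run the audit on a schedule and treat any non-empty result for a secret you meant to manage at the org level as an incident.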