Replies: 2 comments
This comment was marked as off-topic.
A quick fix here could be to remove the |
Why are you starting this discussion?
Bug
What GitHub Actions topic or product is this about?
Workflow Configuration
Discussion Details
Please provide a repository role where users can approve PRs, but cannot write to/change secrets used in workflows.
This seems like a pretty huge security oversight that anybody with write access to the repo can change secret values.
Users with write permissions are still restricted by rulesets to prevent causing damage to the contents of a repo. Access to secrets should also be restricted.
The only way to implement such a requirement already would be to make use of a GitHub Enterprise subscription. At a cost of $20 per user/month, this is just not an option for open source projects that want to care about supply chain security.
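As an added illustration (not part of the original discussion and not a GitHub-provided snippet), the workflow below puts the pattern the post is worried about next to the nearest mitigation that exists without a custom repository role: moving the secret into an environment whose protection rules require a named reviewer and restrict deployment to `main`. The secret name `DEPLOY_TOKEN`, the environment name `production` and the deploy script are assumptions; the two jobs are shown in one file only for side-by-side comparison and would not coexist in a real workflow. The point is that a collaborator with write access can still edit the workflow file on a branch, but the job that references the environment secret does not run until someone on the reviewer list approves it, so a pushed change cannot exfiltrate the secret on its own.

```yaml
# Added example (not from the original discussion). Both jobs need
# DEPLOY_TOKEN (an assumed secret name); they differ in where the secret
# lives and who can cause a run that sees it.
name: deploy

on:
  push:
    branches: ['**']        # any branch push by a write-access collaborator
  workflow_dispatch:

permissions:
  contents: read            # least-privilege GITHUB_TOKEN for every job

jobs:
  # Weak: a repository-level secret is handed to every run of this job.
  # Anyone who can push a branch can edit this file so the token is
  # printed, encoded or sent to an external host, and the run executes
  # with the secret immediately, with no second person involved.
  deploy-unprotected:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        run: ./scripts/deploy.sh            # assumed script
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}

  # Mitigation: the same secret stored as an environment secret on
  # "production" (assumed name). In that environment's settings, enable
  # "Required reviewers" (a short maintainer allow-list) and limit
  # "Deployment branches" to main. An edit to this file on a feature branch
  # then never reaches the secret: the job is rejected by the branch rule,
  # and on main it waits for a reviewer's approval before any step runs.
  # An environment secret with the same name takes precedence over the
  # repository secret, so the reference below resolves to the scoped one.
  deploy-protected:
    if: github.ref == 'refs/heads/main'     # belt and braces with the branch rule
    runs-on: ubuntu-latest
    environment:
      name: production
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        run: ./scripts/deploy.sh            # assumed script
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
```

Pair the protected job with a ruleset on `main` that requires pull-request review, so the only code that ever runs against the environment secret is code a second person has approved. Whether environment protection rules are available depends on repository visibility and plan, so check that against the current GitHub documentation before relying on it; and who may edit the environment's reviewer list and its secrets is still governed by repository-level permissions, which is exactly the gap the post describes, so this narrows the exposure rather than removing it.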