GitHub allows too many privileges for the "write" repository role

I'm planning a migration to GitHub Enterprise for a few personal projects, and right now I’m playing with a few features and resources to get used to it. One point that has bothered me is the lack of write-permission granularity (I’ll be glad if there IS a way around this that I simply don't know about).

As far as I know, the write repository role is the least privilege I need to give to a user if I want him/her to push code to the repository (the next one would be triage, and it doesn't allow push). However, I learned that this role (write) will also allow the user to edit environment secrets (the web console won’t allow it, but they’ll have this permission through the API or the GitHub CLI).

So, my three questions are:

  1. Is there a way to give a user permission to contribute to the repository without being able to change environment secrets?
  2. Is there a way to block users from updating values on specific environments?
  3. Assuming the previous two are still not supported, is there a way to alert repository admins when environment secrets are updated? (I'm asking this last question because I saw that there’s a specific event for this in the audit logs, and it carries all the info needed for this supposed alert system.)

Thanks!
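As an added example, not part of the original question or of any answer to it: a small Python filter that could serve as the alerting piece asked about in question 3, run here over a constructed JSON-lines audit-log export rather than a live API call. The action names `environment.create_actions_secret`, `environment.update_actions_secret` and `environment.remove_actions_secret` follow GitHub's audit-log event reference as I know it; the field names (`@timestamp` in epoch milliseconds, `actor`, `repo`, `environment_name`) and the four sample events are assumptions constructed for this example, so verify both against a real export from your enterprise before relying on them.

```python
"""Filter a GitHub audit-log export for environment-secret changes and raise alerts."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Audit-log actions recorded when an environment-scoped Actions secret changes.
# Assumed to match GitHub's documented action names; verify against the audit-log
# event reference for your GitHub version before deploying.
SECRET_ACTIONS = frozenset({
    "environment.create_actions_secret",
    "environment.update_actions_secret",
    "environment.remove_actions_secret",
})

# Constructed sample export (JSON lines), not real audit data. Field names are an
# assumption about the shape of a GitHub audit-log JSON export; "@timestamp" is
# epoch milliseconds. Note the repo-level secret event, which this filter ignores.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"@timestamp": 1700000000000, "action": "git.push",
                "actor": "alice", "repo": "acme/app"}),
    json.dumps({"@timestamp": 1700000060000, "action": "environment.update_actions_secret",
                "actor": "alice", "repo": "acme/app", "environment_name": "production"}),
    json.dumps({"@timestamp": 1700000120000, "action": "environment.create_actions_secret",
                "actor": "bob", "repo": "acme/app", "environment_name": "staging"}),
    json.dumps({"@timestamp": 1700000180000, "action": "repo.update_actions_secret",
                "actor": "carol", "repo": "acme/app"}),
])


@dataclass(frozen=True)
class SecretChangeAlert:
    when: datetime
    actor: str
    repo: str
    environment: str
    action: str


def parse_export(text: str) -> list[dict]:
    """Parse a JSON-lines audit-log export, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A truncated export line should not abort the whole scan.
            continue
    return events


def find_secret_changes(events: list[dict],
                        protected_environments: set[str] | None = None) -> list[SecretChangeAlert]:
    """Return one alert per environment-secret change found in `events`.

    If `protected_environments` is given, only changes in those environments are
    reported (for example, alert on "production" but tolerate churn in "staging").
    """
    alerts = []
    for ev in events:
        action = ev.get("action")
        if action not in SECRET_ACTIONS:
            continue
        env = ev.get("environment_name", "<unknown>")
        if protected_environments is not None and env not in protected_environments:
            continue
        ts_ms = ev.get("@timestamp", 0)
        alerts.append(SecretChangeAlert(
            when=datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            actor=ev.get("actor", "<unknown>"),
            repo=ev.get("repo", "<unknown>"),
            environment=env,
            action=action,
        ))
    return alerts


def format_alert(alert: SecretChangeAlert) -> str:
    """One-line message suitable for a chat webhook or a ticket body."""
    return (f"[{alert.when.isoformat()}] {alert.actor} performed {alert.action} "
            f"on {alert.repo} environment '{alert.environment}'")


if __name__ == "__main__":
    for alert in find_secret_changes(parse_export(SAMPLE_EXPORT)):
        print(format_alert(alert))
```

Two design points: the filter keys on the action name rather than on the actor's role, because the whole problem in the question is that a write-role user is a legitimate actor for these events, so the alert has to fire on the event itself; and the optional `protected_environments` set lets you page only for the environments that matter instead of every staging change. Hooking it to a live source (a scheduled export, or the audit-log API if your plan exposes it) is left to the reader.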



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
