Description:
While updating the GBDK GitHub workflow to version 4.3.0, I received feedback regarding the security of using GITHUB_TOKEN in the svenstaro/upload-release-action. Feeding GITHUB_TOKEN to a third-party action may introduce potential security risks.
Action Item:
Consider switching to GitHub's native gh release upload command for uploading release assets. This approach may provide better control over token security.
Proposed Change Example:
```yaml
on:
  release:
    types: [published]

# Limit the workflow token to what the upload needs: write access to
# repository contents (release assets). Everything else stays read-only.
permissions:
  contents: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Upload release asset
        env:
          # gh authenticates from GH_TOKEN; the token is consumed only by
          # GitHub's own CLI, not handed to a third-party action.
          GH_TOKEN: ${{ github.token }}
          # No checkout step here, so tell gh which repository to target.
          GH_REPO: ${{ github.repository }}
        run: |
          gh release upload ${{ github.event.release.tag_name }} the_file_to_upload
```
This would eliminate the dependency on third-party actions for releases. Adding this to my workflow review list to improve security.