Hacker News

Unrelated, but another interesting one is any non-admin contributors being able to add (and I believe update) secrets in a private repo for use in GH actions. It can’t be done via the UI, but can be done via the API or VSCode extension.

When I looked into it a while back, apparently it is intended behavior, which just seems odd.




You're saying there's a GitHub API that takes as an argument a secret, and creates a git commit containing that secret? I'm very surprised. Can you provide a reference to the API call?


To clarify, it doesn’t create a commit and is only usable within actions. I have always used the GH action VSCode extension for it, but I believe from the API, you would call the below endpoint using a classic/non-fine-grained PAT that has the “repo” grant.

https://docs.github.com/en/rest/actions/secrets?apiVersion=2....



