| ▲ | captn3m0 4 hours ago | |||||||
https://docs.github.com/en/actions/how-tos/deploy/configure-... is the feature they use. > We impose tag protection rules that prevent release tags from being created until a release deployment succeeds, with the release deployment itself being gated on a manual approval by at least one other team member. We also prevent the updating or deletion of tags, making them effectively immutable once created. On top of that we layer a branch restriction: release deployments may only be created against main, preventing an attacker from using an unrelated first-party branch to attempt to bypass our controls. > https://astral.sh/blog/open-source-security-at-astral From what I understand, you need a website login, and not a stolen API token to approve a deployment. But I agree in principle - The registry should be able to enforce web-2fa. But the defaults can be safer as well. | ||||||||
| ▲ | jonchurch_ 4 hours ago | parent [-] | |||||||
I tested approving a deployment via API last week w/ my gh cli token (well, had claude do it while I watched). Again, I really want to be wrong about this, but my testing showed that it is indeed trivial to use the default token from my gh cli to approve via API. (repo admin scope, which I have bc I am admin on said repo) Nothing in this link [1] proves what I said, but it is the test repo I was just conducting this on, and it was an approval gated GHA job that I had claude approve using my GH cli token I also had claude use the same token to first reconfigure the enviornment to enable self-approves (I had configured it off manually before testing). It also put it back to self approve disabled when it was done hehe [1] https://github.com/jonchurch/deploy-env-test/actions/runs/25... | ||||||||
| ||||||||