by rsclarke
1537 days ago
I've been capturing a list of GitHub Actions gotchas:

1. If you reference an environment in a build step, this causes an `on: deployment` event trigger. This is not intuitive.
2. Environments with deployment protection rules are just for branches. Using tagged releases for a production environment means we must allow all branches to be deployed to that environment.
3. Workflows are unable to start other workflows, to prevent cyclic actions. Understandable; there are exceptions however, e.g. (1) above.
4. Pull requests raised by Dependabot will not have the `id-token: write` permission needed to create an OIDC ID token that we use to access external systems (the benefit of then not having to manage secrets). Note: using `on: pull_request_target` will be granted the permission, but then you're executing the `main` branch and not building/testing the Dependabot changes.

Then we have secrets: Organisation, Repository, Environment and Dependabot. Anything in Organisation, Repository or Dependabot should really be at most read-only permissions. Environment-based secrets may have write permissions, but be wary of the malicious PR that then references this environment: what protections are in place? Environment approval? Deployment branch protection?
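As an added example (not part of the comment above), this is how I would lay out a workflow so the untrusted `pull_request` job never gains write permissions or an environment, while only the post-merge deploy job references `production` and requests `id-token: write`; the environment name, the `make` targets and the role ARN are assumptions.

```yaml
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Workflow-wide default is read-only; jobs must opt in to anything more.
permissions:
  contents: read

jobs:
  test:
    # Runs for every PR, Dependabot's included, with the read-only default.
    # No `environment:` here: no `deployment` event is fired (gotcha 1) and
    # no environment secrets are reachable from the PR's code.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test   # assumed build/test entry point

  deploy:
    # Runs only on push to main (after merge), never on pull_request, so a
    # Dependabot PR neither needs nor receives `id-token: write` (gotcha 4).
    if: github.event_name == 'push'
    needs: test
    runs-on: ubuntu-latest
    # Referencing the environment is what fires `on: deployment` (gotcha 1)
    # and is where required reviewers / deployment branch rules apply
    # (gotcha 2: if you deploy from tags instead, that branch rule has to
    # allow all branches, so the approval rule is what is left protecting it).
    environment: production
    permissions:
      contents: read
      id-token: write   # the only job allowed to mint an OIDC token
    steps:
      - uses: actions/checkout@v4
      - name: Exchange the OIDC token for short-lived cloud credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Placeholder: the role whose trust policy pins this repo's OIDC subject claim.
          role-to-assume: arn:aws:iam::ACCOUNT_ID_PLACEHOLDER:role/ROLE_NAME_PLACEHOLDER
          aws-region: us-east-1
      - run: make deploy   # assumed deploy entry point
```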