by njibhu 1459 days ago
Can somebody tell me if I'm wrong on my take, but this bug/issue means:

- a GitHub app which had read permission on issues could elevate its permission to write

- a GitHub app which had read permission on discussions could elevate its permission to write.

So far, if the org/user had been compromised, they would have seen it via issues or conversations containing content from the app.

Since these are only examples, I can imagine the case with major impact would be a contents:read elevated to contents:write. But again, with commit signing, this would also be caught by the user. What did I miss where the impact would not have been visible to the end user/org?

1 comment

contents:read to contents:write is a big deal! Just to pick out a random widely used project, nodejs [1] has a number of unsigned commits on the main branch. Their commits could have been tampered with during this timeframe.

What about release artifacts?

[1]: https://github.com/nodejs/node/commits/main
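The point above is that a branch containing unsigned commits gives a maintainer no way to tell a legitimate commit from one pushed by an over-privileged app. A small audit script that flags every commit on a branch whose signature is not verified is the practical check. The code below is an added example written for this thread, not code from GitHub, nodejs or either commenter; it parses the `%G?` signature-status field that `git log` prints (the code letters are git's own), and the sample log embedded in it is constructed with fake hashes and authors. The `collect_git_log` helper is an assumption about how you would feed it a real repository and needs `git` on the PATH.

```python
"""Flag commits on a branch whose signature does not verify as good.

Input is the output of:
    git log -n <N> --format='%H%x09%G?%x09%an%x09%s' <ref>
i.e. one commit per line: sha, signature status, author, subject, tab-separated.
"""
import subprocess
from dataclasses import dataclass

# Meaning of the %G? codes as documented in git-log(1) pretty formats.
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}

# Only a fully verified signature is accepted; everything else is reported.
TRUSTED_STATUSES = {"G"}


@dataclass
class Commit:
    sha: str
    status: str
    author: str
    subject: str

    def trusted(self) -> bool:
        return self.status in TRUSTED_STATUSES

    def describe(self) -> str:
        meaning = SIGNATURE_STATUS.get(self.status, "unknown status code")
        return f"{self.sha[:12]} [{self.status}: {meaning}] {self.author}: {self.subject}"


def parse_git_log(text: str) -> list[Commit]:
    """Parse tab-separated `git log` lines into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 3)
        if len(parts) != 4:
            raise ValueError(f"malformed git log line: {line!r}")
        sha, status, author, subject = parts
        commits.append(Commit(sha, status, author, subject))
    return commits


def untrusted_commits(commits: list[Commit]) -> list[Commit]:
    """Return every commit whose signature is not a verified good one."""
    return [c for c in commits if not c.trusted()]


def collect_git_log(repo_path: str, ref: str = "main", count: int = 50) -> str:
    """Run git against a real checkout (assumed helper; requires git on PATH)."""
    fmt = "%H%x09%G?%x09%an%x09%s"
    result = subprocess.run(
        ["git", "-C", repo_path, "log", f"-n{count}", f"--format={fmt}", ref],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


# Constructed sample output: fake hashes, fake authors, one commit per status
# worth distinguishing (good, unsigned, unverifiable, bad).
SAMPLE_LOG = "\n".join([
    "a" * 40 + "\tG\tAlice Example\tdoc: fix typo in README",
    "b" * 40 + "\tN\tBob Example\tbuild: bump dependency",
    "c" * 40 + "\tE\tCarol Example\tlib: refactor parser",
    "d" * 40 + "\tB\tDave Example\tsrc: tweak release script",
])


def audit(text: str) -> list[str]:
    """Return human-readable lines for every untrusted commit in the log text."""
    return [c.describe() for c in untrusted_commits(parse_git_log(text))]


if __name__ == "__main__":
    for line in audit(SAMPLE_LOG):
        print(line)
```

On a real checkout, `audit(collect_git_log("/path/to/repo", "main"))` does the same over the actual branch; note that `E` (key not available locally) is reported as untrusted on purpose, since a signature you cannot verify is no evidence of provenance.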

I guess I can see it, but branch protection rules and pull request reviews would also prevent that from happening, in my opinion.

(Also, the ability to do it with contents:write is just speculation on my side; they don't make it clear whether it is possible, and that would need to be confirmed by GitHub.)