by matsemann
461 days ago
Even if you don't automerge, the bots will often have elevated rights (it needs to be able to see your private repository, for instance), so it making a PR will run your build jobs, possibly with the updated version, and just by doing that expose your secrets even without committing to main.