By default pull requests my new contributors require approval from someone with write-access to the repo before running actions.
These repos have specifically decided to change a setting to make them not require approval for anyone. The UI to change that setting explicitly warns you about exactly this attack, so this “article” feels like a non-item trying to farm engagement.
As far as I can tell it requires GitHub actions to be enabled for pull requests, which you can require approval for. I just quickly read the top of the article so I could be wrong
The article doesn’t seem to say. I don’t know if it’s a problem with defaults or caused by the devs themselves.
By default pull requests my new contributors require approval from someone with write-access to the repo before running actions.
These repos have specifically decided to change a setting to make them not require approval for anyone. The UI to change that setting explicitly warns you about exactly this attack, so this “article” feels like a non-item trying to farm engagement.
As far as I can tell it requires GitHub actions to be enabled for pull requests, which you can require approval for. I just quickly read the top of the article so I could be wrong