One quick question. In the Secret tab from Workflow, the option Expose for Pull Request is available.
I’ve been checking the documentation but I can’t understand correctly which kind of exposure and risks could happen in that case. In the logs, secrets are [REDACTED]. Could you give an example of it or point me to somewhere I can get more info about it?
It seems this was put in place primarily for open source projects. In fact, there was a time when there wasn’t an option to expose secrets for PRs!
Here is a blog that talks about this:
One thing to note:
Private apps: By default, Pull Requests submitted from a fork require approval if any Secrets are marked to be exposed for Pull Requests. The setting can be changed. If your secrets are NOT exposed to PRs, the build will run without asking for approval.