Xcode Automatic Signing - potential issues for API Key with Admin privileges

TL;DR: what are possible issues/potential vectors for abuse with an admin-level API key to connect Bitrise to Apple’s App Store Connect?


We have a project that we’d like to migrate to automatic signing. For this purpose we created an access key for connecting to App Store Connect, as per the Bitrise documentation, but a developer-level key fails the build with an access error, even with the connection to cloud certificates enabled.

Docs say this key must be admin, however our organisation is generally against this for security purposes.

So my question is, what are the risks for abuse in this scenario (using an admin-level key)? Could a developer potentially misuse this access via Bitrise to delete the app or do other serious damage, or is this not an issue?

I hope this was clear, happy to provide any details or context if I didn’t ask in the best way.

