Clarify permission level needed to access secrets

[muru]

What article on docs.github.com is affected?

https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository

What part(s) of the article would you like to see updated?

In "Creating encrypted secrets for a repository," it says:

To create secrets for a user account repository, you must be the repository owner. To create secrets for an organization repository, you must have admin access.

However, according to the API docs:

Authenticated users must have collaborator access to a repository to create, update, or read secrets.

So, only admins can use the web interface to access secrets, but users with write access or above can use the API (directly, or indirectly, e.g., via Terraform). This is in fact the actual behaviour.

Additional information

This feels like a security issue, since updating secrets via the API involves not much of a record or oversight AFAICT (as opposed to, say, creating a workflow that dumps all secrets, which could leave traces that a bad actor cannot easily remove). I did report it as one, and the response is that this is intentional to allow users with write access to create and maintain workflows (which is understandable and fine by me). However, the current behaviour can be a bit surprising and the docs a bit time-wasting (I would write Terraform code that my org's admin would then apply, when I could have just applied them myself).

[welcome]

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

[janiceilene]

👋 Thanks for opening an issue @muru! Can you clarify what change you'd like to see in the "Creating encrypted secrets for a repository"? Are you hoping a line is added to that article letting folks know that anyone with write+ permissions can use the API to access secrets?

[muru]

@janiceilene Hmmm, yes. Or a rephrasing of the whole thing to include the reason for this particular behaviour. Something like:

Like other repository settings, secrets can be managed from the web interface only by repository owners (for user repositories) or users with admin access (for organization repositories). However, to enable developers to create and maintain workflows, users with collaborator access are allowed to use the API to manage secrets.

(Or perhaps with the last sentence as a {% note %}.)

[janiceilene]

👍 Thanks for the clarification @muru! I'll leave it to the team to respond further.

[runleonarun]

This sounds great, @muru! I added the "Help wanted" so someone can go ahead and fix this!