Hello,
Has anyone found a solution to the vulnerability where, on a large team, even if you have protected your GitHub master branch, a malicious dev can push a change to config.yml that forces deployment of their branch?
It was posted a while back, but CircleCI seems to have just closed it without responding. This was pointed out to us recently, and frankly I'm not sure we can keep using CircleCI if there isn't a fix. It is pretty easy to come up with scenarios where this allows a single dev with just dev-branch permissions to push code to production that gives them full control. I've been searching for a way to, say, protect the filter section of the job definition so that it can only be changed on master, but I'm not finding anything.
Anybody else had any luck?
Best
Luke
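The post above is describing a real property of branch-local CI configuration: a `filters: branches: only: master` stanza lives in the same branch the developer controls, so it can only ever be advisory. The example below is added here and is not CircleCI's code or the poster's. It shows the shape of a check that has to live somewhere config.yml cannot reach (the deployment receiver, or a separately controlled pipeline that holds the production credentials): decide by the commit's position on the protected branch as seen by the canonical remote, ignoring whatever branch name or filter the CI job reports. The commit graph, ref names and the `deploy_gate`/`is_ancestor` functions are constructed for illustration; in practice the refs and ancestry come from `git ls-remote` and `git rev-list` against the remote, not from the job's own checkout, which the same developer also controls.

```python
"""Deploy gate that trusts a commit's position on the protected branch, not the
branch filter in .circleci/config.yml.

Added example, not CircleCI's code or the poster's. All commit ids, refs and the
graph below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed commit graph: sha -> parent shas. m1..m3 are master commits; f1 and
# f2 sit on a feature branch forked from m2; m4 is the merge of that branch into master.
SAMPLE_PARENTS: dict[str, list[str]] = {
    "m1": [],
    "m2": ["m1"],
    "m3": ["m2"],
    "f1": ["m2"],
    "f2": ["f1"],
    "m4": ["m3", "f2"],
}

# Constructed remote refs, as `git ls-remote` would show them before and after the merge.
REFS_BEFORE_MERGE = {"refs/heads/master": "m3", "refs/heads/feature": "f2"}
REFS_AFTER_MERGE = {"refs/heads/master": "m4", "refs/heads/feature": "f2"}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def is_ancestor(parents: dict[str, list[str]], ancestor: str, descendant: str) -> bool:
    """True if `ancestor` is reachable from `descendant` by following parent links.

    Equivalent of `git merge-base --is-ancestor ancestor descendant`; a commit
    counts as its own ancestor, matching git's behaviour.
    """
    stack, seen = [descendant], set()
    while stack:
        sha = stack.pop()
        if sha == ancestor:
            return True
        if sha in seen:
            continue
        seen.add(sha)
        stack.extend(parents.get(sha, []))
    return False


def deploy_gate(
    sha: str,
    protected_ref: str,
    remote_refs: dict[str, str],
    parents: dict[str, list[str]],
    allow_rollback: bool = False,
) -> Verdict:
    """Decide whether `sha` may be deployed.

    Only the commit id is consulted. The branch name the CI job reports
    (CIRCLE_BRANCH) and any filter in config.yml are attacker-controlled and
    are deliberately not inputs here. By default only the current tip of the
    protected branch is accepted; `allow_rollback` widens that to any ancestor
    of the tip, which is weaker (see the usage note).
    """
    tip = remote_refs.get(protected_ref)
    if tip is None:
        return Verdict(False, f"{protected_ref} not found on remote")
    if sha == tip:
        return Verdict(True, f"{sha} is the tip of {protected_ref}")
    if allow_rollback and is_ancestor(parents, sha, tip):
        return Verdict(True, f"{sha} is an ancestor of {protected_ref} (rollback)")
    return Verdict(False, f"{sha} is not the tip of {protected_ref}; refusing deploy")


if __name__ == "__main__":
    # A tampered config.yml makes the deploy job run on the feature branch with sha f2.
    for refs, label in ((REFS_BEFORE_MERGE, "before merge"), (REFS_AFTER_MERGE, "after merge")):
        for sha in ("f2", refs["refs/heads/master"]):
            v = deploy_gate(sha, "refs/heads/master", refs, SAMPLE_PARENTS)
            print(f"{label}: {sha}: {'ALLOW' if v.allowed else 'DENY'} ({v.reason})")
```

Two points the sample graph makes visible. First, the gate never asks which branch the job claims to be on, so rewriting the `filters` section buys the attacker nothing as long as the gate itself, and its view of the remote's refs, are outside the repository they can push to. Second, "is an ancestor of master" is a weaker test than "is the tip of master": once the feature branch is merged, `f2` becomes an ancestor of `m4` and would pass with `allow_rollback=True`, so rollbacks should be a separately authorised path rather than a relaxation of the ordinary check.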