Update Pipeline Notes authored by Slominski, Ryan
......@@ -11,6 +11,8 @@ The group tokens are currently configured to only work on protected branches. B
It's not exactly clear if branch protection is necessary since only authenticated users can push to main anyways, but I might be missing something subtle, like a guest user can fork the repo and inherit the workflow and then muck with it. So I configured the token with branch protection required just in case. If someone can convince me it's mute to do so and only causes hassle, then we can change this.
There is a group level Setting to set default branch protection rule configuration. However, turning it on and clicking save results in messages saying it worked, but on refresh, the setting doesn't stick. Oh well. First bug found I guess.
Note: the goal is to avoid exposing the secret token. If an authorized user wants to expose it they can. Please don't. The variable is marked as both `hidden` and `masked`. This means GitLab makes some effort to obscure the value. This isn't perfect though, so for example an authorized user can expose it by creating a job that prints the entire env. Please don't do this.
# Steps
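Review bot: The paragraph beginning "It's not exactly clear if branch protection is necessary" leaves the rationale as an open question and reasons only about who can push to main, which is not the case the setting covers. A variable restricted to protected branches is withheld from pipelines on every other branch, so the restriction matters for anyone who can push a non-protected branch with an edited CI job, not for pushes to main. I would state that as the reason and drop the "in case" framing. In the same paragraph "mute" should be "moot". In the Note paragraph, "Please don't" appears twice and the second can go. It would also help to say that masking only hides the literal value in job logs, which is why the env-printing example still needs the protected-branch restriction behind it. The sentence about the group-level default setting not sticking would be more useful with the GitLab version or an issue link, so a later reader can tell whether it still applies.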