The .github folder holds the workflows, and the YAML files define all the checks and tests that run; they use GitHub secrets to build/deploy. The main branch has branch protection rules requiring review before merge.

With write access to the repo, one can bypass all the checks/branch protection rules and deploy directly. Below are the steps:
1. Go to the .github folder.
2. Look for the workflow which deploys to the production environment.
3. Copy the contents and paste them into a new branch.
4. Remove all the checks and only keep the deploy step.
5. Run the workflow on the newly created branch.

This triggers the deployment job to the target env, bypassing all the checks and rules.
Is there a way to prevent the usage of secrets and restrict them to particular workflows/branches?
The only way I can think of is moving away from Repository secrets to Environment secrets and setting up rules in the Environment to restrict the branches/tags allowed to deploy to the environment.
With this we would have additional approval steps for the workflow run.
More details here: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules
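As an added illustration (not code from either post), here is the shape of a deploy job that relies only on a repository secret, next to one that references an environment. The `production` environment name, the `DEPLOY_TOKEN` secret name and the `deploy.sh` script are assumptions; the protection rules themselves (required reviewers, allowed deployment branches) are configured in the repository's environment settings, not in the workflow file.

```yaml
# .github/workflows/deploy-weak.yml
# Weak: a repository-level secret is readable by every workflow in the repo,
# so a trimmed copy of this job run from any branch still receives it.
name: deploy-weak
on: [workflow_dispatch]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh                                # hypothetical deploy script
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}     # repository secret

---
# .github/workflows/deploy-hardened.yml
# Hardened: DEPLOY_TOKEN is stored as a secret of the "production" environment,
# so only jobs that declare `environment: production` can read it. In that
# environment's settings, limit deployment branches to `main` and add required
# reviewers: a job queued from any other branch is rejected before it starts,
# and a job from main waits for approval before the secret is released.
name: deploy-hardened
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment:
      name: production
      url: https://example.invalid                       # placeholder URL
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh                                # hypothetical deploy script
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}     # environment secret
```

Once the environment version is in place, delete the repository-level copy of the secret; as long as it exists at repository scope, the environment rules do not apply to it.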