[Security] .github/workflows/deploy.yml exposes github account usernames

[azerial]

Impact: Developer account security

Experienced: While browsing the code, I noticed in .github/workflows/deploy.yml there were 3 GitHub usernames hard coded into the deploy script.

Expected: These usernames need to be a secret variable. Not only does this make the script more portable, obfusticates the deployment usernames from the general public.

Repro:

1. Navigate to https://github.com/burningmantech/ranger-ims-server/blob/master/.github/workflows/deploy.yml
2. Observe line 32 and 93

Additional comment:
I guess you could assertain the usernames from the commits; however, hard coding usernames in a script that specifically is designated to deploy is a security risk. It tells prying eyes who to target.

[wsanchez]

Yes… and:

• Cat's already out of the bag; deleting that now doesn't remove that list from history.
• Actually anyone with the ability to commit and merge to master is a target, since they can change the list. That's also easy to determine.

[azerial]

True. I always try not to hard code anything if at all possible. It makes the code more flexible and if the whitelist changes, at least it will be obfuscated.