From e346208778010d1a931f590ea23afc11cadb26cb Mon Sep 17 00:00:00 2001
From: Chris McGehee
Date: Thu, 24 Feb 2022 20:52:13 -0800
Subject: [PATCH] Make documentation for `actions` more accurate

---
 checks/permissions.go | 2 +-
 docs/checks.md | 2 +-
 docs/checks/internal/checks.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/checks/permissions.go b/checks/permissions.go
index 2bcaa944a41..230b6b58199 100644
--- a/checks/permissions.go
+++ b/checks/permissions.go
@@ -342,7 +342,7 @@ func calculateScore(result permissionCbData) int {
 	}
 
 	// actions.
-	// May allow an attacker to steal GitHub secrets by adding a malicious workflow/action.
+	// May allow an attacker to steal GitHub secrets by approving to run an action that needs approval.
 	// High risk: -10
 	if permissionIsPresent(perms, permissionActions) {
 		score -= checker.MaxResultScore
diff --git a/docs/checks.md b/docs/checks.md
index d51faa5f932..73978634c48 100644
--- a/docs/checks.md
+++ b/docs/checks.md
@@ -581,7 +581,7 @@ Additionally, points are reduced if certain write permissions are defined for a
 
 ### Write permissions causing a large reduction
 * `contents` - Allows an attacker to commit unreviewed code. However, points are not reduced if the job utilizes a recognized packaging action or command.
 * `packages` - Allows an attacker to publish packages. However, points are not reduced if the job utilizes a recognized packaging action or command.
-* `actions` - May allow an attacker to steal GitHub secrets by adding a malicious workflow or action.
+* `actions` - May allow an attacker to steal GitHub secrets by approving to run an action that needs approval.
 
 **Remediation steps**
diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml
index 4d9c8d629f1..354b4b527eb 100644
--- a/docs/checks/internal/checks.yaml
+++ b/docs/checks/internal/checks.yaml
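Review bot: The replacement comment on the `actions` line still reads awkwardly ("approving to run an action that needs approval") and calls the approved object an action, whereas what the `actions` write permission appears to let a token approve is a pending workflow run; `// May allow an attacker to steal GitHub secrets by approving a workflow run that is waiting for approval.` says the same thing more precisely. The identical sentence is changed in docs/checks.md and docs/checks/internal/checks.yaml in this patch, so whichever wording is chosen should be applied to all three places to keep the generated docs in step with the code comment. The unchanged `// High risk: -10` line above it hard-codes a number while the code subtracts `checker.MaxResultScore`; `// High risk: -checker.MaxResultScore` would not drift if that constant ever changes. The body of calculateScore continues on both sides of this hunk.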
@@ -633,7 +633,7 @@ checks:
 
     ### Write permissions causing a large reduction
     * `contents` - Allows an attacker to commit unreviewed code. However, points are not reduced if the job utilizes a recognized packaging action or command.
     * `packages` - Allows an attacker to publish packages. However, points are not reduced if the job utilizes a recognized packaging action or command.
-    * `actions` - May allow an attacker to steal GitHub secrets by adding a malicious workflow or action.
+    * `actions` - May allow an attacker to steal GitHub secrets by approving to run an action that needs approval.
   remediation:
   - >-