Closed domwhewell-sage closed 2 months ago
Wow good idea.
Damn, it has to be an admin api_key even for a public repository.
Or using the html_url you have to have a valid user_session cookie.
Error message wasn't helpful, but it appears you can download log .zip files for public repos w/o admin rights 🥳
So this module will instead be emitting FILESYSTEM events, and a further enhancement can be made to trufflehog to consume these events.
In case anyone gets this error for a public repository:
2024-05-14 00:02:46,662 [VERBOSE] bbot.core.helpers.web web.py:304 Failed to download https://api.github.com/repos/<ORG>/<repo>/actions/runs/<run_id>/logs: Client error '403 Forbidden' for url 'https://api.github.com/repos/<ORG>/<repo>/actions/runs/<run_id>/logs'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403
2024-05-14 00:02:46,662 [WARNING] bbot.modules.github_workflows base.py:1326 The current access key does not have access to workflow <ORG>/<repo>/<run_id> (status: 403)
2024-05-14 00:02:46,662 [TRACE] bbot.modules.github_workflows base.py:1377 Traceback (most recent call last):
File "/usr/local/lib/python3.10/dist-packages/bbot/modules/github_workflows.py", line 115, in download_run_logs
await self.helpers.download(
File "/usr/local/lib/python3.10/dist-packages/bbot/core/helpers/web.py", line 287, in download
response.raise_for_status()
File "/usr/local/lib/python3.10/dist-packages/httpx/_models.py", line 759, in raise_for_status
raise HTTPStatusError(message, request=request, response=self)
httpx.HTTPStatusError: Client error '403 Forbidden' for url 'https://api.github.com/repos/<ORG>/<repo>/actions/runs/<run_id>/logs'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403
The documentation says:
If the repository is private, OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.
However, I have found that even for public repositories personal access tokens (classic) must have the repo scope.
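To make the 403 from this endpoint self-explanatory, here is an added example (not bbot's own code) that downloads the run-logs zip and, on failure, reports whether the classic PAT is missing the repo scope. It assumes GitHub echoes a classic token's granted scopes in the X-OAuth-Scopes response header; the offline opener and the ORG/repo/run_id/token values are constructed placeholders.

```python
import urllib.error
import urllib.request

# Endpoint from the traceback above; owner/repo/run_id are filled in per call.
LOGS_URL = "https://api.github.com/repos/{owner}/{repo}/actions/runs/{run_id}/logs"


def explain_logs_failure(status, headers):
    """Turn a bare HTTP error on the run-logs endpoint into an actionable message.

    Assumes GitHub reports a classic PAT's granted scopes in X-OAuth-Scopes;
    'repo' is required here even for public repositories.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    scopes = {s.strip() for s in h.get("x-oauth-scopes", "").split(",") if s.strip()}
    if status == 403 and "repo" not in scopes:
        return ("403: token lacks the 'repo' scope, which this endpoint requires even "
                "for public repositories (granted scopes: %s)"
                % (", ".join(sorted(scopes)) or "none"))
    if status == 403:
        return "403: token has 'repo' scope but is still forbidden; check repository access"
    if status == 404:
        return "404: run not found, or the token cannot see the repository"
    return "%d: unexpected error from the run-logs endpoint" % status


def download_run_logs(owner, repo, run_id, token, opener=None):
    """Fetch the logs .zip; returns (zip_bytes, None) or (None, diagnostic)."""
    url = LOGS_URL.format(owner=owner, repo=repo, run_id=run_id)
    req = urllib.request.Request(url, headers={
        "Authorization": "Bearer " + token,
        "Accept": "application/vnd.github+json",
    })
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(req) as resp:
            return resp.read(), None
    except urllib.error.HTTPError as e:
        return None, explain_logs_failure(e.code, e.headers or {})


class _ForbiddenOpener:
    """Constructed stand-in for urllib's opener: replays the 403 seen above, offline."""
    def open(self, req):
        raise urllib.error.HTTPError(req.full_url, 403, "Forbidden",
                                     {"X-OAuth-Scopes": "public_repo, read:org"}, None)


def demo():
    # Placeholder identifiers only; no network request is made.
    return download_run_logs("ORG", "repo", "12345", "ghp_PLACEHOLDER", opener=_ForbiddenOpener())
```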
GitHub Actions logs could be a great source of plaintext secrets. Use the API_KEY to make a request to the GitHub API and grab the action logs.