mortenson / pr-sneaking

A repository demonstrating how you can sneak malicious code into Github PRs

Relevant resources #3

Open oneturkmen opened 3 years ago

oneturkmen commented 3 years ago

Nice repo!

I was wondering if GitHub Actions are relevant here, i.e., if a repository has enabled them by default, they could be exploited to manipulate repo contents, etc.

https://github.blog/2021-03-22-github-ctf-results/

P.S. It seems to be deprecated, but the variants of the problem might still be there: https://github.com/actions/toolkit/security/advisories/GHSA-mfwh-5m23-j46w

mortenson commented 3 years ago

Nice, this repo predates GitHub Actions I think, but I didn't think to research them and add anything here. Since this is about sneaking things into the main branch (probably of public open source repos) I'll have to think about the best example for that. For example, editing actions to pull misnamed Docker images, or adding a backdoor into an action for a future PR to take advantage of, could be a thing.
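As an added defender-side example (not code from this repository or from either commenter), a small Python check that reads a workflow file and flags every `uses:`, `container:` and `image:` reference that points at a mutable tag or branch instead of a full commit SHA or an image digest, which is the class of reference a PR could quietly redirect. The sample workflow, the SHA and the digest are constructed placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample workflow: a mix of pinned, mutable and local references.
# The 40-hex SHA and the sha256 digest below are placeholders, not real values.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    container: node:16
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v3
      - uses: docker://alpine:3.18
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
      - uses: ./.github/actions/local-step
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")              # full commit SHA after '@'
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")     # OCI image digest
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")
IMAGE_RE = re.compile(r"^\s*(?:container|image):\s*['\"]?([^'\"#\s]+)")


def classify_ref(ref: str, is_image: bool = False) -> str:
    """Return 'pinned', 'mutable' or 'local' for one reference string."""
    if ref.startswith("./"):
        return "local"                                # lives in the same repo, reviewed with the PR
    if is_image or ref.startswith("docker://"):
        return "pinned" if DIGEST_RE.search(ref) else "mutable"
    _, _, version = ref.partition("@")                # owner/repo@<ref>
    return "pinned" if SHA1_RE.match(version) else "mutable"


def find_mutable_refs(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line number, reference) for each reference that can change under the repo."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == "mutable":
            findings.append((lineno, m.group(1)))
            continue
        m = IMAGE_RE.match(line)
        if m and classify_ref(m.group(1), is_image=True) == "mutable":
            findings.append((lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: mutable reference {ref}")
```

Run it against `.github/workflows/*.yml` in CI to fail a PR that introduces a new unpinned reference; the same check belongs on changes to `action.yml` files, which mortenson's second scenario targets.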