Bad actors could inject malicious steps into our GitHub Actions workflows.
Workflows run on pull requests, so a PR that edits a workflow file (or a custom action it calls) gets arbitrary steps executed on our runners.
Need a CODEOWNERS file requiring a review by me before .github/workflows changes are merged into the main branch (CODEOWNERS alone does nothing; branch protection on main must also have "Require review from Code Owners" enabled).
Our GitHub Actions workflows do not use environments to separate CI from production, so production secrets cannot be gated behind required reviewers.
Repository secrets can be read by any workflow step that references them.
A bad actor could COPY the secret values to a file and then simply print the file contents.
GitHub Actions prints the runner's logs, which anyone with read access can view. GitHub masks exact matches of registered secret values in those logs, but any trivial transformation of the value (encoding or splitting it) defeats the masking, so secrets must not be in scope for jobs that run untrusted PR code at all.
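As an added example (not the project's own workflow or CODEOWNERS file), below is a weakly configured workflow beside a hardened version of the same workflow, written as two YAML documents separated by `---`. The secret name PROD_API_TOKEN, the `deploy.sh` script, the npm commands and the `@owner-handle` reviewer are placeholders; the GitHub features used (CODEOWNERS, branch protection, `permissions`, job-level `environment` with required reviewers) are real.

```yaml
# .github/CODEOWNERS (plain text, not YAML; shown here for reference):
#   /.github/workflows/ @owner-handle
# Only takes effect with branch protection on main:
#   "Require a pull request before merging" + "Require review from Code Owners".

# --- BEFORE: one job, no environment, production secret exposed to every run ---
name: ci-and-deploy
on:
  pull_request:
  push:
    branches: [main]
jobs:
  build-test-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test          # placeholder build/test commands
      # Any step added to this workflow in a PR runs with PROD_API_TOKEN in scope.
      - run: ./deploy.sh                 # placeholder deploy script
        env:
          PROD_API_TOKEN: ${{ secrets.PROD_API_TOKEN }}
---
# --- AFTER: CI job gets no secrets; deploy job is gated behind an environment ---
name: ci-and-deploy
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read        # default GITHUB_TOKEN is read-only for every job
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test          # placeholder build/test commands
      # No secrets are referenced here, so PR-triggered runs have nothing to leak.
  deploy:
    needs: ci
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Create the "production" environment under Settings > Environments, store
    # PROD_API_TOKEN as an environment secret (not a repository secret) and add
    # required reviewers; the job then blocks until a reviewer approves it.
    environment: production
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh                 # placeholder deploy script
        env:
          PROD_API_TOKEN: ${{ secrets.PROD_API_TOKEN }}
```

The key change is that the secret moves out of the job that pull requests can influence and into a job that only runs on pushes to main, behind an environment whose required reviewers are enforced by GitHub rather than by convention.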
Research:
TOREAD: Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests - Article
TOREAD: Keeping your GitHub Actions and workflows secure Part 2: Untrusted input - Article
TOREAD: How to Hide Sensitive Things in GitHub Actions Logs - Article
TOREAD: How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects - Article
Identifying Actions security vulnerabilities regarding repository secrets and development/production workflows.
Trello Ticket #115