Hacker News
qbane 77 days ago | on: Bypassing GitHub Actions policies in the dumbest w...
Also you can leak any secrets by making connections to external services via the internet and simply sending secrets to them.
mystifyingpoi 77 days ago
You can also print them to console in quadruple base64 in reverse, the trick is getting away with it.
formerly_proven 77 days ago
Not in many enterprisey CI systems you can't, those frequently have hermetic build environments.
msgodel 77 days ago
Nothing makes me want to quit software more than enterprisey CI systems.
qbane 77 days ago
I think GitHub is correct that the bypass itself is not a vulnerability, but just like the little tooltip on GitHub's "create secret gist" button, GitHub can do a better job clarifying at the "Actions permissions" section.