Summary:
- Token Leak Vulnerability: GitHub Actions workflows can unintentionally leak tokens for third-party services, and for GitHub itself, through the build artifacts they upload. Artifacts are retained for up to 90 days, and in open source projects they are downloadable by anyone with a GitHub account, so a token copied into an artifact is effectively published.
- Security Risks: An attacker who recovers a leaked token can use it, within the token's scope and lifetime, to inject malicious code into the repository or to read private repositories. Leaks of this kind have been found in high-profile projects such as firebase-js-sdk and in tools used by companies including Google and Microsoft.
- Mitigation Measures: A custom action has been developed that audits artifacts for secrets before they are uploaded. Maintainers are advised to review what their CI/CD workflows actually place in artifacts and to limit the permissions granted to workflow tokens to the minimum the job needs.
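The pre-upload audit described above, as an added example that is not the action from the article or any project's own code: it walks the directory a workflow is about to hand to upload-artifact, flags files that should never be shipped (anything under .git/, dotfiles such as .env and .npmrc), and greps every file for GitHub token prefixes, a JWT shape, and the Authorization header that actions/checkout writes into .git/config when it persists credentials. The pattern list, the filename list, and the sample artifact tree it scans are constructed for the example; the tokens in the sample are not real.

```python
"""Pre-upload artifact secret scan (example code, not the article's action)."""
import base64
import os
import re
import tempfile
from pathlib import Path

# Constructed, non-exhaustive pattern set: GitHub token prefixes (classic PATs,
# OAuth/user/server/refresh tokens), fine-grained PATs, a generic JWT shape
# (ACTIONS_RUNTIME_TOKEN is a JWT), and the header actions/checkout persists.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "git_extraheader_auth": re.compile(
        r"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+[A-Za-z0-9+/=]+", re.IGNORECASE),
}

# Files that should never end up in an artifact regardless of their content.
SENSITIVE_NAMES = {".env", ".npmrc", ".pypirc", ".netrc"}


def scan_artifact(root):
    """Return sorted (relative_path, finding_kind, line_no) tuples; empty means clean."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            # Structural checks first: git metadata and well-known credential files.
            if rel.startswith(".git/"):
                findings.append((rel, "git_metadata", 0))
            elif name in SENSITIVE_NAMES:
                findings.append((rel, "sensitive_filename", 0))
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            # Content check: every line of every file, binaries decoded lossily.
            for lineno, line in enumerate(text.splitlines(), 1):
                for kind, pattern in SECRET_PATTERNS.items():
                    if pattern.search(line):
                        findings.append((rel, kind, lineno))
    return sorted(findings)


def build_sample_artifact(base, include_secrets=True):
    """Constructed sample of what 'upload-artifact' with 'path: .' would ship."""
    base = Path(base)
    (base / "dist").mkdir(parents=True)
    (base / "dist" / "app.js").write_text("console.log('hello');\n")
    if include_secrets:
        # Fake job token; actions/checkout stores it base64-encoded in .git/config.
        fake_token = "ghs_" + "f" * 36
        header = base64.b64encode(f"x-access-token:{fake_token}".encode()).decode()
        (base / ".git").mkdir()
        (base / ".git" / "config").write_text(
            '[http "https://github.com/"]\n'
            f"\textraheader = AUTHORIZATION: basic {header}\n")
        # Fake classic PAT left behind by a build step.
        (base / ".env").write_text("GH_TOKEN=ghp_" + "a" * 36 + "\n")
    return base


def demo(include_secrets=True):
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_artifact(tmp, include_secrets)
        return scan_artifact(tmp)


def check_upload(path):
    """Gate for a CI step: True means safe to upload, False blocks the job."""
    findings = scan_artifact(path)
    for rel, kind, lineno in findings:
        print(f"BLOCKED {rel}:{lineno} {kind}")
    return not findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_artifact(tmp)
        print("safe to upload" if check_upload(tmp) else "refusing upload")
```

Run as a step before actions/upload-artifact and fail the job on a non-zero exit. The checks it applies correspond to the workflow review the summary recommends: upload a specific build directory rather than the whole workspace, set persist-credentials to false on actions/checkout if the job does not need the token afterwards, and declare a minimal permissions block so that a leaked GITHUB_TOKEN carries as little authority as possible.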
Read more at: Security Week