GitHub Actions

Synopsis

GitHub Actions allows users to build, test, and deploy code right from GitHub. Action workflows are configured directly in the repository. Self-hosted runners are available for users who require custom hardware configuration or operating systems not offered by GitHub-hosted runners.

Focus areas

Ineligible submissions

Bypassing build log secret redaction

To prevent accidental disclosure of secrets, GitHub Actions includes a mechanism that sanitizes any encrypted secrets appearing in build logs. The mechanism attempts to match secrets in common encodings, such as plaintext, base64, etc. It is not designed to prevent users from intentionally disclosing secrets in non-standard encodings, and such reports are therefore ineligible for reward.
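As an added illustration of the kind of mechanism described above (this is not GitHub's implementation, whose matching rules are not shown on this page), the following masker redacts a secret's plaintext, base64 and URL-encoded forms from log lines; the secret value and log lines are constructed for the example.

```python
import base64
import re
import urllib.parse

MASK = "***"


def encoded_forms(secret: str) -> set[str]:
    """Representations of `secret` that the masker will redact.

    Covers the plain value plus common encodings: standard and URL-safe
    base64 (with and without padding) and percent-encoding. Any encoding
    not generated here is simply not redacted.
    """
    raw = secret.encode()
    forms = {secret, urllib.parse.quote(secret, safe="")}
    for encoder in (base64.b64encode, base64.urlsafe_b64encode):
        b64 = encoder(raw).decode()
        forms.add(b64)
        forms.add(b64.rstrip("="))
    return forms


def build_masker(secrets):
    """Return a function that replaces every known form of each secret."""
    # Longest forms first so "aHVudGVyMg==" is matched before "aHVudGVyMg".
    forms = sorted({f for s in secrets for f in encoded_forms(s)},
                   key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(f) for f in forms))

    def mask(line: str) -> str:
        return pattern.sub(MASK, line)

    return mask


# Constructed example secret; not a real credential.
SECRET = "hunter2"
mask_line = build_masker([SECRET])


def redact_log(lines):
    """Apply the masker to every line of a captured build log."""
    return [mask_line(line) for line in lines]


if __name__ == "__main__":
    # Constructed sample log lines, including a hex form that is outside
    # the covered encodings and therefore passes through unchanged.
    for out in redact_log(["token=hunter2", "b64=aHVudGVyMg==",
                           "hex=68756e74657232"]):
        print(out)
```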

General abuse or exhaustion of resources

Intentionally misusing CPU, memory or network limits of GitHub Actions is a known issue. We take abuse and spam seriously and have a dedicated team that tracks spammy users. Therefore, this is ineligible for reward.

Availability of resources inside a workflow run

A GitHub Actions build will intentionally have access to many resources including, but not limited to:

  • a metadata service available at https://169.254.169.254
  • a job token used to report status back to GitHub.com
  • privileged access to the host VM

Access to these resources is expected and not eligible for a reward. However, if these primitives can be abused to access resources of other repositories or users then this would be eligible for reward.

Access to build artifacts without user session

Downloading build artifacts requires read access to a repository. When a user with read access clicks the download button, they will be given a link containing a signed token that is no longer tied to the user session. This is expected behavior and ineligible for reward.

Submit a vulnerability for GitHub Actions