GitHub Actions security has been at the forefront of security for the last few months. A vulnerability in a GitHub Action allowed the compromise of SpotBugs' GitHub PAT. That gave write access to spotbugs, which leaked further secrets from spotbugs and reviewdog. From reviewdog, the attackers compromised tj-actions to target real users. In this post, the authors dive deeper into GitHub Actions best practices.
The first point is to set the default workflow token permission to read-only; prior to Feb 2023, the default was read-write. The second is to use verified actions, meaning GitHub Actions from trusted sources such as GitHub itself or Marketplace-verified creators. If you run self-hosted runners, you can also restrict which repositories they run for. There is also a setting that should NEVER be enabled: "Allowing GitHub Actions to Create and Approve Pull Requests."
Branch protections can also do a lot. Requiring specific rules, such as allowing only trusted code into the main/release branches, is good, as is requiring re-review upon any changes, whether from you or others.
Secrets come in three types: repository, organization, and environment. Repository-level secrets are available only to that repo, but they are readable by every user with write access. Environment-level secrets offer more granular control: they are available only to jobs that reference the environment, and the environment can require approval before the job executes.
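A workflow that puts the token-permission, action-pinning and environment-secret points above into one file, as an added example rather than code from the article being summarized; the workflow and job names, the `production` environment, the `DEPLOY_TOKEN` secret and the scripts it calls are assumptions.

```yaml
# Added example: a hardened workflow. The job ids, environment name, secret name
# and scripts are placeholders, not from the summarized article.
name: build-and-deploy

on:
  push:
    branches: [main]

# Make GITHUB_TOKEN read-only for every job in this file; grant more only per job.
# Setting it here does not depend on the repository's default (read-write before Feb 2023).
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Weak: a mutable tag can be moved to different code by whoever controls the action.
      #   - uses: some-org/some-action@v4
      # Better: pin to a full commit SHA and keep the version in a comment for readability.
      - uses: actions/checkout@<full-40-char-commit-sha>   # vX.Y.Z, placeholder SHA
      - run: ./build.sh   # placeholder build step

  deploy:
    needs: build
    runs-on: ubuntu-latest
    # Referencing the environment is what exposes its secrets to this job only,
    # and lets the environment's required reviewers approve the job before it runs.
    environment: production
    # Only this job gets the extra scope it needs; the build job stays read-only.
    permissions:
      contents: read
      id-token: write   # e.g. for OIDC federation to a cloud provider (assumed use)
    steps:
      - uses: actions/checkout@<full-40-char-commit-sha>   # same pinned SHA as above
      - run: ./deploy.sh   # placeholder deploy step
        env:
          # Environment-level secret: not visible to the build job or to other environments.
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
```

The two `<full-40-char-commit-sha>` placeholders must be replaced with the real commit hash of the action version you intend to use; a tag or branch name there would reintroduce the mutable-reference problem.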
Overall, a good article on hardening GitHub Actions from a security engineer's perspective.