
Pwning the CI (with GitHub Action Workflows)

2022-10-25

Authors: Stephen Giguere


Summary

The presentation discusses the security challenges faced by open source projects and GitOps workflows, particularly around GitHub Actions. The speaker demonstrates known abuses and weaknesses in GitHub Actions workflows and stresses the importance of following best practices to protect against attacks.
  • Open source projects and GitOps workflows are exposed to security threats
  • GitHub Actions workflows can be abused by malicious actors to gain access to sensitive information
  • Best practices, such as environment protection rules and short-lived tokens, help protect against attacks
The speaker shares a story about a pull request received by their open source project that attempted to delete useful information and replace it with malicious code run on their self-hosted runners. This highlights the danger of running self-hosted runners for public projects and the importance of following best practices to protect against attacks.
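A workflow that applies the practices the summary lists, as an added example that is not from the talk; the environment name, branch name and script paths are assumptions:

```yaml
# Added example (not from the talk): a GitHub Actions workflow applying the
# practices named in the summary. Assumptions: the repository deploys from the
# main branch, a deployment environment named "production" exists with
# required reviewers configured in repository settings, and the test and
# deploy scripts live under ./scripts (all placeholders).
name: ci

on:
  # pull_request (not pull_request_target): a PR from a fork then runs with a
  # read-only GITHUB_TOKEN and no repository secrets, so contributed code
  # cannot reach them even though the workflow checks it out and runs it.
  pull_request:
  push:
    branches: [main]

# Least-privilege token for every job unless a job asks for more.
permissions:
  contents: read

jobs:
  test:
    # GitHub-hosted runner: an ephemeral VM discarded after the job. Running
    # PRs from a public project on a self-hosted runner hands untrusted code a
    # persistent machine, which is the scenario the summary describes.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # stronger: pin to a full commit SHA
      - run: ./scripts/test.sh

  deploy:
    needs: test
    # Only trusted, already-merged code on main deploys; never PR code.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Environment protection rules (required reviewers, branch restrictions)
    # gate this job, and the environment holds the deployment secrets.
    environment: production
    permissions:
      contents: read
      # Short-lived credentials: mint an OIDC token and exchange it with the
      # cloud provider instead of storing a long-lived key as a secret.
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy.sh
```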

Abstract

Our journey to open source and GitOps heaven has exposed new security challenges as our CI platforms are exposed to the outside world. The soft underbelly of our development pipeline is visible as much to willing contributors as it is to malicious subversives looking for the keys to the backdoor. In this talk we'll start with basic social engineering and progress to demonstrating live some known potential abuses of GitHub Actions workflows in combination with an insecure GitHub configuration, to show how alluring defaults and straight-up bad practices can leave our supply chain wide open to attackers.

Materials: