GitHub Actions has a policy mechanism intended to limit which actions and workflows can be used, but this mechanism is trivial to bypass.
The bypass works by cloning the desired action repository locally and using a local path, which is not restricted by the policies.
The flaw exists because GitHub resolves actions to local paths on the runner, which are not inherently protected by policies.
The current policy enforcement could provide a false sense of security, as users might believe they are protected when they are not.
The author suggests that GitHub should either fix this loophole or at least document it properly as a limitation of the policy mechanism.
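Since the allow-list policy does not evaluate local-path references, a repository owner who wants to know where it is blind has to look at the workflow files directly. The following scanner is an added example written for this page, not code from the original post: it flags every `uses:` entry that resolves to a local path on the runner and lists the repositories that earlier checkout steps fetched via a `repository:` input, so a reviewer can see which external code reached the runner outside the policy. The sample workflow and the function names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not taken from the original post). The second
# checkout step fetches an arbitrary repository onto the runner and the next
# step runs it through a local path, which the allow-list never evaluates.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@v4
        with:
          repository: some-org/some-action
          path: .github/vendored-action
      - uses: ./.github/vendored-action
      - run: echo done
"""

# `- uses: ref` or `uses: ref`, with optional quoting around the reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)")
# `repository: owner/name` inputs under a checkout step's `with:` block.
REPO_RE = re.compile(r"^\s*repository:\s*['\"]?(?P<repo>[^'\"\s#]+)")


def find_local_uses(workflow_text: str) -> List[Dict[str, object]]:
    """Return each `uses:` reference that points at a local path on the runner.

    These are resolved on the runner's filesystem, so the actions policy has no
    repository name to check against its allow-list. Hypothetical helper.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and m.group("ref").startswith("./"):
            findings.append({"line": lineno, "ref": m.group("ref")})
    return findings


def fetched_repositories(workflow_text: str) -> List[str]:
    """List repositories pulled onto the runner through a `repository:` input."""
    return [m.group("repo") for line in workflow_text.splitlines()
            if (m := REPO_RE.match(line))]


if __name__ == "__main__":
    for f in find_local_uses(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: local action {f['ref']} is outside the policy")
    print("repositories fetched onto the runner:", fetched_repositories(SAMPLE_WORKFLOW))
```

Run it over every file under `.github/workflows/` and review each local-path action together with the repositories listed, since that pairing is exactly what the policy cannot see.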