Abusing GitHub Action to run cryptominers

A spammer is attacking my repository by creating pull requests with a GitHub Actions config that runs a cryptominer. Example of a pull request: Demo title Add files via upload by tgaehkjteqgdjhki · Pull Request #110 · google/lldb-eval · GitHub

I have tried the settings “Allow local actions only” and even “Allow select actions” (with a list of the actions my repo uses), but the action in the pull request is still executed!

Here’s an example of the config in the pull request: Demo title Add files via upload by tgaehkjteqgdjhki · Pull Request #110 · google/lldb-eval · GitHub

How do I protect my repository from these spammers?


The settings you have used affect only what actions can be called with a uses: directive in a workflow, not which workflows run.

You should be able to use interaction limits to prevent more spam PRs:

That link is for user-wide settings, similar options exist for repositories and organizations.

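To make the distinction in the reply above concrete, here is an added example that is not code from this thread or from GitHub: a simplified model of what the “Allow select actions” policy actually evaluates, run over two constructed workflow files. The policy only inspects `uses:` references, so a workflow made of `run:` steps alone passes the allowlist no matter what it executes; a separate check for pull requests that touch `.github/workflows/` is the kind of thing a maintainer could add on top. The allowlist entries, file contents, and helper names are assumptions, the step extractor is a line-based scan rather than a full YAML parser, and the spam workflow’s payload is replaced with a harmless `echo`.

```python
import re

# Constructed sample modelled on the kind of workflow the thread describes being
# added in a spam pull request: no `uses:` step at all, only a `run:` step.
# The real payload is replaced with a placeholder echo.
SPAM_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "placeholder for the miner the spammer actually runs"
"""

# Constructed sample of a legitimate workflow already in the repository.
LEGIT_WORKFLOW = """\
name: test
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: "3.9"
      - run: python -m pytest
"""

# Assumed allowlist, as a maintainer would enter it under "Allow select actions".
ALLOWED_ACTIONS = {"actions/checkout", "actions/setup-python"}

# Simplified extractors for flat step lists; not a general YAML parser.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")


def extract_steps(workflow_text):
    """Return (uses_refs, run_commands) found in a workflow file."""
    uses, runs = [], []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            uses.append(m.group(1))
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append(m.group(1))
    return uses, runs


def action_name(ref):
    """'actions/checkout@v2' -> 'actions/checkout' (the part the allowlist matches on)."""
    return ref.split("@", 1)[0]


def allowlist_verdict(workflow_text, allowed):
    """Model of the 'Allow select actions' policy: every `uses:` reference must be
    a local action (./path) or on the allowlist. `run:` steps are never consulted,
    which is why a run-only workflow is always 'allowed' here."""
    uses, _ = extract_steps(workflow_text)
    blocked = [u for u in uses
               if not u.startswith("./") and action_name(u) not in allowed]
    return {"allowed": not blocked, "blocked_uses": blocked}


def touches_workflows(changed_files):
    """Assumed extra check for a review bot: list the changed files in a pull
    request that live under .github/workflows/, i.e. files that define what
    runs on the PR regardless of the action allowlist."""
    return [p for p in changed_files if p.startswith(".github/workflows/")]


if __name__ == "__main__":
    for label, wf in (("spam", SPAM_WORKFLOW), ("legit", LEGIT_WORKFLOW)):
        print(label, allowlist_verdict(wf, ALLOWED_ACTIONS), extract_steps(wf))
    print(touches_workflows([".github/workflows/ci.yml", "README.md"]))
```

The takeaway from running it: both the legitimate and the spam workflow come back `allowed`, because the policy has nothing to match in a file with no `uses:` line. Only a control that looks at who opened the PR or at whether the PR modifies workflow files can stop the run.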

Welcome @werat and sorry this happened!

I have shared this with our security team, so hopefully it won’t be an issue anymore.


Sorry about that. We’ve implemented a new feature which should be able to help with this: GitHub Actions update: Helping maintainers combat bad actors - The GitHub Blog