👋 Welcome!

I’m sorry that happened. I’ve had a look and your ticket has been worked on by a couple of different teams. That sometimes delays a reply, but I can assure you they’re handling it!

Thanks for the update and I’m really glad to hear that. I know these attacks can be alarming.

Glad it got resolved and that it was a proactive response.

This is a good reminder on what our interface of our modern CI, the risk that it poses, and why we need to safeguard it. CI systems are Remote Code Execution as a service, nothing more nothing less. It has a (useful) side effect of being a great way to execute tests, that is the common use case rather than the only one.

I’m confused how this is an “attack”, or at least who it’s attacking.

GitHub, in their, uh, infinite wisdom, seems to have given the whole internet the ability to submit a shell script that they will run on an arbitrary number VMs, just by making a free, anonymous account and submitting a PR to any repo. As far as I can tell, the script doesn’t have access to modify your repo or use its / your credentials. It’s just doing what GitHub advertises: running arbitrary code in response to an action. (That code happens to be dumb and wasteful, but GH doesn’t prevent that.)

I’m confused how this is an “attack”, or at least who it’s attacking.

It’s primarily an attack against Github, wasting their resources for creating cryptocurrency. The effect on the repository owner is more like spam, but that’s bad enough already.

It would be nice to exclude folders like .github from pull requests opened by non-collaborators.

Cryptocurrency is a type of digital currency that uses encryption techniques to regulate the generation of units of currency and verify the transfer of funds. While it offers many benefits, such as decentralized control and increased privacy, it also poses certain risks to investors and users. Despite the risks, cryptocurrency can bring good profits. I trade on [removed by moderator] for several years now, and thanks to a lot of experience, trading brings me a consistently high profit.

I believe github added some controls to prevent actions from being run on public repositories. I do know these are not new as I implemented them a while ago at my org: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories.