I caught someone using a pull request against one of my GitHub repositories to trigger crypto-currency mining via a GitHub action. I took a snapshot of it with archive-web-page here after reporting it to GitHub:
It seems like this is a thing now: https://www.bleepingcomputer.com/news/security/github-actions-being-actively-abused-to-mine-cryptocurrency-on-github-servers/ The only way to turn it off is to only run actions that are defined by the repository?
FWIW I'm glad I took a snapshot of the pull request pages with https://archiveweb.page because GitHub have deleted the PR, so it's like it never existed.
This seems like a sensible solution: https://github.blog/changelog/2021-04-22-github-actions-maintainers-must-approve-first-time-contributer-workflow-runs/
@edsu I've been using builds.sr.ht lately and they're going paid-only for the builds service (although they will give you a waiver if you can't afford it) because of this. It's a constant cat-and-mouse game trying to keep on top of the new miners trying to squeeze a few seconds of free CPU time out of anyone and everyone.
@edsu Although also: allowing the actions to be changed by a PR seems like a problem in general; I don't get why services do this. Like maybe CI changes should only be triggered if someone with the commit bit marks the manifest as trusted or something.
@sam yes, I think whitelisting should be the default instead of leaving it wide open. But still, why are the actions being run when someone submits a PR? I naively thought Actions were only triggered by commits on the git repository.
@edsu They're often used for CI so you want to check that tests and what not pass on PRs before merging them.
@edsu I don't know, I don't use either Travis or GitHub actions, but I suspect it's a script and you could check the branch name and exit if you only want to run deploys on the default branch or something.
@sam now I'm kind of worried that someone could issue a PR for a new GitHub action that runs, gets the job's secret environment variables and sends them off somewhere else. GitHub must have thought about that already?
@edsu I know builds.sr.ht doesn't allow secrets in builds that are triggered externally or where the manifest has been modified, but I don't know about GitHub actions. I would assume they would have thought of this, but it's probably not a good idea to make that assumption if you're using them :)
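An added example (not from any poster in this thread) of the pattern @sam and @edsu are circling around: one GitHub Actions workflow that runs tests on every pull request but only reaches the deploy step, and the deploy secret, on pushes to the default branch. The secret name DEPLOY_TOKEN and the script ./deploy.sh are assumed placeholders.

```yaml
# Added example, not from the original thread. Tests run for every PR;
# deploy runs only for a push to main, guarded in the workflow itself.
# DEPLOY_TOKEN and ./deploy.sh are assumed names, not real project values.
name: ci
on:
  pull_request:          # PRs from forks get a read-only token and no repo secrets
  push:
    branches: [main]     # only commits landing on the default branch can deploy
permissions:
  contents: read         # least-privilege GITHUB_TOKEN for every job
jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 15  # caps how long a runaway job can burn runner CPU
    steps:
      - uses: actions/checkout@v4
      - run: make test
  deploy:
    needs: test
    # Gate on the event and ref here, not only in a script a PR could edit
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production   # environment-scoped secret, optional required reviewers
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
```

Combined with the "approve first-time contributor runs" setting linked above, this keeps PR-triggered jobs to read-only tests and never hands a deploy secret to a job an outside contributor can influence.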
@edsu Glad I could be of service :) I've been looking for alternatives myself but haven't really found anything that suits my needs for various reasons sadly (although GitHub never really did either, but if I'm going to do work to move the alternative better be at least slightly better to justify the effort).
@sam but it sounds like you've been giving sourcehut.org a try? I've bookmarked codeberg, notabug, gitlab and thought about running a gitea ... but haven't done anything yet probably just because of the number of things I'll need to move.
Have you looked at git.coop at all?
@sam maybe I could start by just moving a few things different places and see what I like -- it is super nice that git is a lingua franca of sorts.
@edsu As much as I'd love to support co-ops I *hate* GitLab. It's a mess of confusing options, it's slow, and it tries to do everything under the sun (which means it does nothing well). Gitea is a bit nicer IMO, but as far as I know there's no hosted CI that supports it and (like GitLab) it just imitates all the bad parts of GitHub. SourceHut is the best I've found so far, but some of the author's actions make me very nervous that there will be major changes before a stable release.
@meena they have a marketplace of actions that you can pull from which is nice in principle (building electron apps, announcing builds in Slack, etc). But I guess in practice this is hard. It seems like different Actions should need to be approved, rather than the default being to allow anyone? I guess this is what happens when Microsoft buys your company.
@edsu so does that vulnerability go all the way back to the launch of Actions? Or was it related to some changes more recently?
@redoak yes, I think it does ... that people could steal compute cycles from github by committing custom actions and submitting PRs for them. I think it got noticed recently because of the scale & impact of the attacks.
I just hope that these cretins weren't using it to steal secret configuration variables too.
@edsu I will never understand how companies with such resources release features with boneheaded vulnerabilities like "any old person can run whatever code against your repo, at our expense but maybe also yours"
@emma it really is. But I guess the accumulation of money by the few, and the scarcity of it for the many has always been a scam? I think I sometimes dismiss all the fintech/blockchain stuff because it is so obviously a sham, but it is getting picked up and used by the privileged and already powerful to consolidate their positions. So I think it's important to understand and take apart.
Definitely. The system we live in was a scam even before someone came up with "proof of work."
@edsu We only trigger actions when a project member approves (on bazelbuild/bazel), but I have no idea how that's set up, because I don't do any GitHub admin. But it is apparently a thing that can be done!