Bypassing GitHub Actions policies in the dumbest way possible
a year ago
- #Policy Bypass
- #GitHub Actions
- #Security
- GitHub Actions provides a policy mechanism for repositories, organizations, and enterprises that restricts which actions and reusable workflows a workflow may reference in `uses:`.
- The policy is easily bypassed: it only inspects remote references of the form `owner/repo@ref`, so a workflow can fetch a disallowed action into the workspace (for example by cloning its repository in a `run:` step) and invoke it through a local relative path such as `uses: ./path/to/action`, which the policy never checks.
- GitHub does not consider this bypass a security issue; the author disagrees.
- Suggested fixes: treat local `uses:` references as their own policy category that can be allowed or denied, or at minimum document that the existing policy does not cover them.
- A policy mechanism that is this easy to sidestep creates a false sense of security for administrators and encourages workarounds rather than compliance.
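As an added illustration (not code from the summarized post), the script below writes a constructed workflow that exhibits the bypass pattern described above and then provides a grep-based audit that flags local `uses:` references and runtime fetches in workflow files for review. The action repository name `example-org/not-allowed-action` and the path `.github/actions/vendored` are placeholders.

```shell
#!/bin/sh
# Added example, not from the summarized post. Writes a constructed workflow
# that exhibits the bypass pattern, then provides a grep-based audit that
# flags local "uses:" references and runtime fetches for review.

# Write a constructed sample workflow to the path given as $1.
# The action owner/repo below is a placeholder, not a real project.
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: policy-bypass-demo
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Fetch an action that a policy allow-list would reject if it were
      # referenced as owner/repo@ref. Placeholder repository name.
      - run: git clone --depth 1 https://github.com/example-org/not-allowed-action .github/actions/vendored
      # The policy only inspects remote references; a local path is not checked.
      - uses: ./.github/actions/vendored
EOF
}

# Audit: print file:line:content for every local "uses:" reference
# (a path starting with ./), with or without surrounding quotes.
find_local_uses() {
  grep -nE "^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*['\"]?\./" "$@" || true
}

# Audit: print run: steps that fetch code at runtime (git clone, curl, wget),
# the other half of the bypass pattern.
find_runtime_fetches() {
  grep -nE "^[[:space:]]*-?[[:space:]]*run:.*(git clone|curl |wget )" "$@" || true
}

# Number of local "uses:" references across the given files (for a CI gate).
count_local_uses() {
  find_local_uses "$@" | wc -l | tr -d ' '
}

# Stand-alone demo: scan the constructed workflow and report both findings.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  write_sample_workflow "$tmp"
  echo "local uses:"; find_local_uses "$tmp"
  echo "runtime fetches:"; find_runtime_fetches "$tmp"
  rm -f "$tmp"
fi
```

Run it with `--demo` to see both findings on the constructed workflow, or point `find_local_uses` and `find_runtime_fetches` at `.github/workflows/*.yml` in a real repository. A local `uses:` reference is legitimate when the action is committed in the repository, so the scan is a review aid rather than an enforcement control: the thing to verify for each hit is that the referenced directory exists in the repository tree and is not created by an earlier step at run time.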