by junon
453 days ago
I theorized about this vulnerability a while back when I noticed new commits didn't disable automerging. This is an insane default from GH.

EDIT: seems GitHub has finally noticed (or started to care); just went to test this and auto merge has been seemingly disabled sitewide. Even though the setting is enabled, no option to automerge PRs shows up. Seems I was right to worry!

EDIT2: We just tested this on GitLab's CI since they also have an auto-merge function and it appears they've done things correctly. Auto-merge enablement is only valid for the commit for which it was enabled; new pushes disable auto-merge. Much more sensible and secure.
It’s such an obvious attack vector, I’m pretty sure I tested GitLab soon after the feature initially rolled out.
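The two policies the thread contrasts, modelled as a small state machine. This is an added illustration written for this page, not code from GitHub, GitLab, or either commenter: the `PullRequest` class, the policy names, the actor names and the commit SHAs (`a1`, `b2`) are all constructed. Under the persistent policy the auto-merge flag set at one head commit survives a later push, so the moment required checks pass on the new head, an unreviewed commit lands on the target branch. Under the SHA-bound policy a new push clears the flag and the merge does not happen.

```python
"""Model of two auto-merge policies for a pull request.

Added illustration, not GitHub's or GitLab's implementation. It captures the
behaviour described in the comments above:
  * PERSISTENT: auto-merge, once enabled, stays enabled for whatever the PR
    head becomes later (the behaviour the first comment complains about).
  * SHA_BOUND: auto-merge is tied to the head SHA it was enabled for, and a
    new push clears it (the behaviour reported for GitLab).
"""
from dataclasses import dataclass, field
from typing import List, Optional

PERSISTENT = "persistent"  # flag survives later pushes
SHA_BOUND = "sha_bound"    # flag valid only for the commit it was enabled on


@dataclass
class PullRequest:
    policy: str
    head: str                                 # current head commit SHA
    auto_merge_for: Optional[str] = None      # head SHA the flag was enabled for
    merged_sha: Optional[str] = None          # SHA that landed on the target branch
    log: List[str] = field(default_factory=list)

    def enable_auto_merge(self, actor: str) -> None:
        """Reviewer enables auto-merge after approving the current head."""
        self.auto_merge_for = self.head
        self.log.append(f"{actor} enabled auto-merge at {self.head}")

    def push(self, actor: str, new_sha: str) -> None:
        """A new commit is pushed to the PR branch after approval."""
        self.head = new_sha
        if self.policy == SHA_BOUND:
            # The approval covered a different commit; drop the flag.
            self.auto_merge_for = None
            self.log.append(f"{actor} pushed {new_sha}; auto-merge cleared")
        else:
            self.log.append(f"{actor} pushed {new_sha}; auto-merge still set")

    def checks_passed(self) -> bool:
        """Required checks passed on the current head. Returns True if merged."""
        if self.merged_sha is not None or self.auto_merge_for is None:
            return False
        if self.policy == SHA_BOUND and self.auto_merge_for != self.head:
            return False  # defensive; push() already cleared the flag
        self.merged_sha = self.head
        self.log.append(f"merged {self.head} into target branch")
        return True


def run_scenario(policy: str) -> Optional[str]:
    """Reviewer approves and enables auto-merge at a1; contributor then pushes b2.

    Returns the SHA that ended up merged, or None if nothing merged.
    Actor names and SHAs are constructed sample data.
    """
    pr = PullRequest(policy=policy, head="a1")
    pr.enable_auto_merge("maintainer")
    pr.push("contributor", "b2")   # unreviewed commit after approval
    pr.checks_passed()             # CI goes green on b2
    return pr.merged_sha


if __name__ == "__main__":
    for policy in (PERSISTENT, SHA_BOUND):
        print(policy, "->", run_scenario(policy))
```

The only difference between the two policies is the branch in `push()`: binding the flag to the approved SHA means a later push can never inherit an approval it was not part of, which is the property the second edit describes for GitLab.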