by amluto 243 days ago
I find it rather embarrassing that, after all these years of trying to design computer systems, modern workflows are still designed so that bearer tokens, even short-lived, are issued to trusted programs. If the GitHub action framework gave a privileged Unix socket or ssh-agent access instead, then this type of vulnerability would be quite a lot harder to exploit.

Exactly!

Bearer tokens should be replaced with schemes based on signing, and the private keys should never be directly exposed (if they are, there's no difference between them and a bearer token). Signing agents do just that. GitHub's API is based on HTTP, but mutual TLS authentication with a signing agent should be sufficient.

The SPIFFE standard does something like this.

It's not used by anyone because nobody actually gives a shit about security, the entire industry is basically a grift.
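The signing-agent pattern argued for in the comments above, as an added example that is not code from any commenter and not a GitHub or SPIFFE implementation: a Go agent keeps an Ed25519 key behind a Unix socket, the workflow step holds only the socket path and asks for a signature over a nonce the API server issued, and the verifier checks it. The socket path under os.TempDir(), the one-request-per-connection framing, and the 64-byte read buffer are assumptions of this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"io"
	"net"
	"os"
	"path/filepath"
)

// serveAgent owns priv and signs the bytes each client sends it. Only
// signatures ever cross the Unix socket; the key itself never does.
func serveAgent(l net.Listener, priv ed25519.PrivateKey) {
	for c, err := l.Accept(); err == nil; c, err = l.Accept() {
		buf := make([]byte, 64) // assumption: challenges fit in one read
		n, _ := c.Read(buf)
		c.Write(ed25519.Sign(priv, buf[:n]))
		c.Close() // one request per connection keeps the framing trivial
	}
}
// SignViaAgent is all a workflow step holds: a socket path. A compromised step
// can request signatures while it runs but has no durable secret to exfiltrate.
func SignViaAgent(sock string, challenge []byte) ([]byte, error) {
	c, err := net.Dial("unix", sock)
	if err != nil {
		return nil, err
	}
	defer c.Close()
	c.Write(challenge) // the agent answers with the signature and hangs up
	return io.ReadAll(c)
}
// Demo plays agent, workflow step and API server in one process: does a signature
// over a fresh nonce verify, and is the same signature accepted for another nonce?
func Demo() (fresh, replayed bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sock := filepath.Join(os.TempDir(), "signing-agent-demo.sock") // assumed path
	os.Remove(sock) // clear a stale socket file left by an earlier run
	l, err := net.Listen("unix", sock)
	if err != nil {
		panic(err)
	}
	defer l.Close()
	go serveAgent(l, priv)
	nonce := make([]byte, 32) // the API server issues a random one per request
	rand.Read(nonce)
	sig, _ := SignViaAgent(sock, nonce) // on failure sig is empty and fails Verify
	return ed25519.Verify(pub, nonce, sig), ed25519.Verify(pub, []byte("another request"), sig)
}
```

Demo returns (true, false): the captured signature is bound to one nonce, so unlike a leaked bearer token it buys an attacker nothing once that request is done.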

Lots of projects use SPIFFE, but lots of people don't like the new tech because they think the old ways are simpler.
After trying to get SPIFFE mTLS to work with Python asyncio and giving up, I'm sure "lots of projects" is an overstatement.

Even basic parts of the tech stack aren't there yet.

Several big CNCF security projects use it. Normally you'd just add sidecars to your asyncio service.
No, normally you would just add a parameter to your ssl context constructor.

"Sidecars" is a crazy hack that only applies if you use k8s and containers, which I'm obviously not.