[themly]

Long story short: they messed up the assign-reviewers.yml workflow, allowing external contributors to merge PRs without proper reviews. From this point on, you're fully open to all kinds of bad stuff.

[codesparkle]

That’s not what happened at all

The attacker did not need to merge any PRs to exfiltrate the credentials

[codesparkle]

What actually happened:

The workflow was configured in a way that allowed untrusted code from a branch controlled by the attacker to be executed in the context of a GitHub action workflow that had access to secrets.

[vanschelven]

more so in case you actually do the "secrets on github with the right to do meaningful things"

[meowface]

Yeah that's a pretty deadly combo.

[dreamcompiler]

Here's an AI product I would actually use: Write my damn GH actions yml for me.

Oh, and describe for me exactly how it works and why. And be right about it.

[slashdave]

Except the model would have been trained on the available corpus of known runners and will achieve the same average level of quality...

[fragmede]

Why does it need to be a distinct product and not Cursor/ChatGPT/Claude code/any of the other existing tools?

(If you're so anti-AI that you're still writing boilerplate like that by hand, I mean, not gonna tell you what you do, but the rest of us stopped doing that crap as soon as it was evident we didn't have to any more.)

[ivanjermakov]

Opener source software