You know GitHub Actions, those small building blocks that make your dev life easier… but they can also get you pwned in no time if you are not careful.

The talk covers:

  • the basic structure of a GitHub Actions workflow.
  • the general permission model of GitHub Actions.
  • insecure templating and executing user-controlled code in privileged workflows.
  • cache poisoning in workflows.

The slides can be found here. The workshop was held on 2023-10-26.
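As an added illustration of the second and third topics above (not taken from the talk or its slides), the following workflow shows the expression-injection pattern in a privileged `pull_request_target` job next to a hardened version that passes untrusted input through an environment variable and scopes the `GITHUB_TOKEN` to the minimum each job needs. The workflow, job and step names are hypothetical; the event payload fields and the `actions/checkout` inputs are the documented ones.

```yaml
# Added example, not the talk's own material: one workflow with a risky job
# and a hardened job side by side. Job and step names are hypothetical.
name: triage

on:
  pull_request_target:
    types: [opened, edited]

# Least privilege at the workflow level: the default GITHUB_TOKEN is
# read-only, and each job requests only the scopes it actually uses.
permissions:
  contents: read

jobs:
  risky-title-check:
    runs-on: ubuntu-latest
    steps:
      # RISKY: the PR title is user-controlled and is interpolated into the
      # script text before the shell runs, so quotes and operators in the
      # title become part of the script executed with the base repo's token.
      - name: Check title (expression injection)
        run: |
          echo "Checking title: ${{ github.event.pull_request.title }}"

  hardened-title-check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # only this job may touch the PR
    steps:
      # HARDENED: hand untrusted input to the process as an environment
      # variable. The shell never re-parses it as code, and double-quoting
      # keeps the value a single word.
      - name: Check title (env var)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Checking title: $PR_TITLE"
          case "$PR_TITLE" in
            feat:*|fix:*|docs:*) echo "conventional prefix OK" ;;
            *) echo "::warning::title lacks a conventional prefix" ;;
          esac
      # A pull_request_target job runs with the base repository's secrets,
      # so it must not check out and execute the PR head. When a checkout is
      # needed at all, pin the base commit and drop the persisted token.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.sha }}
          persist-credentials: false
```

The two jobs receive exactly the same event payload; the only difference is whether the title reaches the shell as script text or as data. The same env-variable pattern applies to any other user-controlled field (branch names, commit messages, issue bodies, review comments), and the per-job `permissions` block keeps a compromised step from using scopes the workflow as a whole does not grant.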