科技回声

Public secrets exposure leads to supply chain attack on GitHub CodeQL

297 points by cyberbender 2 months ago

9 comments

Sytten 2 months ago
And again, this would not be so bad an impact if GitHub finally pushed their immutable actions [1]. I sound like a broken record since I keep repeating that this would solve like 70%+ of the scope of attacks on GHA today. You would think that the weekly disaster they have would finally make them launch it.

[1] https://github.com/features/preview/immutable-actions
Comment #43532082 not loaded
nyrikki 2 months ago
No mention why this temp token had rights to do things like create new deployments and generate artifact attestations?

For their fix, they disabled debug logs... but didn't answer if they changed the temp token's permissions to something more appropriate for a code analysis engine.
Comment #43528290 not loaded
Comment #43538350 not loaded
Comment #43538343 not loaded
Comment #43545199 not loaded
Comment #43531049 not loaded
Comment #43533461 not loaded
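The two points raised above (a workflow token scoped far wider than a code-analysis job needs, and actions resolved through movable tags rather than an immutable reference) both come down to workflow configuration. The following is an added example, not code from the linked article, from GitHub, or from any commenter: a CodeQL workflow whose `GITHUB_TOKEN` is granted only what scanning needs, with every third-party action pinned to a full commit SHA as the closest available stand-in for immutable actions. The `<40-hex-commit-sha>` values are placeholders, and the exact permission set is an assumption based on CodeQL's documented requirements, so check it against the action's current docs before use.

```yaml
# Added example (not from the article or GitHub's templates).
# Goal: a CodeQL job whose token cannot create deployments, sign
# attestations, mint OIDC tokens or publish packages even if a step
# in the job is compromised or its logs leak the token.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Workflow-wide default: no permissions at all. Each job must opt in.
permissions: {}

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # read the source tree being analyzed
      security-events: write  # upload SARIF results to code scanning
      actions: read           # documented as needed only for private repos
      # Deliberately absent: deployments, attestations, id-token,
      # packages, pull-requests, issues. A scanner has no business with them.
    steps:
      # Pin to an audited commit, never a tag like @v4 that can be moved.
      - uses: actions/checkout@<40-hex-commit-sha>   # placeholder SHA
      - uses: github/codeql-action/init@<40-hex-commit-sha>   # placeholder SHA
        with:
          languages: javascript   # constructed sample; set to the repo's languages
      - uses: github/codeql-action/analyze@<40-hex-commit-sha>   # placeholder SHA
```

Two checks worth keeping alongside this: Dependabot (or a similar tool) can bump the pinned SHAs on a cadence so pinning does not freeze the actions forever, and `ACTIONS_STEP_DEBUG` / `ACTIONS_RUNNER_DEBUG` should stay unset in repository variables, since verbose step output is one of the ways a job's token and environment end up in retrievable logs.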
ashishb 2 months ago
I am getting more and more convinced that CI and CD should be completely separate environments. Compromise of CI should not lead to token leaks related to CD.
Comment #43530510 not loaded
Comment #43540155 not loaded
junto 2 months ago
They weren't kidding on the response time. Very impressive from GitHub.
Comment #43527835 not loaded
helsinki 2 months ago
As someone with the last name Prater—derived from Praetorian—I really wish I owned praetorian.com.
Comment #43529724 not loaded
Comment #43529805 not loaded
udev4096 2 months ago
Using public GitHub Actions is just asking for trouble, and more so without analyzing the workflow's procedure. Instead, just host one yourself using Woodpecker or countless other great CI builders (Circle, Travis, GitLab, etc.)
ryao 2 months ago
I put CodeQL in use in OpenZFS PRs. This is not an issue for OpenZFS. None of our code is secret. :)
Comment #43529721 not loaded
Comment #43528995 not loaded
atxtechbro 2 months ago
Is this fixed?
Comment #43529418 not loaded
bloqs 2 months ago
This site's performance is so bad I can barely scroll.