The proof of concept shows it's possible to upload malicious PyTorch releases to GitHub by exploiting insecure misconfigurations in GitHub Actions.

Here's a simple example on how a developer can publish GitHub Actions artifacts for download once a build workflow successfully completes.

While GitHub will make its own actions available to developers, this is an open platform and others in the GitHub community can contribute their own actions, too.

Many open-source repositories contain privileged GitHub Actions workflows that execute untrusted code and can be triggered by attackers to expose credentials and access tokens, as MITRE and Splunk ...

GitHub Actions Secrets example One of the ongoing challenges DevOps professionals face when developing continuous integration workflows that integrate with disparate systems is how to protect that ...

Actionforge provides a visual, node-based interface to create and maintain GitHub Action workflows masking their underlying YAML textual definition. Packaged as an extension for Visual Studio Code ...

An interview with GitHub CEO Thomas Dohmke on the company's journey, four years after its acquisition by Microsoft.