Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Wow this looks quite serious. I hope that github will at least provide a way to turn these commands off entirely.

I hope they also fix the stupid authwalling of the execution logs that happens for public repos. The code is public, but the logs need an account? There is barely any security benefit in doing this for public repos, but it does make it harder for me to check PRs that I make to open source projects while not being logged in (e.g. from my phone).



At their scale I do believe there’s a benefit to authenticating to see logs: a lot of people scrape GitHub for secrets. CI logs are at high risk for user error, errors where a user unintentionally marks something as non-secret when it should’ve been secret. Putting these logs behind auth feels like an easy filter for some scraping.


Yeah, definitely. When I was at GitHub we were seeing secrets getting lifted from public pushes and tried within 7 seconds or so, if I recall correctly, and this was five years ago. This was a big reason why there’s a real scanning API now for service providers to be informed if a secret leaks.

By the time a human discovers their mistake it’s usually far too late.


That's a good point I guess. Per default, secrets are redacted by github in the logs, but some might slip through, e.g. if only a part of them is printed. Doesn't make me really happy though, I don't want to have to use an account :).


The code is public but the secrets are obviously not, and if they are ever put in the logs then that's a security issue. Even if the action isn't logging credentials directly, it may be logging privileged information (e.g. S3 bucket names or contents) that can only be accessed with privileged credentials. Therefore it makes sense to keep the logs private. Maybe there should be a setting for Action owners where they can set logs public if they think it would help contributors.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: