SYSTEM Cited by 1 source
GitHub Actions¶
GitHub Actions is GitHub's native CI/CD
platform: workflow files in .github/workflows/*.yml declare
jobs that run on GitHub-hosted or self-hosted runners, triggered
by repo events (push, PR, issue, schedule, webhook). It is the
dominant CI substrate for open-source projects hosted on GitHub.
Security model — the substrate under attack¶
Script injection¶
${{ github.event.* }} expressions are string-interpolated into
shell scripts before the shell parses them. Attacker-controlled
fields (PR title, branch name, issue title, issue body, PR body,
commit message, and — as in the Datadog
datadog-iac-scanner attack — filenames matched by
git diff) can carry shell metacharacters that trigger command
execution. The class is concepts/github-actions-script-injection;
the canonical mitigation is
patterns/environment-variable-interpolation-for-bash: route
untrusted data through an env: key and reference it as "$TITLE"
in the bash snippet. GitHub publishes
secure-use guidance
recommending this pattern explicitly.
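A minimal check for this pattern, as an added example (not code from this page, GitHub, or Datadog): it flags github.event.* expressions expanded directly inside run: scripts and ignores the same expressions when they are routed through env:. The function name and the sample workflow are constructed for illustration, and the scan is a line-based heuristic rather than a full YAML parser.

```python
import re

# ${{ ... }} expressions that reference the event payload (github.event.*).
EXPR = re.compile(r"\$\{\{[^}]*?(github\.event\.[\w.]+)[^}]*\}\}")
# A `run:` key, optionally the first key of a list item ("- run: ...").
RUN = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

def find_injectable_runs(workflow_text):
    """Return (line_no, expression) for each github.event.* expression that is
    interpolated directly into a run: script. Heuristic, not a YAML parser."""
    findings = []
    key_col = None  # column of the run: key while inside its block scalar
    for no, line in enumerate(workflow_text.splitlines(), 1):
        if key_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= key_col:
                key_col = None  # dedent: the script block has ended
            else:
                findings += [(no, m.group(1)) for m in EXPR.finditer(line)]
                continue
        m = RUN.match(line)
        if not m:
            continue  # values under env:, with:, name: are not shell script text
        body = m.group(3).strip()
        if body[:1] in ("|", ">"):  # block scalar: script is on following lines
            key_col = len(m.group(1)) + len(m.group(2) or "")
        else:  # inline script on the same line as run:
            findings += [(no, e.group(1)) for e in EXPR.finditer(body)]
    return findings

# Constructed sample workflow: one vulnerable step, the env: fix, one inline run.
SAMPLE = """\
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
      - name: hardened
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
      - run: echo "${{ github.event.pull_request.head.ref }}"
"""

if __name__ == "__main__":
    for no, expr in find_injectable_runs(SAMPLE):
        print(f"line {no}: {expr} is expanded into the script; pass it via env:")
```

The hardened step (lines 9 to 13 of the sample) produces no finding because the expression only appears under env:, where the runner sets it as a variable value instead of splicing it into the script text.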
Token permissions¶
Every job receives a GITHUB_TOKEN. Default permissions are
org-configurable; narrowing to read-only by default and
opting in to pull-requests: write / contents: write
per workflow limits the blast radius.
pull_request_target / workflow_run¶
These triggers are strictly avoided: they run in trusted contexts with access to secrets, which makes them prime targets for script-injection exploits.
OIDC identity federation¶
GitHub Actions can act as an OpenID Connect (OIDC) identity provider. Workflows can exchange a short-lived OIDC token for cloud-provider credentials (AWS STS, Azure, GCP, PyPI) at runtime, replacing long-lived secrets stored in the repo. Canonical pattern: patterns/short-lived-oidc-credentials-in-ci. GitHub-specific short-lived-credential projects built on this include octo-sts (Chainguard) and dd-octo-sts-action (Datadog's adaptation) for dynamic GitHub PAT replacement.
Organization-level rulesets¶
GitHub rulesets enforce protections at the org level: required PRs for default branches, restricted write access to tags, and prevention of GitHub Actions from creating or approving PRs. patterns/org-wide-github-rulesets is the hardening pattern.
Static analysis¶
zizmor is the
canonical linter for workflow-security issues — run with
zizmor --min-severity high across an org's workflows before
shipping changes to tighten known high-risk patterns.
LLM-powered actions¶
A growing class of actions invoke LLMs on repo events — the most widely deployed is anthropics/claude-code-action (>10,000 public workflows as of 2026-03). These actions are susceptible to prompt injection from attacker-controlled PR/issue/commit text. Datadog's 2026-03-09 post catalogs five best practices:
- write untrusted data to a file, then instruct the LLM to read it;
- treat LLM output as untrusted;
- scope tools to specific files;
- use recent models (less prone to injection);
- keep the LLM step out of secret-bearing contexts.
Seen in¶
- sources/2026-03-09-datadog-when-an-ai-agent-came-knocking — primary canonical wiki source; Datadog retrospective on the hackerbot-claw campaign exploiting both script injection and prompt injection.
Related¶
- systems/github — parent platform.
- systems/anthropics-claude-code-action — LLM action deployed on Actions.
- systems/octo-sts, systems/dd-octo-sts-action — short-lived-credential projects built on Actions + OIDC.
- concepts/github-actions-script-injection — dominant code-execution attack class.
- concepts/oidc-identity-federation — short-lived credential substrate.
- patterns/environment-variable-interpolation-for-bash, patterns/short-lived-oidc-credentials-in-ci, patterns/org-wide-github-rulesets — hardening patterns.