
I believe CI on pull requests runs without the secrets, to avoid precisely that issue.


Yes, the problem is that GitHub did not seem to consider that “malicious input” can include any content that is provided and parsed in some way. Unfortunately, all of stdout is parsed, and often includes things like issue titles, descriptions, commit messages, etc.
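A defensive sketch of the point above, added here as an example and not part of the thread: a CI step that has to echo untrusted text can break up command-shaped lines and wrap the output in a stop-commands block. It assumes GitHub Actions' `::name params::value` workflow-command syntax on stdout; the function names and the sample title are constructed for illustration.

```shell
# Added example. Assumption: the CI runner treats stdout lines of the form
# "::name params::value" as workflow commands (GitHub Actions syntax).

# neutralize_untrusted: filter stdin to stdout so no line begins with "::".
neutralize_untrusted() {
  # Turn bare CRs into LFs first, so a carriage return cannot hide a line start,
  # then break the "::" prefix (leading whitespace preserved) with a visible tag.
  tr '\r' '\n' | sed 's/^\([[:space:]]*\)::/\1[neutralized] ::/'
}

# print_untrusted TEXT: print attacker-influenced text (issue title, commit
# message, ...) between a stop-commands marker and its resume line. The token is
# random per call, so the text cannot contain the resume line in advance.
print_untrusted() (
  token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
  printf '::stop-commands::%s\n' "$token"
  printf '%s\n' "$1" | neutralize_untrusted
  printf '::%s::\n' "$token"
)

# Constructed sample: an issue title carrying embedded command-shaped lines.
# "example-command" is a placeholder name, not a real workflow command.
SAMPLE_TITLE=$(printf 'Fix typo\n::example-command key=value::payload\ntitle\r::example-command::x')

print_untrusted "$SAMPLE_TITLE"
```

Only the two wrapper lines emitted by `print_untrusted` itself start with `::`; every line derived from the untrusted text is shown with the `[neutralized]` tag instead.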



