The only way to 'harden your github actions' is to not use github actions.
reply
Makes sense tbh :)
reply
Disabling vscode/cursor extensions auto-updates also makes sense
reply
Thanks for making me aware of zizmor, just ran and fixed all issues on our core repos.
reply
You are welcome! Recently discovered it and found it genuinely useful. Fixed a bunch of issues in my workflows too :)
reply
You also need to make sure you take care using PR titles and descriptions in your GHA because if they contain `text` it *may be executed lmfao.

edited: not "will", may depending on your GHA

reply
Can you cite this? It's not YAML execution syntax, surely Github doesn't do it, the only vector I can see is if you put it unquoted into a shell script inside of a GHA yaml.
reply
Yes that's it.
reply
https://github.com/orgs/community/discussions/27065

https://stackoverflow.com/questions/77090044/github-actions-...

https://www.praetorian.com/blog/pwn-request-hacking-microsof...

All you need is user content containing `backticked`, and a GitHub action referencing that via e.g. "github.event.issue.title" where the shell would normally execute `backticked` as a command (like echo, cat, etc).

reply
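The mechanism the comment above describes, plus the check zizmor-style linters perform, as an added example that is not part of the thread or of zizmor: `${{ ... }}` expressions are expanded by the runner into the text of the `run:` script before the shell parses it, so anything in an issue title ends up as shell code. Moving the expression into `env:` keeps the value as data. The workflow dicts, the sample issue title and the function names are constructed for this illustration; the title uses ordinary markdown inline code, which is enough to break (or worse) an unquoted step.

```python
import re

# Event payload fields that are written by whoever opened the issue/PR or left the comment.
# Constructed list for this example; a real linter (e.g. zizmor) keeps a fuller one.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*github\.event\."
    r"(issue|pull_request|comment|review|review_comment|discussion|head_commit|commits)"
    r"\.[\w.]+\s*\}\}"
)
EXPRESSION = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def find_template_injection(workflow: dict) -> list:
    """Flag every `run:` step that expands an untrusted event field directly into shell text."""
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        for idx, step in enumerate(job.get("steps", [])):
            script = step.get("run")
            if not script:
                continue
            for match in UNTRUSTED_CONTEXT.finditer(script):
                findings.append(f"{job_name}/step{idx}: {match.group(0)} expanded inside run:")
    return findings


def _lookup(context: dict, dotted_path: str):
    """Resolve 'github.event.issue.title' against a nested dict of the event payload."""
    cur = context
    for part in dotted_path.split("."):
        cur = cur[part]
    return cur


def render_run(step: dict, context: dict) -> tuple:
    """Mimic the runner: expand ${{ }} in `env:` and `run:` BEFORE any shell sees the text.

    Returns (script_text, env). The script text is what the runner writes to a temp file and
    hands to bash, so an expression expanded here becomes shell syntax, not a string value.
    """
    def expand(text: str) -> str:
        return EXPRESSION.sub(lambda m: str(_lookup(context, m.group(1))), text)

    env = {name: expand(value) for name, value in step.get("env", {}).items()}
    return expand(step["run"]), env


# Constructed sample event: an issue title with markdown inline code in it.
SAMPLE_CONTEXT = {"github": {"event": {"issue": {"title": "Fix `date` parsing"}}}}

# Weak pattern: the title is interpolated straight into the shell script.
VULNERABLE_WORKFLOW = {
    "jobs": {"triage": {"steps": [
        {"run": 'echo "New issue: ${{ github.event.issue.title }}"'},
    ]}}
}

# Hardened pattern: the expression lives in env:, the script only reads $TITLE.
HARDENED_WORKFLOW = {
    "jobs": {"triage": {"steps": [
        {"env": {"TITLE": "${{ github.event.issue.title }}"},
         "run": 'echo "New issue: $TITLE"'},
    ]}}
}

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, "findings:", find_template_injection(wf) or "none")
        script, env = render_run(wf["jobs"]["triage"]["steps"][0], SAMPLE_CONTEXT)
        print("  script handed to bash:", script)
        print("  env:", env)
```

In the vulnerable case the rendered script contains the backticks inside a double-quoted string, which bash treats as command substitution; in the hardened case the script text never changes and the title is only ever an environment variable value, which is also the mitigation GitHub's own docs recommend.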
Maybe zizmor could catch this https://github.com/zizmorcore/zizmor but not sure 100%
reply
Yeah, zizmor checks for template injection.
reply
Nice
reply