
ashishb | No.43530439
I am getting more and more convinced that CI and CD should be completely separate environments. Compromise of CI should not lead to token leaks related to CD.
mdaniel | No.43530510
This area is near and dear to my heart, and I would offer that the solution isn't to decouple CD over into its own special little thing but rather to make the CD "multi factor" in that it must be "sub":"repo:octo-org/octo-repo:environment:prod"[1] and feel free to sprinkle in any other [fun claims][] you'd like to harden that system

1: https://docs.github.com/en/actions/security-for-github-actio...

fun claims: https://github.com/github/actions-oidc-debugger#readme

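To show what the "multi factor" subject binding described above buys you, here is an added example (not code from the thread, and not GitHub's own): a small Python model of the trust-policy check a CD-side identity provider performs on a GitHub Actions OIDC token before exchanging it for deploy credentials. The audience, the two claim sets and both policies are constructed; the claim names are the ones GitHub documents.

```python
import re

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"  # documented issuer
AUDIENCE = "https://cd.example.test"  # assumed audience for the CD credential broker

def string_like(value: str, pattern: str) -> bool:
    """Match the way IAM-style StringLike conditions do: '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def evaluate_trust_policy(claims: dict, policy: dict) -> bool:
    """Model of the CD-side provider deciding whether to honour this token."""
    if claims.get("iss") != GITHUB_ISSUER:
        return False
    if claims.get("aud") != policy["aud"]:
        return False
    if not string_like(claims.get("sub", ""), policy["sub"]):
        return False
    # The extra claims are the second factor: each listed one must match exactly.
    for name, expected in policy.get("extra_claims", {}).items():
        if claims.get(name) != expected:
            return False
    return True

# Constructed claim sets for two jobs in the same repository.
PROD_DEPLOY_CLAIMS = {  # deploy job running against the "prod" environment
    "iss": GITHUB_ISSUER,
    "aud": AUDIENCE,
    "sub": "repo:octo-org/octo-repo:environment:prod",
    "environment": "prod",
    "ref": "refs/heads/main",
    "job_workflow_ref": "octo-org/octo-repo/.github/workflows/deploy.yml@refs/heads/main",
}
PULL_REQUEST_CI_CLAIMS = {  # CI job triggered by a pull request, no environment
    "iss": GITHUB_ISSUER,
    "aud": AUDIENCE,
    "sub": "repo:octo-org/octo-repo:pull_request",
    "ref": "refs/pull/42/merge",
    "job_workflow_ref": "octo-org/octo-repo/.github/workflows/ci.yml@refs/pull/42/merge",
}

# Weak policy: a trailing wildcard on the subject also admits CI's pull_request token.
WEAK_POLICY = {"aud": AUDIENCE, "sub": "repo:octo-org/octo-repo:*"}
# Strict policy: exact environment subject plus the workflow file and branch pinned.
STRICT_POLICY = {
    "aud": AUDIENCE,
    "sub": "repo:octo-org/octo-repo:environment:prod",
    "extra_claims": {"job_workflow_ref": PROD_DEPLOY_CLAIMS["job_workflow_ref"]},
}
```

Under WEAK_POLICY both tokens are accepted, so a compromised CI job on a pull request can reach the CD credentials; under STRICT_POLICY only the prod deploy token passes.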
ashishb | No.43531158
Doable, but I would prefer complete isolation for simplicity.
thund | No.43532097
There are ways to isolate code for CI from CD; it's just not as easy as setting up the classic repo. One can use multiple repos, for example, or run CI and CD with different products.