Zombie Workflows: A GitHub Actions horror story
Blog post from Sonar
GitHub Actions, a widely used CI/CD platform, automates tasks such as building code, running tests, and managing pull requests, but its workflows are not immune to vulnerabilities, in particular the class known as Pwn Requests. These arise when a workflow handles sensitive information unsafely, most often in workflows triggered by the pull_request_target event, which an attacker can manipulate into executing arbitrary code with access to sensitive data.

A specific vulnerability pattern, termed "Zombie Workflows," lets attackers exploit workflows on older or unmerged branches where fixes have not been applied. A large-scale evaluation identified numerous repositories at risk, and GitHub recently announced a change to the default behavior of pull_request_target-triggered workflows: they will now use the workflow version from the default branch, which mitigates this risk.

The change improves security by removing the need to backport vulnerability fixes to every branch. Other vulnerabilities in GitHub Actions remain, however, so ongoing vigilance and tools such as SonarQube's workflow scanning are still warranted.
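As an added example (not Sonar's code or scanner), the following Python script applies the Zombie Workflow idea across all branches of a repository: it flags workflows that combine a pull_request_target trigger with a checkout of the pull-request head, and reports the ones still vulnerable on a non-default branch even though the default branch's copy has been fixed or removed. The branch contents, workflow paths and regex heuristics are constructed for this example.

```python
import re

# Heuristic patterns, constructed for this example: a production scanner
# should parse the workflow YAML rather than grep it.
PRT_TRIGGER = re.compile(
    r"^\s*(?:-\s*)?pull_request_target\s*:?\s*$"  # block or list trigger form
    r"|^\s*on:\s*(?:pull_request_target|\[[^\]]*\bpull_request_target\b[^\]]*\])\s*$",
    re.M,
)
# actions/checkout pinned to the PR author's head: untrusted code is then
# built or executed inside a privileged job that can read repository secrets.
UNTRUSTED_REF = re.compile(
    r"ref:\s*\$\{\{\s*(?:github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref)\s*\}\}"
)


def is_vulnerable(workflow_text: str) -> bool:
    """Pwn Request pattern: pull_request_target trigger plus PR-head checkout."""
    return bool(PRT_TRIGGER.search(workflow_text) and UNTRUSTED_REF.search(workflow_text))


def zombie_workflows(branches: dict, default_branch: str = "main") -> list:
    """(branch, path) pairs that are vulnerable on a non-default branch while the
    default branch's copy is fixed or absent: a fix on main does not cover them."""
    default = branches.get(default_branch, {})
    return sorted((b, p) for b, files in branches.items() if b != default_branch
                  for p, text in files.items()
                  if is_vulnerable(text) and not is_vulnerable(default.get(p, "")))


# Constructed sample repository: the fix landed on main, but an older release
# branch and an unmerged feature branch still carry vulnerable workflows.
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run lint
"""
# Fixed copy: plain pull_request trigger (no secrets) and a default checkout.
FIXED = VULNERABLE.replace("pull_request_target:", "pull_request:").replace(
    "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n", "")
SAMPLE_REPO = {
    "main": {".github/workflows/pr-lint.yml": FIXED},
    "release/1.x": {".github/workflows/pr-lint.yml": VULNERABLE},
    "feature/old": {".github/workflows/nightly.yml": VULNERABLE},
}
```

Running `zombie_workflows(SAMPLE_REPO)` lists both non-default branches, which is exactly the set that a fix applied only to `main` leaves exposed until GitHub's default-branch behavior takes effect.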