
Accidentally breaking GitHub Actions with a shorthash collision (2019)


Last December, I was invited to a private bug bounty program to test a beta version of GitHub Actions. GitHub Actions is a workflow automation tool integrated with GitHub. One common use case is CI builds: a project can fairly easily start a Docker container every time a commit is pushed and run its tests inside that container.

So the runner for GitHub Actions would see the string actions/docker/cli@76ff57a in the config file and parse out the individual components: it would clone the actions/docker repository at commit 76ff57a, enter the cli directory, and execute the setup code located there. However, even if creating a colliding commit required write access to the repository, someone without write access could still subtly introduce a collision by getting a PR accepted, and a shorthash can also become ambiguous by chance over time as the repository accumulates objects.
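To make the parsing step and the failure mode concrete, here is an added example (not code from the post or from GitHub's runner) that splits an owner/repo/path@ref string the way the paragraph describes and then resolves the ref against a set of object ids, refusing a prefix that matches more than one object. The object ids, the AmbiguousRefError and UnknownRefError names and the require_full_sha option are assumptions for illustration; the repository contents stand in for what a real runner would get from git.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample of commit ids for a hypothetical repository (not real
# commits of actions/docker). Two of them share the seven-hex-digit prefix
# 76ff57a, which is the kind of shorthash collision the post describes.
SAMPLE_OBJECT_IDS = [
    "76ff57a1c3d5e7f9b0a2c4e6d8f0a1b2c3d4e5f6",
    "76ff57aeb9d7c5a3f1e0d2c4b6a8f0e1d3c5b7a9",
    "9b2e4f6a8c0d1e3f5a7b9c1d3e5f7a9b1c3d5e7f",
]

FULL_SHA1 = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA1 = re.compile(r"^[0-9a-f]{4,39}$")
# <owner>/<repo>[/<path>]@<ref>, e.g. actions/docker/cli@76ff57a
USES = re.compile(
    r"^(?P<owner>[^/@]+)/(?P<repo>[^/@]+)(?:/(?P<path>[^@]+))?@(?P<ref>[^@]+)$"
)


@dataclass(frozen=True)
class ActionRef:
    owner: str
    repo: str
    path: str  # subdirectory inside the repository, "" for the repository root
    ref: str   # commit id, commit prefix, tag or branch as written in the config


class AmbiguousRefError(ValueError):
    """The prefix matches more than one object: refuse rather than pick one."""


class UnknownRefError(ValueError):
    """Nothing in the repository matches the ref."""


def parse_uses(uses: str) -> ActionRef:
    """Split an owner/repo[/path]@ref string into its components."""
    m = USES.match(uses.strip())
    if not m:
        raise ValueError(f"not an owner/repo[/path]@ref reference: {uses!r}")
    return ActionRef(m["owner"], m["repo"], m["path"] or "", m["ref"])


def resolve_ref(ref: str, object_ids: Iterable[str], require_full_sha: bool = False) -> str:
    """Map a hex ref to exactly one full object id.

    Only commit ids and prefixes are handled here; tags and branches would
    need a separate lookup. Note that a short tag name made of hex digits
    (e.g. "cafe") is indistinguishable from a prefix, which is one more
    reason to pin with the full 40-character id.
    """
    ids = {oid.lower() for oid in object_ids}
    ref = ref.lower()
    if FULL_SHA1.match(ref):
        if ref in ids:
            return ref
        raise UnknownRefError(f"no object {ref}")
    if require_full_sha:
        raise ValueError("actions must be pinned to a full 40-character commit id")
    if not SHORT_SHA1.match(ref):
        raise ValueError(f"not a hex object id or prefix: {ref!r}")
    matches = sorted(oid for oid in ids if oid.startswith(ref))
    if not matches:
        raise UnknownRefError(f"no object starts with {ref}")
    if len(matches) > 1:
        # This is the collision: a runner that silently took matches[0]
        # would run whichever commit happens to sort first.
        raise AmbiguousRefError(f"{ref} matches {len(matches)} objects: {matches}")
    return matches[0]


def resolution_error(ref: str, object_ids: Iterable[str], **kw) -> Optional[str]:
    """Name of the error resolve_ref raises for ref, or None if it resolves."""
    try:
        resolve_ref(ref, object_ids, **kw)
        return None
    except ValueError as exc:
        return type(exc).__name__


def checkout_plan(uses: str, object_ids: Iterable[str], require_full_sha: bool = False) -> dict:
    """The steps the paragraph describes: clone, pin to a commit, enter the path."""
    action = parse_uses(uses)
    commit = resolve_ref(action.ref, object_ids, require_full_sha)
    return {
        "clone": f"https://github.com/{action.owner}/{action.repo}.git",
        "commit": commit,
        "directory": action.path or ".",
    }


if __name__ == "__main__":
    print(parse_uses("actions/docker/cli@76ff57a"))
    print(resolution_error("76ff57a", SAMPLE_OBJECT_IDS))   # AmbiguousRefError
    print(checkout_plan("actions/docker/cli@9b2e4f6", SAMPLE_OBJECT_IDS))
```

Running it with the constructed ids shows the two outcomes that matter: 9b2e4f6 resolves to a single commit, while 76ff57a is rejected as ambiguous instead of being silently mapped to one of the two candidates. Setting require_full_sha=True turns every short prefix into an error, which is the policy a workflow author can adopt unilaterally regardless of how the runner behaves.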
