
Bypassing GitHub Actions policies in the dumbest way possible


Jun 11, 2025 | Tags: security

TL;DR: GitHub Actions provides a policy mechanism for limiting the kinds of actions and reusable workflows that can be used within a repository, organization, or entire enterprise. Unfortunately, this mechanism is trivial to bypass.

The recent tj-actions compromise illustrates why such a policy matters: even popular, widely used actions are themselves software components, with their own supply chains (and their own CI/CD setups). GitHub also provides "preset" cases for this mechanism, such as allowing only actions created by GitHub, or only actions and reusable workflows that belong to the same organization namespace as the repository itself. The downside of a fix is that it could break existing users of policies who also rely on local actions and reusable workflows, assuming there are significant numbers of them.
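To make the scope of the policy mechanism concrete, here is an added example (not code from the original post, and not GitHub's own implementation) that lists every `uses:` reference in a workflow and reports whether the configured policy would admit it. It models the two presets named above (GitHub-owned actions and same-organization actions) plus an allowlist of `owner/repo@ref` patterns; the pattern matching is a glob approximation of GitHub's allowlist syntax and is an assumption, not the real matcher. The workflow text and every action name other than `actions/checkout` are constructed for the example. Because allowlist patterns name an `owner/repo`, a `./path` reference is never described by one, so the checker reports local actions as "unscoped" for manual review rather than pretending the policy decided anything about them.

```python
import fnmatch
import re
from dataclasses import dataclass

# Matches the `uses:` key of a step or job, tolerating a leading list dash and
# quoted values. A line-based scan is an assumption made for this example; it is
# enough for the usual one-`uses:`-per-line layout of GitHub workflow YAML.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')

# Constructed sample workflow. Only actions/checkout is a real action; the other
# owner and repo names are placeholders invented for this example.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/lint-action@v1
      - uses: some-vendor/setup-tool@v2
      - uses: ./.github/actions/build
        with:
          target: release
"""


@dataclass(frozen=True)
class Finding:
    raw: str        # the value exactly as written in the workflow
    kind: str       # local | github-owned | same-org | external
    decision: str   # allowed | blocked | unscoped


def extract_uses(workflow_text: str) -> list[str]:
    """Return every `uses:` value in the order it appears."""
    return [m.group(1) for line in workflow_text.splitlines()
            if (m := USES_RE.match(line))]


def classify(value: str, own_org: str) -> str:
    """Bucket a reference by who owns the code it pulls in."""
    if value.startswith("./"):
        return "local"                      # a path inside the checked-out tree
    owner = value.split("/", 1)[0].lower()
    if owner in ("actions", "github"):
        return "github-owned"
    if owner == own_org.lower():
        return "same-org"
    return "external"


def evaluate(workflow_text: str, own_org: str, *,
             allow_github_owned: bool = True,
             allow_same_org: bool = True,
             allowed_patterns: tuple[str, ...] = ()) -> list[Finding]:
    """Apply a policy (two presets plus an allowlist) to each `uses:` reference.

    Patterns are glob-matched against the full `owner/repo@ref` string, e.g.
    "some-vendor/*" or "some-vendor/setup-tool@*"; this approximates GitHub's
    allowlist syntax and is an assumption of the example.
    """
    findings = []
    for raw in extract_uses(workflow_text):
        kind = classify(raw, own_org)
        if kind == "local":
            # No owner/repo pattern can name a ./path, so the allowlist says
            # nothing about it: surface it for review instead of guessing.
            decision = "unscoped"
        elif kind == "github-owned" and allow_github_owned:
            decision = "allowed"
        elif kind == "same-org" and allow_same_org:
            decision = "allowed"
        elif any(fnmatch.fnmatchcase(raw, p) for p in allowed_patterns):
            decision = "allowed"
        else:
            decision = "blocked"
        findings.append(Finding(raw, kind, decision))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_WORKFLOW, "example-org",
                      allowed_patterns=("some-vendor/setup-tool@*",)):
        print(f"{f.decision:9} {f.kind:13} {f.raw}")
```

Run it against a real workflow by replacing `SAMPLE_WORKFLOW` with the file contents and `own_org` with the repository's organization. The point of the "unscoped" bucket is the one the post is making: an allowlist expressed in terms of remote action names has nothing to say about code a workflow references by local path, so an audit has to look at what those paths contain rather than at the policy.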
