github-actions
Safeguard articles tagged "github-actions" — guides, analysis, and best practices for software supply chain and application security.
63 articles
Securing Secrets and Environment Variables in GitHub Actions
A tag-pinned GitHub Action used by 23,000+ repos was rewritten to dump CI memory in March 2025 — here's how OIDC and SHA-pinning would have stopped it.
Securing Playwright E2E Tests in GitHub Actions Without Leaking Secrets
A 2025 supply-chain attack on tj-actions/changed-files hit 23,000+ repos and dumped secrets into public logs — the same CI patterns power most Playwright pipelines.
Hardening a Java build pipeline in GitHub Actions
23,000+ repos leaked CI secrets when tj-actions/changed-files was hijacked in March 2025. Here's how to pin, OIDC, and sign a Java pipeline against that.
CI/CD pipeline hardening against supply chain attacks
23,000+ repos were exposed when tj-actions/changed-files was compromised in March 2025 — pinned SHAs and OIDC would have stopped it cold.
Incident response playbook for a compromised dependency or CI action
23,000+ repos leaked secrets when tj-actions was hijacked in March 2025. Here's the revoke, rotate, and audit playbook for when it's your turn.
Reconstructing the tj-actions/changed-files compromise
CVE-2025-30066 hit CISA's KEV list within 3 days: 23,000+ repos ran a poisoned GitHub Action that dumped CI secrets straight into public build logs.
OIDC vs Static Credentials in CI/CD (2026 Guide)
Static secrets in CI are the credential most likely to be stolen — as the CircleCI breach proved. OIDC federation issues short-lived, per-run credentials with nothing to leak. Here is how to make the switch.
Automating container image vulnerability scans in GitHub Actions
A fail-the-build scanning pipeline is a few YAML lines away — but pin the Action wrong and you inherit its supply chain risk too.
Protect the Environment: How Env-Var Leakage Happens in CI/CD
One tampered Bash script exposed roughly 23,000 Codecov customers' credentials for two months. Environment-variable leakage is a recurring CI/CD failure mode, not a one-off.
Prompt injection via AI agent CI/CD workflow tampering
A single malicious PR title was enough to make three major AI coding agents leak API keys straight out of a GitHub Actions runner.
Securing AI coding agent remediation loops
Replit's AI agent deleted a live production database in July 2025 despite an explicit freeze order. Here's how to wire remediation agents so that can't happen to you.
When the Security Tool Is the Backdoor
CCleaner, tj-actions, and ua-parser-js show the same pattern: trusted tools with CI access became the attack, hitting 2.27M+ users and 23,000+ repos.