GitHub Actions is a powerful, flexible CI/CD service that gives developers the ability to automate all of their software workflows. Developers have built amazing things with GitHub Actions, and the CI/CD service has dramatically accelerated developer productivity. At the same time, as GitHub Actions has grown, we’ve unfortunately also seen a wide variety of bad actors abusing Actions, affecting service performance, and causing denial of service to open source projects.

The trustworthiness of the platform is crucial, and our team is committed to developer productivity and to Actions performing the way we intended. Cryptomining on Actions is not new, and we’ve been fighting abusers since the beginning. However, as the price of coins has gone up, the number of abusers has escalated. We’ve spent thousands of hours combating abuse and implemented dozens of different mitigations to detect and prevent it. Ensuring Actions remains a trusted choice for developers’ automation and CI/CD needs is a top priority for our team, and we’ll continue to put safeguards in place to get ahead of bad actors.

We wanted to take a moment to discuss one of the latest targeted abuse attacks that affected a lot of maintainers on GitHub and explain what we’re doing to fix it.

GitHub Actions cryptomining abuse

The recent surge in cryptocurrency prices has driven a significant increase in targeted abuse across CI providers. At GitHub, we’ve seen a variety of vectors being exploited. One of these is pull requests from forks being used by bad actors to run mining code on upstream repositories. This obviously has a negative impact on repository owners whose legitimate pull requests and accounts may be blocked as a result of this activity.

To prevent this, we’re delivering two changes to how we treat pull requests from public forks in Actions to help maintainers.

#features #open source #product #github