6 min read | Saved February 14, 2026
This article discusses the security vulnerabilities associated with GitHub Actions, highlighting issues like secrets management failures, insufficient permission management, and dependency pinning failures. It emphasizes the importance of understanding these risks to protect CI/CD workflows from potential attacks.
Attackers are increasingly targeting GitHub Actions due to its broad adoption and developers’ lack of security awareness. GitHub Actions is now the most widely used CI/CD platform, with a 51% adoption rate according to the CNCF 2024 survey. This popularity, combined with the tendency of developers to overlook security in their automation processes, creates a vulnerable environment. Many developers focus solely on the application code and neglect the security of their CI/CD infrastructure, making it ripe for exploitation.
A primary concern is the mismanagement of secrets. Millions of secrets are leaked on GitHub every year, often hardcoded into workflow files or exposed in workflow logs. When a secret is compromised, the attacker gains access to whatever resource that secret protects. Additionally, the GITHUB_TOKEN often carries more permissions than the workflow needs, allowing it to perform actions that should be restricted. Older repositories may still run with the broad default token permissions, which can lead to significant security risks: a compromised GITHUB_TOKEN with write access could modify code, delete branches, or access repository secrets.
Dependency management is another critical area of concern. Many workflows reference actions by mutable references, such as tags or branches, which can be redirected to malicious code if the action’s repository is compromised. This was exemplified by the tj-actions/changed-files incident, where a single compromised action affected over 23,000 repositories and leaked secrets undetected for days. To mitigate this risk, developers should pin actions to specific commit hashes rather than relying on tags or branches. Each of these weaknesses highlights the need for stronger security practices around GitHub Actions to protect against potential attacks.
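A check a defender can run over a workflow file, added here as an example and not taken from the article: it flags every `uses:` reference that is not pinned to a full 40-character commit SHA and reports a workflow that declares no `permissions:` block (so the GITHUB_TOKEN falls back to the repository default). The two sample workflows and the commit SHAs in them are constructed placeholders, not real commits of any action.

```python
import re

# Constructed weak workflow: mutable tag/branch refs, no permissions block.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@main
      - run: npm test
"""

# Constructed hardened workflow: least-privilege token, SHA-pinned actions.
# The SHAs are placeholders, not real commits.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: tj-actions/changed-files@89abcdef0123456789abcdef0123456789abcdef # v46
      - run: npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line, action, ref, problem) tuples for a workflow's YAML text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container refs are outside this check
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((lineno, action, version or "(none)",
                             "mutable ref; pin to a full commit SHA"))
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append((0, "<workflow>", "",
                         "no permissions block; GITHUB_TOKEN uses repository default"))
    return findings
```

Pinning to a SHA only helps if the pin is also reviewed when it is bumped; tools that update pins automatically should be treated as part of the supply chain too.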