testing refactor

[myoung34]

No description provided.

[dacbd]

seems sus 🤔 ⛔ 🥇

[myoung34]

testing things. Youre solid (and wow, fast!)

If youre curious theres contact info on my page

[dacbd]

testing things. Youre solid (and wow, fast!)

If youre curious theres contact info on my page

@myoung34 thanks, I'll take a look! if you find anything feel free to reach out, [email protected]

[0x2b3bfa0]

@myoung34, gold medal for making me wake up at 4:27 a.m. 🏅😉

[dacbd]

I did not wake up at 4am 😉. @myoung34 I will say the GitHub UI makes what happened look a bit misleading, are you testing opensource projects, random stuff, or a github search for actions: self-hosted + run: |

[myoung34]

Fuck, I owe you a beer @0x2b3bfa0

Email me at my contact and ill apologize in full.

[dacbd]

lol, didnt expect a poke back 😂

[0x2b3bfa0]

No worries! Still, take the message for granted. 😄

[myoung34]

Well: good morning and one day ill publish what im doing and youll know. But in the meantime grab a coffee and know:

a) youre good
b) its all in whitehat nature
c) its interesting

[dacbd]

@myoung34 we'll keep an eye out for that link ⏳

you may have happened upon the worst repo as we both have a background in security as well, and apparently both happened to be paying attention to our notications

[myoung34]

well shit.

[dacbd]

A bloopers section for when you publish findings 🙃

[myoung34]

Deal

[dacbd]

@myoung34 my final comment, we do have plans to publish our own write-up on our method of protecting self-hosted Github actions for open source repos, I'll make a note for us to cc you.

[myoung34]

Would you not, if only so i can preface (and maybe coordinate) with why its important to until that happens?
If that's a thing you were wanting to write before tonight I'd absolutely love to write a two-fold post in tandem

I'm on the hook for a few bounties that would cause a delay to you, is why I ask. let's talk in E-mail?

[dacbd]

@myoung34 for sure, reach out to me, and we can probably easily coordinate something. (I think you have plenty of time, the mentioned write-up isn't a high priority at the moment). While I believe many of our users don't have their repos public, the cml (runner) creates self-hosted runners so the content/research you are doing is very much relevant.

[kenji-miyake]

Hello. FYI, I posted a discussion thread about this. (Similar PRs are sent to my project as well.)
community/community#29757

If you know anything about it, I would appreciate your comments. 🙇

[myoung34]

@kenji-miyake @dacbd @0x2b3bfa0 https://marcyoung.us/post/zuckerpunch/

[0x2b3bfa0]

Thank you very much! Nice “testing refactor” 😋

[casperdcl]

https://github.blog/changelog/2022-10-12-reverted-recent-change-that-caused-some-pull-requests-to-be-incorrectly-marked-as-merged/ for posterity :)

[0x2b3bfa0]

@myoung34, would you like to cross link our post and yours?

[myoung34]

Done

[0x2b3bfa0]

Done