
Long story short: they messed up the assign-reviewers.yml workflow, allowing external contributors to merge PRs without proper reviews. From this point on, you're fully open to all kinds of bad stuff.




That’s not what happened at all

The attacker did not need to merge any PRs to exfiltrate the credentials


What actually happened:

The workflow was configured in a way that allowed untrusted code from a branch controlled by the attacker to be executed in the context of a GitHub action workflow that had access to secrets.
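As an added illustration (a constructed workflow, not the project's actual assign-reviewers.yml, whose contents the thread does not show), here is one common shape of the misconfiguration that comment describes, beside a hardened form. The script path `scripts/assign-reviewers.js` and the secret name `BOT_TOKEN` are hypothetical; `pull_request_target` runs with the base repository's secrets, so checking out and executing the PR head's code hands those secrets to whoever controls the branch.

```yaml
# Constructed example (not the incident's real workflow).
# RISKY: pull_request_target supplies the base repo's secrets, yet the job
# checks out and runs code from the PR head, which the PR author controls.
name: assign-reviewers (risky)
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  assign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted code
      - run: npm ci && node scripts/assign-reviewers.js   # executes it with the secret in env
        env:
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}               # hypothetical secret name
---
# HARDENED: same trigger, but only code from the base branch is checked out
# and executed; PR data is passed as data, never run. Token scope is
# limited to what reviewer assignment needs.
name: assign-reviewers (hardened)
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
  pull-requests: write
jobs:
  assign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # default ref: the base branch (trusted)
      - run: node scripts/assign-reviewers.js  # hypothetical script from the base branch
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}  # untrusted input, used as data only
```

Reviewing every `pull_request_target` (and `workflow_run`) job for a checkout of `head.sha`/`head.ref` followed by a build or script step is the quickest way to spot this pattern in a repository.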


More so in case you actually do the "secrets on github with the right to do meaningful things"

Yeah that's a pretty deadly combo.

Here's an AI product I would actually use: Write my damn GH actions yml for me.

Oh, and describe for me exactly how it works and why. And be right about it.


Except the model would have been trained on the available corpus of known runners and will achieve the same average level of quality...

Why does it need to be a distinct product and not Cursor/ChatGPT/Claude code/any of the other existing tools?

(If you're so anti-AI that you're still writing boilerplate like that by hand, I mean, not gonna tell you what you do, but the rest of us stopped doing that crap as soon as it was evident we didn't have to any more.)


Opener source software


