
I believe CI on pull requests runs without the secrets, to avoid precisely that issue.



Yes, the problem is that GitHub did not seem to consider that “malicious input” can include any content that is provided and parsed in some way. Unfortunately, all of stdout is parsed, and often includes things like issue titles, descriptions, commit messages, etc.
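An added example, not part of the thread and not GitHub's code: one way a workflow step can print untrusted text (an issue title, a commit message) without the runner interpreting it, using GitHub Actions' documented `::stop-commands::` workflow command. The function names and sample strings are assumptions constructed for illustration, and the detection pattern is deliberately conservative.

```shell
#!/bin/sh
# Added example: keep untrusted text from being parsed as workflow commands.
# Function names and sample strings are constructed for illustration.

# Return 0 if any line of $1 could be read as a workflow command:
# a line starting (after optional whitespace) with "::", or containing
# the legacy "##[" marker anywhere. Conservative on purpose.
looks_like_workflow_command() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*::|##\['
}

# Print untrusted text between a stop-commands marker and its resume marker.
# The token is random per call, so the text cannot predict the resume line.
print_untrusted() {
  _token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
  printf '::stop-commands::%s\n' "$_token"
  printf '%s\n' "$1"
  printf '::%s::\n' "$_token"
}

# Constructed samples standing in for issue titles fetched by a CI job.
benign_title='Fix typo in README'
hostile_title=$(printf 'Build broken\n::warning::annotation from issue text')

for text in "$benign_title" "$hostile_title"; do
  if looks_like_workflow_command "$text"; then
    # Flag for review; the wrapper below still neutralises it.
    echo "flagged: input contains command-like line" >&2
  fi
  print_untrusted "$text"
done
```

A fixed or guessable token defeats the wrapper, since the untrusted text could then emit the resume line itself.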



