I’ve always worried about env leakage, especially in npm packages. GHA does a decent job of masking but there is no stopping arbitrary code. One thing they could do is pass log output against known GHA Secrets and run an additional masking on the output string.
To put this into context, everything about this attack is logged in the open, I believe. If that shows up in log output, you’ll know who did it and that everyone can see it - and proceed with rotating secrets promptly and report the hack to GitHub.
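As an added illustration of the extra masking pass suggested above (my own example, not code from GitHub Actions or any npm package): it matches log text against known secret values and the encodings in which they commonly leak. The length threshold and the sample token are constructed.

```python
import base64
from urllib.parse import quote

MASK = "***"
MIN_LEN = 8  # constructed threshold: shorter values would blank ordinary text

def secret_variants(secret):
    """Return the forms in which a secret value commonly reappears in
    log output: the raw value plus base64 and URL-encoded forms, which
    a plain string match on the raw value alone would miss."""
    variants = {
        secret,
        base64.b64encode(secret.encode()).decode(),
        quote(secret, safe=""),
    }
    return {v for v in variants if len(v) >= MIN_LEN}

def mask_output(text, secrets):
    """Replace every known secret (in any tracked encoding) with MASK.
    Longest variants are applied first so a value that contains another
    is masked whole rather than leaving fragments behind."""
    patterns = set()
    for s in secrets:
        patterns |= secret_variants(s)
    for p in sorted(patterns, key=len, reverse=True):
        text = text.replace(p, MASK)
    return text

# Constructed sample: a token echoed raw and again base64-encoded,
# as a misbehaving package step might do.
SAMPLE_SECRET = "ghp_constructedToken123"
SAMPLE_LOG = (
    "npm info token=" + SAMPLE_SECRET + "\n"
    "debug payload=" + base64.b64encode(SAMPLE_SECRET.encode()).decode()
)

def run_demo():
    """Mask the constructed sample log against its known secret."""
    return mask_output(SAMPLE_LOG, [SAMPLE_SECRET])

if __name__ == "__main__":
    print(run_demo())
```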