Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

GitHub Actions fork pull requests: where privileged workflows break


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: A single pull request from a fork can turn GitHub Actions workflows into code execution, token theft, secret exposure, and repository compromise across Microsoft, Google, Nvidia, and others, according to Orca Security. The problem is not the fork itself but the assumption that untrusted pull request code can safely enter privileged workflows.

NHIMG editorial — based on content published by Orca Security: GitHub Actions pwn requests and privileged workflow exploitation

By the numbers:

Questions worth separating out

Q: How should security teams stop forked pull requests from reaching privileged GitHub Actions jobs?

A: Security teams should separate validation from privilege.

Q: Why do GitHub Actions misconfigurations create so much lateral movement risk?

A: They create lateral movement risk because a workflow runner can inherit access to repository writes, tokens, secret stores, and sometimes cloud credentials.

Q: What do security teams get wrong about pull_request_target workflows?

A: Teams often assume the trigger is safe if the workflow looks familiar or uses reusable components.

Practitioner guidance

  • Split untrusted and privileged jobs Run forked pull request validation in a non-privileged workflow with no write permissions, no release credentials, and no deployment environment access.
  • Remove checkout before trust checks Validate branch origin, event type, and repository source before any checkout of contributor-controlled code occurs in a job with elevated permissions.
  • Treat workflow tokens as NHI credentials Inventory GITHUB_TOKEN usage, reusable workflow permissions, and environment secrets as non-human identities with explicit scope and expiration.

What's in the full article

Orca Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step exploit paths for Microsoft, Google Cloud, and Nvidia repositories
  • Workflow snippets showing how pull_request_target was misused in real jobs
  • Specific mitigation patterns such as label gates, environment protections, and repository-level restrictions
  • Disclosure timelines and repository-specific fixes that are useful for incident response teams

👉 Read Orca Security's analysis of GitHub Actions pwn request exploitation →

GitHub Actions fork pull requests: where privileged workflows break?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Fork trust is not a safe default when the workflow identity can write back to the repository. GitHub Actions treats pull request automation as a software execution problem, but the security failure is identity scoping. Once untrusted contributor code is checked out inside a privileged job, the workflow identity has crossed from review into execution authority. Practitioners should treat that boundary as an NHI control point, not a developer convenience.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when a GitHub Actions workflow exposes secrets or pushes malicious code?

A: Accountability sits with the team that defined the workflow trust boundary and granted the permissions, not with the runner or the contributor alone. Frameworks such as NIST Cybersecurity Framework 2.0 expect governance over access, change control, and response. If a workflow can write, publish, or deploy, it needs explicit ownership and review.

👉 Read our full editorial: GitHub Actions pwn requests expose the limits of fork trust



   
ReplyQuote
Share: