We discovered and responsibly disclosed a vulnerability in GitHub Actions that allowed any collaborator to bypass deployment branch protections and access environment secrets and OIDC tokens — even if none of the repository's workflows use pull_request_target.