In response to the recent surge in cryptocurrency mining attacks, GitHub has changed how pull requests from public forks are handled in GitHub Actions to prevent abuse.
As the CEO of DevOps platform LayerCI, Colin Chartier, explained in a recent article,
As the market capitalization of cryptocurrency surged from $190 billion in January of 2020 to $2 trillion in April of 2021, it’s become profitable for bad actors to make a full time job of attacking the free tiers of platform-as-a-service providers.
Chartier describes how an attacker can abuse the GitHub Actions cron feature to create new commits every hour with the aim of mining cryptocurrencies.
Because developers can run arbitrary code on our servers, they often violate our terms of service to run cryptocurrency miners as a “build step” for their websites.
According to Chartier, one increasingly popular strategy for reducing the chance of detection is to run the mining code inside a headless browser.
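The cron-driven abuse described above leaves a trace in the workflow file itself: a schedule trigger that fires far more often than a legitimate nightly or weekly job needs. The following scanner, an added example that is not code from the article, from LayerCI or from GitHub, extracts the cron expressions from workflow text, computes an upper bound on how many times per day each one fires, and flags anything at or above an hourly cadence for maintainer review. The hourly threshold and the sample workflow are assumptions constructed for the example; the expression parsing covers the standard five-field cron syntax (`*`, `*/n`, `a-b`, `a,b`), which is more general than the single hourly case the text mentions.

```python
"""Audit GitHub Actions workflow text for high-frequency schedule triggers."""
import re

# Constructed sample: a legitimate weekly job plus two high-frequency
# schedules of the kind the article describes. Not a real repository's file.
SAMPLE_WORKFLOW = """\
name: ci
on:
  push:
  schedule:
    - cron: "0 3 * * 1"
    - cron: '0 * * * *'
    - cron: "*/15 * * * *"
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: make
"""

# Matches list items of the form `- cron: "..."` under a schedule trigger.
CRON_LINE = re.compile(r"^\s*-\s*cron:\s*['\"]?([^'\"\n]+?)['\"]?\s*$", re.MULTILINE)


def extract_crons(workflow_text):
    """Return every cron expression listed in schedule triggers, in file order."""
    return [m.group(1).strip() for m in CRON_LINE.finditer(workflow_text)]


def expand_field(field, low, high):
    """Expand one cron field (e.g. '*/15', '1-5', '0,30') into its sorted values."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            step = int(step_str)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
            if step > 1:  # "5/10" means start at 5, then every 10 up to the max
                end = high
        values.update(range(start, end + 1, step))
    return sorted(values)


def runs_per_day(cron_expr):
    """Upper bound on firings per day: minute matches times hour matches.

    The day-of-month, month and day-of-week fields only decide *which* days
    fire, so they do not change the per-day rate and are ignored here.
    """
    fields = cron_expr.split()
    if len(fields) != 5:
        raise ValueError(f"not a 5-field cron expression: {cron_expr!r}")
    minutes = expand_field(fields[0], 0, 59)
    hours = expand_field(fields[1], 0, 23)
    return len(minutes) * len(hours)


# Assumed review threshold: 24 runs per day is exactly "every hour".
HOURLY_OR_FASTER = 24


def flag_high_frequency(workflow_text, threshold=HOURLY_OR_FASTER):
    """Return (cron, runs_per_day) pairs for schedules at or above the threshold."""
    flagged = []
    for cron in extract_crons(workflow_text):
        rate = runs_per_day(cron)
        if rate >= threshold:
            flagged.append((cron, rate))
    return flagged


if __name__ == "__main__":
    for cron, rate in flag_high_frequency(SAMPLE_WORKFLOW):
        print(f"review: '{cron}' fires up to {rate} times per day")
```

Run against the sample, the weekly `0 3 * * 1` schedule passes while the hourly and 15-minute schedules are reported; pointing `flag_high_frequency` at the contents of each file under `.github/workflows/` gives a repository-wide review list without needing a YAML parser.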
Given this context, GitHub has announced two changes to pull request handling to make it harder for attackers to trigger the execution of mining code on upstream repositories by simply submitting a pull request.
This […] has a negative impact on repository owners whose legitimate pull requests and accounts may be blocked as a result of this activity.
As a first measure, upstream repositories will not be held responsible for abusive attacks triggered by forked repos.
Our enforcement will be directed at the account hosting the fork and not the account associated with the upstream repository.
In addition to this, when a contributor submits a pull request for the first time, manual approval from a repository collaborator with write access will be required before a GitHub Action can be run.
Based on conversations with several maintainers, we feel this step is a good balance between manual approval and existing automated workflows. This will be the default setting and, as of now, there is no way to opt out of the behavior.
GitHub also stated that this approach could be made more flexible in the future if it negatively impacts maintainers.
While GitHub's strategy could work for the time being, according to Chartier it is likely that attacks will become more sophisticated and will circumvent any such measures. In his rather pessimistic view, only abandoning computationally expensive proof-of-work mining could preserve the free tiers of CI platforms.