Created
April 12, 2025 08:07
-
-
Save irsl/7d8bf8cd8de9f83e5102277c7bfab503 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| jobs: | |
| trusted_preparation_step: | |
| permissions: {} | |
| steps: | |
| - name: produce_executable | |
| run: | | |
| # produce trusted_executable | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: trusted_executable | |
| path: trusted_executable | |
| untrusted: | |
| needs: trusted_preparation_step | |
| permissions: {} | |
| steps: | |
| # doing something attacker controlled by design | |
| - ... | |
| trusted_post_processing: | |
| needs: untrusted | |
| permissions: | |
| contents: write | |
| # some more privileged permissions | |
| steps: | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: trusted_executable | |
| path: /tmp/artifact-directory/ | |
| - shell: bash | |
| run: | | |
| # using the executable | |
| /tmp/artifact-directory/trusted_executable | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment