LOTP

Local GHA

github-actions eval-sh config-file

References

If GitHub Action uses a local action such as uses: ./, we can overwrite the configuration file and gain RCE with an action.yml file such as this:

runs:
  using: 'composite'
  steps:
    - shell: bash
      run: echo "pwned"
Edit this page on GitHub