I’m no expert in this but I’m guessing GH’s higher tiers provide much more “actions” and whatnot than Codeberg does. AFAICS Gitlab might be the only alternative that even has the mechanisms that could be exploited.
But executing code in a comment, that’s harsh in any case. I mean, even I would’ve known how to prevent that right from the start. I think.
By default pull requests my new contributors require approval from someone with write-access to the repo before running actions.
These repos have specifically decided to change a setting to make them not require approval for anyone. The UI to change that setting explicitly warns you about exactly this attack, so this “article” feels like a non-item trying to farm engagement.
As far as I can tell it requires GitHub actions to be enabled for pull requests, which you can require approval for. I just quickly read the top of the article so I could be wrong
How exactly do their competitors like codeberg do better in preventing that?
I’m no expert in this but I’m guessing GH’s higher tiers provide much more “actions” and whatnot than Codeberg does. AFAICS Gitlab might be the only alternative that even has the mechanisms that could be exploited.
But executing code in a comment, that’s harsh in any case. I mean, even I would’ve known how to prevent that right from the start. I think.
The article doesn’t seem to say. I don’t know if it’s a problem with defaults or caused by the devs themselves.
By default pull requests my new contributors require approval from someone with write-access to the repo before running actions.
These repos have specifically decided to change a setting to make them not require approval for anyone. The UI to change that setting explicitly warns you about exactly this attack, so this “article” feels like a non-item trying to farm engagement.
As far as I can tell it requires GitHub actions to be enabled for pull requests, which you can require approval for. I just quickly read the top of the article so I could be wrong