Hacker News new | past | comments | ask | show | jobs | submit login

How does this siphon the secrets away? It looks like it just dumps them out to stdout and stops there.



Yes, just prints to the build log, so the risk is higher for public repos. Lot of public repos have creds printed in their build logs due to this compromised action.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: