Release Pipeline

Poisoned CI Action

This page simulates a compromised CI/action chain where workflow secrets, action tags, and release metadata were tampered with after automation credentials were exposed.

Back to hub Reload scenario

Release monitor

Expected Findings

Workflow file exposes privileged release secrets and unsafe trust assumptions.
Action tags were force-moved to malicious commits.
Audit log shows compromised automation credentials being reused.

Primary Flows

Release workflow Workflow with leaked secret references
Moved action tags Force-retagged action refs
Release audit log Compromised automation events
Compromised action README Malicious action note

Signals

Workflow Secret

TRIVY_GITHUB_TOKEN: ${{ secrets.RELEASE_PAT }}

Retag

v0.69.4 -> 1f2e3d4 malicious commit

Notes

This emulates a poisoned automation pipeline and tag-retargeting pattern, not a live code execution path.