.github/workflows/pdd.yml line 19 references volodya-lombrozo/pdd-action@master pinned to the master branch, not a tag or SHA. Any commit pushed to that repository's master branch — including malicious code — will be immediately executed in this repo's CI pipeline with full repository access.
REPRODUCTION: An attacker gains write access to the volodya-lombrozo/pdd-action repo and pushes a malicious commit to master.
IMPACT: Full repository compromise. The attacker's code runs with checkout permissions and can exfiltrate secrets, modify source, or pivot to other infrastructure.
.github/workflows/pdd.yml line 19 references volodya-lombrozo/pdd-action@master pinned to the master branch, not a tag or SHA. Any commit pushed to that repository's master branch — including malicious code — will be immediately executed in this repo's CI pipeline with full repository access.
REPRODUCTION: An attacker gains write access to the volodya-lombrozo/pdd-action repo and pushes a malicious commit to master.
IMPACT: Full repository compromise. The attacker's code runs with checkout permissions and can exfiltrate secrets, modify source, or pivot to other infrastructure.