Spoofable Actor Condition
Description
Workflows sometimes gate privileged behaviour on the actor context — for example if: github.actor == 'dependabot[bot]' — to “only run for a trusted user or bot.” The github.actor and github.triggering_actor contexts are not a reliable trust boundary: across chained events (workflow_run), re-runs, and certain automation flows the effective actor can be influenced, so a check based on it can be bypassed to run the protected path. 1 Actor gates are also a common way people think they have restricted a dangerous trigger when they have not.
Vulnerable Instance
- A job- or step-level
if:condition comparesgithub.actor/github.triggering_actorto a specific user or bot to gate sensitive behaviour.
on:
workflow_run:
workflows: [build]
jobs:
deploy:
if: github.actor == 'dependabot[bot]' # spoofable trust gate
runs-on: ubuntu-latest
steps:
- run: ./deploy.shMitigation Strategies
- Do not use the actor as a security control. Treat
github.actoras informational only. - Verify the event payload. For Dependabot, check
github.event.pull_request.user.loginand the event source rather than the actor string. - Use real controls. Enforce trust with least-privilege
permissions, environment protection rules with required reviewers, or a GitHub App identity — not a string comparison. - Avoid privileged triggers where an actor check is your only guard (see Dangerous Event).
Secure Version
jobs:
deploy:
- if: github.actor == 'dependabot[bot]'
runs-on: ubuntu-latest
+ environment: production # required reviewers enforce the real gate
steps:
- run: ./deploy.sh
Impact
| Dimension | Severity | Notes |
|---|---|---|
| Likelihood | Actor-based gates are a common misconception. | |
| Risk | A bypassable gate can expose the protected path to unauthorized triggers. | |
| Blast radius | Depends on what the gated job does — often deploys or privileged automation. |
References
- GitHub Docs, “Contexts — github context,” https://docs.github.com/en/actions/learn-github-actions/contexts#github-context 1
- GitHub Docs, “Security hardening for GitHub Actions,” https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions 2
GitHub Docs, “Contexts,” https://docs.github.com/en/actions/learn-github-actions/contexts#github-context ↩︎ ↩︎
GitHub Docs, “Security hardening for GitHub Actions,” https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions ↩︎