
I am an absolute beginner with GitHub Actions.

There are Actions available on the Marketplace. Can any of those actions do malicious things to my repository, such as, say,

  • deleting my repo?
  • committing malicious code into my repo?
  • copying the content from private repositories?
shuhalo

1 Answer


The answer is (unfortunately) YES

You can find some references here:

Understand that this is the same thing with most libraries you use to code on a daily basis.

GitHub Actions on the GitHub Marketplace are generally public open-source repositories, and aren't always backed up by big companies.

Most of them do simple operations that you can check by looking at the repository code, but it is always possible for the owner to configure malicious things deep inside the implementation.

That's why you need to be aware of this when choosing one or another action/library, and be cautious and check the code and its eventual vulnerabilities before using them for your own projects.

Be even more cautious if you need to provide a Personal Access Token (PAT) as an input variable.

Note that GitHub shows verified users on the Marketplace, who can be considered 'trusted'.

Example: (screenshot not reproduced here)

Hopefully, not everyone has this mindset (of doing malicious things), and the community is most of the time helpful. Just be aware that there might always be some risks (and some security tools can help with that).

GuiFalourd
    Thanks. I presume that 'actions' is somewhat a verified collection of actions and about as trustworthy/secure as GitHub itself. – shuhalo May 26 '21 at 19:54
  • I know that the GitHub Team is working on some ways to restrict the `GITHUB_TOKEN`, because the current token has a lot of permissions. So this brings us more security. – Nils Reichardt Jul 16 '21 at 19:25
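As an added example (not from the answer above, and not GitHub's own documentation) of the two mitigations the answer and the last comment point at: pin each action to a commit SHA you have reviewed, and give the workflow's `GITHUB_TOKEN` only the permissions each job needs instead of handing a long-lived PAT to a third-party action. The action names, the `<full-commit-sha>` values and the `MY_PAT` secret are placeholders.

```yaml
# Added example, not from the original answer. Action names and SHAs are placeholders.
name: ci

on:
  pull_request:

# Default GITHUB_TOKEN for every job: read-only. Jobs opt in to more below.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pin to a full commit SHA, not a tag or branch, so the action's code
      # cannot change underneath you after you reviewed it.
      - uses: actions/checkout@<full-commit-sha>
      - run: make test

  comment:
    needs: build
    runs-on: ubuntu-latest
    # Only this job gets write access, and only to the one scope it needs.
    permissions:
      contents: read
      pull-requests: write
    steps:
      # Weak pattern the answer warns about: a floating ref, plus a PAT that
      # outlives the job and carries every scope it was created with.
      # - uses: example-org/comment-on-pr@main
      #   with:
      #     token: ${{ secrets.MY_PAT }}

      # Hardened: reviewed SHA, and the job-scoped GITHUB_TOKEN, which expires
      # when the job ends and can only do what the permissions block allows.
      - uses: example-org/comment-on-pr@<full-commit-sha>
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
```

If a third-party action insists on a PAT, create a fine-grained token limited to the one repository and scope the action actually needs, rather than reusing a token that can read your private repositories.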