/developer|entrepreneur/i
Always looking for new developer talent, even those with zero experience, as you never know who's got the potential to become a great developer.
This isn't always enough. If you have an open-source project that allows pull requests, and automatically runs tests against these, someone can weasel in there and inject a miner in that process.
They get the rewards, you get stuck with the tab.
The most insulting part of this is the amount gained by the attacker is usually a fraction of the cost to you. For each $1 you spend on CI services they might make a tenth of a cent, or in many cases even less. To make any amount of money at all they need to operate at a huge scale, which is why this problem is so bad.
There are other problems with letting the CI run on PRs without supervision. For example, someone could try to steal credentials being used in the build. I don't recommend doing this.
This isn't always enough. If you have an open-source project that allows pull requests, and automatically runs tests against these, someone can weasel in there and inject a miner in that process.
They get the rewards, you get stuck with the tab.
The most insulting part of this is the amount gained by the attacker is usually a fraction of the cost to you. For each $1 you spend on CI services they might make a tenth of a cent, or in many cases even less. To make any amount of money at all they need to operate at a huge scale, which is why this problem is so bad.
There are other problems with letting the CI run on PRs without supervision. For example, someone could try to steal credentials being used in the build. I don't recommend doing this.
Letting strangers run arbitrary code in PRs with responsibility falling under the repository owner was always gunna turn out bad surely?