Posts Tagged ‘GitHubActions’
[NDCMelbourne2025] Front End Testing with GitHub Actions – Amy Kapernick
In a dynamic session at NDC Melbourne 2025, Amy Kapernick, a seasoned front-end developer and advocate for automation, unveils a streamlined approach to front-end testing using GitHub Actions. With a focus on practicality, Amy guides developers through constructing a robust continuous integration and continuous deployment (CI/CD) pipeline, ensuring that front-end tests run seamlessly against live websites. Her presentation underscores the necessity of automation to maintain quality in web development, offering actionable insights for teams seeking to integrate testing into their workflows without manual intervention.
The Imperative of Front-End Testing
Amy begins by highlighting the unique challenges of front-end testing, emphasizing that unlike unit tests, which can operate with dummy data, front-end tests require a live, functioning website to evaluate real-world performance. For instance, assessing accessibility for visually impaired users or determining page load speeds demands an environment that mirrors production. Amy illustrates this with a CSS code snippet, questioning whether it can reveal unintended style bleed or performance bottlenecks without a live interface. By advocating for environments as close to production as possible, she ensures that tests yield accurate, actionable results, setting the stage for automation to eliminate manual testing inconsistencies.
Automating with GitHub Actions
The core of Amy’s approach lies in leveraging GitHub Actions to automate front-end testing within a CI/CD pipeline. She explains that GitHub Actions’ workflows, defined in YAML files, enable developers to trigger tests on specific events, such as pull requests to a production branch. Amy walks through creating a workflow with jobs like “build” and “test,” detailing steps such as checking out repository code, setting up Node.js, and installing dependencies. By using existing GitHub Actions packages, like those for checking out code and configuring Node, she simplifies the process, ensuring tests run consistently without manual effort. This automation, Amy notes, prevents code merges that fail tests, safeguarding application quality.
Deploying and Testing Live Websites
A pivotal aspect of Amy’s workflow involves deploying a live website for testing, using Netlify for its ease and deploy preview capabilities. She demonstrates a custom bash script to deploy to Netlify, addressing challenges like handling sensitive data, such as site IDs, which GitHub Actions may flag as secrets. Amy ingeniously encodes the deployment URL to bypass security restrictions, decoding it for testing with tools like Lighthouse and Playwright. These tools provide comprehensive reports on performance and UI functionality, respectively, which Amy configures to upload as artifacts, ensuring developers can review results and address issues before merging code.
Enhancing Workflows with Additional Automation
Beyond testing, Amy showcases GitHub Actions’ versatility by integrating a package that converts code comments into GitHub issues, ensuring tasks like “fix later” are tracked. This automation assigns issues to the code’s author and auto-closes them when resolved, streamlining project management. Amy also touches on other uses, such as linting, checking broken links, and generating assets like static tweet images for blog posts. These examples highlight how GitHub Actions can extend beyond testing to enhance overall development efficiency, making it a powerful tool for modern workflows.
Links:
[DefCon32] DEF CON 32: Grand Theft Actions – Abusing Self-Hosted GitHub Runners
Adnan Khan and John Stawinski, security researchers, delivered a riveting presentation at DEF CON 32, exposing systemic vulnerabilities in GitHub Actions’ self-hosted runners. Their research revealed how misconfigurations enable attackers to compromise major open-source projects like PyTorch, leading to supply chain attacks. Earning over $250,000 in bug bounties, Adnan and John shared tactics, techniques, and procedures (TTPs) to elevate trivial compromises into critical breaches, urging organizations to bolster CI/CD security.
Exploiting Self-Hosted Runner Misconfigurations
Adnan and John opened by explaining GitHub Actions’ role as a leading CI/CD platform and its reliance on self-hosted runners—machines executing workflow jobs. They detailed how insecure defaults allow attackers to compromise runners, gaining access to sensitive repositories. Their attack on PyTorch demonstrated how a runner compromise enabled code contributions to the main branch, malicious release uploads, and backdooring related projects, highlighting the catastrophic potential of such flaws.
Escalating Privileges in GitHub Actions
Delving deeper, the duo showcased techniques to escalate privileges within GitHub Actions workflows, leveraging GitHub’s permissive features. Their research campaign uncovered vulnerabilities in organizations like Microsoft, TensorFlow, and ByteDance, exploiting misconfigured runners to achieve critical impacts. Adnan’s live demo illustrated how attackers could manipulate workflows to gain unauthorized access, emphasizing the need for robust access controls and monitoring in CI/CD pipelines.
Real-World Impact and Bug Bounty Success
Adnan and John shared war stories from their extensive bug bounty submissions, noting that internal CI/CD systems are often more vulnerable than public ones. Their work, yielding significant bounties, exposed a lack of awareness around CI/CD security. They highlighted successful mitigations by triage teams, urging organizations to learn from their findings. The duo’s research on platforms like HackerOne provides a blueprint for identifying similar vulnerabilities in other systems.
Strengthening CI/CD Security
Concluding, Adnan and John emphasized the need for heightened awareness among developers, architects, and executives to prevent supply chain attacks. They recommended isolating privileged runners, auditing configurations, and educating teams on CI/CD risks. Their call to action inspired attendees to explore these attacks and implement controls, ensuring organizations are better equipped to thwart the next critical breach in their CI/CD pipelines.