# Releases

## Overview

GitHub provides the release functionality as a way to publish iterations of packaged software as releases. Each release includes a compressed snapshot of the source code as `.zip` and `.tar.gz` files. Additionally, GitHub allows you to attach extra files when creating or editing a release. Moreover, these extra files can be modified after a release has been created.

To reproduce the issue, follow these steps:

1. Create a public repository on Github
2. Create a release and add `test.sh` file
3. Invite an `attacker` user as a collaborator
4. `attacker` can edit the release and modify `test.sh` file
5. There is no indication the release was modified in Github UI

In other words, an attacker can compromise the account of any project collaborator and modify releases without the knowledge of project owners. This is possible for the following reasons:

1. Release assets can be modified after initial publication (excluding source code snapshots)
2. Any project collaborator can modify releases; there is no permission setting that lets an owner prevent a release from being changed
3. The UI does not notify or indicate that a release has been modified ([the releases API](https://docs.github.com/en/rest/reference/repos#releases) exposes additional information about release assets)
4. The `verified` flag is displayed if a git commit has been verified (this only applies to the source code snapshot, not extra files)
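Because the UI hides modifications but the releases API still exposes per-asset `created_at`, `updated_at` and `uploader` fields, a consumer can detect assets that changed after publication. The script below is an added example (not from this cheat sheet or the referenced writeup); the grace window, the helper names and the sample JSON are constructed for illustration, and the JSON mirrors the shape of a release object returned by the GitHub REST API.

```python
"""Flag release assets whose timestamps postdate the release's publication."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumption: assets uploaded within this window of publishing are part of the
# original publish, not a later modification.
GRACE = timedelta(minutes=10)


def parse_ts(value):
    """GitHub API timestamps are ISO 8601 UTC, e.g. 2021-04-25T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspicious_assets(release, grace=GRACE):
    """Return (asset name, reason) pairs for assets that look modified post-release.

    A replaced file shows up as a new asset created after `published_at`;
    an edited label or name shows up as `updated_at` drifting past `created_at`.
    """
    published = parse_ts(release["published_at"])
    findings = []
    for asset in release.get("assets", []):
        created = parse_ts(asset["created_at"])
        updated = parse_ts(asset["updated_at"])
        who = asset.get("uploader", {}).get("login", "unknown")
        if created > published + grace:
            findings.append((asset["name"], f"uploaded after publication by {who}"))
        elif updated > created + grace:
            findings.append((asset["name"], "metadata changed after upload"))
    return findings


def fetch_release(owner, repo, tag):
    """Fetch a published release by tag via the public REST API (network required)."""
    url = f"https://api.github.com/repos/{owner}/{repo}/releases/tags/{tag}"
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample: release published 2021-04-25; test.sh was later re-uploaded
# by "attacker", checksums.txt had its metadata edited, notes.pdf is untouched.
SAMPLE_RELEASE = {
    "tag_name": "v1.0.0",
    "published_at": "2021-04-25T10:00:00Z",
    "assets": [
        {"name": "test.sh", "created_at": "2021-04-26T14:30:00Z",
         "updated_at": "2021-04-26T14:30:00Z", "uploader": {"login": "attacker"}},
        {"name": "checksums.txt", "created_at": "2021-04-25T09:58:00Z",
         "updated_at": "2021-04-26T14:31:00Z", "uploader": {"login": "owner"}},
        {"name": "notes.pdf", "created_at": "2021-04-25T09:58:00Z",
         "updated_at": "2021-04-25T09:58:00Z", "uploader": {"login": "owner"}},
    ],
}
```

Run `suspicious_assets(fetch_release(owner, repo, tag))` against a real project to apply the same check to live data; pinning asset hashes at first download remains the stronger control, since timestamps only reveal that something changed, not what.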

## References

* [Writeup: Supply Chain Attacks via GitHub.com Releases](https://wwws.nightwatchcybersecurity.com/2021/04/25/supply-chain-attacks-via-github-com-releases/)
