Using the GitHub Actions supply-chain attacks disclosed in March 2025 (CVE-2025-30066 and CVE-2025-30154) as a case study, this session briefly explains, drawing on public reports, how the compromises unfolded. It also discusses the mitigations that both end users and GitHub Enterprise administrators can take to prepare for and defend against similar threats.
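One end-user mitigation for this class of attack, recommended in GitHub's own workflow-hardening guidance, is to reference third-party actions by a full commit SHA rather than a mutable tag or branch, so that retargeting a tag cannot silently change the code a workflow runs. The checker below is an added example and is not code from the talk, the speaker, or LY Corporation; the workflow it scans, and every repository name, SHA and image digest in it, are constructed for illustration and do not refer to any real compromise.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (illustrative only; the SHA and digest are fake).
FAKE_DIGEST = "a" * 64
SAMPLE_WORKFLOW = f"""\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4.2.2
      - uses: example-org/some-action@v45
      - uses: example-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:{FAKE_DIGEST}
"""

# A step's `uses:` value, with any trailing YAML comment excluded.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A Git commit SHA is 40 lowercase hex digits; anything shorter or symbolic is mutable.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Container actions are immutable only when referenced by a sha256 digest.
IMAGE_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    reference: str
    kind: str      # "local", "docker" or "action"
    pinned: bool   # True when the reference cannot change under the caller


def classify_uses(reference: str) -> tuple[str, bool]:
    """Return (kind, pinned) for one `uses:` reference."""
    if reference.startswith("./"):
        # Local actions live in the calling repository and are covered by its own review.
        return ("local", True)
    if reference.startswith("docker://"):
        return ("docker", bool(IMAGE_DIGEST_RE.search(reference)))
    _repo, sep, ref = reference.partition("@")
    if not sep:
        # No ref at all resolves to the default branch, which is mutable.
        return ("action", False)
    return ("action", bool(FULL_SHA_RE.match(ref)))


def audit_workflow(text: str) -> list[Finding]:
    """Scan workflow YAML text line by line and classify every `uses:` reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        reference = m.group(1).strip("'\"")
        kind, pinned = classify_uses(reference)
        findings.append(Finding(line_no, reference, kind, pinned))
    return findings


def unpinned(text: str) -> list[Finding]:
    """Only the references that a tag or branch move could redirect."""
    return [f for f in audit_workflow(text) if not f.pinned]


def report(text: str) -> list[str]:
    """Human-readable lines, one per mutable reference."""
    return [f"line {f.line_no}: {f.kind} reference not pinned: {f.reference}"
            for f in unpinned(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_WORKFLOW):
        print(line)
```

Pinning alone is not sufficient: a SHA-pinned action can still pull mutable dependencies at run time, and Dependabot or Renovate should be left to advance the pinned SHA so that security fixes in the action are not missed. Running this check in a required status check, or as a pre-commit hook over `.github/workflows/`, is the usual way to keep new workflows from regressing to tag references.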



DAY 1
13:30-13:45 JST
Main Room B
JaEnKo
Streaming
Supply-Chain Attacks in GitHub Actions and Considerations for Mitigation
Speaker

Harima Yuta / LY Corporation
Service Infrastructure Group Infrastructure Group Developer Platform Division Developer Platform Department SCM Team
I joined Yahoo Japan Corporation as a new graduate in 2014 and have been responsible for DevOps. My career has centered on developing and operating internal developer platforms, including CI/CD systems, and I currently manage our GitHub Enterprise Servers. In my spare time, I occasionally sharpen my skills by competing in CTF security challenges.