https://github.com/praetorian-inc/gato
Gato, or GitHub Attack Toolkit, is an enumeration and attack tool that allows both blue teamers and offensive security practitioners to evaluate the blast radius of a compromised personal access token within a GitHub organization.
https://www.youtube.com/watch?v=RPb8iZM2JuE
Use YAML files to write a list of tests/actions run by Git locally at commit time. Supported prewritten hooks are here.
https://github.com/AdnaneKhan/ActionsCacheBlasting
Proof-of-concept code for research into GitHub Actions Cache poisoning.
pull_request_target
and checks out user-controlled code). The URL and token are valid for 6 hours, even if the workflow you exfiltrated it from only runs for a few seconds. There is no way for the repository maintainer to revoke this token.