The steam-workshop-deploy GitHub Action does not exclude the .git directory when packaging content for deployment and provides no built-in way to do so. If a .git folder exists in the target directory (e.g., because of a local Git repository, a custom project structure, or the actions/checkout workflow step), it is silently included in the output package. This leaks sensitive repository metadata and potentially credentials, including GitHub personal access tokens (PATs) embedded in .git/config.
Many game modding projects require packaging from the project root because the game expects certain files (assets, configuration, metadata) to be present at specific root-level paths. Consequently, the .git directory often sits alongside these required files and gets packaged unintentionally, especially when using actions/checkout.
While GitHub-hosted runners automatically revoke ephemeral credentials at the end of each job, the severity of this issue increases dramatically in other CI environments:

- .git folders with embedded PATs or remotes tied to private repositories.
- actions/checkout action, distributing the .git directory present on the running machine if it exists in the directory.

A real example of an affected mod can be found here: https://github.com/BoldestDungeon/wildermyth-drauven-pcs/security/advisories/GHSA-7j9v-72w9-ww6w
Who is affected:

- steam-workshop-deploy operating in an environment where .git exists in the packaging directory.
- steam-workshop-deploy operating in an environment where the actions/checkout workflow is used and then the .git directory is inadvertently generated within the packaging directory (greatly reduced severity due to the ephemeral nature of GitHub Actions).

The severity of...
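A pre-deploy guard that can run as a workflow step before the packaging action, added here as an example and not part of steam-workshop-deploy or the advisory. It assumes the mod tree is on disk and looks for the two credential forms that commonly land in .git/config: a token embedded in a remote URL, and an Authorization extraheader of the kind a checkout step can persist. It reports only the config key, never the secret itself.

```python
import os
import re
import tempfile

# Credential shapes to flag inside .git/config (assumed, not exhaustive).
CRED_PATTERNS = [
    re.compile(r"://[^/\s:@]+:[^@\s]+@", re.I),  # https://user:token@host/...
    re.compile(r"authorization\s*:", re.I),       # extraheader = AUTHORIZATION: ...
]

def find_git_dirs(root):
    """Return every .git entry (directory, or file for worktrees) under root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames or ".git" in filenames:
            hits.append(os.path.join(dirpath, ".git"))
        dirnames[:] = [d for d in dirnames if d != ".git"]  # never descend into .git
    return hits

def config_findings(git_dir):
    """Scan <git_dir>/config line by line; return (lineno, key) for suspect lines."""
    cfg = os.path.join(git_dir, "config")
    findings = []
    if not os.path.isfile(cfg):
        return findings
    with open(cfg, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if any(p.search(line) for p in CRED_PATTERNS):
                key = line.split("=", 1)[0].strip()  # record the key, not the value
                findings.append((lineno, key))
    return findings

def check_package_dir(root):
    """Return (ok, report). ok is False whenever any .git would be packaged."""
    report = [(os.path.relpath(g, root), config_findings(g)) for g in find_git_dirs(root)]
    return (not report, report)

def _demo():
    # Constructed sample tree: a mod root with assets plus a leftover .git
    # whose config carries placeholder credentials (not real tokens).
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "assets"))
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git", "config"), "w") as fh:
        fh.write('[remote "origin"]\n\turl = https://user:ghp_PLACEHOLDER@github.com/org/mod.git\n'
                 '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic PLACEHOLDER\n')
    return check_package_dir(root)
```

In a workflow, run the check against the packaging directory and fail the job when ok is False, so the leak is caught before the upload step rather than after.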
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

- Exploitability: AV:N, AC:L, PR:N, UI:N
- Scope: S:C
- Impact: C:H, I:H, A:N