GitHub rotates cloud credentials, user actions may be needed
Take action: Depending on how you use GitHub, you may need to re-import new GitHub public keys. Have your engineering team review the GitHub advisory and, if needed, carry out the key import steps. It won't be pleasant, but it may be needed.
Learn More
GitHub recently announced that it had rotated credentials on GitHub.com in response to a security flaw reported through its Bug Bounty program in late December 2023. The vulnerability could have allowed an attacker to read sensitive credentials inside a production container on GitHub.com. As a precaution, GitHub rotated every credential that could have been exposed.
The company has stated with high confidence that the flaw was neither discovered nor exploited by anyone before it was responsibly reported through the Bug Bounty program. Rotating credentials is nonetheless standard practice whenever there is a possibility that they were accessible to unauthorized parties.
The rotation caused some temporary service interruptions on GitHub.com between December 27 and 29 while credentials were being replaced across GitHub's production infrastructure. GitHub has acknowledged the disruption and says it is refining its procedures to minimize downtime during future credential rotations.
Some GitHub users may need to take action because of the rotated credentials, which include:
- The GitHub commit signing key: This key is used to cryptographically sign commits created on GitHub.com (for example, through the web interface). Anyone who verifies GitHub-signed commits outside of GitHub must import the new public key.
- The public keys for customer encryption of Actions, Codespaces, and Dependabot secrets: These keys encrypt secrets before they are sent to GitHub. Anyone who has hardcoded or cached the old public keys must switch to the new ones, or secret uploads will fail.
GitHub advises developers to fetch the current public keys from the API each time they are needed rather than hardcoding them, so that future key rotations do not require code changes.
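As an added example (not GitHub's own code and not part of the advisory), the Python below shows the pattern the last two points describe: fetch the current secrets public key from the API on every run, keep the key_id beside any cached copy so a rotation is detected instead of surfacing as an opaque encryption error, and pull the commit-signing key fresh before importing it into gpg. It assumes the documented endpoint `GET /repos/{owner}/{repo}/actions/secrets/public-key` (a JSON body with `key_id` and a base64 X25519 `key`) and the ASCII-armored key served at `https://github.com/web-flow.gpg`; the sample response, key_id values and token are constructed here.

```python
"""Refresh GitHub public keys from the API instead of hardcoding them.

Added example, not GitHub's code. Assumes the documented endpoint
GET /repos/{owner}/{repo}/actions/secrets/public-key (JSON body with
"key_id" and a base64 X25519 "key") and the ASCII-armored commit-signing
key at https://github.com/web-flow.gpg. Sample data below is constructed.
"""
import base64
import json
import subprocess
import urllib.request

API = "https://api.github.com"
WEB_FLOW_KEY_URL = "https://github.com/web-flow.gpg"


def http_get(url, headers=None):
    """Default fetcher: plain HTTPS GET returning the body as bytes."""
    req = urllib.request.Request(url, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def fetch_actions_public_key(owner, repo, token, fetch=http_get):
    """Return {"key_id", "key"} used to encrypt Actions secrets for a repo.

    The key is re-fetched on every call; nothing is baked into the code.
    """
    url = f"{API}/repos/{owner}/{repo}/actions/secrets/public-key"
    headers = {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
    }
    data = json.loads(fetch(url, headers).decode())
    if "key_id" not in data or "key" not in data:
        raise ValueError("unexpected public-key response shape")
    # Sanity check: the sealed-box key must be a 32-byte X25519 public key.
    if len(base64.b64decode(data["key"], validate=True)) != 32:
        raise ValueError("public key is not a 32-byte X25519 key")
    return {"key_id": data["key_id"], "key": data["key"]}


def reconcile_cached_key(cached, fresh):
    """Compare a cached key (or None) with a freshly fetched one.

    Returns (key_to_use, rotated). A changed key_id means secrets encrypted
    with the cached key would be rejected by GitHub, so the caller should
    log the rotation and replace its cache; the fresh key is always used.
    """
    rotated = cached is not None and cached["key_id"] != fresh["key_id"]
    return fresh, rotated


def import_web_flow_key(fetch=http_get):
    """Import GitHub's current commit-signing key into the local gpg keyring.

    Needed by anyone verifying GitHub-signed (web-flow) commits outside GitHub.
    """
    armored = fetch(WEB_FLOW_KEY_URL)
    subprocess.run(["gpg", "--import"], input=armored, check=True)


# ---- constructed sample data so the example runs offline ----
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()  # constructed 32-byte key
SAMPLE_RESPONSE = json.dumps({"key_id": "CONSTRUCTED-NEW-KEY-ID", "key": SAMPLE_KEY})


def fake_fetch(url, headers=None):
    """Stand-in for http_get that returns the constructed API response."""
    assert url.endswith("/actions/secrets/public-key")
    return SAMPLE_RESPONSE.encode()


def demo():
    """Simulate a cache holding a pre-rotation key_id and detect the rotation."""
    cached = {"key_id": "CONSTRUCTED-OLD-KEY-ID", "key": SAMPLE_KEY}
    fresh = fetch_actions_public_key(
        "octo-org", "octo-repo", "ghp_PLACEHOLDER_TOKEN", fetch=fake_fetch
    )
    key, rotated = reconcile_cached_key(cached, fresh)
    return {"key_id": key["key_id"], "rotated": rotated}


if __name__ == "__main__":
    print(demo())  # {'key_id': 'CONSTRUCTED-NEW-KEY-ID', 'rotated': True}
```

In a real pipeline, replace `fake_fetch` with the default `http_get` and a token that has the `secrets` permission for the repository; the same shape (`key_id` plus `key`) is returned by the Codespaces and Dependabot public-key endpoints, so `reconcile_cached_key` applies unchanged there. The `rotated` flag is the signal to emit in logs or metrics, since the rotation described in this advisory is exactly the event that breaks hardcoded keys silently.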