GitHub Actions Runner Hardening Kit That Defends Against OIDC Token Theft From Worker Process Memory After The TanStack Cache-Poisoning Worm
After the May 11 Mini Shai-Hulud worm shipped 84 malicious @tanstack/* packages by poisoning a GitHub Actions cache via pull_request_target and then reading the OIDC JWT directly out of /proc/<pid>/mem on the Runner.Worker process, maintainers and CISOs are scrambling for runner-side defenses that go beyond egress allowlists. The gap: a drop-in agent that locks down /proc/<pid>/mem reads against the Runner.Worker process, default-denies actions/cache restores into trusted release jobs, and signs the provenance of every restored archive so a poisoned cache cannot survive merge to main.
Don't pitch this as 'another supply-chain scanner.' The unique angle is runtime kernel-level enforcement on the runner: seccomp filters on /proc reads, namespaced caches that refuse to restore across PR-trust boundaries, and a signed manifest of every actions/cache entry. The market is not security teams... it's open-source maintainers like TanStack who just paid the full cost of NOT having this.
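As an added example (not code from this page or from any product it describes), here is a Python sketch of the restore policy outlined above: a runner-side agent records where each saved archive came from, signs that manifest, and a trusted release job default-denies any restore whose manifest is unsigned, tampered, bound to different archive bytes, or produced under a pull_request/pull_request_target event or from a fork. The agent, MANIFEST_KEY, TRUSTED_REFS and the manifest layout are assumptions made for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Constructed example key; assumed to be held by the runner-side agent, never by the job.
MANIFEST_KEY = b"constructed-example-key-not-a-real-secret"
TRUSTED_REFS = {"refs/heads/main"}   # refs whose caches a release job may consume


@dataclass(frozen=True)
class CacheEntry:
    key: str              # actions/cache key
    archive_sha256: str   # digest of the archive bytes when the agent saved it
    event: str            # event that produced it, e.g. "push" or "pull_request_target"
    head_repo: str        # repository the producing code was checked out from
    ref: str              # ref the producing job ran on
    signature: str = ""   # hex HMAC over the fields above; "" means unsigned


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _provenance(entry: CacheEntry) -> bytes:
    fields = {k: v for k, v in entry.__dict__.items() if k != "signature"}
    return json.dumps(fields, sort_keys=True).encode()


def sign_entry(entry: CacheEntry, key: bytes = MANIFEST_KEY) -> CacheEntry:
    # The agent fills in event/repo/ref from its own context before signing, so a job
    # cannot later relabel a poisoned archive as the output of a push to main.
    sig = hmac.new(key, _provenance(entry), hashlib.sha256).hexdigest()
    return replace(entry, signature=sig)


def allow_restore(entry: CacheEntry, archive: bytes, job_repo: str,
                  release_job: bool, key: bytes = MANIFEST_KEY) -> tuple[bool, str]:
    """Default-deny restore policy applied only to trusted release jobs."""
    if not release_job:
        return True, "non-release job: existing actions/cache behaviour applies"
    if not entry.signature:
        return False, "unsigned manifest"
    expected = hmac.new(key, _provenance(entry), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, entry.signature):
        return False, "manifest signature mismatch"
    if sha256_hex(archive) != entry.archive_sha256:
        return False, "archive bytes do not match signed digest"
    if entry.event in ("pull_request", "pull_request_target"):
        return False, f"produced under {entry.event}: crosses the PR-trust boundary"
    if entry.head_repo != job_repo or entry.ref not in TRUSTED_REFS:
        return False, f"produced from {entry.head_repo}@{entry.ref}, not a trusted ref"
    return True, "ok"
```

The event and head_repo checks are what stop a pull_request_target job from laundering a fork-built archive into a release job, even though such a job holds repository secrets; the signature only protects the manifest from being rewritten in the cache store afterwards.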
Landscape (3 existing solutions)
Existing CI hardening tooling is mostly about egress allowlists, default-branch anchoring, and signed attestations, all of which the May 11 worm circumvented. There is no commodity defense against in-runner memory extraction of OIDC tokens, and cache restore is still a trust hole across the fork↔base boundary.