CVE-2026-45132
CloudPirates · Open Source Helm Charts
A GitHub Actions workflow in CloudPirates Helm Charts exposes Personal Access Tokens and SSH signing keys to untrusted code.
Executive summary
Unsafe credential handling in CloudPirates Helm Charts exposes sensitive signing and access keys, creating an immediate risk of repository compromise.
Vulnerability
The generate-schema.yaml workflow checks out fork-controlled pull request code in a job that also has access to a Personal Access Token and SSH signing keys. Any script or build step that the checked-out code controls therefore runs with those secrets reachable (in the environment or in the checkout's git configuration) and can read and exfiltrate them.
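The pattern described above is the classic GitHub Actions privileged-checkout mistake. The following is an added illustration, not the project's actual workflow: the advisory does not publish the trigger or step names, so `pull_request_target`, the secret names `SCHEMA_PAT` and `SSH_SIGNING_KEY`, and the `make generate-schema` step are assumptions chosen to show the weak configuration beside a corrected one.

```yaml
# --- VULNERABLE (illustrative, not the project's file) ---------------------
# pull_request_target runs in the BASE repository's context, so secrets are
# available even for pull requests opened from forks.
on:
  pull_request_target:

jobs:
  generate-schema:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the FORK's commit: this is attacker-controlled code.
          ref: ${{ github.event.pull_request.head.sha }}
          # The PAT is written into .git/config by the checkout action and can
          # be read by anything that runs afterwards (persist-credentials
          # defaults to true).
          token: ${{ secrets.SCHEMA_PAT }}

      - name: Import SSH signing key
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.SSH_SIGNING_KEY }}" > ~/.ssh/signing_key
          chmod 600 ~/.ssh/signing_key

      # Any Makefile, script or hook in the fork's tree now runs with the PAT
      # in .git/config and the private key on disk: exfiltration is trivial.
      - run: make generate-schema

# --- HARDENED (illustrative) ---------------------------------------------
# 1. Untrusted code is built under the plain pull_request trigger, where
#    GitHub gives fork PRs a read-only GITHUB_TOKEN and no repository secrets.
# 2. Credentials are not persisted into the checkout.
# 3. Signing and pushing happen in a separate, secret-holding job that only
#    checks out trusted base-branch code and never executes PR-controlled files.
on:
  pull_request:

jobs:
  generate-schema:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: make generate-schema
      - uses: actions/upload-artifact@v4
        with:
          name: generated-schema
          path: schema/          # assumed output directory

  # Hypothetical follow-up job: runs only on the trusted default branch,
  # so the SSH signing key is never reachable from fork-controlled code.
  sign-and-push:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4     # base-branch code only
      - name: Import SSH signing key
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.SSH_SIGNING_KEY }}" > ~/.ssh/signing_key
          chmod 600 ~/.ssh/signing_key
          git config gpg.format ssh
          git config user.signingkey ~/.ssh/signing_key
```

The important checks when reviewing any workflow of this shape are: which trigger it uses (`pull_request_target` and `workflow_run` expose secrets to fork-originated events), whether `ref:` points at `github.event.pull_request.head.*`, whether `persist-credentials` is left at its default, and whether any step that holds a secret also executes files from the checked-out tree.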
Business impact
The theft of signing keys and access tokens allows an attacker to impersonate the project maintainers and push malicious code or sign fraudulent commits. With a CVSS score of 10.0, this represents a critical threat to the integrity of the entire software lifecycle.
Remediation
Immediate Action: Update to commit fcf9302 or later to correct the workflow checkout and credential management practices.
Proactive Monitoring: Review repository and audit logs for unauthorized commit or push activity, and for commits signed with the exposed SSH signing keys, covering the whole period during which the vulnerable workflow could run on fork pull requests.
Compensating Controls: Immediately revoke and rotate every Personal Access Token and SSH key that was configured for use within this workflow. Updating the workflow alone does not invalidate secrets that may already have been read.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical nature of secret exposure, users must treat this as a high-urgency remediation. Beyond updating the workflow, a full rotation of all exposed secrets is required to ensure the security of the repository and its associated assets.