Code Room
On-call, Hard
Question
GitHub alerts that your org's CI service-account token (used by self-hosted runners, with push access to all repos and read access to Actions secrets) was used from an unrecognized IP to clone three private repos and to call the registry API at 03:40, outside business hours and from a different country than your runners. The token is also configured as a secret in 60+ workflows. Your last release deployed to prod 6 hours ago. You're the on-call platform engineer. Triage and respond.
What a strong answer looks like
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.