Code Room
On-call | Hard | oc-g602
Subject: Security, compromised CI token
Level: Senior–Staff
Time: ~40 min
Common in Security interviews
Industries: Software development, Technology

Question

GitHub alerts that your org's CI service-account token (used by self-hosted runners, with push access to all repos and read access to Actions secrets) was used from an unrecognized IP to clone three private repos and to call the registry API at 03:40, outside business hours and from a different country than your runners. The token is also configured as a secret in 60+ workflows. Your last release deployed to prod 6 hours ago. You're the on-call platform engineer. Triage and respond.

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
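To make "form hypotheses from real signals" concrete for this scenario, here is an added example (not part of the original page) of a first triage pass over exported audit-log entries: it separates the service account's expected activity from runner IPs from activity that needs explaining, and lists the repos and APIs touched. The event shape, action strings, the ci-bot login, the runner IP allowlist and the business-hours window are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample audit-log entries for the scenario (not real data; field
# names and action strings are assumptions, not GitHub's exact audit schema).
SAMPLE_EVENTS = [
    {"created_at": "2024-05-04T14:02:11Z", "actor": "ci-bot", "actor_ip": "203.0.113.10",
     "action": "git.clone", "repo": "acme/api"},
    {"created_at": "2024-05-05T03:40:02Z", "actor": "ci-bot", "actor_ip": "198.51.100.7",
     "action": "git.clone", "repo": "acme/api"},
    {"created_at": "2024-05-05T03:40:05Z", "actor": "ci-bot", "actor_ip": "198.51.100.7",
     "action": "git.clone", "repo": "acme/billing"},
    {"created_at": "2024-05-05T03:40:09Z", "actor": "ci-bot", "actor_ip": "198.51.100.7",
     "action": "git.clone", "repo": "acme/infra"},
    {"created_at": "2024-05-05T03:41:30Z", "actor": "ci-bot", "actor_ip": "198.51.100.7",
     "action": "packages.read", "repo": None},
    {"created_at": "2024-05-05T09:15:00Z", "actor": "alice", "actor_ip": "198.51.100.7",
     "action": "git.clone", "repo": "acme/api"},
]

# Assumed allowlist of self-hosted runner egress IPs and assumed business hours (UTC).
RUNNER_IPS = {"203.0.113.10", "203.0.113.11"}
BUSINESS_HOURS = range(8, 19)


def triage(events, actor="ci-bot", known_ips=RUNNER_IPS, business_hours=BUSINESS_HOURS):
    """Keep only the service account's activity from IPs outside the runner allowlist,
    flag off-hours use, and summarise what that activity touched."""
    suspicious = []
    for ev in events:
        if ev["actor"] != actor or ev["actor_ip"] in known_ips:
            continue  # other users, or the runners doing their normal job
        hour = datetime.strptime(ev["created_at"], "%Y-%m-%dT%H:%M:%SZ").hour
        flags = ["unknown_ip"] + (["off_hours"] if hour not in business_hours else [])
        suspicious.append({**ev, "flags": flags})
    return {
        "suspicious": suspicious,
        "source_ips": sorted({e["actor_ip"] for e in suspicious}),
        "repos_touched": sorted({e["repo"] for e in suspicious if e["repo"]}),
        "registry_api_used": any(e["action"].startswith("packages.") for e in suspicious),
        # Logs cannot prove secrets were not read; treat them as exposed until rotated.
        "secrets_assumed_exposed": bool(suspicious),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    print(f"{len(report['suspicious'])} suspicious events from {report['source_ips']}")
    print("repos:", report["repos_touched"], "registry:", report["registry_api_used"])
```

The output is the list of repos and source IPs to hand over in the first status update, while token revocation and rotation proceed in parallel.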
