Can we get some clarity on whether an attacker was able to access actual machines running builds? So far all questions about whether source code was leaked were answered with:
We recommend viewing the security audit logs of your VCS for any unauthorized access.
If actual build agents/runners were (potentially) compromised that means source code could have been leaked without it showing up in out Github audit logs. Additionally, any builds created while the attacker had access might have had malicious code injected into them.