h4tt / H4TT-3.0

Challenges from Hack All The Things 3.0

Home Page: https://h4tt.ca


Git commit hash challenge

AngelOnFira opened this issue

Goal: brute force a git hash so that it is prefixed with dec0ded.

Method: there are ways to do this quite easily, such as https://github.com/bradfitz/gitbrute.

Creation: Have players make a PR on a repo, and have an action merge it only if it has one commit and the hash begins with dec0ded. Somehow send a message to a GitHub user with a GitHub secret once they have the commit.

Story: You've found a GitHub repository, and there seems to be a flag stored in it. They keep talking about how it's encoded, can you dec0ded it?

I think the best answer is probably to grab the GitHub user's email and shoot them an email on a successful merge. Maybe also posting a comment in the PR saying to check their email for the flag, since naturally if we post the flag in the PR, anyone can view the flag.

Some references for sending emails using SendGrid via GitHub Actions:
https://github.com/peter-evans/sendgrid-action
https://sendgrid.com/pricing/

According to the pricing one, it looks like we get 100 emails for free/day. However, the next step up from there is $15 USD for upwards of 50,000 emails/day. Unless we want to set up our own SMTP server or something.

Edit:
In hindsight, we don't really need to pay unless we're planning on having > 100 teams. We could also track whether or not a git account has had the email sent so as to reduce the number of outgoing emails and stay within the limit.
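
Added example, not part of the original thread or the H4TT repository: a Python sketch of how a git commit id is derived, a timestamp search for a short prefix (the general idea behind tools like the gitbrute link above), and the merge check described under "Creation". The identity, commit message, base timestamp and the function names `find_commit` and `gate` are assumptions made for illustration.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Git names an object SHA-1("<kind> <len>\\0" + body)."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

EMPTY_TREE = git_object_id("tree", b"")  # id of a tree with no entries

def commit_body(tree: str, author_ts: int, commit_ts: int) -> bytes:
    # Constructed identity and message; a real PR commit also has a parent line.
    who = "Player One <player@example.com>"
    return (f"tree {tree}\n"
            f"author {who} {author_ts} +0000\n"
            f"committer {who} {commit_ts} +0000\n"
            f"\nsolve\n").encode()

def find_commit(prefix: str, base_ts: int = 1700000000, limit: int = 500_000):
    """Walk the committer timestamp forward until the id has the prefix."""
    for delta in range(limit):
        body = commit_body(EMPTY_TREE, base_ts, base_ts + delta)
        oid = git_object_id("commit", body)
        if oid.startswith(prefix):
            return oid, body
    return None

def gate(pr_commits: list[bytes], prefix: str = "dec0ded") -> bool:
    """Merge check from the issue: exactly one commit, id starts with prefix.
    The id is recomputed from the raw object, not taken from a claimed hash."""
    return (len(pr_commits) == 1
            and git_object_id("commit", pr_commits[0]).startswith(prefix))

if __name__ == "__main__":
    oid, body = find_commit("dec")  # 3 hex digits: about 4096 tries on average
    print(oid, gate([body], "dec"), gate([body]))
```

Each extra hex digit multiplies the expected work by 16, so the full 7-digit `dec0ded` prefix needs about 16^7 (roughly 268 million) hashes on average, which is why the demo searches for `dec` only.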