undefined | Better HN

0 pointsimglorp1mo ago0 comments

Yes, true, but at least the fire won't spread through this one point. Hopefully all of your upstreams can be persuaded to pin also.

0 comments

Doesn't a single compromised action in the chain cause the whole to be fucked? Pinning the top level doesn't prevent any spread.

Might want to vendor everything?

lijok1mo ago

That’s the way to go indeed. We’ve done it, not difficult, just a bit of gruntwork to keep them updated when needed

I don't know what this means in this context.

Make copies of the entire GitHub action dependency tree.

j / k navigate · click thread line to collapse

Doesn't a single compromised action in the chain cause the whole to be fucked? Pinning the top level doesn't prevent any spread.

Might want to vendor everything?

lijok1mo ago

That’s the way to go indeed. We’ve done it, not difficult, just a bit of gruntwork to keep them updated when needed

I don't know what this means in this context.

Make copies of the entire GitHub action dependency tree.

j / k navigate · click thread line to collapse