In mid-March, a massive supply chain attack compromised ~23,000 GitHub repositories via GitHub Actions. Roughly four months prior, I predicted this attack would happen. But you didn’t have to be clairvoyant to see this coming. I could write a post whining about GitHub’s security malaise and the design of Actions, but instead I’ll try to make this a productive one. GitHub are working on a long-awaited feature called Immutable Actions that should make flash supply chain attacks like this impossible. It’s currently in preview and I’m not sure when it’s slated to be generally available.
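As an added example (not code from the original post), here is the check a practitioner can run today while Immutable Actions is still in preview: a small Python script that flags `uses:` references in a workflow file that point at a tag or branch (a mutable ref) instead of a full commit SHA. The sample workflow and the 40-character SHA inside it are constructed placeholders, not real pins.

```python
import re

# A `uses:` value looks like owner/repo[/path]@ref, ./local/path, or docker://image.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?")
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses: str) -> str:
    """Classify an action reference by how stable its target is.

    'local'   -> ./path inside the calling repository (moves with the repo itself)
    'docker'  -> docker://image reference (pin by digest separately)
    'sha'     -> full 40-hex commit SHA; immutable
    'mutable' -> tag or branch name; its target can be re-pointed later
    'missing' -> no @ref at all (resolves to the default branch)
    """
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        return "docker"
    if "@" not in uses:
        return "missing"
    ref = uses.rsplit("@", 1)[1]
    return "sha" if _SHA_RE.match(ref) else "mutable"


def find_unpinned(workflow_text: str):
    """Return (line_number, uses_value, classification) for every reference
    that is neither pinned to a commit SHA nor local to the repository."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        kind = classify_ref(uses)
        if kind in ("mutable", "missing"):
            findings.append((n, uses, kind))
    return findings


# Constructed sample workflow; the SHA below is a made-up placeholder, not a real pin.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/lint
      - uses: example-org/some-action@main  # trailing comment is ignored
      - uses: example-org/no-ref-action
"""

if __name__ == "__main__":
    for n, uses, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {uses} ({kind}) - pin to a commit SHA")
```

Run it over every file under `.github/workflows/` in CI and fail the build on any finding; a SHA pin only helps if the pinned commit was itself reviewed.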