by lmeyerov
1903 days ago
Add one extra command ;-) These can be innocuous if buried in something like unit tests of configs or network behavior, or in a big PR: logs: `env | base64` network: `env | gzip | curl` It should be easy to set most workflows to run sandboxed with almost no capabilities - no secrets access, safelisted network access, safelisted package manager accesses for top 10 langs, etc - so that testing someone's PR isn't scary, and runtime violations make loud noises. The whole 'just disable actions on fork PRs' thing is a great default, but ultimately a figleaf as it's not hard to get someone to run an action.
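An added example (not part of the thread above, and not anyone's project code): a small audit that checks a GitHub Actions workflow for the "almost no capabilities" properties the comment argues for, so a maintainer can see before merging whether PR-triggered jobs would run with a write token or with secrets in their environment. It is a line-oriented heuristic using regular expressions rather than a YAML parser, and both workflow texts are constructed samples; the trigger names, the `permissions` key and the `github.event.pull_request.head.*` expressions are real GitHub Actions syntax, the rest of the layout is assumed.

```python
import re

# Constructed sample: a workflow that runs the PR author's code with the base
# repository's token and a secret in the environment (the risky shape).
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: same job, but triggered by pull_request (no secrets for
# fork PRs) with a read-only token declared at the top level.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
"""


def audit_workflow(text: str) -> list[str]:
    """Return a list of findings describing why this workflow is not
    a low-capability sandbox for untrusted pull requests.

    Heuristic only: it matches lines, it does not parse YAML, so
    unusual formatting can produce false negatives or positives.
    """
    findings = []

    # pull_request_target runs in the context of the base repo: write token,
    # secrets available, even when the PR comes from a fork.
    has_prt = re.search(r"^\s*pull_request_target\s*:", text, re.M) is not None

    # Checking out the PR head under that trigger executes untrusted code.
    checks_out_head = (
        re.search(r"github\.event\.pull_request\.head\.(sha|ref)", text) is not None
    )

    # Any ${{ secrets.X }} reference means the job environment can carry secrets.
    uses_secrets = re.search(r"\$\{\{\s*secrets\.", text) is not None

    # A top-level (unindented) permissions block scopes GITHUB_TOKEN down from
    # the repository default.
    has_permissions = re.search(r"^permissions\s*:", text, re.M) is not None

    if has_prt and checks_out_head:
        findings.append(
            "pull_request_target checks out the PR head: untrusted code runs "
            "with the base repository's token"
        )
    if has_prt and uses_secrets:
        findings.append("secrets are referenced in a pull_request_target workflow")
    if not has_permissions:
        findings.append(
            "no top-level permissions block: GITHUB_TOKEN keeps its default scopes"
        )
    return findings


if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {audit_workflow(wf) or ['ok']}")
```

Run it as a pre-merge check over `.github/workflows/*.yml`; an empty result for a workflow means fork PRs get neither a write token nor secrets, which is the baseline the comment describes, and anything non-empty is a reason to look at that file before letting a PR trigger it.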