by shubik22 1889 days ago
Kinda surprised about the negativity here. It wasn’t too long ago that getting CI/CD set up for a small project would either be non-trivial and/or expensive. The value I get (for free!) from GitHub Actions is pretty substantial. Sounds like their previous policy of blaming upstream maintainers didn’t make sense, and now they’re trying to strike a reasonable balance between preventing abuse and burdening maintainers here. Maybe you think they’ve swayed too far to one side here, but I’m inclined to give GitHub the benefit of the doubt given the overwhelming value that I think GitHub Actions provides projects for free.
2 comments

> It wasn’t too long ago that getting CI/CD set up for a small project would either be non-trivial and/or expensive.

You mean over 10 years ago? Travis-CI opened in 2011...

CI/CD is RCE as a service. Not opening CI/CD to the public by default seems like a security necessity.

I'm building a project where my service would plug with the (untrusted) JS code of users.

I first thought it would be easy to sandbox and have something decent running, but after doing some research on sandboxing, I realize how hard it is, and the many ways bad actors can exploit a service running untrusted code.

Kudos to GitHub and GitLab for taking the challenge of providing an RCE service with a free plan.

Hacker News is spam as a service, not letting the public post is a necessity.

Or we could acknowledge there is a space between complete unmanaged access and no access.

Poor analogy. CI is about automating what a developer does remotely, so yes CI IS automated code execution in a remote environment, as a service. But Hacker News is "spam as a service" – huh?? They don't even compare.

Secondly, parent comment said public by default is bad. Parent didn't say "all public was bad". So there is no necessity to make it into a disagreement.