| TL;DR: Why not add a capability/permissions model to CI? I agree that pinning commits is reasonable and that GitHub's UI and Actions system are awful. However, you said: > Maybe accounts should even require ID verification This would worsen the following problems: 1. GitHub actions are seen as "trustworthy" 2. GitHub actions lack granular permissions with default no 3. Rising incentives to attempt developer machine compromise, including via $5 wrench[1] 4. Risk of identity information being stolen via breach > It's time to take things seriously. Why not add strong capability models to CI? We have SEGFAULT for programs, right? Let's expand on the idea. Stop an action run when: * an action attempts unexpected network access * an action attempts IO on unexpected files or folders The US DoD and related organizations seem to like enforcing this at the compiler level. For example, Ada's got: * a heavily contract-based approach[2] for function preconditions * pragma capabilities to forbid using certain features in a module Other languages have inherited similar ideas in weaker forms, and I mean more than just Rust's borrow checker. Even C# requires explicit declaration to accept null values as arguments [3]. Some languages are taking a stronger approach. For example, Gren's[4] developers are considering the following for IO: 1. you need to have permission to access the disk and other devices 2. permissions default to no > We can't afford to fuck around anymore, Sadly, the "industry" seems to disagree with us here. Do you remember when: 1. Microsoft tried to ship 99% of a credit card number and SSN exfiltration tool[5] as a core OS component? 2. BSoD-as-service stopped global air travel? It seems like a great time to be selling better CI solutions. ¯\_(ツ)_/¯ [1]: https://xkcd.com/538/ [2]: https://learn.adacore.com/courses/intro-to-ada/chapters/cont... [3]: https://learn.microsoft.com/en-us/dotnet/csharp/language-ref... [4]: https://gren-lang.org/ [5]: https://arstechnica.com/ai/2024/06/windows-recall-demands-an... |