[zahlman]

> Attackers targeted a wide variety of repositories, many of which had PyPI tokens stored as GitHub secrets, modifying their workflows to send those tokens to external servers. While the attackers successfully exfiltrated some tokens, they do not appear to have used them on PyPI.

It's wild to me that people entrust a third-party CI system with API secrets, and then also entrust that same system to run "actions" provided by other third parties.

[blibble]

it's even worse that that

the CI system itself encourages you to import random third party code into your CI workflow, based on mutable tags

which then receives full privileges

the entire thing is insane

[NeutralForest]

That's why I stick mostly with Github actions and pin the SHA of the commits instead of the tag version.

[blibble]

yes, it supports it, but it's not the default, is a pain and fills your build file with a load of noise

so very few use it

it's not made obvious that the tag isn't immutable

although you might be happy with the contents of what you've imported right now, who says it won't be malicious in a year's time

people inadvertently give full control of their build and all their secrets to whoever controls that repository (now, and in the future)

making it easy to do the right thing is an important part of API design and building secure systems, and these CI systems fail miserably there

[Harmon758]

Immutable releases are in public preview and hopefully will make it easier to do the right thing.

https://github.blog/changelog/2025-08-26-releases-now-suppor...

[blibble]

I don't see how that solves this problem as long as the attacker can delete and recreate a repository

sigstore's main design goal seems to be to increase the lock-in of of "trusted" providers

(the idea that Microsoft should be trusted for anything requiring any level of security is entirely ludicrous)

[frenchtoast8]

It’s a good first step, but a significant number of GitHub Actions pull a Docker image from a repository such as Docker Hub. In those cases, the GitHub Action being immutable wouldn’t prevent the downstream Docker image from being mutated.