Hacker News
imglorp
86 days ago
Yes, true, but at least the fire won't spread through this one point. Hopefully all of your upstreams can be persuaded to pin also.
franktankbank
86 days ago
Doesn't a single compromised action in the chain cause the whole to be fucked? Pinning the top level doesn't prevent any spread.
teaearlgraycold
86 days ago
Might want to vendor everything?
lijok
86 days ago
That’s the way to go indeed. We’ve done it, not difficult, just a bit of grunt work to keep them updated when needed.
franktankbank
86 days ago
I don't know what this means in this context.
teaearlgraycold
86 days ago
Make copies of the entire GitHub action dependency tree.
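An added example, not from the thread above: a small Python scanner illustrating the point franktankbank makes, that a fully pinned top-level workflow still inherits mutable tag or branch references from the composite actions it depends on. The workflow text, the action names (example/setup-tool, example/helper) and the all-zero/all-one placeholder SHAs are constructed; the `actions` dict stands in for fetching each action's action.yml.

```python
import re
from typing import Dict, List, Set, Tuple

# Matches a `uses:` reference (step or reusable workflow), e.g. actions/checkout@v4,
# owner/repo/sub/dir@<sha>, ./local/path. A trailing YAML comment is not captured.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^([0-9a-f]{40}|[0-9a-f]{64})$")

def find_uses(yaml_text: str) -> List[str]:
    return [m.group(1) for m in USES_RE.finditer(yaml_text)]

def is_pinned(ref: str) -> bool:
    """True only when the part after '@' is a full commit SHA. Tags and branches
    (v4, main) are mutable: whoever controls the upstream repo can move them."""
    if ref.startswith(("./", "docker://")):
        return True  # in-repo path or image ref: out of scope for this check
    _, sep, version = ref.rpartition("@")
    return bool(sep) and bool(FULL_SHA_RE.match(version))

def audit(workflow: str, actions: Dict[str, str]) -> List[Tuple[str, str]]:
    """Walk the whole uses: tree. `actions` maps owner/repo to that action's
    action.yml text (a stand-in for fetching it); composite actions are descended
    into so transitive, unpinned references are reported with their parent."""
    findings: List[Tuple[str, str]] = []
    seen: Set[str] = set()
    stack = [("workflow", workflow)]
    while stack:
        parent, text = stack.pop()
        for ref in find_uses(text):
            if ref in seen:
                continue
            seen.add(ref)
            if not is_pinned(ref):
                findings.append((parent, ref))
            name = ref.rpartition("@")[0]
            if name in actions:  # descend into a composite action's own steps
                stack.append((ref, actions[name]))
    return findings

# Constructed sample: the top-level workflow is fully pinned (zeros/ones are placeholder
# SHAs), but a pinned composite action pulls in tag/branch references two levels down.
WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: example/setup-tool@1111111111111111111111111111111111111111  # placeholder SHA
      - uses: ./.github/actions/local
"""
ACTIONS = {
    "example/setup-tool": "runs:\n  using: composite\n  steps:\n"
                          "    - uses: example/helper@v2\n    - uses: actions/cache@main\n",
    "example/helper": "runs:\n  using: composite\n  steps:\n    - uses: actions/setup-node@v4\n",
}

if __name__ == "__main__":
    for parent, ref in audit(WORKFLOW, ACTIONS):
        print(f"unpinned: {ref}  (reached via {parent})")
```

Vendoring, as teaearlgraycold suggests, is what makes every node of this tree a `./` reference that the scanner no longer needs to chase.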