by rmunn
57 days ago
I hadn't previously considered vendoring GHA dependencies, but yes, that might be a good idea. Perhaps not in all circumstances, but for anything that might be at risk of supply-chain compromise, the same arguments that apply to NPM apply to GHA.