by mnahkies
42 days ago
I use GitHub environments to require a manual approval (which includes MFA) in GitHub, prior to a pipeline running with an OIDC token capable of publishing. Would this have caught the cache poisoning? Unsure, though it at least means I'm intentionally authorising and monitoring each publish for anything unexpected. https://docs.github.com/en/actions/deployment/targeting-diff...
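The pattern the comment describes, as an added illustrative workflow (not the commenter's own configuration): the publish job is bound to a GitHub environment whose "Required reviewers" rule (set in the repository's environment settings, not in the workflow file) holds the job until someone approves it, and only that job is granted `id-token: write`, so no OIDC token capable of publishing exists before the approval. The environment name `production-npm`, the npm packaging steps, and the registry-side trusted-publisher setup are assumptions.

```yaml
name: publish

on:
  push:
    tags: ['v*']

# Default for every job: no GITHUB_TOKEN scopes at all.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm pack
      - uses: actions/upload-artifact@v4
        with:
          name: package
          path: '*.tgz'

  publish:
    needs: build
    runs-on: ubuntu-latest
    # The job is queued here until a required reviewer (configured on the
    # "production-npm" environment, assumed name) approves it in the GitHub UI.
    environment: production-npm
    permissions:
      contents: read
      id-token: write   # OIDC token is only mintable inside this gated job
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: package
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      # Publishes the artifact built in the previous job; the registry must be
      # configured to trust this repository/workflow as an OIDC publisher.
      - run: npm publish *.tgz --provenance --access public
```

The gate sits between build and publish, so the reviewer sees exactly which tag and artifact are about to go out before any publishing credential is issued.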