Reading up on zizmor
1 deep · digging since apr 28
- GitHub Actions is the weakest link
GitHub Actions' default features—mutable tags, pull_request_target, template injection, and write-scoped tokens—have enabled a chain of supply-chain attacks on open-source registries, and GitHub's opt-in security roadmap won't fix the root causes.