←back to thread

Public secrets exposure leads to supply chain attack on GitHub CodeQL

(www.praetorian.com)
297 points cyberbender | 2 comments | 30 Mar 25 19:54 UTC | HN request time: 0.38s | source
Show context
Sytten ◴[31 Mar 25 07:08 UTC] No.43532057[source]
An again this would not be so bad an impact if github finally pushed their immutable actions [1]. I sound like a broken record since I keep repeating that this would solve like 70%+ of the scope of attacks on gha today. You would think that the weekly disaster they have would finally make them launch it.

[1] https://github.com/features/preview/immutable-actions

replies(1): >>43532082 #
thund ◴[31 Mar 25 07:13 UTC] No.43532082[source]
They probably have good reasons if it's still in preview, that could be serious bugs, security gaps, potential breaking changes that would cause more harm than good if rushed, etc
replies(2): >>43532304 #>>43533725 #
1. intelVISA ◴[31 Mar 25 07:49 UTC] No.43532304[source]
Too much stakeholder alignment?
replies(1): >>43533171 #
2. tanepiper ◴[31 Mar 25 10:09 UTC] No.43533171[source]
More like last year they laid off a whole bunch of people. We've been waiting for several open tickets on GitHub to be picked up, some were but seem to be abandoned and others just ignored.