You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Last week's PR #64 had a bit of back-and-forth because of delayed CI feedback to a new contributor.
Dave explained that we currently err on the side of safety over convenience
To avoid being able to hijack Actions, they only run for commits directly to this repo by maintainers. Otherwise someone could fork and cat out the deploy token for pypi :)
I'd like to find a way to improve the CI experience for all contributors without compromising the project's safety.
Today I learned that there is a name for the threat: Poisoned Pipeline Execution.
Omer Gil of Cider Security has a good write up of the threat and some recommendations for how to handle it, including how to handle access to secrets.
I don't remember where I first read about the problem or potential solutions, but it's clearly a common one. There may be some existing solutions for Github actions that we can reuse.
The text was updated successfully, but these errors were encountered:
Last week's PR #64 had a bit of back-and-forth because of delayed CI feedback to a new contributor.
Dave explained that we currently err on the side of safety over convenience
I'd like to find a way to improve the CI experience for all contributors without compromising the project's safety.
Today I learned that there is a name for the threat: Poisoned Pipeline Execution.
Omer Gil of Cider Security has a good write up of the threat and some recommendations for how to handle it, including how to handle access to secrets.
I don't remember where I first read about the problem or potential solutions, but it's clearly a common one. There may be some existing solutions for Github actions that we can reuse.
The text was updated successfully, but these errors were encountered: