I got frustrated with how GitHub Actions lets workflows with read-only permissions poison the cache of read/write workflows (!!??!?), so yesterday night I put together an Action that runs commands in a gVisor sandbox.

I am using it to test our Go modules against the latest versions of their dependencies (with "go get -u") on a schedule, to be notified early of compatibility issues, but without the supply chain attack risk or the Dependabot churn.

https://github.com/geomys/sandboxed-step

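As an added illustration (not code from the post or from the geomys/sandboxed-step project), here is what the scheduled "does our module still build against the latest dependencies" job described above could look like as a GitHub Actions workflow. The `with: run:` input name, the `@v1` tag and the module paths are assumptions; check the action's README for its actual inputs before copying this. The security-relevant parts are that the workflow holds only `contents: read`, that the untrusted step (`go get -u` followed by a build and test of freshly fetched code) runs inside the sandboxed step rather than on the runner directly, and that nothing from that step is written back to the cache or the repository.

```yaml
# Added example workflow; NOT part of the original post or the action's own docs.
# Assumed: the action accepts its command through a `run` input (verify in README).
name: latest-deps-check

on:
  schedule:
    - cron: "17 6 * * 1"   # constructed schedule: once a week, Monday 06:17 UTC
  workflow_dispatch: {}

# Least privilege: this job only needs to read the repository.
permissions:
  contents: read

jobs:
  go-get-u:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          cache: false   # do not read from or write to the shared module/build cache

      # Everything that executes code from newly fetched dependencies happens
      # inside the gVisor sandbox, so a compromised upstream module cannot
      # reach the runner, its token or the actions cache.
      - uses: geomys/sandboxed-step@v1   # assumed tag; pin to a commit SHA in practice
        with:
          run: |   # assumed input name
            set -euo pipefail
            go get -u ./...
            go mod tidy
            go build ./...
            go test ./...
```

The job is informational: a failure means a newer dependency version broke the build or tests, which is the early warning the post is after, and the updated `go.mod` stays inside the sandbox rather than being committed, so there is none of the Dependabot-style pull-request churn.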
@filippo "Why don't we just run all of our CI in gVisor" is a thing I ask myself frequently.