@Zearin


A follow up here on action items (assuming you’re already using trusted publishers OIDC to scope releases to a single GitHub Action workflow):

1. Look for any `pull_request_target` GitHub Actions workflows! (this allows external forks/code to run your actions with write access ☠️☠️☠️☠️☠️)
2. Look for use of `cache` in your GitHub Actions release workflow (cache was poisoned/compromised by `pull_request_target` trigger)

Learn more about `pull_request_target`: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests

Combining the pull_request_target workflow trigger with an explicit checkout of an untrusted Pull Request is a dangerous practice that may lead to repository compromise.

GitHub Security Lab
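The two action items in the post above, as an added example (not code from the post or from the linked GitHub Security Lab article): a text scan of `.github/workflows` that reports lines using the `pull_request_target` trigger, lines that reference the pull request's head ref, and lines that use a cache. The check names, regex heuristics and sample file names are assumptions made for illustration, and the sample workflows are constructed.

```python
import re
from pathlib import Path

# Text heuristics over raw workflow YAML; a hit means "review this line".
CHECKS = {
    "pull_request_target": re.compile(r"\bpull_request_target\b"),
    "pr_head_checkout": re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref"),
    "cache": re.compile(r"uses:\s*actions/cache\b|^\s*cache:\s*\S"),
}

# Constructed sample workflows (assumed file names, not from a real repository).
SAMPLES = {
    "triage.yml": """on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
""",
    "release.yml": """on: push
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v4
        with:
          cache: npm  # restored in the release path
""",
}

def audit_workflow(text):
    """Map each check name to the line numbers where it matches."""
    hits = {}
    for number, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore YAML comments
        for name, pattern in CHECKS.items():
            if pattern.search(code):
                hits.setdefault(name, []).append(number)
    return hits

def audit_repo(root):
    """Audit each workflow under <root>/.github/workflows; keep files with hits."""
    files = sorted((Path(root) / ".github" / "workflows").glob("*.y*ml"))
    found = {f.name: audit_workflow(f.read_text(encoding="utf-8")) for f in files}
    return {name: hits for name, hits in found.items() if hits}
```

Calling `audit_repo(".")` from a repository root returns the flagged files and line numbers; a workflow that shows both `pull_request_target` and `pr_head_checkout` matches the pattern the linked article warns about, and any `cache` hit in a release workflow is the second item to review.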

We’ll be live in 5m: https://www.youtube.com/watch?v=-NkmUmq0JUQ

We’ll answer your questions about Font Awesome, Build Awesome, and the Kickstarter. Watch as @jabronus helps @zachleat assemble a Font Awesome keyboard! Test our multitasking skills!

Back the Kickstarter: https://www.kickstarter.com/projects/fontawesome/build-awesome-pro?ref=9n0yiq

Cozy Keyboard Build and Build Awesome AMA

YouTube

@doctormo Is GitLab being corrupted in a way similar to GitHub?

I recall reading that Inkscape’s move from Launchpad and Bazaar to Git and GitLab was exhausting, and that it’s unclear whether the will to migrate again exists.

Where does this situation currently stand?

(P.S. Thanks for your *awesome* YouTube videos! They really changed my perception of Inkscape for the better. Been a user since around v0.42, I think.)

@Zearin @zachleat To be fair, the IWC community has developed a page for Eleventy, and contributors do seem to be keeping it updated with new developments: https://indieweb.org/Eleventy

Eleventy

Eleventy (abbreviated 11ty) is an open source JavaScript based static site generator that allows the user to select their own preferred template engine and theme, which in practice can and does enable use of microformats2.

IndieWeb

@zachleat Psst! #eleventy should totally be listed here (but isn’t ATM):

https://indieweb.org/projects

projects

There are many projects you can use to get your site on the IndieWeb, improve your IndieWeb support, or browse for inspiration for your own project; please note, some development ability and familiarity with command line tools will likely be required for you to use and improve these projects.

IndieWeb

“What would WordPress look like if it were invented today?”

https://www.pootlepress.com/2026/03/are-we-in-wordpress-asking-the-right-question/

Are We in WordPress Asking the Right Question? | Pootlepress

For about ten years of my life, my alarm clock went off at 4:00am. Not because I hate mornings. In fact, I rather like them. The world is quiet, the coffee tastes better, and nobody has started sending Slack messages yet. But even if you enjoy mornings, 4:00am is still objectively ridiculous. It was because […]

@SaraSoueidan News headlines make me worried about your safety. Please let us know if you’re okay… 🙏🏽

#BeSafe

Looking forward to seeing everyone at @webstandards #SotB today!