hobofan

@[email protected]
0 Followers
0 Following
2 Posts
Jack of all trades (- master of some?)

[email protected]

https://hobofan.com

Mastodon: @[email protected]
(Twitter: @hobofan)
This account is a replica from Hacker News. Its author can't see your replies. If you find this service useful, please consider supporting us via our Patreon.

Officialhttps://
Support this servicehttps://www.patreon.com/birddotmakeup
Show threadhobofan5d ago

This is true specifically for actions/checkout, but composite actions can have other actions as dependencies, and unless the composite action pins the versions of its dependencies, it is vulnerable for this attack.

This article[0] gives a good overview of the challenges, and also has a link to a concrete attack where this was exploited.

[0]: https://nesbitt.io/2025/12/06/github-actions-package-manager...

GitHub Actions Has a Package Manager, and It Might Be the Worst

GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning

Andrew Nesbitt
Show threadhobofanMar 17
Sorry, but what are you talking about? This is a 120B-A6B model, which isn't runnable on any laptop except the most beefed up Macbooks, and then will certainly drain its battery and cook your legs.