Comment by vlovich123
2 days ago
I maintain that GitHub does a piss poor job of hardening CI so that one step getting compromised doesn’t compromise all possible secrets. There’s absolutely no need for the GitHub publishing workflow to run some third party scanner and the third party scanner doesn’t need access to your pypi publishing tokens.
This stupidity is squarely on GitHub CI. Trivy is also bad here but the blast radius should have been more limited.
No comments yet
Contribute on Hacker News ↗