Re: [openstreetmap/openstreetmap-website] Lock GitHub Actions dependencies to SHAs for security and predictability (PR #6332)

Paul Norman via rails-dev Tue, 19 Aug 2025 01:37:37 -0700

pnorman left a comment (openstreetmap/openstreetmap-website#6332)

But we don't release anything through GH actions, do we? A malicious party 
could break our CI but they can do that by taking down their actions.


I'm not sure what we're trying to protect against. I know supply chain attacks 
are real, but what's the impact beyond CI?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/6332#issuecomment-3199784983
You are receiving this because you are subscribed to this thread.

Message ID: 
<openstreetmap/openstreetmap-website/pull/6332/c3199784...@github.com>

_______________________________________________
rails-dev mailing list
rails-dev@openstreetmap.org
https://lists.openstreetmap.org/listinfo/rails-dev

Re: [openstreetmap/openstreetmap-website] Lock GitHub Actions dependencies to SHAs for security and predictability (PR #6332)

Reply via email to