
One problem with this is that actions can be composite and call arbitrary other actions. So you're only safe if you use actions that themselves lock everything by commit for the actions they depend on.


You just described a supply chain, and the risks that come with them, which is something every dep management system is dealing with: rubygems, npm, etc.

Again, it all comes down to your risk tolerance. There's a certain level of trust built into these systems.



