(repost) Protect the repository hosting your GitHub Action
This post, now two years old, is still very much valid, especially in light of the recent changed-files compromise.
For GitHub Action authors, this guidance can help protect your Action from a similar fate, or at least make it harder for an attacker to leverage a leaked token.
Protect the repository hosting your GitHub Action
It comes as no surprise that versioning GitHub Actions by tags and branches is weak at best: both are mutable git refs, so `uses: owner/action@v1` resolves to whatever the tag points at when the workflow runs, and anyone who can push to the repository (including an attacker holding a leaked token with write access) can move it. There have been rumors of Actions moving to a different distribution model (GitHub Container Registry), but that has yet to see the light of day.
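The consumer-side counterpart to that weakness is pinning every `uses:` reference to a full commit SHA, which cannot be moved the way a tag or branch can. The scanner below is an added example written for this repost, not code from the original post or from GitHub: it classifies each `uses:` line in a workflow by how it is pinned, lists the ones that still float, and rewrites floating refs to SHAs from a caller-supplied tag-to-SHA mapping (keeping the tag as a trailing comment so the release is still readable). The workflow text, action names and SHA values are constructed for the example; the mapping would normally be filled from `git ls-remote` against the action's repository.

```python
import re

# Constructed sample workflow (not from the original post): a tag pin, a
# branch pin, a full-SHA pin, a short SHA, a local action and a docker tag.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/changed-files@main
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: some-org/some-action@abcdef1
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

# Matches the reference part of a `uses:` step, with or without quotes,
# stopping at whitespace or a trailing `# comment`.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
# A full SHA-1 (40 hex) or SHA-256 (64 hex) object id.
FULL_SHA_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")
# Reference kinds that do not move underneath the workflow.
PINNED_KINDS = {"sha", "local", "docker-digest"}


def classify_ref(uses):
    """Return how a `uses:` reference is pinned.

    "sha"           full commit SHA, immutable
    "short-sha"     abbreviated hex, ambiguous and not accepted as a pin
    "mutable"       tag or branch name, can be moved by anyone with push access
    "local"         action in this repository (./path), pinned with the checkout
    "docker"        container image by tag, mutable
    "docker-digest" container image by @sha256: digest, immutable
    "missing-ref"   no @ref at all
    Caveat: a tag that happens to be 4-39 hex characters is reported as
    "short-sha"; that is a limitation of the heuristic, not of GitHub.
    """
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        return "docker-digest" if "@sha256:" in uses else "docker"
    if "@" not in uses:
        return "missing-ref"
    _, ref = uses.rsplit("@", 1)
    if FULL_SHA_RE.match(ref):
        return "sha"
    if re.fullmatch(r"[0-9a-f]{4,39}", ref):
        return "short-sha"
    return "mutable"


def find_unpinned(text):
    """Return (line_no, uses, kind) for every `uses:` that is not immutably pinned."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        kind = classify_ref(uses)
        if kind not in PINNED_KINDS:
            findings.append((n, uses, kind))
    return findings


def pin_workflow(text, resolved):
    """Rewrite mutable refs to full SHAs using a {(action, ref): sha} map.

    The SHA is followed by a `# <tag>` comment so humans (and tools such as
    Dependabot) can still see which release the pin corresponds to. Refs with
    no entry in `resolved` are left untouched for a human to resolve.
    """
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == "mutable":
            uses = m.group(1)
            action, ref = uses.rsplit("@", 1)
            sha = resolved.get((action, ref))
            if sha and FULL_SHA_RE.match(sha):
                line = line.replace(uses, f"{action}@{sha} # {ref}", 1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, uses, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {uses} ({kind})")
    # Placeholder SHA standing in for the output of `git ls-remote`.
    print(pin_workflow(SAMPLE_WORKFLOW, {("actions/checkout", "v4"): "0" * 40}))
```

Run it against a real `.github/workflows/*.yml` and the `find_unpinned` output is the list of steps an attacker who moved a tag (or pushed to a branch) of the referenced action could hijack; `pin_workflow` only rewrites entries you have resolved yourself, so nothing in the mapping is guessed.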