Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bypassing GitHub Actions policies in the dumbest way possible - 1676

ENOSUCHBLOG, posted 8 months ago
  • GitHub Actions provides a policy mechanism, an allowlist, that limits which actions and reusable workflows a workflow may reference. The policy removes the failure mode of pulling in a malicious or harmful action without anyone having made a deliberate decision to allow it.
  • The restrictions can be applied to specific tags or commit hashes, as well as to particular organizations or repositories. It's a reasonably practical system for ensuring that a developer doesn't harm themselves.
  • This policy system can be "bypassed" by calling git clone on the action's repository inside a run step and then referencing the checkout through a relative path. To me, this is sane: if you downloaded something locally, then you're making an active choice to run the code. At the same time, it does work around the policy's prevention of foot-guns.
  • The author suggests adding a new policy type that can explicitly allow or deny local usage of workflows. I'm personally on the fence about this, though. Regardless, it's an interesting thing to know about GitHub Actions.
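The clone-then-local-path pattern described above is easy to spot in a workflow file, since the bypass needs two visible ingredients: a run step that calls git clone and a uses step whose value is a relative path. The following is an added example, not code from the original post or from this page's author; the workflow text is constructed, and the owner and action names (example-org/some-action) are placeholders. The allowlist matching is a glob approximation of GitHub's pattern syntax, not GitHub's own implementation.

```python
import re
from fnmatch import fnmatch

# Constructed workflow, not taken from the original post. The owner/action
# names are placeholders. It shows the policy-blocked reference (commented
# out) next to the git clone + relative path that sidesteps the allowlist.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Rejected by the policy if the allowlist is only "actions/*":
      # - uses: example-org/some-action@v1
      - name: Fetch the same action with plain git instead
        run: git clone https://github.com/example-org/some-action .tools/some-action
      # A relative path is never compared against the allowlist
      - uses: ./.tools/some-action
"""

_USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s]+)")
_CLONE = re.compile(r"\bgit\s+clone\b")


def _code_lines(text):
    """Yield workflow lines with whole-line YAML comments dropped."""
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        yield line


def parse_uses(text):
    """Return every `uses:` reference in order, skipping commented-out steps."""
    refs = []
    for line in _code_lines(text):
        m = _USES.match(line)
        if m:
            refs.append(m.group(1))
    return refs


def has_git_clone(text):
    """True if any non-comment line in the workflow invokes git clone."""
    return any(_CLONE.search(line) for line in _code_lines(text))


def is_local(ref):
    """Local actions are referenced by a path relative to the workspace."""
    return ref.startswith("./")


def ref_allowed(ref, allowlist):
    """Approximation of the allowlist: patterns such as 'actions/*' or
    'owner/repo@*' are glob-matched against the full 'owner/repo@ref' string."""
    return any(fnmatch(ref, pat) for pat in allowlist)


def audit(text, allowlist):
    """Report remote refs the policy would block, and local refs that sit in a
    workflow which also runs git clone (the bypass this page describes)."""
    findings = []
    cloned = has_git_clone(text)
    for ref in parse_uses(text):
        if is_local(ref):
            if cloned:
                findings.append(
                    f"bypass candidate: {ref} is a local path and the workflow runs git clone"
                )
        elif not ref_allowed(ref, allowlist):
            findings.append(f"blocked by policy: {ref}")
    return findings


if __name__ == "__main__":
    for finding in audit(WORKFLOW, ["actions/*"]):
        print(finding)
```

Run against the constructed workflow with an allowlist of only actions/*, the checkout step passes, the commented-out remote reference is ignored, and the local ./.tools/some-action step is reported because the same workflow runs git clone. A local action that lives in the repository itself, with no clone step, is not flagged, which keeps the check from complaining about the legitimate use of relative paths.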