
Practical GitHub Repository Hardening for a Hugo Site

This hardening effort was directly triggered by the recent Trivy supply chain compromise, which impacted some repositories in my workplace. That prompted a full review of my own repository controls. If you want more information about the incident and the response, the following two links are worth reading first:

Incident analysis: Trivy Compromised a Second Time (StepSecurity)
Official disclosure and remediation guidance: Aqua Security discussion #10425

The aim of my actions on my repository was not to chase perfect security. It was to put in place some practical controls that are easy to maintain and that reduce real risk in day-to-day development. ...

April 1, 2026 · 8 min · 1513 words · eakangk

Git, Case Sensitivity and GitHub Actions

Git is easy

I have used Git for quite a long time. I have also been coding in .NET for quite some time now. I have created plenty of dotnet project repositories on GitHub and integrated some basic CI features into them using GitHub Actions. It has all gone fairly well, until it didn't, today. The documentation is pretty solid and I know a lot of it off the top of my head. But today, I ran into something that took me totally by surprise, and I wasted a lot of my time on it. ...

May 15, 2021 · 5 min · 961 words