- Use static analysis for GHA to catch security issues: https://github.com/zizmorcore/zizmor
- Set locally: `pnpm config set minimum-release-age 4320` (3 days in minutes), see https://pnpm.io/supply-chain-security; for other package managers check: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e...
- Add Socket Free Firewall when installing npm packages on CI: https://docs.socket.dev/docs/socket-firewall-free#github-act...
Thanks for making me aware of zizmor; just ran it and fixed all issues on our core repos.
You also need to make sure you take care when using PR titles and descriptions in your GHA, because if they contain `text` it may be executed lmfao.
Edited: not "will", but "may", depending on your GHA.
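The point in the comment above is GitHub Actions expression injection: `${{ ... }}` is expanded into the step's script text before the shell parses it, so an attacker-controlled field such as a PR title or body becomes part of the command line. The workflow below is an added example and not anything from the commenters; the workflow name, job names and the PR title used as a payload are constructed for illustration. It shows the vulnerable pattern and the hardened form side by side (untrusted fields passed through `env:` so the shell only ever sees them as data).

```yaml
name: pr-title-check   # hypothetical workflow name

on:
  pull_request:
    types: [opened, edited, synchronize]

permissions:
  contents: read   # least privilege: nothing here needs write access

jobs:
  # VULNERABLE: the expression is substituted into the script text before
  # bash runs it. A PR title like the following (constructed example)
  #   x"; id; echo "
  # turns the line into  echo "PR title: x"; id; echo ""  and runs `id`
  # with the runner's token and environment. zizmor reports this class of
  # finding as template-injection.
  check-title-unsafe:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"

  # HARDENED: untrusted fields go through the environment. The expression is
  # still expanded, but into a variable's value, and "$PR_TITLE" is quoted
  # when the shell reads it, so no part of it is parsed as code.
  check-title-safe:
    runs-on: ubuntu-latest
    env:
      PR_TITLE: ${{ github.event.pull_request.title }}
      PR_BODY: ${{ github.event.pull_request.body }}
    steps:
      - run: |
          printf 'PR title: %s\n' "$PR_TITLE"
          # Example policy check on the data; it never evaluates the string.
          case "$PR_TITLE" in
            feat:*|fix:*|chore:*) echo "conventional prefix ok" ;;
            *) echo "::error::title must start with feat:, fix: or chore:"; exit 1 ;;
          esac
```

The same rule applies to any field an outside contributor controls (`github.event.issue.title`, `github.event.comment.body`, `github.head_ref`, commit messages): route it through `env:` or an action input, and keep `permissions:` as narrow as the job allows so a successful injection has as little to work with as possible.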
The only way to 'harden your github actions' is to not use github actions.