> To achieve this, we require that packages are built on a trusted CI/CD platform
Given what happened with NX [1], I'm hoping GitHub Actions disallows certain types of commands in their YAML. Otherwise we still have a straightforward way to attach provenance to malicious code. =\
2 comments
[ 2.9 ms ] story [ 14.3 ms ] threadAdditional resources:
- Trusted publishing via OIDC [1]
- Requiring 2FA for package publishing [2]
1: https://docs.npmjs.com/trusted-publishers
2: https://docs.npmjs.com/requiring-2fa-for-package-publishing-...
Given what happened with NX [1], I'm hoping GitHub Actions disallows certain types of commands in their YAML. Otherwise we still have a straightforward way to attach provenance to malicious code. =\
1: https://x.com/adnanthekhan/status/1958722939534417989