I don’t disagree with that, but I think GitHub has shown that projects want to have their cake and eat it too. GitHub has also shown that it’s incredibly easy to design an insecure CI/CD that satisfies that goal, but I see that more as a symptom of them being first-to-market rather than an inherent quality of the problem.
Wait, isn't this about protecting the machine running the actions? If someone hosts a project on GitHub and allows anyone to run actions, it's GitHub's problem if there's a vulnerability to exploit. It's their installations that are going to get compromised, not necessarily the project's data.