Show HN: Run a GitHub Actions step in a gVisor sandbox (github.com)

85 points by FiloSottile 9 days ago | 3 comments
westurner 2 days ago

> Surprisingly enough, GitHub Actions with read-only permissions still receive a cache write token, allowing cache poisoning, so they are not safe to run untrusted code.

What are solutions to this and their tradeoffs?

1. Disallow cache write access to read-only actions
2. Stack caches such that read-only action cache writes don't affect the cache for read-write actions

edit: What else would solve this?
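One way to picture option 2 above as a workflow configuration, added here as an illustration and not taken from the linked project or the linked article: the cache key is prefixed with a trust tier derived from the triggering event, so pull_request runs can only ever write and restore caches in the "untrusted" namespace, and push runs only in the "trusted" one. The workflow name, cache path and build command are hypothetical; `actions/cache@v4` and `actions/checkout@v4` are the real actions.

```yaml
# Added example of a tiered cache namespace (not from the linked project).
name: build
on:
  push:
    branches: [main]
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      # Trusted tier for pushes to main; everything else (PR runs) is untrusted.
      CACHE_TIER: ${{ github.event_name == 'push' && 'trusted' || 'untrusted' }}
    steps:
      - uses: actions/checkout@v4

      - uses: actions/cache@v4
        with:
          # Hypothetical cache path; substitute the build's real dependency dir.
          path: ~/.cargo/registry
          # The tier is the first key component, and restore-keys only fall back
          # within the same tier, so a cache written by an untrusted run is never
          # a restore candidate for a trusted run.
          key: ${{ env.CACHE_TIER }}-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ env.CACHE_TIER }}-${{ runner.os }}-

      - run: cargo build  # hypothetical build step
```

This isolates the trusted tier from untrusted writes but still lets one untrusted run poison the cache seen by other untrusted runs, which is the tradeoff the comment asks about; the sandboxed step from the submission addresses what that untrusted code can do on the runner itself.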
pa7ch 3 days ago

This is really nice. A clean and easy way to use gVisor isolation to solve a GitHub problem. gVisor seems like the right level of isolation for a lot of code a dev would run on various machines, so just making it more within reach is, I think, a boon.
c45y 3 days ago

How one person can be so good at putting out useful security tech is just wild. I'll add this to my pile of Filo-made security I consistently rely on.