tomjakubowski 2 hours ago

> But this commit doesn't even have to belong to the preceding repository. You can reference a commit on a fork. Great way to sneak an xz-utils-style backdoor into critical CI workflows. Wow.

Does the SHA need to belong to a fork of the repo? Or is GitHub just exposing all (public?) repo commits as a giant content-addressable store?

sheept 2 hours ago | parent

Needs to be a fork. Related: https://trufflesecurity.com/blog/anyone-can-access-deleted-a...