sudo rm -rf --no-preserve-root /|Jul 01, 2026 11:50
so i've been moving all of my actively maintained repos to require github actions pinned to _full-length commit shas_. on top of that, all jobs now use fine-grained perms, downloaded binaries are verified against hardcoded sha256 hashes, deps are pinned, and force-pushes to the `main`/`master` branch are disabled. there's really no good reason to risk dangling commits on your main branch. otherwise, anyone who gets compromised with write access could force-push an amended (and malicious) version of an old-looking commit. look, none of this will completely protect you from supply chain attacks, but it's one of many guardrails you can put in place. in the end, it's the combination of these measures that makes the difference hopefully. here my snekmate pr if you wanna check what i did: https://github.com/pcaversaccio/snekmate/pull/388(sudo rm -rf --no-preserve-root /)
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink