> Surprisingly enough, GitHub Actions with read-only permissions still receive a cache write token, allowing cache poisoning, so they are not safe to run untrusted code.
What are solutions to this and their tradeoffs?
1. Disallow cache write access to read-only actions
2. Stack caches such that read only action cache writes don't affect the cache for read-write actions
edit: What else would solve?
pa7ch 99 days ago [-]
This is really nice. Clean and easy way to use gvisor isolation to solve a github problem.
gvisor seems like the right level of isolation for a lot of code a dev would run on various machines. So just making it more in reach I think is a boon.
c45y 99 days ago [-]
How one person can be so good at putting out useful security tech is just wild.
I'll add this to my pile of filo made security I consistently rely on
Rendered at 15:16:35 GMT+0000 (Coordinated Universal Time) with Vercel.
What are solutions to this and their tradeoffs?
1. Disallow cache write access to read-only actions
2. Stack caches such that read only action cache writes don't affect the cache for read-write actions
edit: What else would solve?
gvisor seems like the right level of isolation for a lot of code a dev would run on various machines. So just making it more in reach I think is a boon.
I'll add this to my pile of filo made security I consistently rely on