Hardening GitHub Actions Against Supply Chain Attacks

Everyone is talking about supply-chain attacks again, especially after the public campaigns that abused self-hosted and ephemeral runners in early 2025. The common thread: attackers weaponised pull requests to run malicious workflows, exfiltrate long-lived credentials, and ship tampered artifacts to registries. Here’s how I hardened my GitHub Actions estate without grinding the release train to a halt.

What the current wave looks like

The noisy incidents from the past quarter followed a familiar pattern: ...

October 20, 2025 · 3 min · Almog Shoshan