Astral shares its open source security practices, focusing on CI/CD workflows in GitHub Actions to protect tools like Ruff, uv, and ty from supply chain attacks. The post highlights poor security defaults in GitHub Actions and offers techniques to mitigate risks for developers and maintainers. This is a proactive response to recent high-profile hacks like Trivy and LiteLLM.
Background
Supply chain attacks have become increasingly common in open source ecosystems, with recent incidents affecting tools like Trivy and LiteLLM. CI/CD systems, particularly GitHub Actions, are often targeted due to weak security defaults.
- Source
- Lobsters
- Published
- Apr 8, 2026 at 11:25 PM
- Score
- 7.0 / 10