GigaTap articles tagged GitHub Actions.
- npm worms are now a CI/CD trust problem - Unit 42’s updated report shows npm attacks shifting from typosquats to self-propagating campaigns that abuse tokens, package publishing, and CI/CD workflow
- zizmor hardening shows why CI parsers matter - Trail of Bits hardened zizmor against real GitHub Actions workflows, fixing YAML anchor, deserialization, and expression-evaluator issues found in a 41,253
- Risky Business #837: GitHub Actions as a supply-chain fault line - Risky Business #837 points to the TanStack compromise and a familiar CI/CD risk: workflows with too much trust can turn package publishing into an incident
- Grafana’s Missed Token Shows the Real CI/CD Risk - Grafana says one GitHub workflow token missed during post-TanStack incident response allowed attackers to access private repositories.
- Copilot can now propose fixes for failed Actions - GitHub added a one-click Copilot cloud agent flow for failed Actions jobs. Useful for CI triage, but teams should keep review boundaries clear.
- Composer token leak risk: update before CI logs bite - A GitHub token format change exposed a Composer error path that could print Actions tokens into CI logs. PHP teams should update Composer and review recent