You can SHA-pin the top-level action, but Palo Alto’s “Unpinnable Actions” research documented how transitive dependencies remain unpinnable regardless. The tj-actions/changed-files incident in March 2025 started with reviewdog/action-setup, a dependency of a dependency, and cascaded outward when the attacker retagged all existing version tags to point at malicious code that dumped CI secrets to workflow logs, affecting over 23,000 repos. GitHub has since added SHA pinning enforcement policies, but only for top-level references.
It comes shortly after the defence secretary reiterated president Donald Trump’s threat that if Iran does anything to prevent the flow of oil in the strait of Hormuz, it will be hit “twenty times harder”.
Update: See the Hacker News thread, /r/programming, /r/ProgrammingLanguages, /r/gamedev, and /r/lisp posts for discussions on this article and Cakelisp.