GitHub Actions' YAML Anchors: A Step Backwards?

2025-09-22

GitHub Actions recently added support for YAML anchors, a move the author argues is a step backward. The article contends that YAML anchors are redundant with existing functionality and increase the complexity of the data model, making CI/CD configurations harder for both humans and machines to understand. Furthermore, GitHub's lack of support for merge keys renders the one use case unique to YAML anchors ineffective. The author believes this makes GitHub Actions workflows more difficult to analyze for security vulnerabilities and recommends that GitHub immediately remove support for YAML anchors.

Tags: Development

Optimizing GitHub Actions Static Analysis with Finite State Transducers

2025-08-18

The developer of the static analysis tool zizmor optimized its GitHub Actions template injection vulnerability detection using Finite State Transducers (FSTs). By mapping GitHub Actions context patterns to their logical "capability", FSTs reduced the representation size by an order of magnitude (from ~240KB to ~14.5KB) and proved faster and more memory-efficient than previous table- and prefix-tree-based approaches. Furthermore, the FST is pre-computed at compile time, eliminating startup costs. This improvement significantly reduces false positives and enhances detection efficiency.


GitHub Actions Policy Bypass: A Trivial Circumvention of Seemingly Secure Policies

2025-06-11

GitHub Actions provides a policy mechanism to restrict the actions and reusable workflows usable within a repository, organization, or enterprise. However, this mechanism is easily bypassed. By cloning the action repository into the runner's filesystem and then using a local path reference to run the same action, the policy is trivially circumvented. This renders the seemingly secure policy ineffective. The author urges GitHub to address this vulnerability to prevent developers from mistakenly believing the policies provide a security boundary that doesn't exist.

Tags: Development, Policy Bypass

The Makefile Effect: Why We Copy-Paste Config Files

2025-01-11

This post explores the common "Makefile effect" in software engineering: engineers tend to copy-paste and tweak existing configuration files (like Makefiles, CI/CD configurations, etc.) instead of writing them from scratch. The author argues this isn't inherently bad, but suggests it indicates that tools might be overly complex, lacking good diagnostics and debugging support, making them inefficient and insecure to use. The post concludes with design recommendations to minimize this effect, improving development efficiency and security.

Tags: Development, tool design