HN Reader

> Surprisingly enough, GitHub Actions with read-only permissions still receive a cache write token, allowing cache poisoning, so they are not safe to run untrusted code.

What are solutions to this and their tradeoffs?

1. Disallow cache write access to read-only actions

2. Stack caches such that read only action cache writes don't affect the cache for read-write actions

edit: What else would solve?

This is really nice. Clean and easy way to use gvisor isolation to solve a github problem.

gvisor seems like the right level of isolation for a lot of code a dev would run on various machines. So just making it more in reach I think is a boon.

How one person can be so good at putting out useful security tech is just wild.

I'll add this to my pile of filo made security I consistently rely on