Your Workflow Log Is Not a Vault
The tj-actions compromise turned build logs into a credential buffet, which is a hell of a way to learn what 'pin your dependencies' actually means.
#github-actions
2 transmissions tagged #github-actions
The Security Scanner That Tried to Steal Your Secrets
Trivy got popped, then KICS got popped, and the lesson is that version tags are not a security boundary.