Your GitHub Actions Are a Supply Chain Attack Surface and You Probably Haven't Noticed

Last week I spent a full Saturday auditing every GitHub Actions workflow across our repos. Not because I wanted to, but because the Trivy supply chain attack made me realize how thin the ice was under my feet. If you missed it: someone managed to sneak a malicious commit into the actions/checkout action by exploiting GitHub’s fork commit reachability. They swapped a SHA pin in Trivy’s release workflow to point at an orphaned commit in a fork. The commit looked legit, the comment said # v6.0.2, the author was spoofed to look like a real maintainer. The actual payload downloaded Go files from a typosquatted domain and replaced Trivy’s source code during the build. ...

March 25, 2026

Why I Turned Off Dependabot and What I Use Instead

Last Tuesday, one of my Go services got 14 Dependabot PRs in a single day. All of them came from one CVE, and none of them affected the way our code actually runs in production. We still had to read the alerts, review the PRs, wait for CI, and merge changes. That was the moment I decided to stop using Dependabot for this workflow.

What finally broke it for me

The issue was CVE-2026-26958 in filippo.io/edwards25519. ...

February 21, 2026

CI/CD Pipeline Design Step by Step

Why Do You Need a CI/CD Pipeline?

If your deployment process involves someone SSH-ing into a server and running commands manually, every deployment is a risk: forgotten steps, drifting configurations, human errors. A CI/CD pipeline automates the entire flow from code to production. Every deployment becomes identical, repeatable, and safe.

The Five Layers of a CI/CD Pipeline

1. Source Control: Git with a branching strategy (trunk-based development recommended), PR reviews, and a protected main branch. ...

March 8, 2025