Wow, breaking news! 
Did you know you can use any program as a GitHub Actions shell? 
Next, we'll find out you can set your toaster as a CI/CD pipeline. 
https://yossarian.net/til/post/any-program-can-be-a-github-actions-shell/ #GitHubActions #ToasterCI #CDpipeline #BreakingNews #TechInnovation #HackerNews #ngated
Any program can be a GitHub Actions shell
https://yossarian.net/til/post/any-program-can-be-a-github-actions-shell/
#HackerNews #GitHubActions #Programming #DevOps #CI/CD #Automation
Oh joy, another thrilling exposé on the riveting world of disk I/O in GitHub Actions. Because clearly, what the internet needed was a dissertation on how slow pipelines are a mystery waiting to be solved by the heroes of... *checks notes*... #iostat. Let's sprinkle some cookies and call it a day. 
https://depot.dev/blog/uncovering-disk-io-bottlenecks-github-actions-ci #diskIO #GitHubActions #slowPipelines #techExposé #developerHumor #HackerNews #ngated
Disk I/O bottlenecks in GitHub Actions
https://depot.dev/blog/uncovering-disk-io-bottlenecks-github-actions-ci
#CI #github il est désormais possible d'utiliser des versions "free-threaded" de #Python (sans le global interpreter lock, qui bride la façon de faire de l'exécution concurrente) dans les #githubactions
https://hugovk.dev/blog/2025/free-threaded-python-on-github-actions/
BREAKING: You have 5 days until #DockerHub transforms into the landlord of your worst nightmares. But fear not, if you run your GitHub Actions on overpriced, molasses-slow machines, salvation awaits! Apparently, paying more for less is the 2025 motto. 
️
https://www.blacksmith.sh/blog/you-have-5-days-before-the-new-dockerhub-limits-f-ck-you-over #GitHubActions #TechNews #SoftwareDevelopment #DevOps #HackerNews #ngated
Oh no, not another soul lost in the GitHub Actions Bermuda Triangle 
. Apparently, someone decided it was a great idea to leave the backdoor open to their secret garden of mysteries. Who needs secure coding practices when you can just sprinkle some malicious pixie dust and watch chaos ensue? 
https://alexwlchan.net/2025/github-actions-audit/ #GitHubActions #SecurityBreach #CodingPractices #SoftwareDevelopment #TechHumor #DevOps #HackerNews #ngated
Nous avons tous nos bonnes pratiques lorsqu'il s'agit de créer un nouveau #projet #Python, avec l'utilisation de patterns et d'outils éprouvés : lint avec #ruff et #mypy, hooks avec #precommit, tests avec #pytest, intégration continue #githubactions : https://github.com/neubig/starter-repo
Libre à chaque personne de faire évoluer le porojet selon ses propres goûts et contraintes.
GitHub Actions now supports free-threaded Python!
I wrote up how to add it your workflows so you can start testing free-threaded Python 3.13 and 3.14 with either actions/setup-python or actions/setup-uv.
https://hugovk.dev/blog/2025/free-threaded-python-on-github-actions/
Coinbase Targeted in GitHub Actions Supply Chain Attack: A Deep Dive
A sophisticated supply chain attack has put Coinbase in the crosshairs, exploiting GitHub Actions to compromise secrets across hundreds of repositories. This article unpacks the technical details of t...
https://news.lavx.hu/article/coinbase-targeted-in-github-actions-supply-chain-attack-a-deep-dive
(horizon3.ai) What to know about recent Github Actions and Apache Tomcat vulnerabilities—before you investigate https://www.horizon3.ai/attack-research/attack-blogs/critical-or-clickbait-github-actions-and-apache-tomcat-rce-vulnerabilities-2025/
The article from Horizon3 analyzes two recent high-profile vulnerabilities: CVE-2025-30066 affecting GitHub Actions (tj-actions/changed-files) and CVE-2025-24813 affecting Apache Tomcat. Despite widespread publicity, Horizon3.ai's Attack Team found that actual exploitation risk is significantly lower than reported. For the GitHub Actions vulnerability, only one repository among 1,200 examined was exposed, with no evidence of data exfiltration. For Apache Tomcat, analysis of over 10,000 endpoints revealed no vulnerable configurations in production environments. The article emphasizes the importance of prioritizing security responses based on actual risk rather than media hype.
This Week in Security: The Github Supply Chain Attack, Ransomware Decryption, and Paragon - Last Friday Github saw a supply chain attack hidden in a popular Github Action. To... - https://hackaday.com/2025/03/21/this-week-in-security-the-github-supply-chain-attack-ransomware-decryption-and-paragon/ #thisweekinsecurity #supplychainattack #hackadaycolumns #securityhacks #githubactions #paragon #news
GitHub has removed a poisoned Action used in 23,000+ repos after it exfiltrated CI secrets, prompting concerns over supply chain security
#Cybersecurity #Microsoft #GitHub #CI_CD #DevSecOps #CyberThreats #GitHubActions #Malware #CodeSecurity #tjactions
If you work with GitHub Actions and have used actions to commit to a branch, you may have run into this little problem I ran into today: automatically generated commits and events triggered by a workflow, do not trigger any workflow.
In practice, that means that if you used a workflow to add a commit to your Pull Request, CI will not be triggered after that commit is pushed. All the events and CI that you would expect to see run on your Pull Request will not be triggered until your next push.
This is done on purpose by GitHub, as per the docs:
When you use the repository’s
GITHUB_TOKENto perform tasks, events triggered by theGITHUB_TOKEN, with the exception ofworkflow_dispatchandrepository_dispatch, will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository’sGITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.
A possible work-around in such cases is to use a personal access token instead of the default GITHUB_TOKEN to trigger events that require a token.
In my situation, I am using actions/github-script and its authenticated Octokit client. Specifically, I use createOrUpdateFileContents to add a new file, commit it, and push it to the branch. actions/github-script allows using the github-token input to pass your own custom token, so I used that:
uses: actions/github-script@v7 with: github-token: ${{ secrets.API_TOKEN_GITHUB }} script: |The generated commit now happens in my name, and CI events are triggered as expected by that commit.
Oh, look! Another tech blogger thinks they've discovered fire 
by "building a custom site" using GitHub Actions and Pages. In other news, water is wet 
. It's truly revolutionary to save a YAML file and click a few buttons!
https://til.simonwillison.net/github-actions/github-pages #techblogger #GitHubActions #webdev #innovation #sarcasm #HackerNews #ngated
Cascading Supply Chain Attack Exposes Secrets in Over 23,000 GitHub Repositories
A recent supply chain attack has compromised critical CI/CD secrets across a staggering number of GitHub repositories, revealing vulnerabilities in widely used actions. The breach highlights the inter...
Compromised `reviewdog` #GitHubActions "injected Malicious Code into any CI Workflows using it, dumping the CI Runner memory containing the Workflow Secrets"
https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup
Cascading Supply Chain Attack Exposes CI/CD Secrets: A GitHub Action Breach Analysis
A recent cascading supply chain attack has compromised GitHub Actions, leading to the exposure of CI/CD secrets across thousands of repositories. This incident highlights vulnerabilities in the softwa...
