To prevent (at least certain vectors of) supply chain attacks, I think it would be a good idea to make the releases immutable (https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases).
If your GitHub account gets compromised, a bad actor could currently tamper with existing release versions. E.g., if someone pins a certain version of trufflehog in CI scripts, the formerly good version would turn into a "bad" version.
Of course, we could also pin the hashes, but if GitHub offers this nice functionality... 😃
What do you think?
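As an added example (not part of this issue or of the trufflehog project's own code), the hash-pinning fallback mentioned above, written as a bash helper for CI: a release asset is only used if its SHA-256 matches a digest recorded in the pipeline, so a re-uploaded asset under the same tag is rejected. The version, asset name and digest are placeholders, and the release URL pattern is assumed.

```shell
#!/usr/bin/env bash
# Added example: pin a trufflehog release asset by SHA-256 before using it in CI.
# Placeholders below must be filled from a release you verified yourself.
set -eu

TRUFFLEHOG_VERSION="${TRUFFLEHOG_VERSION:-X.Y.Z}"                        # placeholder
ASSET="trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz"             # assumed asset name
EXPECTED_SHA256="${EXPECTED_SHA256:-<sha256-of-the-verified-asset>}"   # placeholder
# Assumed URL pattern for GitHub release assets of the trufflehog project.
RELEASE_URL="https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/${ASSET}"

# sha256_of FILE -> prints the lowercase hex digest (coreutils or BSD shasum)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print tolower($1)}'
  else
    shasum -a 256 "$1" | awk '{print tolower($1)}'
  fi
}

# verify_sha256 FILE EXPECTED -> exit status 0 if the digest matches, 1 otherwise
verify_sha256() {
  actual="$(sha256_of "$1")"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [ "$actual" = "$expected" ]
}

# fetch_pinned URL EXPECTED DEST -> download, verify, and delete the file on mismatch
fetch_pinned() {
  curl -fsSL --retry 3 -o "$3" "$1"
  if ! verify_sha256 "$3" "$2"; then
    echo "checksum mismatch for $1; refusing to use the downloaded asset" >&2
    rm -f "$3"
    return 1
  fi
  echo "verified $3 against pinned SHA-256"
}

# The download only runs when RUN_FETCH=1, so the helpers can also be sourced.
if [ "${RUN_FETCH:-0}" = "1" ]; then
  fetch_pinned "$RELEASE_URL" "$EXPECTED_SHA256" "$ASSET"
  tar -xzf "$ASSET" trufflehog
fi
```

In a pipeline, set RUN_FETCH=1 together with the real version and digest; a mismatch fails the job instead of running an unverified binary.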