Dispatch
GitHub Accelerates Supply Chain Security: OIDC Trusted Publishing, Dependency Locking for Actions, npm Token Overhaul
GitHub published a comprehensive response to escalating supply chain attacks targeting secret exfiltration, including the multi-wave Shai-Hulud JavaScript campaign. New capabilities include a dependencies: section in workflow YAML that locks all direct and transitive dependencies with commit SHAs (like go.mod for Actions), expanding OIDC token integration across npm/PyPI/NuGet/RubyGems/Crates, and deprecating TOTP 2FA on npm in favor of FIDO-based auth with 7-day granular tokens. These are the most significant GitHub Actions security changes since the platform launched.
Source
↳ Follow the thread