Astral shares the security practices they use to protect their open source tools (Ruff, uv, ty) from supply chain attacks. Key areas covered include: hardening GitHub Actions CI/CD by banning dangerous triggers like pull_request_target, pinning all actions to commit SHAs, limiting permissions, and isolating secrets in deployment environments. For releases, they use Trusted Publishing to eliminate long-lived credentials, Sigstore-based attestations, immutable releases, and two-person approval gates. They also use GitHub Apps to safely handle tasks that GitHub Actions can't do securely, maintain dependency hygiene with Dependabot/Renovate plus cooldowns, and contribute financially and technically to upstream projects. The post includes shareable GitHub rulesets and practical recommendations for other maintainers.
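As an added illustration of three of the CI/CD rules summarized above (no pull_request_target trigger, every action pinned to a commit SHA, an explicit top-level permissions block), here is a small text-based workflow check. It is not code from Astral's post or tooling; the function name audit_workflow, the sample workflows and the placeholder SHA are assumptions made for the example.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
PINNED = re.compile(r"@[0-9a-f]{40}$")           # full commit SHA, not a tag or branch
TRIGGER = re.compile(r"\bpull_request_target\b")
TOP_PERMS = re.compile(r"^permissions:", re.MULTILINE)

def audit_workflow(text):
    """Return (line_number, finding) pairs for one workflow file's text."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]             # drop comments such as "# v4"
        if TRIGGER.search(code):
            findings.append((n, "banned trigger: pull_request_target"))
        m = USES.match(code)
        # Local actions (./path) and docker:// images are not git refs; skipped here.
        if m and not m.group(1).startswith(("./", "docker://")):
            if not PINNED.search(m.group(1)):
                findings.append((n, "action not pinned to a commit SHA: " + m.group(1)))
    if not TOP_PERMS.search(text):
        findings.append((0, "no top-level permissions block"))
    return findings

# Constructed sample workflows; the SHA is a placeholder, not a real commit.
WEAK = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
"""
HARDENED = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_workflow(wf))
```

Findings with line number 0 apply to the whole file. The check works on raw text, so it does not resolve reusable workflows or YAML anchors.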