Open Source Security at Astral
7 hours ago
- #CI/CD
- #Supply Chain
- #Security
- Astral builds developer tools and emphasizes security to maintain user trust amidst rising supply chain attacks.
- CI/CD security: GitHub Actions workflows use restrictive triggers, pinned actions, and minimal permissions.
- Repository and organizational security measures include limited admin roles, strong 2FA, branch/tag protections, and banning admin bypasses.
- Automations like GitHub Apps are used for tasks that GitHub Actions cannot handle securely, improving control over sensitive operations.
- Release security practices include Trusted Publishing, Sigstore attestations, immutable releases, and isolated deployment environments with approvals.
- Dependency security involves using tools like Dependabot and Renovate, maintaining social connections, and being conservative about new dependencies.
- Key recommendations: respect CI/CD limits, isolate long-lived credentials, strengthen release processes, and maintain dependency awareness.
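A workflow that combines the CI/CD and release practices listed above, added here as an illustration rather than Astral's own configuration; the `<40-hex-commit-sha>` pins, the `pypi` environment name and the build commands are placeholders and assumptions.

```yaml
# Added example, not Astral's workflow; action pins and environment name are placeholders.
name: release

# Restrictive trigger: only version tags, never pull_request_target or
# workflow_run driven by untrusted forks.
on:
  push:
    tags: ["v*"]

# Default token is read-only for every job; jobs opt in to more below.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to a full commit SHA, not a mutable tag.
      # <40-hex-commit-sha> is a placeholder: resolve the tag to its commit first.
      - uses: actions/checkout@<40-hex-commit-sha> # vX.Y.Z
        with:
          persist-credentials: false  # do not leave the token in .git/config
      - run: python -m pip install --upgrade build && python -m build
      - uses: actions/upload-artifact@<40-hex-commit-sha> # vX.Y.Z
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Deployment environment with required reviewers set in repository settings:
    # a publish needs a human approval, and environment secrets are scoped to it.
    environment: pypi
    permissions:
      id-token: write   # OIDC token for Trusted Publishing; no long-lived API token
      contents: read
    steps:
      - uses: actions/download-artifact@<40-hex-commit-sha> # vX.Y.Z
        with:
          name: dist
          path: dist/
      # Trusted Publishing: the index trusts the OIDC identity of this workflow and
      # environment; recent versions of this action also produce Sigstore attestations.
      - uses: pypa/gh-action-pypi-publish@<40-hex-commit-sha> # vX.Y.Z
```

Admin bypass of the tag protection that guards `v*` tags, and the long-lived credentials the Trusted Publishing flow replaces, are the two pieces this file cannot enforce on its own and must be set in the repository and index settings.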