Jon Jensen
jenseng.bsky.social
I assume the API might need a token if the action is from a private repo? Though I suppose the risk factor there should be pretty low 😅 ... regardless, the plugin already has some token smarts (you can provide a token, or it can reuse `gh`'s token if present, etc.)
December 16, 2024 at 11:05 PM
Nice! An unfortunate constraint of ESLint is that it needs to be synchronous. That said, this can be worked around with worker threads or child processes 🫠 (with caching it's not *too* terrible)
December 16, 2024 at 11:04 PM
For context, these were my motivators for writing the plugin (as opposed to using something existing): x.com/jenseng/stat...
December 16, 2024 at 8:51 PM
Going to get the ball rolling on this soon 🤞 ... I've been battle testing the plugin on several Netflix repos over the last year 😅 ... while it doesn't specifically validate action shas, that should be a pretty simple rule to implement
December 16, 2024 at 8:50 PM
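A minimal form of the SHA-pinning check the post suggests, written here as an added example in plain JavaScript rather than as the plugin's own code; the workflow text is constructed and the function names are assumptions:

```javascript
// Added example (not the plugin's code): flag GitHub Actions `uses:` references
// that are not pinned to a full 40-hex commit SHA, so a moved tag or branch
// cannot silently change what runs in the workflow.
const SHA40 = /^[0-9a-f]{40}$/;
const USES_LINE = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)["']?/;

// Returns null when the reference is acceptable, otherwise a finding object.
function checkUsesRef(ref) {
  // Local actions and docker images are outside the scope of SHA pinning here.
  if (ref.startsWith('./') || ref.startsWith('docker://')) return null;
  const at = ref.lastIndexOf('@');
  if (at === -1) return { ref, reason: 'missing ref' };
  const version = ref.slice(at + 1);
  if (SHA40.test(version)) return null;
  return { ref, reason: `mutable ref "${version}"` };
}

// Scans a workflow file line by line (no YAML parser needed for `uses:` lines)
// and returns every unpinned reference with its 1-based line number.
function findUnpinnedActions(workflowYaml) {
  const findings = [];
  workflowYaml.split('\n').forEach((text, i) => {
    const m = USES_LINE.exec(text);
    if (!m) return;
    const finding = checkUsesRef(m[1]);
    if (finding) findings.push({ line: i + 1, ...finding });
  });
  return findings;
}

// Constructed sample workflow; the SHA below is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = `
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-thing
      - uses: some/action
`;

console.log(findUnpinnedActions(SAMPLE_WORKFLOW));
```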
don't you love,
the suspense,
caused by not knowing,
whether there is more to follow,
November 26, 2024 at 12:20 AM
Since the token is always readonly and secrets are inaccessible, the risks are reduced. But attackers could still cause trouble, e.g.
1. `sleep infinity` to use up your concurrent job limit
2. hammer the API and get your repo rate-limited
3. use up the cache so useful stuff gets evicted
November 13, 2024 at 3:06 AM