I didn't see a key section of a COE: "What are we doing to make sure this can't happen again?"

Apologies if I missed it. There's some discussion of things under "what could have gone better", but prevention is key, and the report's not done without it.

We had a few revisions of the postmortem with this included, but ultimately felt it was premature to include given how quickly we released this notice.

That's not to say that we're not working hard on preventative work, however. We:

- [x] Temporarily removed the cache from our PNPM setup

- [x] Removed all caches from GitHub Actions

- [x] Locked down all GitHub actions on the org to commit IDs instead of version numbers

- [x] Enforced non-SMS GitHub 2FA (NPM & GitHub 2FA was already enforced, but SMS was previously allowed)

- [x] Removed all usage of `pull_request_target` from our CI pipeline (already wasn't in our CD)

- [ ] Are introducing `zizmor` as action linting to every repo via a PR check

- [ ] Are likely introducing `CODEOWNERS` on `.github` folders to restrict merging to only the 7 core maintainers

- [ ] Will replace the PNPM setup cache with `actions/cache/restore`, which has more secure defaults

- [ ] Will change the PNPM setup cache to be isolated between release and PR envs

- [ ] May close the ability to make a TanStack PR as an external contributor (But we're absolutely not going closed source)

We'll have a follow-up blog post that outlines all of this and how maintainers are able to secure themselves similarly.
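Two of the checklist items above, pinning every action to a commit SHA and removing `pull_request_target` triggers, are exactly the kind of thing a workflow linter such as `zizmor` catches. The script below is an added example written for this page, not TanStack's code and not `zizmor` itself: a minimal stdlib-only check over raw workflow YAML. The two sample workflows are constructed for the example, and the 40-hex SHA in the hardened one is a placeholder, not a real commit of `actions/checkout`.

```python
"""Minimal GitHub Actions workflow audit (added example; not zizmor, not TanStack code).

Checks two hardening items on raw workflow YAML using only the standard library:
  1. every third-party `uses:` reference is pinned to a full 40-hex commit SHA
     (tags like @v4 are mutable and can be retargeted by whoever controls the repo)
  2. the workflow is not triggered by `pull_request_target`, which runs with the
     base repo's secrets while a PR can influence what gets executed
"""
import re

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
# pull_request_target as a trigger key or list item (under `on:`), but not the
# same word inside an expression such as `if: github.event_name == 'pull_request_target'`.
PRT_RE = re.compile(r"(?:^|[\s\[,])pull_request_target(?=\s*[:,\]]|\s*$)")


def audit_workflow(text: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for one workflow file's contents."""
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop trailing YAML comments
        if PRT_RE.search(code):
            findings.append((lineno, "workflow triggered by pull_request_target"))
        m = USES_RE.match(code)
        if not m:
            continue
        ref_spec = m.group(1)
        # Local actions and docker:// images are out of scope for SHA pinning.
        if ref_spec.startswith("./") or ref_spec.startswith("docker://"):
            continue
        _action, sep, ref = ref_spec.rpartition("@")
        if not sep:
            findings.append((lineno, f"{ref_spec}: no version ref at all"))
        elif not FULL_SHA_RE.fullmatch(ref):
            findings.append(
                (lineno, f"{ref_spec}: pinned to mutable ref {ref!r}, not a commit SHA")
            )
    return findings


# Constructed sample: the pattern the checklist above removes.
INSECURE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: pnpm/action-setup@v2
        with:
          run_install: true
      - run: pnpm test
"""

# Constructed sample: same job after hardening. The SHA is a placeholder for
# illustration only; a real pin resolves the tag to its actual commit.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: ./.github/actions/setup-pnpm
      - run: pnpm test
"""

if __name__ == "__main__":
    for name, wf in (("insecure", INSECURE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name} ==")
        for lineno, msg in audit_workflow(wf) or [(0, "no findings")]:
            print(f"  line {lineno}: {msg}")
```

Keeping the human-readable tag in a trailing comment next to the SHA (`@<sha>  # v4`) is the usual convention, since Dependabot and Renovate read it to propose pin updates. The script deliberately does not try to cover the cache-isolation or `CODEOWNERS` items, which are repository settings rather than workflow syntax.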