初嘗 GitHub Immutable Release
I just came across the immutable release feature GitHub shipped last October, which locks the corresponding Git tag and every attached asset so that neither can be changed or deleted afterwards.

"When you enable immutable releases, the following protections are enforced:
- Git tags cannot be moved or deleted: Once an immutable release is published, its associated Git tag is locked to a specific commit and cannot be changed or removed.
- Release assets cannot be modified or deleted: All files attached to the release (such as binaries and archives) are protected from modification or deletion."

It sounds like this adds a little extra safety downstream in the supply chain: at the very least an attacker would have to publish a new version to poison downstream consumers, so consumers that stay on a pinned version and verify that version would be unaffected. ...
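The protection above only pays off if the downstream side actually pins a tag and checks the bytes it downloaded, otherwise a moved tag or a replaced asset is accepted silently. The following is an added example (not code from the original post or from GitHub) of that consumer-side check: a tiny pin file format, a parser for it, and a verifier that classifies a downloaded asset as matching, mismatching, or never pinned. The tag `v1.2.3`, the asset name, the pin-file format and the sample bytes are all constructed for the example.

```python
"""Added example (not from the original post): how a downstream consumer
pins a release and verifies the asset it downloaded, so that a moved tag
or a swapped asset is detected instead of silently trusted.
The tag, asset name, pin-file format and sample bytes are constructed."""
import hashlib
import hmac

# Constructed sample asset and its digest; a real consumer would compute the
# digest once, from a release it has reviewed, and commit it to its pin file.
SAMPLE_ASSET = b"constructed release asset bytes for tool v1.2.3"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ASSET).hexdigest()

# Constructed pin file: one line per pinned asset -> "<tag> <asset-name> <sha256>".
PIN_FILE = f"""
# tag      asset                    sha256
v1.2.3     tool-linux-amd64.tar.gz  {SAMPLE_SHA256}
"""


def parse_pin_file(text):
    """Return {(tag, asset): sha256_hex}; blank lines and '#' comments are ignored."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"pin file line {lineno}: expected 3 fields, got {len(parts)}")
        tag, asset, digest = parts
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"pin file line {lineno}: malformed sha256")
        pins[(tag, asset)] = digest
    return pins


def verify_download(pins, tag, asset, data):
    """Classify downloaded bytes against the pins.

    Returns 'ok', 'not-pinned' (this tag/asset was never reviewed and must not
    be used), or 'hash-mismatch' (the bytes differ from what was pinned: a moved
    tag, a replaced asset, or a corrupted download)."""
    expected = pins.get((tag, asset))
    if expected is None:
        return "not-pinned"
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest is a constant-time comparison; a good habit for any digest check.
    if hmac.compare_digest(actual, expected):
        return "ok"
    return "hash-mismatch"


if __name__ == "__main__":
    pins = parse_pin_file(PIN_FILE)
    asset = "tool-linux-amd64.tar.gz"
    print(verify_download(pins, "v1.2.3", asset, SAMPLE_ASSET))          # ok
    print(verify_download(pins, "v1.2.3", asset, SAMPLE_ASSET + b"!"))   # hash-mismatch
    print(verify_download(pins, "v1.2.4", asset, SAMPLE_ASSET))          # not-pinned
```

The point of the three outcomes is that "not-pinned" is a decision for a human, not a download to retry: a new tag showing up is exactly the "attacker has to publish a new version" case from the post, and the consumer should review it before adding a line to the pin file.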