
Supply Chain Attack on Trivy

https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack
11•tiri•1h ago

Comments

wilkystyle•1h ago
I have generally preferred to avoid using community-maintained actions as far as possible, instead installing and configuring the runners as though I would a normal machine.

This started from a desire to avoid an unknown amount of bloat and untrusted code, but also because I'm pretty tired of getting Node deprecation warnings for installing/using something that has nothing to do with JavaScript at all.

I've always installed a pinned version of Trivy of my choosing, and installed by curl | sh.

Looks like curl | sh may have saved my skin, whereas even older versions of the GitHub action were force-pushed to install the vulnerable binary.

SahAssar•1h ago
> avoid using community-maintained actions as far as possible, instead installing and configuring the runners as though I would a normal machine.

A runner and an action are two very different things.

You could run on the default runners with no community actions, and you can run on self-hosted runners with a lot of community actions.

wilkystyle•32m ago
If you're getting hung up on "normal machine", what I meant is a computer in general that is not related to GitHub Actions at all.

If that's not the part of my message you're referring to, then your message seems completely orthogonal to what I posted.

PC Gamer recommends RSS readers in a 37mb article that just keeps downloading

https://stuartbreckenridge.net/2026-03-19-pc-gamer-recommends-rss-readers-in-a-37mb-article/
289•JumpCrisscross•6h ago•138 comments

The gold standard of optimization: A look under the hood of RollerCoaster Tycoon

https://larstofus.com/2026/03/22/the-gold-standard-of-optimization-a-look-under-the-hood-of-rolle...
163•mariuz•5h ago•62 comments

The future of version control

https://bramcohen.com/p/manyana
390•c17r•9h ago•230 comments

Reports of code's death are greatly exaggerated

https://stevekrouse.com/precision
223•stevekrouse•13h ago•201 comments

Why I love NixOS

https://www.birkey.co/2026-03-22-why-i-love-nixos.html
184•birkey•7h ago•132 comments

LLMs predict my coffee

https://dynomight.net/coffee/
63•surprisetalk•4d ago•24 comments

GrapheneOS will remain usable by anyone without requiring personal information

https://grapheneos.social/@GrapheneOS/116261301913660830
193•nothrowaways•3h ago•47 comments

Project Nomad – Knowledge That Never Goes Offline

https://www.projectnomad.us
355•jensgk•12h ago•107 comments

Flash-MoE: Running a 397B Parameter Model on a Laptop

https://github.com/danveloper/flash-moe
296•mft_•13h ago•104 comments

Five Years of Running a Systems Reading Group at Microsoft

https://armaansood.com/posts/systems-reading-group/
109•Foe•7h ago•29 comments

First and Lego Education Partnership Update

https://community.firstinspires.org/first-lego-education-partnership-update
19•jchin•3d ago•6 comments

MAUI Is Coming to Linux

https://avaloniaui.net/blog/maui-avalonia-preview-1
151•DeathArrow•9h ago•74 comments

Why I Vibe in Go, Not Rust or Python

https://lifelog.my/episode/why-i-vibe-in-go-not-rust-or-python
25•riclib•1h ago•13 comments

Windows native app development is a mess

https://domenic.me/windows-native-dev/
319•domenicd•15h ago•334 comments

How to Attract AI Bots to Your Open Source Project

https://nesbitt.io/2026/03/21/how-to-attract-ai-bots-to-your-open-source-project.html
64•zdw•1d ago•13 comments

Building an FPGA 3dfx Voodoo with Modern RTL Tools

https://noquiche.fyi/voodoo
156•fayalalebrun•11h ago•33 comments

I Reverse-Engineered the TiinyAI Pocket Lab from Marketing Photos

https://bay41.com/posts/tiiny-ai-pocket-lab-review/
11•davidklemke•3d ago•3 comments

Theodosian Land Walls of Constantinople

https://turkisharchaeonews.net/object/theodosian-land-walls-constantinople
23•bcraven•3d ago•5 comments

Show HN: Codala, a social network built on scanning barcodes

https://play.google.com/store/apps/details?id=com.hsynkrkye.codala&hl=en
23•hsynkrkye•4d ago•12 comments

What Young Workers Are Doing to AI-Proof Themselves

https://www.wsj.com/economy/jobs/ai-jobs-young-people-careers-14282284
61•wallflower•6h ago•68 comments

They're Vibe-Coding Spam Now

https://tedium.co/2026/02/25/vibe-coded-email-spam/
22•raybb•2h ago•12 comments

Teaching Claude to QA a mobile app

https://christophermeiklejohn.com/ai/zabriskie/development/android/ios/2026/03/22/teaching-claude...
61•azhenley•5h ago•4 comments

More common mistakes to avoid when creating system architecture diagrams

https://www.ilograph.com/blog/posts/more-common-diagram-mistakes/
136•billyp-rva•13h ago•52 comments

Palantir extends reach into British state as gets access to sensitive FCA data

https://www.theguardian.com/technology/2026/mar/22/palantir-extends-reach-into-british-state-as-i...
179•chrisjj•7h ago•51 comments

Vectorization of Verilog Designs and its Effects on Verification and Synthesis

https://arxiv.org/abs/2603.17099
21•matt_d•3d ago•4 comments

25 Years of Eggs

https://www.john-rush.com/posts/eggs-25-years-20260219.html
248•avyfain•4d ago•71 comments

OpenClaw is a security nightmare dressed up as a daydream

https://composio.dev/content/openclaw-security-and-vulnerabilities
283•fs_software•7h ago•196 comments

Iran war energy crisis is a renewable energy wake-up call

https://apnews.com/article/middle-east-wars-renewable-energy-asia-4b5fe0693ce5816472c905db85f7da6e
112•mooreds•2h ago•111 comments

A review of dice that came with the white castle

https://boardgamegeek.com/thread/3533812/a-review-of-dice-that-came-with-the-white-castle
127•doener•3d ago•38 comments

You are not your job

https://jry.io/writing/you-are-not-your-job/
58•jryio•9h ago•84 comments