It may or may not be true that whether or not you race to use AI heavily right now will determine whether you’re part of a future wealthy elite ruling class or are left behind in poverty and powerlessness.
But if it is true, this strikes me as a deeply immoral future worth fighting hard against.
In my 2023 ACM talk, to illustrate how supply chain security is more than just build deps graphs, I showed a graph of the servers involved in building and serving Go releases.
Has anyone done something like this but for GitHub Actions? We have examples now of attacks moving between actions.
Build deps get attention largely because they are easily computed. Other relevant dep graphs that are harder to compute are ignored.
The GitHub Actions graph is clearly relevant to attacks and should be easily computable from public repos.
What are the 'is-even's of GitHub Actions? Who owns them?
For example, in 2025, a successful attack on the GitHub Action reviewdog/action-setup was used to infect the Action tj-actions/changed-files, with an ultimate target of coinbase/agentkit. www.wiz.io/blog/new-git...
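One way to compute the GitHub Actions dependency graph the thread asks about, as an added example that is not the author's code: walk each repository's workflow and `action.yml` files, collect every `uses: owner/repo@ref` reference, and then answer the two defender questions above (which owners' code runs in a given repo's CI, and which repos are reachable if one action is compromised). The file contents below are constructed stand-ins that reuse the repository names from the thread; they are not the real files, and the 40-hex commit SHA is a placeholder. The parser is a regex over the YAML text so it runs without extra libraries; it deliberately ignores `docker://` and local `./` actions and assumes one file per repository.

```python
"""Dependency graph of GitHub Actions from workflow / action.yml files.

Added example with constructed inputs (not real repository contents).
"""
import re
from collections import defaultdict

# "uses: owner/repo[/subdir]@ref"; skips docker:// images and local ./ actions.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s'\"]+)?)@([^\s'\"#]+)",
    re.M,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: one workflow/action file per repo, names taken from the
# thread, contents invented. The SHA below is a placeholder, not a real commit.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"
FILES = {
    "coinbase/agentkit": f"""
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}
      - uses: tj-actions/changed-files@v45
""",
    "tj-actions/changed-files": """
name: changed-files
runs:
  using: composite
  steps:
    - uses: reviewdog/action-setup@v1
    - run: echo "list changed files"
      shell: bash
""",
    "reviewdog/action-setup": """
name: action-setup
runs:
  using: composite
  steps:
    - run: echo "install reviewdog"
      shell: bash
""",
    "actions/checkout": "runs:\n  using: node20\n  main: dist/index.js\n",
}


def parse_uses(text):
    """All (action_path, ref) pairs referenced by a workflow or action.yml."""
    return USES_RE.findall(text)


def action_repo(path):
    """'owner/repo/sub/dir' -> 'owner/repo' (subdirectory actions share a repo)."""
    return "/".join(path.split("/")[:2])


def build_graph(files):
    """{'owner/repo': text} -> {'owner/repo': {(dep_repo, ref), ...}}."""
    graph = defaultdict(set)
    for repo, text in files.items():
        graph.setdefault(repo, set())
        for path, ref in parse_uses(text):
            graph[repo].add((action_repo(path), ref))
    return dict(graph)


def transitive_deps(graph, root):
    """Every repo whose code runs, directly or indirectly, in root's CI."""
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        for dep, _ in graph.get(node, ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def owners(graph, root):
    """Distinct GitHub owners trusted by root, transitively ("who owns them?")."""
    return {dep.split("/")[0] for dep in transitive_deps(graph, root)}


def reverse_deps(graph, target):
    """Repos that would be reached if target were compromised (blast radius)."""
    return {repo for repo in graph if target in transitive_deps(graph, repo)}


def mutable_refs(graph):
    """Edges pinned to a tag or branch instead of a full commit SHA."""
    return sorted(
        (repo, dep, ref)
        for repo, deps in graph.items()
        for dep, ref in deps
        if not SHA_RE.match(ref)
    )


if __name__ == "__main__":
    g = build_graph(FILES)
    print("trusted owners:", sorted(owners(g, "coinbase/agentkit")))
    print("blast radius of reviewdog/action-setup:",
          sorted(reverse_deps(g, "reviewdog/action-setup")))
    for repo, dep, ref in mutable_refs(g):
        print(f"{repo} pins {dep} to mutable ref {ref}")
```

Run against real data by replacing `FILES` with the `.github/workflows/*.yml` and `action.yml` contents of each repository, then iterating until `build_graph` has an entry for every node in `transitive_deps`. The `mutable_refs` report is the check a reviewer wants alongside the graph: an edge pinned to a tag or branch lets whatever the upstream repository publishes next run in your CI, whereas a full commit SHA fixes the code the edge points at.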