Long career as a dilettante at Bell Labs Research and Google, mostly building weird stuff no one uses, but occasionally getting it right, such as with UTF-8 and Go.
rob pike









"Cognitive surrender". www.nytimes.com/2026/03/29/o...
In my 2023 ACM talk, to illustrate how supply chain security is more than just build deps graphs, I showed a graph of the servers involved in building and serving Go releases. Has anyone done something like this but for GitHub Actions? We have examples now of attacks moving between actions.
For example, in 2025, a successful attack on the GitHub Action reviewdog/action-setup was used to infect the Action tj-actions/changed-files, with an ultimate target of coinbase/agentkit. www.wiz.io/blog/new-git...
Build deps get attention largely because they are easily computed. Other relevant dep graphs that are harder to compute are ignored. The GitHub Actions graph is clearly relevant to attacks and should be easily computable from public repos. What are the 'is-even's of GitHub Actions? Who owns them?