AI Hacker News 3h ago 2 min read
Astral’s April 8, 2026 post became an HN talking point because it turned supply-chain security into concrete CI/CD practice. The key pieces were banning risky GitHub Actions triggers, hash-pinning actions, shrinking permissions, isolating secrets, and using GitHub Apps or Trusted Publishing where Actions defaults fall short.