Main Branch

Fundamentals first, always

Issue #2

šŸ” Main Branch: The One Where Actions got Hardened

By Andrea Griffiths • Leer en Español

Hiya friends, welcome back. One security change coming, one just shipped - both actually matter for your workflows.

🚢 What shipped

GitHub Actions OIDC tokens just got more precise

You can now include check_run_id in your OIDC token claims. This sounds small, but it’s a big deal for compliance. Instead of just knowing which workflow ran, you now know which specific job and compute executed the request. If your workflow calls an internal service on Azure or AWS, you can trace that token back to the exact job that made the call. Least-privilege access control gets real when you can tie every token to a specific job, not just a repo. This matters if you’re auditing who accessed what and when.
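Here is what "tie every token to a specific job" looks like on the receiving end. This is an added example, not code from the newsletter or from GitHub: the claim checks an internal service could run after it has verified the token's RS256 signature against GitHub's JWKS with a JWT library (signature verification is assumed to have happened already and is not shown). The repository, audience, run_id and check_run_id values are constructed for the example; the claim names (`iss`, `aud`, `repository`, `ref`, `job_workflow_ref`, `run_id`, `actor`) are the standard GitHub Actions OIDC claims, plus the new `check_run_id`.

```python
"""Claim-level checks for a GitHub Actions OIDC token, bound to one job.

Added example, not code from the newsletter or from GitHub. It assumes the
token's RS256 signature was already verified against GitHub's JWKS
(https://token.actions.githubusercontent.com/.well-known/jwks) by a JWT
library; only the claim checks are shown. All sample values are constructed.
"""
import base64
import json
import time
from typing import Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(jwt: str) -> dict:
    """Return the claims of a compact JWT. Does NOT check the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def encode_unsigned_jwt(claims: dict) -> str:
    """Build an alg=none JWT so the example runs offline (never accept these in production)."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def evaluate_claims(claims: dict, policy: dict, now: Optional[float] = None) -> dict:
    """Apply a relying-service policy to already-verified claims.

    policy = {"audience": ..., "repository": ..., "ref": ...}
    Returns {"allowed": bool, "reason": str, "audit": dict}. The audit dict is
    what you write to the access log so each call traces back to the exact
    job (check_run_id) and run (run_id) that presented the token.
    """
    now = time.time() if now is None else now
    audit = {k: claims.get(k) for k in
             ("repository", "ref", "job_workflow_ref", "run_id", "check_run_id", "actor")}

    def deny(reason):
        return {"allowed": False, "reason": reason, "audit": audit}

    if claims.get("iss") != GITHUB_ISSUER:
        return deny("issuer is not GitHub Actions")
    aud = claims.get("aud")
    if policy["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return deny("token was minted for a different audience")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return deny("token outside its validity window")
    if claims.get("repository") != policy["repository"]:
        return deny("repository not allowed")
    if claims.get("ref") != policy["ref"]:
        return deny("ref not allowed (only the protected branch may call)")
    # The least-privilege point from the newsletter: refuse tokens that are not
    # bound to a specific job, so no access is ever attributable only to a repo.
    check_run_id = claims.get("check_run_id")
    if not (isinstance(check_run_id, str) and check_run_id.isdigit()):
        return deny("token is not bound to a specific job (no check_run_id)")
    return {"allowed": True, "reason": "ok", "audit": audit}


# Constructed sample claims shaped like a GitHub Actions token (values are made up).
NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": "https://deploy.internal.example",
    "sub": "repo:example-org/payments:ref:refs/heads/main",
    "repository": "example-org/payments",
    "ref": "refs/heads/main",
    "job_workflow_ref": "example-org/payments/.github/workflows/deploy.yml@refs/heads/main",
    "workflow": "deploy",
    "actor": "octocat",
    "run_id": "1234567890",
    "check_run_id": "9876543210",
    "iat": NOW, "nbf": NOW, "exp": NOW + 300,
}
POLICY = {"audience": "https://deploy.internal.example",
          "repository": "example-org/payments", "ref": "refs/heads/main"}

if __name__ == "__main__":
    token = encode_unsigned_jwt(SAMPLE_CLAIMS)
    result = evaluate_claims(decode_payload(token), POLICY, now=NOW + 10)
    print(result["allowed"], result["reason"], result["audit"]["check_run_id"])
```

The `audit` dict is the part that earns its keep for compliance: log it on every request and "who accessed what and when" becomes a query on `check_run_id` rather than a guess from a repository name.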

pull_request_target event is getting locked down (Dec 8)

Here’s a security win: pull_request_target workflows will now always use your default branch as the source, not whatever branch someone used as a PR base. This prevents old, vulnerable workflows on stale branches from executing when someone opens a PR. Right now if you fix a vulnerability in your workflow on main but it still exists on a feature branch, a PR from that branch could trigger the broken version. December 8, that spooky door closes.

🎧 What I’m listening to

Darknet Diaries - EP 42: Mini-Stories Vol 2

Clay finds a backdoor on his server and goes full detective mode. Cracks the attacker’s password with John the Ripper, traces every command they ran, then locks them out step by step instead of just nuking everything. The forensics work is beautiful - you can feel his adrenaline rush. Listen on Darknet Diaries.

🔧 What I’m using

TypeScript is now the #1 language by contributor count. If you’re still debating whether to type your new projects, this settles it (maybe). Check the full Octoverse report.

I used TypeScript for my project git-history-cleaner, a user-friendly tool that generates customizable scripts for clearing a git repository’s history while preserving your current files. If you’ve got repos in need of a commit history scrub, give it a try and let me know what you think: https://github.com/AndreaGriffiths11/git-history-cleaner.

✨ This week

This week I’ve been overwhelmed with gratitude…seriously. Friends old and new have been sharing the newsletter and the feedback has been genuinely constructive and kind. Growing this into something we’re all proud of feels real now. Also made it to hot yoga twice. I feel like a new woman (a woman in pain, but new 😀).

That’s it. Fundamentals that actually matter for your workflows.

Forward this to your team if it was useful. Reply and tell me what you actually want to read about if it wasn’t.

With gratitude, I’ll see you next week,

Andrea

P.S. – Fundamentals first. Always.

