GitHub Actions Security in Python Packages

Saturday, May 16th, 2026 4:15 p.m.–4:45 p.m. in Room 103ABC

Presented by

Andrew Nesbitt

Description

GitHub Actions is the dominant CI system for Python open source, used for testing and publishing, including trusted publishing to PyPI via OIDC. That means the security properties of Actions directly affect the Python supply chain.

But Actions is a package manager without the security features we expect from package managers: no lockfiles, mutable version tags, implicit transitive dependencies. Prior research shows 97% of workflows use actions from unverified creators. If a workflow can be compromised before the package is signed, downstream protections don't help.

I scanned GitHub Actions workflows across thousands of Python packages on PyPI using zizmor, a static analysis tool for Actions security. I found unpinned third-party actions, overly permissive GITHUB_TOKEN scopes, artifact poisoning risks, and pull request vulnerabilities that could let attackers hijack releases.

This talk presents findings at ecosystem scale and explores what the Python community can learn from how we've solved similar problems in pip.

What we'll cover:

  • Why GitHub Actions is a supply chain risk
  • What's missing compared to pip, npm, and other package managers
  • Findings from scanning Python package workflows at scale
  • What we can learn from pip's security model
  • A checklist for hardening Python package release workflows
  • How to integrate zizmor into CI pipelines
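
As an added illustration of the unpinned-action finding described above (not code from the talk or from zizmor), this Python example flags `uses:` references that are not pinned to a full 40-character commit SHA, the only ref form that cannot be moved after the fact. The sample workflow, the action names in it, and the choice of `actions` and `github` as first-party owners are assumptions.

```python
import re

# Captures the value of a `uses:` key on a step or a reusable-workflow job.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
FIRST_PARTY_OWNERS = {"actions", "github"}  # assumption: orgs treated as first-party


def classify_uses(ref: str) -> str:
    """Classify one `uses:` value by how it is pinned."""
    if ref.startswith("./"):
        return "local"  # lives in the same repo, versioned with the workflow
    if ref.startswith("docker://"):
        return "docker-digest" if "@sha256:" in ref else "docker-mutable"
    target, sep, version = ref.partition("@")
    if not sep:
        return "invalid"  # remote actions must carry an @ref
    if FULL_SHA_RE.match(version):
        return "sha-pinned"
    owner = target.split("/", 1)[0].lower()
    return "first-party-mutable" if owner in FIRST_PARTY_OWNERS else "third-party-mutable"


def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, ref, kind) for every ref a tag or branch move could change."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        kind = classify_uses(m.group(1)) if m else "skip"
        if kind.endswith("mutable") or kind == "invalid":
            findings.append((lineno, m.group(1), kind))
    return findings


# Constructed sample workflow; the action names and the SHA are made up.
SAMPLE = """\
on: push
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/build-wheel@main
      - uses: example-org/sign@0123456789abcdef0123456789abcdef01234567 # v1.2.0
      - uses: ./.github/actions/local-step
      - name: Upload
        uses: example-org/upload@v2
"""

if __name__ == "__main__":
    for lineno, ref, kind in audit_workflow(SAMPLE):
        print(f"line {lineno}: {ref} -> {kind}")
```

A SHA pin only covers the action named on that line; actions it calls internally are the implicit transitive dependencies the description mentions and are not visible to a check like this.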
