GitHub Actions makes cache read-only for untrusted workflow triggers by default

GitHub announced on June 26, 2026, that Actions cache tokens will be read-only when workflows are triggered by untrusted events such as pull_request_target, issue_comment, and fork-based workflow_run cascades. The change addresses a longstanding security risk where external contributors could poison a repository's shared cache, influencing subsequent builds on the default branch without touching the codebase. No configuration opt-in is required; the restriction takes effect automatically the next time an untrusted trigger fires. Trusted triggers like push, schedule, and workflow_dispatch retain full read-write cache access as before. Teams that relied on fork or comment-triggered workflows to populate the cache will need to move cache-save steps into a separate push-triggered workflow, while untrusted workflows switch to restore-only operations.
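The split the summary recommends, shown as an added example (not from the original article or from GitHub): a trusted push-triggered workflow is the only one that saves the shared cache, and the pull_request_target workflow only restores. The file paths, the npm project, and the cache key layout are assumptions; the `actions/cache/save` and `actions/cache/restore` sub-actions and their `path`, `key`, `restore-keys` and `fail-on-cache-miss` inputs are real.

```yaml
# .github/workflows/cache-warm.yml  (assumed path)
# Trusted trigger: push to the default branch keeps read-write cache access,
# so this is the only workflow that ever writes the shared cache.
name: cache-warm
on:
  push:
    branches: [main]

jobs:
  warm:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Install dependencies (populates ~/.npm)
        run: npm ci
      - name: Save cache
        uses: actions/cache/save@v4
        with:
          path: ~/.npm
          # The key is derived from the lockfile on the trusted branch, so the
          # entries trusted builds restore are always written by trusted builds.
          key: npm-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}

---
# .github/workflows/pr-checks.yml  (assumed path)
# Untrusted trigger: the cache token is read-only here, so restore is the
# only cache operation that can succeed; deliberately no save step.
name: pr-checks
on:
  pull_request_target:

permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Under pull_request_target, checkout defaults to the base branch, not
      # the fork's head, which is what you want when the job has base-repo secrets.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Restore cache (read-only)
        uses: actions/cache/restore@v4
        with:
          path: ~/.npm
          key: npm-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
          # On a miss, fall back to the newest trusted entry rather than failing;
          # the job simply does a cold install instead.
          restore-keys: |
            npm-${{ runner.os }}-
          fail-on-cache-miss: false
      - run: npm ci
      - run: npm test
```

If a legacy untrusted workflow still contains an `actions/cache` or `actions/cache/save` step, the save will no longer write anything under the read-only token; moving it into the push-triggered file, as above, is the change that keeps the cache warm for trusted builds.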

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.
