Ideally the next step would be to use our own CDN (aka AWS), which admittedly is not a huge step up. So I'm not too sure yet what this means. But definitely, I'm more concerned about releases than I am about actual code/issues.
I just came across a security issue relevant to this discussion. Gitea (a GitHub alternative hosted on GitHub) just had its releases on GitHub compromised:
The solution they're going for is to GPG sign their releases. Another probably simpler way to resolve your concerns could be to just post the SHA256 hashes of the releases on an external domain and include directions to check the hash of the release from GitHub in the installation instructions.
Ideally the next step would be to use our own CDN (aka AWS), which admittedly is not a huge step up. So I'm not too sure yet what this means. But definitely, I'm more concerned about releases than I am about actual code/issues.
I just came across a security issue relevant to this discussion. Gitea (a GitHub alternative hosted on GitHub) just had its releases on GitHub compromised:
github.com/go-gitea/gitea/issues/4167
The solution they're going for is to GPG sign their releases. Another probably simpler way to resolve your concerns could be to just post the SHA256 hashes of the releases on an external domain and include directions to check the hash of the release from GitHub in the installation instructions.
Yup, this is the direction I'll be going in as well.