> But this commit doesn't even have to belong to the preceding repository. You can reference a commit on a fork. Great way to sneak in an xz-utils style backdoor into critical CI workflows.
Wow. Does the SHA need to belong to a fork of the repo? Or is GitHub just exposing all (public?) repo commits as a giant content-addressable store?
It appears that under their system all forks belong to same repo (I imagine they just make _fork/<forkname> ref under git when there is something forked off main repo) presumably to save on storage. And so accessing a single commit doesn't really care about origin(as finding to which branch(es) commit belongs would be a lot of work)
Wow. Does the SHA need to belong to a fork of the repo? Or is GitHub just exposing all (public?) repo commits as a giant content-addressable store?